Complex configuration management made simple

Entitlement management is not a simple task. The combinatory effects when many users need access to many functions in many applications in a controlled fashion are quite overwhelming. The sum total of actual permissions to manage easily amounts to millions.

Today, this is primarily achieved via pre-configured configurations, typically bundled in static role-definitions or access control lists. The bundling as such creates a lack of flexibility which makes change requests costly. Extensible and externalized access control, by contrast, makes entitlements subject to policy evaluations. One policy change impacts permissions across an entire stack of functions and applications. By adding or altering policies and policy conditions, new requirements can be met without the need to change controlled systems.

The ability to make these changes across many applications from a central point offers important cost savings. Forrester research on Microsoft's proposed Security Development Lifecycle standard has measured costs for change introduced in different stages of software development. According to this report, change in the post-release phase costs 30 times more than what it would if done from start.
Chart based on Forrester research report "Application Security: 2011 And Beyond".

A common reason for such changes are adaptions to new authorization requirements as a result of compliance or risk management. With eXtensible authorization, you reduce these costs to what it takes to update centrally maintained policies.

Extensible access control therefore offers potential cost reductions in three areas:

• In development: Policy Enforcement Points (PEP) are standardized components that are re-used over and over again in software development. Rather than building application specific logic in each application to determine what each user is allowed to do, PEPs make calls to a central Policy Decision Point (PDP). The result: new applications and services can be produced faster, at a lower cost, and with higher quality.
• In software life-cycle management: Fundamental change requests with regard to entitlements – for instance to meet regulatory compliance requirements – are managed with centralized policies. There is no need to change configurations or functionality in individual applications or services. 
• In operations: Privilege-giving attributes are widely managed in LOB activities. Identity & Access Management (IAM) can to a large extent be embedded in existing business processes rather than demanding a separate administrative effort.

The bottom line: Extensible access control is a strategic investment, often triggered by governance, risk and compliance management needs. However, long-term the business value in terms of cost reductions, may be just as important.