This is changing as a relatively new category of access-control software, known as entitlement management, hits the market. The most recent iteration was Monday's launch of version 3.0 of Securent Inc.'s Entitlement Management Solution.
Securent EMS includes three components: one for centrally administering, managing, and monitoring entitlement policies; another for making access-control decisions in real time; and a third for enforcing those decisions. With version 3.0, Securent's software can be used to manage entitlement privileges not only to applications but to databases as well. This latest version can also be used to create entitlement management capabilities within a number of software portal products, including Microsoft Office SharePoint Server 2007, JBoss Portal 2.4 and 2.6, and BEA WebLogic Portal 9.2.
There's certainly no shortage of identity or access management vendors, many of them more established than Securent. Where Securent claims to stand out among its competitors, which to some extent include BEA Systems, CA, and Jericho Systems, is its ability to define and enforce access right down to individual fields within an application, depending upon the type of access a user is permitted.
First American Corp., a provider of mortgage, title, and other property-related information, has big plans for entitlement management software as the company renovates its 10-year-old intranet using the JBoss open-source Java application server software offered by Red Hat. The company began investigating its options about a year ago. The company first considered Oracle identity-management software, whose strength comes from the capabilities Oracle acquired in recent years along with Oblix and Thor. But Oracle couldn't refine access control to the individual field within an application, said Gus Tepper, First American's VP of software development, in an interview.
First American is hoping that Securent's entitlement management software will give the company's system administrators the ability to restrict access down to individual fields within the company's intranet applications. Users will not even be able to view certain fields unless it's required based upon their position with the company, the location of their office, or other specific criteria. Such capabilities aren't so much a foolproof security function as a way to maintain control over access to confidential company and customer information. "What it really does is keep people's hands out of the cookie jar," Tepper said.
Tepper clearly sees regulatory compliance requirements as driving the demand for entitlement-management software. "Today, when you get a group of SOX auditors in here, there's no central place they can go to see who has access to what," he said. "A lot of people move to different divisions within the company, but they're retaining their entitlements to information from their former departments. We need to put identity information in a central location."
Programmers have generally built access privileges into the applications they write. But First American wants some way to define access privileges once and apply them to a number of different applications. Securent enables this by letting its customers create a Web service that's called whenever a user tries to access an application.
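The pattern described here, sketched as an added example that is not Securent's code or API: one central decision function that several applications call, with field-level rules keyed on a user's position, department, and office. Every name, field, and policy below is a hypothetical, constructed for illustration.

```python
# Added illustration of externalized, field-level authorization.
# POLICIES, decide, enforce, entitlements and all field/attribute names are
# hypothetical; they are not taken from any vendor product.

# Central policy table (constructed sample): (application, field) -> rule.
# Any (application, field) pair that is not listed is denied by default.
POLICIES = {
    ("hr_app", "name"): lambda u: True,
    ("hr_app", "salary"): lambda u: u["position"] == "hr_manager",
    ("title_app", "owner"): lambda u: u["department"] == "title",
    ("title_app", "loan_amt"): lambda u: (u["department"] == "title"
                                          and u["office"] == "HQ"),
}

def decide(user, app, field):
    """Decision point: permit only if a rule exists and evaluates true."""
    rule = POLICIES.get((app, field))
    try:
        return bool(rule and rule(user))
    except KeyError:  # user record lacks a needed attribute: fail closed
        return False

def enforce(user, app, record):
    """Enforcement point: each application calls this before showing a record.
    Fields the user is not entitled to are dropped entirely, not masked."""
    return {f: v for f, v in record.items() if decide(user, app, f)}

def entitlements(user):
    """Audit view: every (application, field) this user can currently see."""
    return sorted(key for key in POLICIES if decide(user, *key))

if __name__ == "__main__":
    # Constructed sample user and record.
    alice = {"position": "analyst", "department": "title", "office": "HQ"}
    record = {"owner": "J. Doe", "loan_amt": 250000, "notes": "internal"}
    print(enforce(alice, "title_app", record))
    print(entitlements(alice))
    # A transfer changes one central attribute; access in every application
    # follows at the next decision, so nothing is retained from the old role.
    moved = dict(alice, department="hr")
    print(enforce(moved, "title_app", record))
    print(entitlements(moved))
```

Because access is computed from central attributes at request time, the `entitlements` listing doubles as the single place an auditor can check who can see what.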
The first phase of Securent's yearlong intranet revamp is set to go live August 20. That portion of the project will create and send notifications to all relevant departments when an employee is hired, fired, or moved to a different location. Subsequent features will be added as the project progresses, although Tepper says there are no plans right now to use Securent to restrict database administrator access, even though version 3.0 features this capability. If Securent is sufficiently able to protect First American's intranet applications and data, the company may consider a Securent implementation that offers entitlement management for Web-based applications used by customers, contractors, and business partners.
Securent's Entitlement Management Solution includes management and policy administration software, as well as policy enforcement agents and a software developer's kit for companies that want to use the entitlement management software with custom-written applications. The software also supports the Extensible Access Control Markup Language standard, which lets companies add consistent and seamless policy enforcement to applications and databases, including Oracle and Microsoft SQL Server.
Tepper considers his company's investment in Securent software to be a "low-to-mid size" expense at "a little over six figures." But that doesn't mean there isn't a lot riding on the success of this project. "I'm not in the business of throwing away a hundred grand," he said.