BMC paves road for access requests

Security policies mean don’t mean much if security administrators aren’t getting user access requests quickly and securely – a problem that’s pushing demand for reliable security workflow tools, according to BMC software Inc.

Security workflow is designed to automatically bridge the gap between those who request access to restricted areas, and those who authenticate them and grant permission. By automatically notifying administrators, workflow should eliminate the confusion that results when requests are made via phone, e-mail or paper.

Houston-based BMC recently acquired Israel-based New Dimension Software, makers of the Control-SA enterprise security management solution suite, in part because they were looking to beef up their own security offering. New Dimension had previously added workflow software – called Control-SA/Workflow – to the suite through its EagleEye Control Software division.

Yishai Yobel, manager of business development with the IT process automation business unit of BMC (formerly New Dimension) in Irvine, Calif., said organizations need workflow functionality now more than ever.

“It automates the front-end process, which at this point is either manual, paper or e-mail that really nobody can track,” he said. “The administrator has no idea that a request is something that is authorized or not.”

Control-SA/Workflow, on the other hand, identifies the employee who made the request, and instantly judges whether or not he or she can gain access, Yobel said.

Using a workflow engine designed by Oracle Corp., Control-SA Workflow comes with a customizable, Web-enabled GUI that features pre-defined, on-line forms. It also lets administrators monitor requests and change processes where necessary, and automatically creates a history and audit trail of requests and approved transactions that gives a corporate-wide perspective.

And if an administrator is away from his or her station, Control-SA can re-route requests to another party for approval, Yobel said.

Although designed to offer more functionality to users of the Control-SA suite, Yobel said Control-SA/Workflow can be also be used as a stand-alone tool. “Then it becomes more of a routing system, [as in] an e-mail. At the final destination of workflow, instead of being )logged through) Control-SA…it can end up in the mailbox in control-SA workflow (itself), or the actual e-mail box of the administrator.”

Nonetheless, administrators will know instantly who sent the request, and whether or not it has been approved, Yobel added.

And Control-SA/Workflow doesn’t require users to be computer-savvy. “The aim is to be very simple. Our assumption is that end-users are not technical, and don’t really know the details of what they’re asking for.”

Although poor workflow methods plague many organizations, there isn’t a big demand for tools like Control-SA/Workflow, according to William J. Malik, research area director with Stamford, Conn.-based Gartner Group Inc. “What there is demand for is something to simplify the problem,” he said.

Not that the technology is inadequate — Malik said Control-SA/Workflow is a strong competitor in an area where relatively few players compete. “The core design of the product is pretty good,” he said.

But the complexities and rapid changes associated with today’s work environment make it difficult to assign and organize security access identifications in the first place. Workflow tools can help administrators collect user IDs and eliminate overlap, Malik said, but they can’t help organizations define the roles that decide where and when separate IDs are required.

“The people that are most amenable to [the workflow] solution…are going to be that subset of your workforce that has a well-defined role,” Malik said, adding that it requires “a very well-defined, very cookie cutter approach to the job.”

The problem is, many employees have sloppy job definitions and haphazard career paths, which means roles often overlap, if they can be defined at all. Malik recalls one large chemical company that tried to organize 25,000 employees into separate roles. “They got through half their staff, and they defined 2,000 roles.” They then gave up, Malik said.

Control-SA/Workflow ( runs on both Unix and Windows NT platforms, and is currently available. It starts at a base price of US$25,000. Additional costs vary depending on the number of users. BMC Software Inc. in Irvine, Calif., is at 1-800-347-4694.