BEA unveils new enterprise security architecture

Middleware maker BEA Systems Inc. continued to build its security profile on Monday with the announcement of a new distributed security architecture, BEA WebLogic Enterprise Security, or WLES.

The new architecture is built around a patented distributed computing architecture and will allow BEA to offer a cross-platform engine for providing sought-after enterprise security services, including user credentialing, user single sign-on and rules-based authorization, BEA said.

WLES will save companies from relying on isolated security architectures that are hard-coded into applications, or from having to develop customized authorization engines on their own. Instead, companies will get an advanced security services layer that manages security requests on behalf of applications, according to George Kassabgi, vice-president of application security infrastructure at BEA.

Rather than managing redundant security features within each application, BEA customers will be able to use WLES for centralized security policy management through a Web-based administrative console.

Because policy enforcement will be handled by a separate WLES process that runs on or close to the actual application server or network resource it affects, the new security architecture will minimize network traffic related to security and not affect overall network performance, Kassabgi said.

The new security architecture will enable companies with heterogeneous application environments to simplify application security. For example, a company might use WebLogic’s WLES service to bring Web servers running Apache or Microsoft’s Internet Information Server, applications based on WebLogic, WebSphere or .NET, and legacy or custom applications all under the same security umbrella, he said.

That prospect is enticing to companies looking for ways to open their network to employees, customers and even business partners without sacrificing security, according to John Pescatore, an analyst at Gartner Inc.

Robert Levine said that his company is using WLES to help its customers, mostly large financial institutions, simplify the implementation and management of complex entitlement rules that govern the online activities of brokers and other employees.

Such “low-level” entitlements govern not just who can access an application, but also what users can do once they are logged on, said Levine, president of systems integrator Sena Systems Inc. of Iselin, N.J.

By externalizing the entitlement features and joining them to a low-level entitlements engine, WLES makes it easier to develop applications that use a consistent, flexible and centralized security framework, he said.

“It certainly can make development faster and it makes security and risk management easier, too. You have the ability to see how a transaction occurs across multiple systems from a security perspective.”

In the past, BEA relied on third-party security software vendors for security features, calling on Netegrity Inc. of Waltham, Mass., or Oblix Inc. of Cupertino, Calif., for example, to provide user authentication and authorization technology to WebLogic customers.

But that reliance was a hindrance to BEA, which had to send customers out the door when competitors like Sun Microsystems Inc. and IBM Corp. offered their own security products, such as Sun ONE Identity Server, an access management product for Sun’s Open Net Environment (ONE) platform, or Tivoli Identity Manager and Tivoli Access Manager to complement IBM’s WebSphere middleware platform, Pescatore said.

“With IBM, companies were saying, ‘We bought WebSphere, what else can we buy from you?’ BEA was getting the same questions and they were pointing to companies like Netegrity,” he said.

Building application security features into WebLogic has been a high priority for BEA, with company executives saying that application security is a key area of investment for BEA.

In February, BEA bought CrossLogix Inc., a Redwood Shores, Calif., developer of end-user access authorization software. WLES takes advantage of the CrossLogix technology and further evolves security enhancements such as the security service provider interface that BEA introduced in WebLogic 7, Levine said.

With WLES, BEA has further developed that technology for cross-platform deployments and has a chance to improve on some of the mistakes its competitors have made, according to Pescatore.

The addition of WLES doesn’t push BEA to the head of the pack of companies offering secure middleware products, but it does make the company more competitive with IBM and Sun, Pescatore said.

In particular, the new security architecture could give BEA and WebLogic more traction against IBM and its WebSphere and Tivoli products, Pescatore said.

“BEA joined the party late, but has a shot at leapfrogging IBM,” Pescatore said. “WebSphere is a huge product and it has taken time to integrate some of the third party technologies that IBM bought. Execution is important, and IBM stumbled, so now BEA has an opportunity to do it right.”