BEA tackles application security

BEA Systems this week is expected to unveil software for securing applications and managing user access across heterogeneous legacy, Web and application platforms.

BEA Systems this week is expected to unveil software for securing applications and managing user access across heterogeneous legacy, Web and application platforms.

WebLogic Enterprise Security (WLES) addresses a problem created by disparate silos of application security programming, says George Kassabgi, vice president and general manager of application security infrastructure at BEA.

When software developers are responsible for coding and maintaining security policies for individual applications, it inflates the cost of creating, integrating and administering those applications, Kassabgi says. As companies expose more data to expanding user communities, the security burden gets heavier, he says.

WLES is aimed at replacing proprietary, application-specific security silos with a single platform for managing application security. The new product is designed to work in conjunction with a company’s existing security products.

Analysts agree managing users’ identities and access privileges is a key user issue.

“[Companies] have so many different platforms and application architecture environments they’ve reached a complexity ‘tipping point’ that begs for some kind of order,” says Earl Perkins, a vice president at Meta Group.

“None of the systems work together, there are copious legacy solutions, and now everyone wants to make applications and resources easily accessible over Web services,” says Matthew Kovar, a research director at The Yankee Group.

BEA is not the first infrastructure software maker to venture into security management, of course. A BEA rival on the application server front, IBM offers a suite of identity, access and privacy management tools. However, the two companies take different approaches, Perkins says.

IBM is building its own identity management and security product suite, whereas BEA is focused on integrating different security components at an application level. “IBM’s solution is much broader and includes elements of administration and management. There is some competition, but it’s deep within the access-management and integration product lines,” Perkins says.

Nonetheless, there are competitive drivers behind WLES, observers say. BEA needs WLES to compete with the security extensions – Access Manager and Identity Manager – that IBM has added to its WebSphere platform, says John Pescatore, a vice president at Gartner.

Laura Koetzle, a senior analyst at Forrester Research, agrees. WLES is more about keeping existing BEA customers happy than winning over new platform customers. “I don’t see [WLES] as a way of expanding BEA’s footprint, but rather a way of making sure its customer base doesn’t get eaten out from under it by the various platform vendors,” Koetzle says.

BEA used authorization technology gained in its January acquisition of CrossLogix to build WLES. The new iteration features a Web services-based model that lets developers delegate certain application-security functions – such as authentication or auditing – to a shared infrastructure, rather than maintain these functions redundantly within individual applications.

To create shared security services, users can abstract existing security code from an application and turn it into a service using BEA tools. Alternatively, WLES includes out-of-the-box security services such as authentication, identity assertion, credential mapping, rules-based parametric authorization and auditing.

BEA says WLES will be available later this month, priced at $10,000 per CPU.