RealTime IT News

BEA Tackles Application Security

BEA Systems, Inc. is launching new policy manager tools designed to help companies tighten up who gets to go where in the digital enterprise.

Called WebLogic Enterprise Security, the software does not address viruses, cracker break-ins or other security issues but instead focuses on the centralized authentication policy manager created by CrossLogix, an enterprise-wide authentication solution bought out in February.

The acquisition was part of BEA Systems CEO Alfred Chuang's vision of business process-oriented programming, where the customer makes all the decisions from one unified platform.

The software is available for purchase Oct. 28.

But WebLogic Enterprise Security is much more than just an authentication tool, said Mark Moriconi, BEA vice president of business strategy and former owner of CrossLogix.

Because of partnerships with companies like Symantec and VeriSign, Enterprise Security offers authorization and audit integration with single sign-on (SSO) technologies.

It also goes beyond the normal ken for existing authentication, featuring a centralized point of reference for user policies throughout the enterprise that can be broken down into separate applications. With it, a particular employee could have access to one application for a certain project, but be restricted from other areas of the application. That particular employee could also have conditional access to other applications on the intranet.

The CrossLogix-inspired software also saves on processing time and bandwidth.

"It's not a client/server architecture, but distributed in the sense that we take policy and configuration information centrally and distribute them to the services that run in the enterprise," Moriconi said. "The services never go back to the central server, they keep running, so when there are any changes to policy it's distributed to them. A lot of programs go back to the central server and ask for information, and that doesn't scale and that doesn't give you the performance you need."

The single point of failure would indicate that the central server, which can be accessed from a browser over the intranet or Internet, is where an authentication breakdown would occur, but a tight administration feature keeps a rein on the administrators themselves.

While a department head would have responsibility over his charges' use of a certain application, that person would only have control over the applications/areas for which they've been given specific permission by the overall administrator.

Giving regional power to departments while keeping overall control in the hands of the IT department is good for another reason: it lets application developers develop applications instead of instituting security changes.

In the past, a developer would have to hand-code the new policies for every change made to every application, a time-consuming affair, Moriconi said.

"(Hand-coding) takes time, and they also make mistakes," he said. "When you have more and more people coming in, and have bad security, your assets are at risk. The business owners want application developers to develop intellectual property for their business, not build security systems - because they're not experts."

So far, Enterprise Security is only available for WebLogic 8.1, though Moriconi said they are investigating putting it on version 7.0.