BEA Tackles Application Security

BEA Systems, Inc. , is launching new policy manager tools designed to help companies tighten up who gets to go where in the digital enterprise.

Called WebLogic Enterprise Security, the software does not address viruses, cracker break-ins or other security issues but instead focuses on the centralized
authentication policy manager created by CrossLogix, an
enterprise-wide authentication solution bought out in February.

The acquisition was part of BEA Systems CEO Alfred Chuang’s vision of
business process-oriented programming, where the customer makes all the
decisions from one unified platform.

The software is available for
purchase Oct. 28.

But Web Logic Enterprise Security is much more
than just an authentication tool, said Mark Moriconi, BEA vice president
of business strategy and former owner of Cross Logics.

Because of
partnerships with companies like Symantec and
VeriSign , Enterprise Security offers authorization
and audit integration with single-sign on (SSO) technologies.

It also goes beyond the normal ken for existing authentication,
featuring a centralized point of reference for user policies throughout
the enterprise that can be broken down into separate applications. With
it, a particular employee could have access to one application for a
certain project, but be restricted from other areas of the application.
That particular employee could also have conditional access to other
applications on the intranet.

The CrossLogix-inspired software also saves on processing time and

“It’s not a client/server architecture, but distributed
in the sense that we take policy and configuration information centrally
and distribute them to the services that run in the enterprise,”
Moriconi said. “The services never go back to the central server, they
keep running, so when there are any changes to policy it’s distributed
to them. A lot of programs go back to the central server and ask for
information, and that doesn’t scale and that doesn’t give you the
performance you need.”

The single point of failure would indicate
that the central server, which can be accessed from a browser over the
intranet or Internet, is where an authentication breakdown would occur,
but a tight administration feature keeps a rein on the administrators

While a department head would have responsibility over
his charges’ use of a certain application, that person would only have
control over the applications/areas they’ve been given specific
permission by the overall administrator.

Giving regional power to
departments while keep overall control in the hands of the IT department
is good for another reason: it lets application developers develop
applications instead of instituting security changes.

In the past, a developer would have to hand-code the new policies for
every change made to every application, a time-consuming affair,
Moriconi said.

“(Hand-coding) takes time, and they also make mistakes,” he said. “When
you have more and more people coming in, and have bad security, your
assets are at risk. The business owners want application developers to
develop intellectual property for their business, not build security
systems – because they’re not experts.”

So far, Enterprise Security
is only available for WebLogic 8.1, though Moriconi said they are
investigating putting it on version 7.0.

News Around the Web