On Monday, BEA intends to introduce WebLogic Enterprise Security (WLES), a software package for enforcing employee or business partner access privileges to corporate applications. The initial product, which is set for delivery by the end of October, is based on security software that BEA gained through the acquisition of CrossLogix earlier this year.
BEA's security push mirrors the moves of application server competitors that supply software to build and run corporate applications, such as Web sites and banking systems. Application server companies are building authorisation capabilities, once the exclusive realm of security specialists, within their respective products.
IBM has been selling its WebSphere Java middleware with its Tivoli-branded security products to authorise a person's identity for some time, analysts note. Sun Microsystems already sells an "identity server" with its Java application server and Oracle is expected to outline its security plans next week. Microsoft, meanwhile, has labelled security a top priority and has numerous initiatives, including its Trustworthy Computing initiative, to make software programs more secure.
"Everybody that is selling application platforms has found that people want this type of access management built in," said John Pescatore, an analyst at Gartner. "If you're selling against Oracle and IBM, this is an area that BEA had to fill in."
Companies can use the WLES system to control access to business applications that run on BEA's WebLogic Platform version 8.1, which is a suite of server software products, including a corporate portal, that are based on the Java 2 Enterprise Edition (J2EE) standard.
WLES will also include Java-based tools to allow a company to tie other applications into BEA's security system, including home-grown or packaged applications written with other programming languages. Follow-on versions of WLES, due next year, will work with IBM's competing WebSphere Java server suite as well as with applications written using Microsoft's .Net line of tools, said George Kassabgi, the general manager of application security infrastructure at BEA.
Most existing security products rely on a centralised server to authorise and authenticate a person's entry into a network. BEA's WLES, by contrast, has a distributed set-up built around a single server. It also has "security service modules" -- small applications that reside on several servers on a network. Placing the software that tracks the security policies on several network nodes will allow users to get quicker access to applications, Kassabgi said.
WLES also allows administrators to secure specific software components within a large application. For example, a brokerage company could authorise a stock trader to execute only certain trades at certain times.
BEA said that its security software can work with a company's existing network directories and with security products -- from companies such as Netegrity and Oblix -- that authorise access to a corporate network or a Web site. Or, customers can choose to use all-BEA software for the authorisation.
BEA could start competing with established security companies with its WLES initiative, particularly as it tries to sell the products to its existing customers, said analysts.
"You're seeing the beginnings of a competitive threat coming from big application development and deployment companies to some of the traditional security companies," Earl Perkins, an analyst at Meta Group, said.
Although traditional security companies such as VeriSign have more mature authorisation products, BEA's distributed approach to security and its focus on application development and deployment sets it apart, Perkins said.
"What BEA is attempting to do is to formalise its approach to integrating security within the application for different platforms and different development environments," he said. "It's taking authorisation and authentication to the next step."
