FRAMINGHAM (10/14/2003) - BEA Systems Inc. this week will roll out middleware technology aimed at helping companies build a shared security infrastructure for authenticating, authorizing and auditing user access to both Web-based and legacy applications.
The technology is intended to eventually eliminate the need for companies to embed separate security and access-control functions for each application.
Instead, BEA's new WebLogic Enterprise Security (WLES) product will allow companies to delegate the task of managing and handling such functions to a shared application security service, said George Kassabgi, vice president of application security at the San Jose-based company.
Such a shared environment "would most definitely be the Holy Grail," said Val King, manager of information security at Canadian Pacific Railway Ltd. in Calgary, Alberta.
But despite the need for such technologies, there are enormous challenges involved in linking disparate systems using a shared security service model, users and analysts said. For example, the ability of a product such as WLES to broker identity and security information with older applications is totally untested, King said.
A New Mind-set
"The kind of space that BEA is dealing with is complex enough that a lot of people have been satisfied with work-around solutions," said Randy Heffner, an analyst at Forrester Research Inc. in Cambridge, Mass.
The use of technologies like WLES will also require a fundamental change in the way companies approach application development, said Earl Perkins, an analyst at Meta Group Inc. in Stamford, Conn.
These technologies eliminate the need for developers to code separate access and security functions with each new application. As a result, changes have to be made in the development process to accommodate the exchange of authentication and authorization information between the application and security service layers, he said. "There's a cultural mind-set that needs to change in the way applications are developed," Perkins said.
Even so, technologies such as WLES address an important need, said Robert Levine, president of Sena Systems Inc., an Iselin, N.J.-based systems integrator.
"A number of our leading clients are looking at ways in which they can centralize authorization decisions by pulling them out of applications and making them an infrastructure component," said Levine. The goal is simplified application security policy development and enforcement, he said.
A core aspect of WLES is its ability to work with multiple Web access management products and other security management tools that may be used for authentication and authorization functions, Kassabgi said. The idea is to allow companies to take existing technology and code and turn them into a distributed enterprise security service with minimal disruption, he said.
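To make the shared-service model concrete (the exchange of authorization information between application and security layers that Perkins describes, the centralized authorization decisions Levine's clients want, and the brokering of identity data from several existing stores that Kassabgi outlines), here is an added example. It is not code from the article, from BEA or from the WLES product; every class, function and data value in it is hypothetical and constructed for illustration. It shows a single decision point that merges attributes from two stand-in identity stores, evaluates policy rules written once for all callers, records an audit entry for every decision, and fails closed when a store is unreachable, which is the failure mode King's comment about untested legacy brokering points at.

```python
"""Added example, not code from the article, BEA or WLES: a shared
application-security service that brokers identity attributes, makes
authorization decisions and audits them for several applications, each of
which makes one call to it instead of embedding its own checks.
All names and data are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# An attribute provider adapts one existing identity store (directory, HR
# system, Web access-management product): it returns attributes for a user
# name, or raises if that store is unreachable.
AttributeProvider = Callable[[str], Dict[str, object]]
# A policy rule sees the merged attributes plus the requested action and
# resource and returns True only when it grants the request.
PolicyRule = Callable[[Dict[str, object], str, str], bool]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class SecurityService:
    """Shared policy decision point with an audit trail; one instance serves
    every application that delegates to it."""

    def __init__(self, providers: List[AttributeProvider], rules: List[PolicyRule]):
        self.providers = list(providers)
        self.rules = list(rules)
        self.audit: List[Dict[str, object]] = []  # stand-in for an audit sink

    def authorize(self, user: str, action: str, resource: str) -> Decision:
        attrs: Dict[str, object] = {"user": user}
        try:
            for provider in self.providers:
                attrs.update(provider(user))
        except Exception as exc:  # broad on purpose: this is the broker boundary
            # Fail closed: an unreachable legacy store must not become a grant.
            decision = Decision(False, f"provider_unavailable: {exc}")
        else:
            # Deny by default; any single rule may grant.
            granted = any(rule(attrs, action, resource) for rule in self.rules)
            decision = Decision(granted, "rule_granted" if granted else "no_matching_rule")
        self.audit.append({"user": user, "action": action, "resource": resource,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision


# Constructed sample data standing in for two separate identity stores.
HR_RECORDS = {"alice": {"department": "finance"}, "bob": {"department": "sales"}}
DIRECTORY_GROUPS = {"alice": ["analysts"], "bob": ["reps"]}


def hr_provider(user: str) -> Dict[str, object]:
    return dict(HR_RECORDS.get(user, {}))


def directory_provider(user: str) -> Dict[str, object]:
    return {"groups": list(DIRECTORY_GROUPS.get(user, []))}


def broken_provider(user: str) -> Dict[str, object]:
    raise ConnectionError("legacy directory timed out")


# Policy written once, in one place, for every application.
def finance_reports_rule(attrs, action, resource):
    return (action == "read" and resource.startswith("report:finance/")
            and attrs.get("department") == "finance"
            and "analysts" in attrs.get("groups", []))


def self_service_rule(attrs, action, resource):
    return action in ("read", "update") and resource == f"profile:{attrs['user']}"


# Two applications acting as enforcement points. The legacy one used to carry
# its own hard-coded role check; now both make the same call.
def legacy_report_app(service: SecurityService, user: str, report: str):
    if not service.authorize(user, "read", f"report:finance/{report}").allowed:
        return None
    return f"contents of {report}"  # constructed placeholder for the report body


def web_portal_app(service: SecurityService, user: str, target_user: str) -> bool:
    return service.authorize(user, "update", f"profile:{target_user}").allowed


if __name__ == "__main__":
    svc = SecurityService([hr_provider, directory_provider],
                          [finance_reports_rule, self_service_rule])
    print(legacy_report_app(svc, "alice", "q3"))   # contents of q3
    print(legacy_report_app(svc, "bob", "q3"))     # None
    print(web_portal_app(svc, "bob", "alice"))     # False
    degraded = SecurityService([hr_provider, broken_provider], [finance_reports_rule])
    print(degraded.authorize("alice", "read", "report:finance/q3"))  # allowed=False
    for record in svc.audit:
        print(record)
```

The point to notice is where the logic lives: neither application knows about departments, groups or which store holds them, so swapping the directory for a Web SSO product, or changing who may read finance reports, touches only the providers and rules registered with the service. The audit list is populated for denials as well as grants, and the provider failure path deliberately produces a denial rather than an exception the caller might swallow.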
BEA isn't the only company -- nor was it the first -- to try to move users to a shared security services infrastructure.
Quadrasis Inc. in 2001 was one of the first to release a product aimed at helping companies unify and centralize security policies. The Waltham, Mass.-based company's Security Unifier product was pitched as a tool for brokering security functions across a range of applications, but so far it has failed to gain much market attention.
IBM Corp. moved in that direction by embedding its WebSphere application server software with its Tivoli Access Manager technology. Some vendors of Web access management products, such as Netegrity Inc. in Waltham, Mass., have also been expanding their Web single sign-on technologies for use in legacy environments. Oracle Corp. is expected to make an announcement similar to BEA's next week.
BEA is trying to differentiate itself by making its technology as broadly interoperable with other products as possible, Heffner said. "The difference is that BEA's is more of an architectural approach. And that has a lot of merit," he said.
IBM Upgrades ID Management Line
IBM last week upgraded its Tivoli line of identity management products, adding new features designed to allow companies to use ID information more efficiently and securely in changing business conditions.
The upgrades include the following:
- IBM Tivoli Access Manager Version 5.1, featuring a new Dynamic Rules Engine for automatically pulling user information from multiple sources to help make access-control decisions involving complex transactions. A new Dynamic Group Support feature is aimed at making it easier for companies to respond to organizational changes, such as mergers and acquisitions, involving ID information.
- Tivoli Identity Manager Version 4.5, offering a new automated workflow engine for managing and enforcing policy based on a user's changing status within a company.
- Tivoli Privacy Manager Version 1.2, with support for real-time privacy and security compliance checks of up to 100 transactions per second.
The changes are part of IBM's broad effort to enable all of its products to participate in an on-demand computing environment, said Jeff Drake, director of security strategy at IBM. "(ID management) products need to be very flexible. They need to be able to synchronize, receive and send data into business processes" more efficiently, Drake said.
IBM's identity management efforts are well focused, said Val King, information security manager at Canadian Pacific Railway. The railway uses Tivoli tools, among others, to control and secure access to its customer portal site and to manage passwords for its 18,000 employees.