The next frontier for app server supersuites: Security

In rolling out Web Logic Enterprise Security (WLES) this week, BEA is bringing its "we're-the-Switzerland-of-application-security" message to enterprises that are wrestling with complex and often not-well integrated proprietary fabrics of application security schemes and tools.
Written by David Berlind

The announcement, according to company officials, marks the latest and most significant phase of producing a highly identity-centric, one-stop shop for easily applying security policies across a business's entire portfolio of enterprise applications. BEA has absorbed the acquired functionality of stand-alone, best-of-breed provider CrossLogix into the DNA of its existing application platform while maintaining extensibility to other architectures--namely those of IBM's WebSphere and Microsoft's .NET.

The basic goal behind frameworks like this one is to provide a single security management interface to all of an enterprise's applications. Let's take a medical practice, for example. If one doctor can only view radiology records while another doctor can view radiology and surgery records, a universal framework like WLES should make it possible to set those policies once and propagate them to all of the relevant systems. If the radiology data is available through a Web-based application that's driven by WebLogic as well as through the radiology department's canned radiology management application, the presence of such a framework theoretically obviates the need to dive into both separately in order to manage authentication and access control.

Perhaps the most easily understood benefit of such functionality is evident when access rights need to be revoked in order to prevent a disgruntled employee from compromising sensitive data. Depending on how many systems that user has access to, the task of revoking his or her privileges could prove complex and time consuming if each application's security was managed separately. The possibility also exists that one set of privileges could be overlooked. With a universal security framework, it shouldn't take more than a few clicks to perform a company-wide revocation of rights.
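The hub-and-spoke model described in the two paragraphs above, as an added illustration (not BEA or WLES code): a central policy store that two hypothetical applications consult, so a policy set once applies everywhere and a single revocation closes every door at once. The user names, application names and record categories are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PolicyHub:
    """Central policy store: who may see which record category."""
    grants: dict = field(default_factory=dict)   # user -> set of categories
    audit: list = field(default_factory=list)    # (user, app, category, allowed)

    def grant(self, user, category):
        self.grants.setdefault(user, set()).add(category)

    def revoke_all(self, user):
        """Company-wide revocation: one call, every spoke affected."""
        self.grants.pop(user, None)

    def decide(self, user, app, category):
        allowed = category in self.grants.get(user, set())
        self.audit.append((user, app, category, allowed))  # one audit trail
        return allowed


class Application:
    """A spoke (web portal, departmental app) that delegates decisions to the hub."""
    def __init__(self, name, hub):
        self.name, self.hub = name, hub

    def read(self, user, category):
        if not self.hub.decide(user, self.name, category):
            return None                          # denied by central policy
        return f"{category} records from {self.name}"


def build_demo():
    """Constructed scenario: two doctors, two systems holding the same data."""
    hub = PolicyHub()
    hub.grant("dr_radiology", "radiology")       # set once, honoured by every app
    hub.grant("dr_surgeon", "radiology")
    hub.grant("dr_surgeon", "surgery")
    apps = [Application("web-portal", hub), Application("radiology-mgmt", hub)]
    return hub, apps


def access_matrix(hub, apps, user):
    """Which categories the user can reach in each connected application."""
    return {app.name: sorted(c for c in ("radiology", "surgery") if app.read(user, c))
            for app in apps}
```

Because every spoke asks the hub, `revoke_all` leaves no overlooked privilege behind, and the hub's single audit list records each denied attempt.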

Prior to this announcement, BEA's application platform was one of those independently managed silos. IT managers had a choice: They could dive into the BEA platform separately in order to manage its security independently from non-BEA platforms, or they could find a third-party solution that covered the heterogeneous environment in which their BEA-based infrastructure was a participant. Third-party identity management providers like Netegrity, Oblix, and, prior to BEA's acquisition of it, CrossLogix, come to mind. Although the BEA platform served as a hub for managing each of the different BEA spokes, it was, at best, a spoke in the greater scheme of managing all enterprise applications.

In buying CrossLogix and marrying it to the already unified management scheme behind BEA's portfolio, BEA went from being an enterprise application management spoke to being an enterprise application management hub. This is probably just another natural step in the evolution of the application server supersuite--a phenomenon I wrote about last year.

The biggest beneficiaries of this role-reversal will be BEA customers with an affinity for BEA's administration tools and console. Buyers of BEA's WebLogic application server, for example, automatically get a comprehensive administration console for managing its security. Under the hood, it's the WebLogic Enterprise Security offering, but only for whatever BEA-based applications they're running. What's new is that those customers will now be able to use those same tools --- the ones from BEA --- to manage application security on the rest of the enterprise's application servers, portal servers, third-party applications (like the aforementioned radiology application), and Web-based applications regardless of what vendor is behind them.

There is an extra charge involved ($10,000 per CPU) once non-BEA applications need to be managed. Depending on whether or not a canned adapter is available for the infrastructures to which you want to connect WLES, there could be minor Java development work involved. Out of the box, WLES will work with some of the more popular application servers, Web servers, directory services, and other security infrastructure providers.

According to Gartner security analyst John Pescatore, however, becoming a management hub could be an uphill battle for BEA. "If you're a WebLogic shop, this is very good. It equalizes them with IBM's WebSphere. Before this, BEA was always depending on third parties like Oblix or Netegrity. But they're late. After the CrossLogix technology was adapted to BEA's platform, you essentially have an unproven 1.0 product. Meanwhile, IBM, which followed the same acquisition-driven path (it acquired Access360 and Dascom), is at least a year or two ahead."

But BEA officials believe that the company's message of neutrality is the sort of differentiator that will turn heads. In addition to supporting BEA's competition, the offering also supports, in almost plug-in-like fashion, third-party offerings that focus on specific cogs in the application security process: for example, directory services or certificate authorities. The key message behind this other tangent of extensibility, according to BEA vice president George Kassabgi, is that "we don't want customers to feel like they have to throw out whatever they already have in place. Take the authentication service, for example. You can use BEA's built-in one, or pick one that's provided by a best-of-breed third party. We recognize, for example, that we don't have the best-of-breed X.509 certificate management system or directory service. Once you decide how you're going to handle identity management, our framework allows you to take that system and easily integrate into the security of all your enterprise applications."

BEA is taking care not to create an impression that alienates the partners that were complementary to its offerings and therefore helped to build its business. But Gartner's Pescatore remains skeptical. "It sounds good, but in practice, every one of these big guys says they won't compete with their channel. But the truth is, [BEA] will now be competing with companies like Netegrity and Oblix who were a part of their ecosystem. BEA used to sell that stuff. But now, they'll be selling their stuff. It's inevitable in this space. IBM did it. Sun did it. BEA will do it. Eventually, there will be fewer companies in the space."

One thing is certain. This isn't the first time we've seen this acquisition-driven, consolidation-causing, framework-based fever sweep across all the app server vendors. Almost a year ago, shortly after each of the major app server vendors had their plug-and-playable development frameworks (similar to the security framework) in play, there were some land grabs for the companies that plugged in. In my column summarizing the trend, I wrote "I'm beginning to wonder where the appetite of application server supersuites, in terms of how they and their purveyors are swallowing other categories of software whole, will end."

IBM had just acquired Rational. Oracle swallowed Toplink, Borland bought Togethersoft, and BEA ate up CrossLogix. It was a clean sweep of some of the best of the best-of-breed application development toolmakers. Although my "wonderings" were strictly on the development front, I now realize that I was barely scratching the surface. One year later, my guess is that we'll see several more waves of consolidation on the security front.

Five years from now, what will the application server supersuite look like? What companies will be swept up? Which ones will be eliminated? Share your thoughts with your fellow readers using TalkBack. Or write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.