AquaLogic® Enterprise Security
Maintaining application-level security is more of a challenge than ever before. Applications have become more complex. User communities have expanded. Application security is now recognized as a key enabler to unlocking business efficiencies, meaning that the focus of security has evolved from "keeping the bad guys out" to "letting the good guys in." But even as an enabler, managing a complex set of business entitlements for diverse applications and users continues to be a difficult challenge.
So how do you ensure secure user access to enterprise applications and resources? How do you manage policy across multiple application environments throughout the enterprise? How easily can you respond to the increased privacy and regulatory pressures around information access?
Traditionally, application security logic is hard-coded and maintained in each individual application by developers, making it expensive to manage and inflexible to changing business needs. IT infrastructure is evolving to be more agile and aligned with the business, and the underlying security infrastructure must evolve with it. What you require is a solution that simplifies the process of securing your custom applications.
BEA AquaLogic Enterprise Security is a fine-grained entitlement management solution that combines centralized policy management with distributed policy decision-making and enforcement. This combination provides management and control of your critical applications and resources with uncompromised performance and reliability, allowing you to adapt to changing business requirements quickly and easily.
BEA provides the superior solution for meeting your business objectives:
- Enhance business agility
- Improve IT efficiency
- Strengthen security and compliance
Benefits
Enhances Business Agility
- Simplifies the management, enforcement, and auditing of security access policies that more closely model the business and business processes.
- Responds faster to changing corporate and regulatory policies.
- Easily adapts to new business requirements and usage scenarios without re-coding or re-deployment.
- Offers a robust alternative solution to homegrown entitlements that is both scalable and easy to maintain.
Improves IT Efficiency
- Enables reuse and sharing of security services.
- Centralized security policy management alleviates much of the effort in managing and maintaining multiple application security silos.
- Makes security visible by externalizing the application security logic.
- Frees developers up to focus on value-add business logic in application development.
- Extends integration with third-party technologies, leveraging an organization’s existing investment in security.
Strengthens Application Security and Compliance
- Manages all security policies from a single place.
- Provides finer control over the protection of all resources in a SOA.
- Offers detailed context-based auditing of all administrative and end-user events for governance and regulatory compliance.
Capabilities
What is BEA AquaLogic Enterprise Security?
BEA AquaLogic Enterprise Security is a fine-grained entitlements management solution that externalizes entitlements, removing security decisions from the application. It secures access both to application resources and software components (such as URLs, EJBs, JSPs) and to arbitrary business objects (such as customer accounts, patient records). Policies can then be written that outline which users, groups, and/or roles can access those resources.
BEA AquaLogic Enterprise Security provides a patented distributed computing security architecture. Runtime enforcement of entitlements or policies is accomplished through a set of Security Service Modules (SSMs). The SSMs act as the Policy Decision Points (PDPs) and can be deployed in one of two ways depending on an organization's requirements:
- As a centralized entitlements server that can be invoked via Web Services or through the XACML 2.0 request/response protocol.
- As a distributed set of PDPs which plug into the application container itself. In this case, policy is evaluated and enforced locally in the application container so application context can be included in the access decision.

BEA AquaLogic Enterprise Security Architecture.
The SSMs can integrate with a number of Policy Information Points (PIPs) to get user and group attributes or any other entitlements data required to make an access decision. The SSMs can retrieve static user data at the time when a user is authenticated or dynamic entitlements data when a policy is evaluated. The SSMs maintain a fully configurable cache to minimize data retrieval calls to the PIPs.
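The decision flow described above (a PDP evaluating a policy on a business object, with user attributes fetched from a PIP through a cache) can be modelled in a few lines. This is an added example, not BEA code and not the product's Java or Web Services API; the class names, the rule format, the 60-second TTL and the sample data are all assumptions made for illustration. It shows the trade-off any attribute cache introduces: fewer PIP calls, but a revoked entitlement keeps working until the cached entry expires.

```python
import time

class CachingPIP:
    """Hypothetical Policy Information Point wrapper with a TTL cache."""
    def __init__(self, backend, ttl_seconds, clock=time.monotonic):
        self.backend = backend      # callable: user -> attribute dict
        self.ttl = ttl_seconds
        self.clock = clock
        self.calls = 0              # backend round trips, to observe the cache effect
        self._cache = {}

    def attributes(self, user):
        now = self.clock()
        hit = self._cache.get(user)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        self.calls += 1
        attrs = dict(self.backend(user))   # copy: later source changes are not seen
        self._cache[user] = (now, attrs)
        return attrs

class PDP:
    """Toy Policy Decision Point: deny unless some rule permits."""
    def __init__(self, pip, rules):
        self.pip = pip
        self.rules = rules          # list of (action, predicate(attrs, resource))

    def decide(self, user, action, resource):
        attrs = self.pip.attributes(user)
        for rule_action, predicate in self.rules:
            if rule_action == action and predicate(attrs, resource):
                return "Permit"
        return "Deny"

# Constructed policy and business object (not taken from the product).
RULES = [("view", lambda a, r: a.get("role") == "teller"
                                and a.get("branch") == r["branch"])]
ACCOUNT = {"type": "customer_account", "id": "constructed-001", "branch": "north"}

def demo():
    directory = {"alice": {"role": "teller", "branch": "north"}}  # constructed
    now = [0.0]                                                   # fake clock
    pip = CachingPIP(lambda u: directory.get(u, {}), 60, clock=lambda: now[0])
    pdp = PDP(pip, RULES)
    results = [pdp.decide("alice", "view", ACCOUNT)]       # first call hits the PIP
    directory["alice"]["role"] = "former-employee"         # revoked at the source
    now[0] = 30.0
    results.append(pdp.decide("alice", "view", ACCOUNT))   # served from stale cache
    now[0] = 61.0
    results.append(pdp.decide("alice", "view", ACCOUNT))   # TTL expired, re-fetched
    return results, pip.calls
```

When sizing such a cache, the TTL is effectively the maximum revocation delay, so it belongs in the access-control review alongside the policies themselves.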
The SSMs within BEA AquaLogic Enterprise Security contain a security framework that provides a set of standard security services including authentication, authorization, role mapping, auditing and credential mapping. All runtime security services can be invoked directly through either the Java or Web Services APIs.
The Administrative Server is where access control policies and security configurations are defined at the Policy Administration Point (PAP). It offers centralized policy management, delegated administration, and controls the distribution of security policies and configurations to the SSMs. The Administration Server features an administrative console to centrally view and manage all security policies and configurations. In addition, the Administrative Server offers a Web-based console that enables business users to manage user entitlements based upon employee roles in their applications. The Administrative Server provides detailed reporting of security policies and configurations as well as user entitlements across a distributed application environment. It supports the incremental transactional distribution of policies to the SSMs. The Administrative Server supports the export of BEA AquaLogic Enterprise Security policies in XACML 2.0 format. Java and Web Services APIs are available to provide full programmatic access to all BEA AquaLogic Enterprise Security administrative functionality.
