BEA Buys Security Firm CrossLogix

In its drive to offer customers the industry’s most robust and secure infrastructure, BEA Systems, Inc. (Nasdaq: BEAS) announced it has acquired CrossLogix, Inc., a small privately-held provider of enterprise authorization infrastructure in Redwood Shores, Calif. The CrossLogix team and solutions are a part of BEA’s ongoing effort to provide superior application security for customers building and managing business applications and processes with the BEA WebLogic Enterprise Platform. The financial terms of the transaction were not disclosed.

Analytical Summary

Current Perspective: Neutral to positive on BEA’s acquisition of CrossLogix, as the company gains unique policy management/authorization software which it may use to counter suites from competitors such as Sun, Novell, and IBM.

Vendor Importance: Moderate to BEA, as the company gains technology applicable to a niche market, but could leverage the intellectual property for a broader audience.

Market Impact: Low on the application infrastructure market, as BEA’s plans for the technology are not yet clear, however, the notion of performance sensitive “distributed authorization” could impact this market in the long-term.

Competitive Positives

With its acquisition of privately-owned CrossLogix, BEA gains cutting edge security/policy management technology, which could be leveraged in a general purpose policy management/security offering. This would help the company compete against Sun, Novell and IBM, which have better developed policy management product families. It will also help the company garner new corporate customers who view policy management/security as a major factor in a purchasing decision for application infrastructure suites.

In particular, BEA acquires technology that allows authorization to occur in microseconds, enabling transactional applications, particularly in the financial service arena. CrossLogix achieves this by distributing authorization engines to local servers, employing caching of entitlement processes, and other methods. The rapid authorization capabilities will help BEA sell this product as is into niche markets where transactions are time sensitive. Already CrossLogix has a small base of customers in the financial services arena.

The technology also includes advanced provisioning, which allows centralized provisioning and central rules enforcement along with distributed provisioning and policy enforcement. Consoles are JSP (Java Server Page format). The technology is flexible enough that it could be sold into the wider market.

There are a number of integration points in the product that will allow it to fit into BEA’s existing products. CrossLogix has already worked to fit the product into BEA’s application security infrastructure.

The product can easily leverage BEA’s LDAP directory (as well as third-party directories), and there are some elements, such as the JSP console, which fit into a J2EE server environment nicely. Leveraging the CrossLogix technology to build a broader based offering does not pose a huge technical challenge.

Competitive Concerns

Although terms of this deal were not disclosed, CrossLogix is extremely small(less than 25 employees) and its customer base is likely small as well. BEA is not buying marketshare or revenues.

BEA has not yet decided on (or articulated) plans to turn the CrossLogix product into a general purpose policy management/authorization offering. If it remains a niche offering aimed at the financial services arena, it will have less of an impact on BEA’s revenues and the general market.

BEA runs the risk of competing with partners that fit into its security framework if it decides to market this as a general product.

There will be additional work that BEA needs to do to fit this product into its WebLogic framework, including merging its directory (currently OEMe from a third-party) with CrossLogix, and basing more of the services and interfaces on Java (for example, JMX as a management interface). Also, BEA will want to integrate the CrossLogix functionality, or at least expose it, to its WorkShop product, as well as its portal and EJB development tool. This will likely take from six to 24 months.

Recommended Vendor Actions

BEA should strongly consider turning this technology into its own policy management/authorization product, as it has strong differentiators in performance, and distributed management. This will help the company compete with Sun, Novell, IBM, and Microsoft who have stronger policy management offerings.

BEA must continue to partner with a variety of security vendors through its open framework both on the short, medium and long-term. This is a key differentiator for many customers who have invested in third party security solutions.

Over time, BEA should build links between CrossLogix and its application development tools (for example, WorkShop and EJB-Gen) to enhance these tools and ease the job of developers.

Recommended Competitor Actions

Competitors in the policy management/authorization spaces (for example, IBM, Novell, Sun, Microsoft, Netegrity, and so on) should consider technology that speeds up common security procedures such as authorization, in order to enable transaction applications that cannot tolerate latency. Distributing authorization engines is one technique to solve this problem.

Competitors in the provisioning space must continue to provide multiple options for distributing provisioning functionality to departments and different users.

Competitors in this space should monitor BEA’s actions and prepare a response if it decides to take the CrossLogix technology and apply it to a broader target market.