Tuesday, March 31, 2009

The business of security is business

"Security decisions are business, not technical, decisions".
Gunnar Peterson in IEEE Security and Privacy

Yes, exactly. Decisions about authentication and authorization are not technical procedures grafted onto an application to make it "more secure"; they are what enables the application in the first place.

Take the example of one of Vordel's customers, an insurance company which receives insurance "new business" information from a bank. These documents, formatted as XML (XML wrapped in XML, in some cases), include private information which may only be accessed by the appropriate, authorized people. Without authentication and authorization, the solution is impossible.

Consider the common Venture Capitalist question "What would happen if your product didn't exist?". With a perimeter security product like a firewall, the answer is often "The application would be less secure". The application would work fine, but be prone to attack. But, when security decisions are part of the business application itself, the answer is that without the product in place (in this case an XML Gateway), the application itself cannot exist.