Stop reinventing the security wheel
By Robert Scheier
How many security standards -- official and unofficial -- do you have
in your organization? The answer probably is: Too many, and we spend
far too much time and effort creating them.
For starters, there's probably a fairly vague enterprise-wide
standard, somewhere along the lines of "brush your teeth and be nice
to others." At the business-unit level, there's probably a more
specific policy, and at the workgroup level it gets more specific and
more tightly enforced, especially if the users are handling financial
transactions or customer information.
Then there are security policies built around different kinds of
data. Top-level, aggregated data about sales should be protected to a
certain, definable standard. But a specific customer's sales history
should be protected by a different and higher standard of security.
You could also argue for user-specific security policies: A
distributor who accesses your parts database a few times a year to
buy a few commodity items doesn't need the same expensive
authentication you'd throw at a contract manufacturer who's working
under NDA to build a prototype of your next killer product.
Yes, you could create a different security policy for each of these
scenarios. But why should you? Are your different types of security
needs -- whether defined by customer, by user or by type of data --
that much different from the rest of the world's?
I got to thinking about this the other day while talking to a
start-up developing a set of context-sensitive encryption
technologies. Rather than enforce security through the use of
individual passwords and authentication, this vendor plans to take an
object-like approach where encrypted data would contain security
rules about when it would, or would not, allow itself to be
decrypted. Rather than rely only on passwords, firewalls or intrusion
detection systems, the data object itself would be able to tell
whether or not a user should have access to it.
I have no idea how well this would work in the real world. But the
idea of an object-oriented approach to security got me thinking about
reusability, which is one of the prime attractions of object-oriented
development. If we can reuse software components, I thought, why not
create reusable security policies that could be applied across
applications, across entire companies and maybe across entire
Think about building a Web marketplace, for example. You'll need
different security policies for different levels of customers,
suppliers and shippers, but that's true whether you're trading
semiconductors, energy or chemicals. Or consider an intranet designed
to speed the internal budget process. You'll want one security policy
to protect top-level departmental spending data and another, tighter
policy to guard specific employee salary information. But the
requirements for those two security policies will be about the same
whether you're the CIA or a chain of pet stores.
For many security needs, I'd argue, you can define a set of common,
accepted safe practices much like the building codes in place for
virtually every municipality. Such codes specify, for example, how
much artificial light must be available per square foot in public
buildings. In frigid Maine, such codes might require a certain
minimum slant to the roof to prevent ice buildup. In hot and humid
Mississippi, the code might specify certain types of treated wood to
prevent insect damage.
My point is that any given type of building has a lot of common
requirements that can be established once, rather than reinvented by
every builder or architect. The architects and builders then compete
on extra features such as elegance of design, speed of construction,
or quality beyond the minimum called for in the building code.
Of course, the construction industry is far more mature than the
software or the security industry. And we do have security standards
that have evolved around specific technologies, as well as standards
Balkanized across vertical markets, such as Visa's Cardholder
Information Security Program (CISP) or the federal government's
Health Insurance Portability and Accountability Act (HIPAA).
But I think we have fundamental, common, infrastructure-level
security needs that can and should be established and enforced, much
like a building code. That will allow security administrators (and
vendors) to tackle the very difficult, industry-specific security
challenges that remain -- as well as the day-to-day firefighting that
is always a security manager's first priority.
About the author:
Robert L. Scheier is a freelance writer based in Boylston, Mass., who
writes frequently about security issues.
This was first published in July 2001