Security should continue to be an element of enterprise architecture. When we start looking at security as something that is application specific and try to enforce strict standards of security on the application developer as Richard Clarke suggests, we will have all kinds of problems. Software applications are increasingly just modules or components of very complex environments and to build all aspects of security into a given application would be cumbersome, costly, and frankly impossible. It must be incumbent on an enterprise to understand their environment, and build a secure architecture to support it. Security is best performed by specialists who understand risk and vulnerability as it applies to the multi-tiered, complex enterprise and can address issues that include encryption, virus protection, accessibility, authentication, intrusion detection, etc. Software architectures are rarely built using a single software developer or company. If anyone should be held responsible for security in large enterprise systems, it should probably be the integrator who understands the environment into which the application is being placed. Darwin John is quoted saying, "...in the security business, there are no absolutes and that's very difficult for some people to accept." Software is not like a bridge where you can understand the precise envirnomental variables into which the structure is placed unless you produce customized applications for every situation. I don't quite see how the bridge analogy works in this case.
Thursday, May 20, 2004