Saturday, January 24, 2009
Prescriptive compliance weakens enterprise security...
Ever run across an Enterprise Architect who thinks what they do is somehow related to the building trades? Sadly, the conversation has shifted away from more important topics, such as the OWASP Top Ten and learning how to build applications securely up front, to after-the-fact remediation.
A building code isn't meant to be the goal; it is meant to be the minimum that a plumber, carpenter or electrician must meet. In the building trades, people do aspire to do better than code, but the same can't always be said of architects.
The funny thing is that our business customers truly want us to deliver secure software, and they would like us to be proactive, yet we talk to them about spending millions of dollars on after-the-fact compliance. They want to pay for security that enables the strategic intent of the business, not for stuff that is already amortized. Why are we always playing with dead snakes?
So, in my mind, wouldn't it serve both demographics if we talked about technologies such as federated identity? Instead of having silly policies on password complexity, why shouldn't we all be having a conversation about eliminating passwords? Imagine if all enterprise applications could leverage Cardspace: we wouldn't worry about rainbow tables or whether I changed my password in the last sixty days. In other words, federated identity enables the strategic intent on a going-forward basis and also addresses compliance.
More importantly, there are some of us who want to use security as a strategic weapon yet are handicapped by foolish consistency. Using prescriptive regulatory compliance to "get your way" removes your ability to be a better architect and therefore to have proper influence in building secure software.
If enterprise architects can't help make good decisions, then in the eyes of management they do not deserve the right to make the decisions that need to happen. Enterprise security needs to be more than just the guys who manage our PCI stuff. As Gunnar Peterson might say, you can't have security if someone else is telling you how to spend your budget...