assume that applications are built to be secure. The analogy can be home
security systems that do not come with the house, as opposed to door
locks and window latches. Costs to retrofit security frameworks eat into
the funding for new applications, leading to uncertainty and frustration
in IT departments.
If insecure environments can negate the secure applications and secure
applications can become insecure over time, is this a losing battle? As
software architects, we have to guide and convince our customers that it
is not foolish to spend money on application security. It is clear that
security will be an ongoing battle with recurring costs, and businesses
need to plan for it. As long as there is a need to fight the battle, and since
we are using a war metaphor, businesses must pay for a standing army.
What Is the Vendor's Role in Security?
Another aspect of security should be well understood by architects and
designers: some security features must come from the vendors themselves,
and be embedded in the product or tools. Airbags must be designed and
built in by the car manufacturer. Software applications become more
secure because the underlying layers provide certain security features or
models. Bolting solutions on top of applications or tools that do not
recognize or support security concepts may turn out to be very expensive
or infeasible, and may provide a false sense of security. Recognizing what
responsibility belongs to the vendor and what belongs to the customer is
therefore important.
Offshore Security
As companies continue to expand offshore, one cannot assume that secure
environments can be created easily in all countries. Security is a
combination of business, technology, process, and human factors. To this must
be added cultural factors. Some countries, because of their past social
systems, may already be obsessed with security. Others may have always
kept things open and might find it difficult to implement certain formal
procedures because the employees may become uncomfortable with
procedures that go against their social codes.
In some countries, legal recourse may also be limited if a breach occurs.
Laws that exist on paper may be difficult to enforce, due to slow-moving
court systems or inadequate investigative skills at the local law enforcement
agencies, especially where computer crimes are concerned.