RSA Provides Policy-Based Approach to App Security

Why do so many application development organizations push security to the back of the bus? One reason, says Gartner analyst Ray Wagner, is that security requires a level of expertise most developers don't have.

"Organizations often have little confidence that they have implemented security controls properly because of the high level of sophistication required, and the result is too often an expensive or even embarrassing scramble when a problem is found after rollout," Wagner says.

One way around what often amounts to an ad hoc approach to providing security to and within applications, Wagner says, is the implementation of a centralized, policy-based approach, which "may allow organizations to more easily control and audit application security, as well as change security policies over time without reengineering applications."

That policy-based approach is the cornerstone of a new security middleware solution unveiled by RSA Security. The RSA BSAFE Data Security Manager is designed to simplify application security by putting security decisions and design in the hands of security experts, while easing the implementation of security for developers.

"Our customers tell us, 'We do believe that it's better to design security into our applications in the beginning,'" says RSA product manager Chris Parkerson, "'but when we look at tools that help us to do that, we're faced with adding six months to a year to our development cycles for people to get knowledgeable enough about security that they can actually act on this stuff.'"

RSA BSAFE Data Security Manager is designed to eliminate the need for application developers to acquire specialized security knowledge, Parkerson says. It does so by providing a centralized, policy-based control framework that shifts responsibility for security decisions to security experts and application architects during the design phase of the development process.

The BSAFE Data Security Manager resides beneath a business application, hosting an organization’s data security policy, a library of all applicable security mechanisms and a protection engine for enforcing these mechanisms. The security mechanisms include encryption and decryption, signing and verifying, message authentication, certificate processing and secure transport protocol implementations.

"We're giving the manageability benefits and control to the security people, who know about regulations and risk management, but we're also encouraging good security application design on the front end in a way that’s easy for developers," Parkerson explains. "The security mechanisms will now be driven by policy."
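The architecture the article describes (a policy hosted beneath the application, a library of mechanisms, and an engine that enforces them) can be illustrated with a small policy-driven protection engine. The code below is an added example written for this page; it is not RSA BSAFE Data Security Manager code and does not reflect its API. The names (ProtectionEngine, POLICY_JSON, KEYS, the data classes) are hypothetical, the policy and keys are constructed inline, and the "encrypt-then-mac" mechanism is an HMAC-SHA256 counter-mode stream cipher with a separate MAC so that the example runs on the Python standard library alone; a production engine would call a vetted AEAD instead.

```python
"""Policy-driven data-protection engine (hypothetical illustration).

The application names the data class it is handling; the security team's
policy decides which mechanism is applied. Changing the policy changes the
protection without touching application code.
"""
import hashlib
import hmac
import json
import secrets
import struct

# Constructed policy: owned by the security team, not by the application.
POLICY_JSON = json.dumps({
    "card_number":  {"mechanism": "encrypt-then-mac", "key_id": "k1"},
    "audit_event":  {"mechanism": "mac",              "key_id": "k2"},
    "product_name": {"mechanism": "none"},
})

# Constructed key store; a deployment would source keys from an HSM or KMS.
KEYS = {"k1": secrets.token_bytes(32), "k2": secrets.token_bytes(32)}

TAG_LEN = 32    # HMAC-SHA256 output length
NONCE_LEN = 16


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (HMAC-SHA256); stdlib only."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


class ProtectionEngine:
    """Enforces whatever mechanism the policy assigns to a data class."""

    def __init__(self, policy_json: str, keys: dict):
        self.policy = json.loads(policy_json)
        self.keys = keys

    def mechanism_for(self, data_class: str) -> str:
        try:
            return self.policy[data_class]["mechanism"]
        except KeyError:
            raise ValueError(f"no policy for data class {data_class!r}")

    def _key(self, data_class: str) -> bytes:
        key_id = self.policy.get(data_class, {}).get("key_id")
        if key_id is None:
            raise ValueError(f"policy for {data_class!r} names no key")
        return self.keys[key_id]

    def protect(self, data_class: str, plaintext: bytes) -> bytes:
        mech = self.mechanism_for(data_class)
        if mech == "none":
            return b"\x00" + plaintext
        master = self._key(data_class)
        mac_key = _subkey(master, b"mac")
        if mech == "mac":
            tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
            return b"\x01" + tag + plaintext
        if mech == "encrypt-then-mac":
            nonce = secrets.token_bytes(NONCE_LEN)
            ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
            ct = bytes(p ^ k for p, k in zip(plaintext, ks))
            tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
            return b"\x02" + nonce + tag + ct
        raise ValueError(f"unknown mechanism {mech!r}")

    def unprotect(self, data_class: str, blob: bytes) -> bytes:
        # The header byte records which mechanism produced the blob, so data
        # written under an earlier policy stays readable after a change.
        if not blob:
            raise ValueError("empty blob")
        header = blob[0]
        if header == 0:
            return blob[1:]
        master = self._key(data_class)
        mac_key = _subkey(master, b"mac")
        if header == 1:
            tag, pt = blob[1:1 + TAG_LEN], blob[1 + TAG_LEN:]
            expected = hmac.new(mac_key, pt, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("MAC check failed")
            return pt
        if header == 2:
            nonce = blob[1:1 + NONCE_LEN]
            tag = blob[1 + NONCE_LEN:1 + NONCE_LEN + TAG_LEN]
            ct = blob[1 + NONCE_LEN + TAG_LEN:]
            expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("MAC check failed")
            ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
            return bytes(c ^ k for c, k in zip(ct, ks))
        raise ValueError(f"unknown blob header {header}")
```

The application's only call is `engine.protect("card_number", value)`; which mechanism runs is decided by the policy file, so moving `product_name` from `none` to `mac` is a policy edit, not a code change. Two consequences matter for anyone adopting this pattern: the policy file and the key store become the assets that need change control and audit, and stored blobs must carry enough information (here, the header byte) for the engine to read data protected under an older policy.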

The new BSAFE Data Security Manager represents a transition in the company's developer division, Parkerson says, which traditionally focused on selling toolkits to software and device OEMs.

"Some enterprises have a high level of security sophistication and knowledge--primarily big financial institutions--to make the most of the tools currently available," he says. "But other industries--especially retail--don't have the same expertise. But they have the same problems--problems that have been exacerbated by new regulations."

The company expects to begin shipping the new RSA BSAFE Data Security Manager in late September. For more information, go to:

About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].