RSA Provides Policy-Based Approach to App Security
- By John K. Waters
Why do so many application development organizations push security to the back
of the bus? One reason, says Gartner analyst Ray Wagner, is that security requires
a level of expertise most developers don't have.
"Organizations often have little confidence that they have implemented
security controls properly because of the high level of sophistication required,
and the result is too often an expensive or even embarrassing scramble when
a problem is found after rollout," Wagner says.
One way around what often amounts to an ad hoc approach to providing security
to and within applications, Wagner says, is the implementation of a centralized,
policy-based approach, which "may allow organizations to more easily control
and audit application security, as well as change security policies over time
without reengineering applications."
That policy-based approach is the cornerstone of a new security middleware
solution unveiled by RSA Security. The RSA BSAFE Data Security Manager is designed
to simplify application security by putting security decisions and design in
the hands of security experts, while easing the implementation of security for
"Our customers tell us, we do believe that it's better to design
security into our applications in the beginning," says RSA product manager
Chris Parkerson, "but when we look at tools that help us to do that, we're
faced with adding six months to a year to our development cycles for people
to get knowledgeable enough about security that they can actually act on this stuff."
RSA BSAFE Data Security Manager is designed to eliminate the need for application
developers to acquire specialized security knowledge, Parkerson says, by providing
a centralized, policy-based control framework, which shifts the responsibility
for making security decisions to security experts and application architects
in the design phase of the application development process.
The BSAFE Data Security Manager resides beneath a business application, hosting
an organization’s data security policy, a library of all applicable security
mechanisms and a protection engine for enforcing these mechanisms. The security
mechanisms include encryption and decryption, signing and verifying, message
authentication, certificate processing and secure transport protocol implementations.
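The decoupling Wagner describes (policy changes without reengineering the application) and the three-part architecture above (a policy, a library of mechanisms, and a protection engine that applies them) can be illustrated with a small policy-driven engine. The following is an added example and not RSA's BSAFE Data Security Manager API; the policy format, the `ProtectionEngine` class, the data-class names, and the demo key are all assumptions made for illustration. The application only names the class of data it is handling; the policy decides which mechanism and parameters apply, and because policies are versioned, records protected under an older policy (here, HMAC-SHA1) still verify after the policy moves to HMAC-SHA256.

```python
import hmac

# Constructed policy documents (not RSA's format). Each version maps a data
# class to a mechanism and its parameters. Keeping every version lets the
# engine verify data protected under an older policy after a change.
POLICIES = {
    1: {
        "audit_record": {"mechanism": "integrity", "hash": "sha1"},
        "customer_email": {"mechanism": "tokenize", "hash": "sha256"},
    },
    2: {
        # Policy change made by the security team: stronger hash for audit
        # records. No application code changes, only this table.
        "audit_record": {"mechanism": "integrity", "hash": "sha256"},
        "customer_email": {"mechanism": "tokenize", "hash": "sha256"},
    },
}


class ProtectionEngine:
    """Hypothetical policy-driven protection engine.

    The application calls protect()/verify() with a data class name and never
    chooses an algorithm itself; the current policy version decides.
    """

    def __init__(self, policies, current_version, key):
        self.policies = policies
        self.current = current_version
        self.key = key  # secret key held by the engine, not the application

    def _mac(self, hash_name, context, payload):
        # The context (mechanism, policy version, data class) is bound into the
        # MAC so a tag cannot be reused for another class or policy version.
        return hmac.new(self.key, context + b"|" + payload, hash_name).hexdigest()

    def protect(self, data_class, payload):
        """Return an envelope protected according to the current policy."""
        rule = self.policies[self.current][data_class]
        env = {"v": self.current, "class": data_class, "mechanism": rule["mechanism"]}
        if rule["mechanism"] == "integrity":
            # Keep the data, attach a keyed tag (payload assumed to be UTF-8 text).
            context = b"integrity|v%d|%s" % (self.current, data_class.encode())
            env["data"] = payload.decode()
            env["tag"] = self._mac(rule["hash"], context, payload)
        elif rule["mechanism"] == "tokenize":
            # Replace the value with an irreversible keyed token; tokens are bound
            # to the class but not the version so lookups survive policy changes.
            context = b"tokenize|%s" % data_class.encode()
            env["token"] = self._mac(rule["hash"], context, payload)
        else:
            raise ValueError("unknown mechanism in policy: %r" % rule["mechanism"])
        return env

    def verify(self, env):
        """Check an integrity envelope using the policy version it was made under."""
        rule = self.policies[env["v"]][env["class"]]
        if rule["mechanism"] != "integrity":
            raise ValueError("envelope is not an integrity envelope")
        context = b"integrity|v%d|%s" % (env["v"], env["class"].encode())
        expected = self._mac(rule["hash"], context, env["data"].encode())
        return hmac.compare_digest(expected, env["tag"])


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"
    old_engine = ProtectionEngine(POLICIES, 1, demo_key)
    new_engine = ProtectionEngine(POLICIES, 2, demo_key)
    record = b"user=alice action=login"  # constructed sample audit record
    old_env = old_engine.protect("audit_record", record)
    new_env = new_engine.protect("audit_record", record)
    print("old record still verifies after policy change:", new_engine.verify(old_env))
    print("new record uses policy v%d, tag length %d" % (new_env["v"], len(new_env["tag"])))
    print("email stored as token only:", "data" not in
          new_engine.protect("customer_email", b"alice@example.com"))
```

The point to notice is what the application never sees: it passes `"audit_record"` and a payload, and whether that becomes an HMAC-SHA1 tag, an HMAC-SHA256 tag, or an opaque token is entirely a policy decision that the security team can change and audit in one place.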
"We're giving the manageability benefits and control to the security people,
who know about regulations and risk management, but we're also encouraging good
security application design on the front end in a way that’s easy for
developers," Parkerson explains. "The security mechanisms will now
be driven by policy."
The new BSAFE Data Security Manager represents a transition in the company's
developer division, Parkerson says, which traditionally focused on selling toolkits
to software and device OEMs.
"Some enterprises have a high level of security sophistication and knowledge--primarily
big financial institutions--to make the most of the tools currently available,"
he says. "But other industries--especially retail--don't have the same
expertise. But they have the same problems--problems that have been exacerbated
by new regulations."
The company expects to begin shipping the new RSA BSAFE Data Security Manager
in late September. For more information, go to: www.rsa.com.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached