Securing Computer Systems

“Your security policy may or may not involve politeness.”

-- Michael W. Lucas, “Absolute OpenBSD: UNIX for the Practical Paranoid”

I could easily have said the same thing myself in any number of conversations, but it was while I was referring to this book in the course of configuring a new firewall that I realized it was just the perfect way to say it.

This statement illuminates what I consider to be one of the biggest issues facing the adoption and deployment of secure computing systems: security policy is a business decision, and the role of the applications that comprise the system is to enforce that policy, not set it.