Legal issues and security in web services (plus new blog)
August 14th, 2002 by jiri
Mark O’Neill, CTO of the Irish web services security outlet VordelSecure, whom I mentioned here some time ago, has a brand new weblog. This is also a reminder that I should read the technical papers I downloaded from their website.
In his weblog, Mark talks about the legal implications of SAML. Legal issues have quite a significant impact on any security design. In a sense, security does not mean protecting systems, but rather protecting business objectives or people’s objectives. To achieve this goal, good security needs to consider the issue of liability. This means that it is not enough to find out what the risks are and how to protect against them; you must also consider who would be held liable should anything go wrong. When security fails (provided the incident is discovered), you can bet that somebody will need to take the blame. Serious incidents can lead to lawsuits. To a certain extent, you can reduce this risk through appropriate use of technology. To a certain extent, you can transfer the risk to other parties through legal means. On some occasions, this can be a better approach than designing an unusable or technically difficult solution.
Speaking of legal issues, some time ago I came across presentations on legal issues and on security from an Object Management Group workshop on web services.