BANGALORE, INDIA: After many years of purely negative security provided by anti-virus scanners, IDS/IPS, and antispam engines, it’s refreshing to hear that the positive security model—the basis for tried and true security devices like network firewalls and ACLs—is coming back in vogue.
Most recently, this re-emergence of positive policy has revolved around the Web Application Firewall (WAF) and application security market. Yet the comeback of positive security positioning carries with it a very interesting point of detail: although many in the WAF space argue that the positive model is preferable, nearly all application security providers still rely on a partially negative solution.
As the application security market continues to evolve and define itself, there continue to be diverging views on which security methodology is the best option. In reality, enterprise security decisions are highly dependent on many factors, most of which are more business than technology oriented. Implementing an application security solution that is both secure and practical, while still allowing for the fluid nature of protecting dynamic applications, requires taking the best pieces of technology and business analysis and synthesizing them into an effective and efficient security solution.
What does “good” security cost?
In theory, the best security is impenetrable, but practical security does not function as a control group. In a business environment, security is a multivariate problem. What is the performance of the security? How easy is it to deploy? What impact will adding security have on the cost per transaction? Is it more expensive to build an impenetrable security system or risk covering the cost of a public breach?
The quality of the security is always questioned as well, but it’s never the only question. Many security-related questions come from the balance sheets, not the security engineers. Approaching security from a technical standpoint alone does not help the business; it hurts it. Businesses constantly analyze their economic model to generate better operational efficiencies and a greater return on investment; the entire business intelligence market exists for this purpose.
The driving force behind any IT security decision is an evaluation of a situation’s potential risks versus the investment necessary to circumvent these risks. In the same vein, a business’ security efforts should address a business problem; namely, to increase operational efficiencies. Security breaches can mar this efficiency, hurting a company’s value, either in real dollars, operational downtime, or loss of customer trust.
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.