OMG, Availability Trumps Security! Oh, the Horror!
Michael Farnum has me shaking my head in confusion today over a post in which he’s shocked that some businesses may favor availability over (ahem) "security."
Classically we’ve come to know and love (a)vailability as a component of security — part of the holy triumvirate paired with (c)onfidentiality and (i)ntegrity — but somehow it’s now unthinkable that one of these concerns can matter more to a business than the others.
If one measures business impact against an asset, are you telling me, Mike, that all three are always equal? Of course not…
Depending upon what’s important to maintain operations as an on-going concern or what is required as a business decision to be more critical, being available even under degraded service levels may be more important than preserving or enforcing confidentiality and integrity. To some, it may not.
The reality is that this isn’t an issue of absolutes. The measured output of the investments in C, I and A isn’t binary — you’re not simply either 0% or 100% secure. There are shades of gray. Decisions are often made such that one of the elements of C, I and A is deemed more relevant or more important than the others.
Businesses often decide to manage risk by trading off one leg of the stool for another. You may very well end up with a wobbly seat, but there’s a difference between what we see in textbooks and what the realities in the field actually are.
Deal with it. Sometimes businesses make calculated bets that straddle the fine line of acceptable loss and readiness and decide to invest in certain things versus others. Banks do this all the time. Their goal is to be right more often than they are wrong. They manage their risk. They generally do it well. Depending upon the element in question, sometimes A wins. Sometimes it doesn’t.
Here’s a test. Go turn off your Internet firewall and tell everyone you’re perfectly secure now. Will everyone high-five you for a job well done?
Firewall’s down. Business stops. Not for "security’s sake." Pushed the wrong button…
Compensating controls can help offset effects against C and I, but if an asset or service is not A(vailable) what good is it? Again, this depends on the type of asset/service and YMMV. Sometimes C or I win.
Thanks to the glut of security band-aids we’ve thrown at tackling "security" problems these days, availability has become — quite literally — a function of security. As we see the trend move from managing "security" toward managing "risk," we’ll see more of this heresy (er, common sense) appear as mainstream thinking.
Since we can’t seem to express (for the most part) how things like firewalls translate to a healthier bottom line, better productivity or efficiency, it’s no wonder businesses are starting to look to actionable risk management strategies that focus on operational business impact instead.
Measuring availability (at the macro level or transactionally) is easy. IT knows how to do this. Either something is available or it isn’t. How do you measure confidentiality or integrity as a repeatable metric?
In my comment to Michael (and Kurt Wismer) I note:
It’s funny how allergic you and Wismer are toward the notion that managing risk may mean that "security" (namely C and I) isn’t always the priority. Basic risk assessment process shows us that in many cases "availability" trumps "security."
This can’t be a surprise to either of you.
Depending upon your BCP/DR/Incident Response capabilities, the notion of a breakdown in C or I can be overcome by resilience that also has the derivative effect of preserving A.
Risk Management != Security.
However, good Security helps to reinforce and enforce those things which lend themselves toward making better decisions on how to manage risk.
What’s so hard to understand about that?
Sounds perfectly reasonable to me.
Security’s in the eye of the beholder. Stop sticking your thumb in yours 😉
Speaking of which Twitter’s down. Damn! Unavailability strikes again!
/Hoff
Here's one place where small businesses "get it", even if it is by accident. There are never enough resources to secure things, so the focus is always on the overly-simple question "does it work?". Isn't that just a non-CISSP way of saying Availability must be a higher priority than anything else?
By the way, if you explain it to them, you might even get them to grasp Survivability. Small business folks "get" that, because failure is so common in their environment.
I'm somewhat nonplussed by the excitement. Maybe that's because at my day job, availability is very much the only thing that matters. It's not just users screaming about not being able to get their work done, it's also funding agencies annoyed at pouring money into a drain rather than getting science done.
The whole CIA business in the minds of auditors or managers has always been a problem. They come to us with the mindset that we're going to tell them how we are ensuring confidentiality/secrecy and integrity, with the only nod to availability being "DoS attacks (which don't matter)".
Luckily, there's a fairly easy workaround that can be made quite effective. We just point out loudly and repeatedly that if we break confidentiality, or especially if we lose integrity, then we have an availability problem that goes beyond what some 3rd party DoS attack can create. The lack of availability lasts for as long as it takes to figure out what happened and get back into service.
From there, it's often possible to talk more intelligently with them about prevention, detection, and response. Preventing the problem in the first place is good, but because no prevention is perfect, we're trying to lead them into prioritizing detection and response/rebuild capabilities. Sometimes we're successful. It's nice when that happens.
In the final analysis for my job, there is no 3-legged CIA stool. Secrecy and integrity are only some of the means to the end of ensuring availability.
I think the disagreement comes from some pretty deep dogmatic differences, both sides of which are neither righter nor wronger than the other (yet, anyway). Namely, the perception of where security comes into play compared to general IT.
This is a rather fun discussion, and one to keep on the short-list of secgeek conversation starters. CIA: which is least like the others!?