Monday, July 23, 2012

It’s About Confidentiality and Integrity (not so much Availability)

Everyone knows the C-I-A triad for information security: security is about protecting the Confidentiality, Integrity and Availability of systems and data.

In a recent post, Warren Axelrod argues that Availability is the most important of these factors for security, more important than Integrity and Confidentiality – that C-I-A should be A-I-C.

I don't agree.

Protecting the Confidentiality of customer data and sensitive business data and system resources is a critical priority for information security. It’s what you should first think about in security.

And protecting the Integrity of data and systems, through firewalls and network engineering and operational hardening, and access control, data validation and encoding, auditing, digital signatures and so on is the other critical priority for information security.

Availability is a devops problem, not a security problem

Axelrod makes the point that it doesn’t matter if the Confidentiality or Integrity of data is protected if the system isn’t available, which is true. But Availability is already the responsibility of application architects and operations engineers. Their job is designing and building scalable applications that can handle load surges and failures, and architecting and operating technical infrastructure that is equally resilient to load and failures. Availability of systems is one of the key ways that their success is measured and one of the main things that they get paid to take care of.

Availability of systems and data is a devops problem that requires application developers and architects and operations engineers to work together. I don’t see where security experts add value in ensuring Availability – with the possible exception of helping architects and engineers understand how to protect themselves from DDOS attacks.

When it comes to Availability, I look to people like James Hamilton and Michael Nygard and John Allspaw for guidance and solutions, not to application security experts.

In information security, C-I-A should be C and I, with a little bit of A – not the other way around.


Anonymous said...

I agree. Confidentiality and Integrity are within the security domain, availability is operations (and application architecture). Availability isn't going to be of much value if you can't trust the integrity of the data.

Dave Mossman said...

Yes, while availability is important in many cases, it's really more of an operational responsibility. However, for confidential data, maintenance of that confidentiality, and being able to verify the integrity are the critical security concerns.

Geoff K said...

I also agree, it is really "CIa". Also telling is that "C" is governed by legislation in various jurisdictions. That would seem to make it pretty important. The "I" can also be covered by legislation or regulation (e.g. financial data held by a bank). The "A" is generally dealt with through service levels and contracts. Governments don't get too involved with "A", except when they are the customer.

Colin said...

Unless you are dealing with Critical Infrastructure, gas, electricity, water etc. In which case Availability is your primary concern, and Denial Of Service is not your friend.

Namblé Désiré Yeo said...

@Colin : I totaly agree with you!
In my point of view there are no generalities here. This matter is closely related to the area requirements... Wheter availability/integrity/ confidentiality is more critical to your business/area of activity or not. And giving this understanding of the domain build a security strategy (which risks you're going to mitigate/accept/transfer) for your business to be efficient.

Site Meter