Michael Farnum's making me shake my head today in confusion based upon a post wherein he's shocked that some businesses may favor availability over (ahem) "security."
Classically we've come to know and love (a)vailability as a component of security -- part of the holy triumvirate paired with (c)onfidentiality and (i)ntegrity -- but somehow it's now unbelievable that one of these concerns can matter more to a business than the others.
If one measures business impact against an asset, are you telling me, Mike, that all three are always equal? Of course not...
Depending upon what's important to maintain operations as an on-going concern or what is required as a business decision to be more critical, being available even under degraded service levels may be more important than preserving or enforcing confidentiality and integrity. To some, it may not.
The reality is that this isn't an issue of absolutes. The measured output of the investments in C, I and A isn't binary -- you're not either 0% or 100% secure. There are shades of gray. Decisions are often made such that one of the elements of C, I and A is deemed more relevant or more important than the others.
Businesses often decide to manage risk by trading off one leg of the stool for another. You may very well end up with a wobbly seat, but there's a difference between what we see in textbooks and what the realities in the field actually are.
Deal with it. Sometimes businesses make calculated bets that straddle the fine line of acceptable loss and readiness and decide to invest in certain things versus others. Banks do this all the time. Their goal is to be right more often than they are wrong. They manage their risk. They generally do it well. Depending upon the element in question, sometimes A wins. Sometimes it doesn't.
Here's a test. Go turn off your Internet firewall and tell everyone you're perfectly secure now. Will everyone high-five you for a job well done?
Firewall's down. Business stops. Not for "security's sake." Pushed the wrong button...
Compensating controls can help offset effects against C and I, but if an asset or service is not A(vailable) what good is it? Again, this depends on the type of asset/service and YMMV. Sometimes C or I win.
Thanks to the glut of security band-aids we've thrown at tackling "security" problems these days, availability has become -- quite literally -- a function of security. As we see the trend move from managing "security" toward managing "risk," we'll see more of this heresy (er, common sense) appear as mainstream thinking.
Since we can't seem to express (for the most part) how things like firewalls translate to a healthier bottom line, better productivity or efficiency, it's no wonder businesses are starting to look to actionable risk management strategies that focus on operational business impact instead.
Measuring availability (at the macro level or transactionally) is easy. IT knows how to do this. Either something is available or it isn't. How do you measure confidentiality or integrity as a repeatable metric?
In my comment to Michael (and Kurt Wismer) I note:
It’s funny how allergic you and Wismer are toward the notion that managing risk may mean that “security” (namely C and I) isn’t always the priority. Basic risk assessment process shows us that in many cases “availability” trumps "security."
This can’t be a surprise to either of you.
Depending upon your BCP/DR/Incident Response capabilities, the notion of a breakdown in C or I can be overcome by resilience that also has the derivative effect of preserving A.
Risk Management != Security.
However, good Security helps to reinforce and enforce those things which lend themselves toward making better decisions on how to manage risk.
What’s so hard to understand about that?
Sounds perfectly reasonable to me.
Security's in the eye of the beholder. Stop sticking your thumb in yours ;)
Speaking of which Twitter's down. Damn! Unavailability strikes again!
/Hoff