Thursday, July 17, 2008

Take the A out of the CIA model for Information Security

Have you ever wondered why Availability is included in the Confidentially, Integrity and Availability model? I did… and wrote this blog to express my thoughts.

Wikipedia definition “Information Security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.”

Hmmm, okay. But why should I, as a security professional, be worried about the availability of the data? The way I see it, if the information is unavailable… then that is better. I believe the Payment Card Industry (PCI) standard was the first regulation to catch on to this. If you read the standard it doesn’t mention the availability, back up or recovery of data, and being a Qualified Security Assessor (QSA), I understand the PCI Council has good reasons why.

As a security professional I understand that the evolution of security. Back in the day… security meant having a firewall and making sure that network was available. However, today security has a completely different role within organization. The ability for the information to be available falls under the jurisdiction of the Chief Information Officer.

I have authored hundreds of security documents that if/when implemented would “break” the functionality of the application, system or process. However, if these controls are not implemented the application, system or process is left vulnerable to attack. Being concerned with availability, you, as the security professional cannot push the implementation of the control. As such, you have accepted the vulnerability.

Why is this important? Many organizations are unable to position Security in the right structure, meaning that security still falls under the CIO. While this can work, there are too many points of failure for security to be embraced within the organization. So, as long as security professionals continue to position themselves with the responsibility of ensuring availability of information, the ability to truly secure the data will be jeopardized.


Andy, ITGuy said...

I think you are confusing availability with availability. :) In the CIA Triad availability is referring to ways that a hacker can make it unavailable. DoS, deleting it, encrypting it, etc.. Not the server being down or offline. I think that availability is critical to our jobs. We just have to make sure we are looking at it in the CIA sense of the word.

Dave Kennedy said...

Andy ITGUY: I disagree, taken specifically from ISC2 and Shon Harris' CISSP All-In-One, Availability is defined as follows:

"The systems and networks should provide adequate capacity in order to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick manner so that productivity is not negatively affected."

Shon continues as follows:

"System availability can be affected by device or software failure. Backup devices should be used and available to quickly replace critical systems, and employees should be skilled and available to make necessary adjustments to bring the system back online.".

Your comment states "deleting it" of or "encrypting it", deleting it or encrypting it would effect the overall integrity and confidentiality of the overall data.

What Ken's main point was again, why is it security's responsibility to maintain up-time of systems, we are only concerns with protecting data, not if theres a hardware failure, or if we're getting DoS'd. While some DoS activities may ultimately lead to security, the overall availability of the system is not important to us.