In the IT Security industry, we often refer to the three pillars of Confidentiality, Integrity, and Availability. This is so common, it’s often referred to by the initialism, “CIA” or “CIA Triad”. Laypeople are often not as well informed.
Of course, everyone knows that Integrity is an aspect of security. Pop culture is littered with plots involving changing student grades, expunging criminal records, or wiping a person’s entire identity in a digital world. Nobody wants unauthorized tampering with our data. If we don’t have confidence in the quality of the data, it can’t be trusted for the operations of the organization. Security is how we reduce that risk.
Confidentiality is also a well-known component. Every organization has sensitive information: passwords, financial records and forecasts, salaries, personally identifiable information, intellectual property, e-mail messages, and probably much more. Since we do not want that information in the hands of unauthorized individuals, we deploy security to protect it.
But Availability does not often come to the forefront if you ask the average person about what security means to them. If you were to ask about Denial of Service attacks, then a light will probably come on. But it is so much more than that.
Aspects of Security Relating to Availability
Security includes Business Continuity Planning and Disaster Recovery Planning. (Yes, they are related. No, they are not the same thing.) It also includes Fault Tolerance and High Availability. Capacity Planning ensures that the system has sufficient resources to provide access to the data during periods of increased demand, both now and in the future. Security also includes Quality Assurance and Quality Control (these two concepts actually relate to all three pillars).
In a nutshell, Security includes any controls that ensure that the correct people have access to correct information at the correct time.
By “controls”, I mean not just hardware and software technology, but also any process, policy, or other documentation. The obvious corollary to that is that the information must not be available to unauthorized people or at unauthorized times.
Some time ago, I heard the expression “created negative availability”. At the time, I laughed because it sounded like a really fancy way of saying “caused downtime”. However, now I find that this is how I think about outages. For some people, the word “downtime” can have a very specific meaning; it might only mean that a server crashed.
The term “negative availability” refers to any circumstance where our ideal availability is being negatively impacted. It is subtracting from our availability. Consider the case when someone is performing maintenance on systems that have been taken offline (while other systems take over their function). This does not impact availability, but this could be considered “downtime” by some people. The term “negative availability” is unambiguous.
Of course, there is a very specific form of negative availability: when negative availability exceeds our acceptable level of unavailability (which we call our “Maximum Tolerable Downtime”, or MTD), we consider this a “disaster”, and this is when our DRP comes into play. DRP is a big enough subject that it is beyond the scope of this article.
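As an added illustration (not part of the original article), the Python example below computes negative availability for a two-node service from constructed outage records: maintenance on one node while the other takes over contributes nothing, overlapping outages do, and a window longer than the MTD is flagged as a disaster. The node names, timestamps, the 4-hour MTD, and the choice to compare each continuous window against the MTD are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: offline windows per node of a two-node service.
# Node names, timestamps and the 4-hour MTD are assumptions for illustration.
OFFLINE = {
    "node-a": [("2024-03-01T02:00", "2024-03-01T04:00"),   # planned maintenance
               ("2024-03-09T13:00", "2024-03-09T18:30")],  # crash
    "node-b": [("2024-03-09T14:00", "2024-03-09T19:00")],  # crash while node-a is down
}
MTD = timedelta(hours=4)

def parse(windows):
    """Turn ISO timestamp pairs into a sorted list of (start, end) datetimes."""
    return sorted((datetime.fromisoformat(s), datetime.fromisoformat(e))
                  for s, e in windows)

def intersect(a, b):
    """Overlap of two sorted, non-overlapping interval lists (two-pointer sweep)."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        start, end = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if start < end:
            out.append((start, end))
        # Advance whichever interval finishes first.
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out

def negative_availability(offline_by_node):
    """Windows in which every node was offline, so nothing served the data."""
    per_node = [parse(w) for w in offline_by_node.values()]
    windows = per_node[0]
    for other in per_node[1:]:
        windows = intersect(windows, other)
    return windows

def assess(offline_by_node, mtd):
    """Return (windows, total negative availability, whether any window exceeds MTD)."""
    windows = negative_availability(offline_by_node)
    total = sum((end - start for start, end in windows), timedelta())
    return windows, total, any(end - start > mtd for start, end in windows)

if __name__ == "__main__":
    windows, total, disaster = assess(OFFLINE, MTD)
    for start, end in windows:
        print(f"negative availability {start} -> {end} ({end - start})")
    print(f"total {total}, exceeds MTD of {MTD}: {disaster}")
```

The maintenance window on 1 March produces no negative availability because node-b keeps serving; only the period on 9 March when both nodes are down counts.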
If security were only about Integrity and Confidentiality, our job would be much easier: Write the data to encrypted write-once, read-only media, lock it up in a safe, and drop the whole thing into the Marianas Trench. However, it’s safe to say that this strategy would create negative availability.
Conversely, our drive to create availability must never compromise the integrity or confidentiality of the data. All three pillars of security are vital. None of them should be overlooked.