Information Security Concepts: Availability

In the ubiquitous Internet and wireless access era, information must be available 24/7, or whenever it's needed. All the effort spent securing data from unauthorized access or integrity failures may go to waste if it is not accessible when and where it is needed. Business operations rely critically on digital information and electronic information transfer. Perfect backups and massive servers are useless if system and network uptime is minimal. Unreliability brings inefficiency, a recipe for failure. Fortunately, there are numerous solutions available to increase availability. Solutions may be simple or complex, ranging in cost from almost free to as much as you want to spend!

How do we ensure our information is available? In planning, determine optimized computing and memory capacity, plan for growth, and predict peak usage requirements. High-availability solutions are becoming more affordable and simpler. Load balancing and fail-over solutions should be part of the design, not an add-on or a future consideration. These solutions don't just improve performance; they simplify maintenance, and most importantly in this discussion, ensure availability. Virtual server farms make increasing load capacity simpler, and make restores much faster. If these things don't seem that important to you yet, ask yourself: what is the real cost if employees can't do their jobs; if customers can't be serviced? Aren't planned costs for a better infrastructure better than unplanned costs for a crisis?

Availability can be compromised in many ways. Denial of Service (DoS) attacks can bring down networks, servers, or applications. A hacker or disgruntled employee could delete important data. If the network is penetrated, control of servers or network hardware can be usurped. In many cases these attacks happen through worms, like Conficker, without any person's conscious knowledge or intent during the attack. There are many points of failure. Anything, from a server, a database, an application, the LAN, WAN, Wireless net, or Internet connectivity could have an outage. Accidental downtime is possible too, of course. Like Integrity, loss of availability could occur due to error(s) on the part of the support or operations staff.

Inclusion of Availability in the traditional "CIA Triad" is the subject of considerable debate. Over the years I have leaned toward the side of the argument that availability is more of an IT Operations responsibility than an Information Security issue. I see the role of Information Security staff in assuring availability, of course. The reality is that the implementation & support of solutions that guarantee availability are the responsibility in practice of the Operations staff and management.

Authenticity is the fourth and final core concept we will explore. Authenticity is closely linked with Confidentiality and Integrity, but is a distinct and critical component.