Don't forget the "A"

IT Security is often described as the assurance of three qualities: Confidentiality, Integrity and Availability. CIA. The "C" is easy to understand, especially since so many organisations have been so helpful by their lack of it, so that we can all point and gawp at massive data losses (while secretly crossing our fingers and hoping the bad guys don't look our way).

Integrity is also easy to understand, and I've blogged before that this was the focus of IT Security efforts when I began my career in the 80s. "C" was hardly talked about, the internet was just an academic plaything back then so we didn't have any public attack surface, thus the only threats were within. The only attack my early employers could envisage was an unauthorised data edit, or perhaps an accidental modification or deletion. Thus we had lots of "I" control.

What of Availability? The "A" of the triad is often the poor relation, many have trouble considering it part of Security in the first place. Surely Availability is part of Service Management, of Disaster Recovery or Business Continuity? Well, yes, but all of those disciplines tend to kick in *after* the service goes down, the first line of defence has to be Security. If you can't apply that change with your day job account, you can't apply those untested code changes and break the system. But perhaps more obviously there is one threat, an attack methodology whose focus is just that single quality. Hitting "A" is the sole objective of the Denial of Service (DoS) attack.

DoS attacks (they are all DoS's but only DDoS's if large numbers of network nodes participate) have exploded in recent years, perhaps due to the perfect storm of ubiquitous internet access, easy availability of simple toolkits with which to launch attacks and political unrest and social disaffection thanks to the global recession. While we security professionals need to do all we can to defend against loss of "A", this article by Dr. Anton Chuvakin points out, among other things, that of the three qualities, Availability is probably the easiest breach to cost, since downtime of your core service usually has a simple economic metric!

But the point of this article is to draw attention to another point Dr Chuvakin makes, almost buried in that blog post, which is this. If Security includes Availability, and Availability is key: why not host your services in a large, redundant, elastic, multi-homed server farm for maximum protection?

Cloud, anyone?