Showing posts with label CIA.

Friday, January 14, 2011

The CIA, the lead box at the bottom of the ocean and the sacred cow.

[Where does Availability sit?]

So, the first thing you'll learn when doing networking is the OSI stack, even though everyone uses TCP/IP, which doesn't fit neatly into the OSI model. The first thing you'll learn in InfoSec is the CIA triangle. This is our sacred cow, even though we don't really work towards it. Or do we? Should we?

I really respect the guys at Securosis and admire the way they dust off the sacred cows and take another look at them, arguing first that availability is not for InfoSec to bother with, and then that it is the most important of the three.

If you speak to those that know me professionally, you'll know my feelings on how Information Security should treat the A. I sit in the IT building and my favourite saying is "everyone else in the building is making sure availability happens. I look after the C and the I."

The problem is that protecting Availability is very broad. It is actually easier to define the opposite, a lack of availability, and ask who gets called in:

If a server disk crashes, who gets called in? It's not me.
If a service stops on a server? Not me.
If the firewall blocks a business website? Yep, me.
If a virus crashes the mail server or slows it down? Me.

So, I do manage availability to a point, but not all of it. And, in fact, I seem to manage more Availability than I should. The point is that Availability is an easy sell. IT is full of it. Check your agreements with vendors: they all have something like "99.9...% uptime" SLAs. There are no "99.9...% integrity" or "99.9...% of confidential docs will not be moved" SLAs. Availability can be measured: it's there or it isn't. Integrity and Confidentiality, not so much. Another favourite phrase of mine is "The A in SLA stands for availability, not for agreement. Where are the SLI and the SLC?"

The problem is that, because InfoSec is traditionally based in IT, some of the Need For Availability (NFA?) seeps into our area. The tools we find easiest to sell to business (firewalls, IPS, antivirus) are all there primarily to protect availability. Tools like web filters are also very easy to sell because they stop abuse of the network (think availability) and of time (same). Tools like DLP are a tougher sell because they don't touch availability (and can cause issues there). Backups and DR have been the cause of some really bad C and I episodes. Yet every company does them: availability. This is not to say that backups and the other software we have are bad. Backups, for one, are essential, but availability is king. When did you last audit, for integrity, all of the Excel documents that people use to make business decisions?

The thing is that C and I are opposed to A. The safest network is one that is not connected to the Internet, but what use is that? The way to properly secure a document is to put it in a safe, cover the safe in lead and then in concrete, chain it up for good measure and then dump it at the bottom of the ocean. But, again, what use is that? So, there is an arm wrestle between C and I on one side and A on the other, and that is a good thing.

IT will always fight on the side of the "A", and so should InfoSec, but we also have to fight for the C and I and ultimately get a good balance between all three.

Wednesday, March 7, 2007

Fools to the left of me....

I've been working hard at work. And I've neglected this blog. It started off with a bang and now it is fizzling. So, here is a tidbit I came up with a while ago.

This may be obvious to some, and hopefully it will be obvious once you have read the post, but when I came up with this idea it took a lot of thinking and a lot of convincing of those around me that this is how it works.

Please note that this does not necessarily represent the company I work for, the company I am contracted to or any other company living or dead, blah blah blah. It's hopefully applicable to ALL businesses.

Let's begin... businesses sell stuff. They either sell services or products, but with nothing to sell they are not really all that useful; ask Enron.

Traditionally there have been two camps of people in businesses: users of information, and the guys who make sure that the information gets to where it needs to be. You could call them "Business Decision Makers" and "IT".

Business Decision Makers could be anyone in the company, from the CEO to the receptionist.

For the CEO, think "how many widgets did we sell this week?" For the receptionist it is "What is Jack from Accounts' number, so I can put this call through?"

I call these people "Those that do not know" because they have no idea how the magic happens; they just need it to happen. And if it doesn't, there are problems. Note that IT could fall into this category, as they use information too, but their main job is to make sure that the information gets to where it should be, and they should know how to get it there.

Next is IT. Their contract with Business is an SLA or a KPI. The main part of the contract, in both the IT department's mind and Business's mind, is the "Availability" part. Downtime will be "8 seconds every 7 months" or such. Security is tucked into the contract, but it is way down at the bottom and usually doesn't have an SLA, or a realistic SLA anyhow: "IT will keep all patches up to date".

Traditionally security has been seen as an IT function. But try to do something that may make the organisation more secure but at the same time will require downtime, or could result in unscheduled downtime. You will be hit on the head with the contract and be shown the SLAs. I call the guys in IT, from the CIO all the way down to the guy who fixes PCs, "Those that do not care". It's not really that they don't care about security as such; they just have bigger fish to fry: their SLAs. Talking about the guy fixing PCs, if he has to choose between setting the CEO's password to something hard to guess or to "Password1", which do you think he'll choose? He'll want to get the old man off his back and working again. Availability.

So, we have the two camps, "TTDNK" and "TTDNC". Where does Information Security sit? Well, we sit in the middle. And it's not a comfortable place to sit. Essentially, what we sell (Confidentiality, Integrity and, the big one, Availability) is something that Business does want. They just don't know that their data may be at risk of having one of these taken away. We have to show them that. We also have to show them that by ignoring the C and I they are at risk, and they are the ones that will be left responsible. We also need to work with IT and show them that they can make the C and I work without too much extra on their plates. And with both sides we need to review SLAs that don't allow for things like patching.

Extending this to everyday activities: if a patch comes out for a piece of software, Business should be doing business stuff, not thinking about patches. They should be blissfully unaware of the risk of not patching. IT will be concerned with Availability and will not want to install the patch. Information Security has to sit in the middle, show each camp why the patch must be applied, each in their own language, and get it done.