
Firestarter: A Is Not for Availability

By Rich

It’s drilled into us as soon as we first cut our help-desk umbilical cords and don our information security diapers:

  • C is for Confidentiality
  • I is for Integrity
  • A is for Availability

We cite it like a tantric mantra. Include it in every presentation, as if anyone in the audience hasn’t heard it. Put it on security tests, when it’s the equivalent of awarding points for spelling your name at the top. We even use it as the core of most of our risk management frameworks.

Too bad it’s wrong.

Think about this for a moment. If availability is as important as confidentiality or integrity, how is CIA even possibly internally consistent?

Every time we ask for a password we reduce availability. Every time we put in a firewall, access control, encryption, or nearly anything else… we restrict availability.

At least when we are talking about information security. When we talk about infrastructure security, I agree that availability is still very much in the mix. But then we aren’t really concerned with confidentiality, for example – although we might still include integrity. Keeping the bits flowing? That’s infrastructure rather than information security. (And yes, it’s still important).

But I do think there is still a place for the “A”. I mean, who wants to ruin a perfectly good acronym? Especially one with a pathetically juvenile non-sexual double entendre.

A doesn’t stand for Availability, it stands for Attribution. Logging, monitoring, auditing, and incident response? Knowing who did what and when? That’s all attribution. Who owns a piece of information? Who can modify and change it? All that relies on attribution. Pretty much all of identity management – every username, password, and token: attribution.

Availability? When it comes to information, that’s really a usability issue… not security. If anything, more availability means less security.

Changing A from Availability to Attribution solves that problem and makes security internally consistent.

  • (This is a prelude to a series of deeper theoretical (nope, not pragmatic) posts based on my Quantum Datum work. Special thanks to the Securosis Contributors for helping me flesh it out – especially Gunnar).
Comments

Spoilers, huge tires and brakes all slow you down, but in most races the pilot with the best of these wins.
If you consider security as being a restriction, you’ve been living in a cave for at least the last 10 years.

Without the progress in security as we know it, we wouldn’t have remote access, teleworking, e-banking, e-commerce, cloud computing, .....

To name a few…

By GeertVDB


It’s about balance and assets.

For a datacenter in a bunker availability is at a premium. You would not put a mobile in a bunker.

Now the phone of Obama would be a challenge. But he has assets available to put layers of security around his mobile without hurting the availability to him but still guarding the confidentiality (aka secret service protection try stealing that phone ;)

By Franc


Our discussion a couple years ago on survivability vs. security was to better denote the trade-off reducing availability and functionality in the face of threats to confidentiality and integrity. Survivability can mean maintaining integrity of information at the expense of availability/usability/functionality, or it may mean the opposite, depending upon what is most important. I think Steve’s comments are spot on in this regard, but I also think you are correct that availability is at odds with usability. ‘Availability’ brings the wrong connotation as it conflicts with ‘C’ and ‘I’. Anti-availability is more accurate.

By Adrian Lane


@Mark Wallace, here’s a similar quote.

“We sometimes go wrong in uninteresting ways, but certain other ways of going wrong, such as when we commit subtle fallacies, are worth studying.”

from Logic: key concepts in philosophy, by Laurence Goldstein

By Paul


Steve,

I have to disagree- usability and security are always in conflict in the short term, but as I said above I agree for the long term.

The problem is balancing, and being willing to make short term usability sacrifices for long term.

Huh. I really like this; before your comment I wasn’t thinking in terms of time scales, and that’s clearly a huge factor. Nice.

By Rich


Endo,

I’m not saying that keeping things up isn’t an absolutely critical component of security, but I’m trying to draw a distinction between information and infrastructure. The needs of the two are often at odds, as I tried to illustrate.

Think of a roller coaster, ship, or anything else where safety is balanced with usability. In the big picture, the two goals are essentially the same- keep the boats floating so you can continue to sell seats. But in practical application? Not so much. Many safety requirements reduce the number of seats available, the cost to maintain the boat, and so on.

In security we protect the pipes, and we protect the stuff in the pipes. When we are focused on the stuff in the pipes, availability is more a usability function.

And yes, it’s all semantics… Although it does have practical implications in certain areas, such as cloud security. Besides, it’s a fun discussion.

By Rich


“Availability? When it comes to information, that’s really a usability issue… not security”

I think this is where this argument goes off the rails.  Usability is a security issue.  Remember, security as a whole for a corporation is the continued ability to turn a profit. Anything that gets in the way of that decreases security.
Likewise with the military or intelligence sectors, security is the ability to effectively continue with the mission of the organization.  The traditional CIA gives the framework for that.

Also, Attribution is a way of achieving confidentiality and integrity.  If C and I are not violated, who cares about attribution?

By Steve


Isn’t your attribution just a function of integrity?  Making sure that the correct people are allowed to change things, the wrong people are not, that changes are authorized or even just expected.

Availability doesn’t mean everyone needs access - it just means that the correct people have access, hence the need for passwords, firewalls etc.

If a file has an unauthorized change then it becomes useless because it can’t be trusted (integrity).  It is just as useless if it is deleted (availability).

I know our Director will be in my cube in seconds if the website is down.

By endo


Every time we replicate data for availability, we undermine both confidentiality (additional exposure) and integrity (how do we propagate changes to the data?).  There is strong empirical evidence that every time we apply confidentiality we undermine availability (as you’ve said) and integrity (All too frequently we block the individual authorized to update the data).  Similar thought experiments can demonstrate that the three attributes are not some magical harmony, but a triad of balanced opposing forces.

C,I, and A must be interpreted by the business owner/mission owner.  This is why “wirecutters are a firewall” is a joke, but not an acceptable implementation.  I believe it is my job to ensure that the information is available to the decision maker when s/he needs it.  Copying the data to a flash drive, digging a 35 foot hole and filling the hole with rebar and concrete does not ensure security. 

Attribution, non-repudiation, logging are all security services that underpin and support the big three. 

I’m not religious about those - there are times when the customer’s actual problem is served better by a Parker-ian hexad or by your triad rather than the traditional. The point of a model is that it is wrong, but we hope that it is wrong in uninteresting ways.  (Can’t find the correct source for that quote). 

I believe that Availability of information is more important to the business owner/ultimate customer than Attribution is (in the general case; there are exceptions). 

Interesting firestarter, but not persuasive.

By Mark Wallace


I think you’re just arguing semantics here.

Availability very much includes the ‘who’ of ‘who has access to information’. This encompasses access control, audit, logging and all those other important things. From a security perspective, this therefore means “only having information available to those who need it” and have a right to access it.

It also includes as you point out the infrastructure aspects, but it is not solely concerned with that.

By Somebloke

