It’s drilled into us as soon as we first cut our help-desk umbilical cords and don our information security diapers:
- C is for Confidentiality
- I is for Integrity
- A is for Availability
We cite it like a tantric mantra. Include it in every presentation, as if anyone in the audience hasn’t heard it. Put it on security tests, when it’s the equivalent of awarding points for spell your name at the top. We even use it as the core of most of our risk management frameworks.
Too bad it’s wrong.
Think about this for a moment. If availability is as important as confidentiality or integrity, how is CIA even possibly internally consistent?
Every time we ask for a password we reduce availability. Every time we put in a firewall, access control, encryption, or nearly anything else… we restrict availability.
At least when we are talking about information security. When we talk about infrastructure security, I agree that availability is still very much in the mix. But then we aren’t really concerned with confidentiality, for example – although we might still include integrity. Keeping the bits flowing? That’s infrastructure rather than information security. (And yes, it’s still important).
But I do think there is still a place for the “A”. I mean, who wants to ruin a perfectly good acronym? Especially one with a pathetically juvenile non-sexual double entendre.
A doesn’t stand for Availability, it stands for Attribution. Logging, monitoring, auditing, and incident response? Knowing who did what and when? That’s all attribution. Who owns a piece of information? Who can modify and change it? All that relies on attribution. Pretty much all of identity management – every username, password, and token: attribution.
Availability? When it comes to information, that’s really a usability issue… not security. If anything, more availability means less security.
Changing A from Availability to Attribution solves that problem and makes security internally consistent.
- (This is a prelude to a series of deeper theoretical (nope, not pragmatic) posts based on my Quantum Datum work. Special thanks to the Securosis Contributors for helping me flesh it out – especially Gunnar).