Recently Bloginfosec.com published an article by Warren Axelrod entitled, It’s About Availability and Integrity (not so much Confidentiality). It appears that the article generated a bit of controversy with a response by Jim Bird entitled, It’s About Confidentiality and Integrity (not so much Availability). It’s my contention that both authors are right and wrong when it comes to the CIA triad.
When it comes to theory, neither of the three components of the CIA triad can take precedence over any other one. They are all necessary conditions for security. Try to take away one condition and you will find that your protection is inadequate (or irrelevant). When it comes to pragmatism, both authors are still correct and incorrect. They are correct in that one can weight different aspects of the CIA triad but both are wrong because they fail to address the fact that these weights are situational and context dependent. As such, we find we are in a controversy that really does not exist.
The loss of a working production system for a period of about a month will cost the bank, by some estimates, at least 60 million Euros.
And Bird writes,
Availability of systems and data is a devops problem that requires application developers and architects and operations engineers to work together. I don’t see where security experts add value in ensuring Availability – with the possible exception of helping architects and engineers understand how to protect themselves from DDOS attacks.
In the Axelrod quote, the context is about the failure of a production application. Bird’s context is one of a particular information security professional’s job responsibility. These are not contradictory viewpoints; they are just different contexts under which to analyze the CIA triad. We can change the scenarios slightly to emphasize the other’s point of view. In the Axelrod case, imagine the system does not fail but the data is open to being compromised. In Bird’s case, larger organizations have dedicated security professionals for business continuity of the application: surely BCP/DR is about availability and this infosec role supports Alexrod’s perspective. If we frame the context of the discussion from a slightly different perspective both authors can support the other one.
Let’s look further into the idea of situational and context dependent information security.