What's happened to availability?

Whatever happened to the A in CIA? That's what a reader asked recently, referring to the tried-and-true information security triad: Confidentiality (keeping secrets secret), Integrity (ensuring information is not modified) and Availability (keeping electronic doors open and IT shops humming).

Availability has become perhaps the most pressing post-9/11 security issue for network-centric firms. Today, responsibility for network availability is being moved from information security staff to others within the corporate organization. Some firms view availability as part of disaster avoidance. For example, how do you pick a location for a back-up data center? What possibilities must be considered? Acts of God, to be sure. But now, acts of man are in the forefront of our paranoia. Package bombs? Severed transportation or communications links? Shoulder-launched missiles fired from buildings or hilltops? Is availability the responsibility of information security professionals, counterterrorism experts or disaster-recovery teams?

Other companies consider availability a part of business continuity. Some cities now provide utility company specialists to coordinate with local companies and critical infrastructures to ensconce mission-critical power and communications lines in concrete tubes under the streets and ostensibly away from danger. Facilities-management staff often take the lead here, even though the pre-eminent aim is to provide real-time backup, redundancy or fail-safe data centers.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Whatever happened to the A in CIA? That's what a reader asked recently, referring to the tried-and-true information security triad: Confidentiality (keeping secrets secret), Integrity (ensuring information is not modified) and Availability (keeping electronic doors open and IT shops humming).

Availability has become perhaps the most pressing post-9/11 security issue for network-centric firms. Today, responsibility for network availability is being moved from information security staff to others within the corporate organization. Some firms view availability as part of disaster avoidance. For example, how do you pick a location for a back-up data center? What possibilities must be considered? Acts of God, to be sure. But now, acts of man are in the forefront of our paranoia. Package bombs? Severed transportation or communications links? Shoulder-launched missiles fired from buildings or hilltops? Is availability the responsibility of information security professionals, counterterrorism experts or disaster-recovery teams?

Other companies consider availability a part of business continuity. Some cities now provide utility company specialists to coordinate with local companies and critical infrastructures to ensconce mission-critical power and communications lines in concrete tubes under the streets and ostensibly away from danger. Facilities-management staff often take the lead here, even though the pre-eminent aim is to provide real-time backup, redundancy or fail-safe data centers.

What I see in too many organizations is turf building, budget grabbing and "stovepiping" - vertical building of a hierarchy within a company that has no contact with other divisions or departments. This is the antithesis of what is needed to meet modern, coordinated threats that transcend corporate-divined organizational boundaries.

A new security triad, CPP, redefines the three main areas of security: Cyber (computer, network and information security), Physical (the wires, silicon, glass and structures) and People (employees, consultants, suppliers, partners and anyone in contact with your company). Under this triad, stovepiping of responsibilities and functions creates unnecessary overlap, wasted resources and a mediocre security posture.

Availability should be dealt with in all three legs of the triad. Physical security is valuable and should be part of any serious security efforts, but it cannot be done in a vacuum. Availability is affected by people - internal folks who, with malice or by ignorance, cause network availability to fail. And for organizations thinking about putting availability exclusively into the hands of physical security or business continuity staffs, think again. Denial of service is more than bombs and floods; It also is network clogging, misbalanced traffic loads, too many MP3 or MPG downloads and viruses and worms, to name a few.

All legs of the security triad are important. That's why stovepiping worries me, and the tales I hear are disturbing.