Business Availability Needs

Availability (Foundations of Information Security Series) - Vicente Aceituno @vaceituno - (c) Inovement Europe 2014


Transcript of Business Availability Needs

Page 1: Business Availability Needs

Availability: Foundations of Information Security Series

Vicente Aceituno @vaceituno

(c)Inovement Europe 2014

Page 2: Business Availability Needs

Vicente Aceituno

[email protected] - Skype: vaceituno

Linkedin - linkedin.com/in/vaceituno

Inovement Europe - inovement.es

Video Blog - youtube.com/user/vaceituno

Blog - ism3.com

Twitter - twitter.com/vaceituno

Presentations - slideshare.net/vaceituno/presentations

Articles - slideshare.net/vaceituno/documents

Page 3: Business Availability Needs

Foundations of Information Security Series

Needs
- Secrecy
  - Intellectual Property you Own
  - Intellectual Property you Use
  - Privacy
- Availability
- Retention
- Expiration
- Quality

Obligations
- Technical
- Compliance
- Legal

Page 4: Business Availability Needs

What is Information Security?

“Information Security” is an emergent property of people using information.

People have expectations about information.

If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.

Page 5: Business Availability Needs

What is Information Security?

When expectations about information are met, there is “Security”.

When expectations about information are not met, there is an “Incident”.

Page 6: Business Availability Needs

What is Information Security?

Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.

Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.

Page 7: Business Availability Needs

Availability

Page 8: Business Availability Needs

Availability

Some expectations of people about information are related to ownership, control and use of information over time.

Page 9: Business Availability Needs

Availability

Ownership is defined as having legal rights and duties over something.

Control is defined as having the ability to:
- grant or deny access to users;
- attribute to specific users their use of information.

Use is defined as having access to read, write or modify information.

Page 10: Business Availability Needs

Availability

There is an expectation that information will be controlled during the working window.

There is an expectation that information will be used during the working window.

Page 11: Business Availability Needs

Availability

Information doesn’t sustain itself on thin air: it is used and controlled through information systems.

A transaction is defined as information processing where there is a trustworthy bijective relationship between every output and the input used to produce it.

Bijection: en.wikipedia.org/wiki/Bijection

Learn a bit about information system components at tiny.cc/ISmodels

Page 12: Business Availability Needs

Availability

Transactions should fulfil some basic criteria:

Atomicity: Changes to the state are atomic: either all happen or none happen. These changes include database changes, messages, and actions on transducers.

Consistency: Transformations of the state are correct. The actions taken as a group do not violate any of the constraints associated with the state.

Isolation: Even though transactions execute concurrently, it appears to each transaction T, that others executed either before T or after T, but not both.

Durability: Once a transaction completes successfully (commits), its changes to the state survive failures.

Page 13: Business Availability Needs

Availability

Whether these expectations are met is independent of the observer and repeatable.

Availability expectations can be determined by answering the following questions:

When are the information systems supposed to be up and working? This defines the working window.

What is the minimum acceptable performance of the information systems, measured in outputs per input per unit of time? Any period when performance is below this value is considered downtime. During downtime the use and/or control of information is below satisfactory thresholds.

Page 14: Business Availability Needs

Availability

Availability expectations can be determined by answering the following questions (continued):

What is the maximum duration of downtime of the information systems you are ready to accept for maintenance reasons, and when should it preferably occur? This defines the maintenance window.

How long would a downtime of the information systems be acceptable? This defines unacceptable downtime.

How long is the shortest uptime of the information systems that is acceptable? This defines acceptable uptime.

In the event of information system downtime, how many transactions can be lost?

Answering these questions renders figures that can be measured and managed.

Page 15: Business Availability Needs

Availability related incidents

When there is unacceptable downtime or unacceptable uptime during the working window and outside maintenance windows.

When, upon an unacceptable downtime event, more transactions than acceptable are lost and would have to be restarted.

For a more complete list of incidents check tiny.cc/incidents
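As an added example (not from the slides), the questions on pages 13 and 14 are turned into figures and the incident rules on page 15 are applied to a constructed outage log; the class and field names, the figures and the log entries are my own assumptions, not O-ISM3 terms:

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass
class AvailabilityExpectation:
    # Answers to the questions on pages 13-14; the field names are mine, not O-ISM3 terms.
    working_window: tuple          # (start, end) daily hours the systems must be up
    maintenance_windows: list      # agreed (start, end) maintenance periods
    unacceptable_downtime: timedelta   # a downtime longer than this is an incident
    acceptable_uptime: timedelta       # an uptime shorter than this is an incident
    max_lost_transactions: int         # transactions that may be lost per downtime

@dataclass
class Downtime:                # one outage event from a constructed monitoring log
    start: datetime
    end: datetime
    lost_transactions: int     # transactions that would have to be restarted

def overlaps_working_window(exp, d):
    # Assumes a single downtime event does not span midnight.
    win_start = datetime.combine(d.start.date(), exp.working_window[0])
    win_end = datetime.combine(d.start.date(), exp.working_window[1])
    return d.start < win_end and d.end > win_start

def inside_maintenance(exp, d):
    return any(ms <= d.start and d.end <= me for ms, me in exp.maintenance_windows)

def find_incidents(exp, downtimes):
    """(downtime start, reason) for each downtime that is an availability incident (page 15)."""
    incidents, previous_end = [], None
    for d in sorted(downtimes, key=lambda x: x.start):
        if overlaps_working_window(exp, d) and not inside_maintenance(exp, d):
            if d.end - d.start > exp.unacceptable_downtime:
                incidents.append((d.start, "unacceptable downtime"))
            if previous_end is not None and d.start - previous_end < exp.acceptable_uptime:
                incidents.append((d.start, "unacceptable uptime"))
            if d.lost_transactions > exp.max_lost_transactions:
                incidents.append((d.start, "unacceptable transaction loss"))
        previous_end = d.end    # uptime is measured from the end of any downtime
    return incidents

EXPECTATION = AvailabilityExpectation(   # constructed figures for illustration
    working_window=(time(8), time(20)), maintenance_windows=[(datetime(2014, 3, 2, 12), datetime(2014, 3, 2, 13))],
    unacceptable_downtime=timedelta(minutes=15), acceptable_uptime=timedelta(hours=4), max_lost_transactions=10)
SAMPLE_DOWNTIMES = [   # constructed outage log: inside maintenance / tolerable / incident / outside working window
    Downtime(datetime(2014, 3, 2, 12, 5), datetime(2014, 3, 2, 12, 50), 0),
    Downtime(datetime(2014, 3, 2, 9), datetime(2014, 3, 2, 9, 10), 3),
    Downtime(datetime(2014, 3, 2, 10), datetime(2014, 3, 2, 10, 40), 25),
    Downtime(datetime(2014, 3, 2, 22), datetime(2014, 3, 2, 23), 40)]
```

Only the 10:00 outage is an incident: it exceeds the downtime threshold, follows too short an uptime after the tolerable 09:00 outage, and loses more transactions than allowed; the other three are excused by the maintenance window or the working window.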

Page 16: Business Availability Needs

Achieving Availability

In order to achieve Availability, redundancy and transaction management measures are taken.

The O-ISM3 processes directly related to Availability are:
- OSP-26: Enhanced Reliability and Availability Management
- OSP-20: Incident Emulation
- OSP-15: Operations Continuity Management

In order to manage transactions, information systems need Rollback, Rollforward, Deadlock handling and Compensating transaction capabilities.

Page 17: Business Availability Needs

Availability

Page 18: Business Availability Needs

The O-ISM3 Challenge

This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.

Check the exercise in full at tiny.cc/indepth

A summary of conclusions from the exercise, in relation to availability, follows.

Page 19: Business Availability Needs

Diagram: Business Needs (Secrecy, Intellectual Property, Privacy, Availability) and Business Obligations, each mapped against the traditional concept of Availability.

Page 20: Business Availability Needs

Availability (traditional definition)

ISO Definition: The property of being accessible and useable upon demand by an authorized entity.

ITIL Definition: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security.

CobIT Definition: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Page 21: Business Availability Needs

Availability (O-ISM3 definition) and Availability (traditional definition)

Availability (traditional definition) can’t be measured (it doesn’t have units). Therefore it is not independent of the observer nor repeatable, as Availability (O-ISM3 definition) is.

Availability (O-ISM3 definition) can be used to measure, communicate and manage a specific expectation of people about information.

Availability (traditional definition) is not necessary to measure Availability (O-ISM3 definition).

Availability (traditional definition) and Availability (O-ISM3 definition) are not equivalent.

Availability (traditional definition) and Availability (O-ISM3 definition) are not synonymous.

Page 23: Business Availability Needs

Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at: tiny.cc/osim3LG

Learn Advanced Information Security Management, joining us at an O-ISM3 Course: tiny.cc/osim3