A blog about “safety” and what it means to be “safe”. The often depressing truth is that there is no such thing. The bad news is that nothing is ever 100% secure. Not if you want to actually be able to use the information anyway!
That does not mean, however, that we should throw our hands up in the air and give up; quite the opposite. “Safety”, like security, is a relative term, and it always comes down to an organisation’s risk appetite. A good security architecture is always risk driven, with a response proportionate to both the value of the assets and the risk posed by the threats arrayed against them. But I’ll save risk assessment for a later blog…
For the moment let’s consider the qualities of the asset we are trying to protect. I’ll take you back to my much maligned “Joe Bloggs” view of information security, in which he states ‘it’s about keeping people out of computers, innit?’. My last blog dispelled the myth that computers are our area of focus; now let’s deal with the other half – “it’s about keeping people out”.
Now as we’ve said, to keep everybody out is not possible. It’s also a very negative view of security which will lead the organisation concerned to think you are just there to stop them doing business. I’ve lost count of the times that security is seen as a business barrier, not the business enabler it should be.
Clearly one of the aims of security is “keeping the right people in”. We call this CONFIDENTIALITY. It is probably most people’s first concern, and quite correctly too. However, it’s only one of the trio that make up our security “CIA”.
Some organisations have no confidentiality concerns at all. Say a public sector organisation is only concerned with ensuring public information is on the web 24x7x365. Ask any IT department when their stakeholders start to complain, and rarely will they say it’s when information is given out; instead it’s when the information cannot be accessed or used at all. The system is down, the network is out or slow, the access is restricted. In today’s day and age we are used to “always on” and “instant access”. What concerns people most is really the AVAILABILITY of the information assets.
Finally, how would you feel if your bank dropped a couple of zeros from your bank account? How annoying is it when your name is spelt incorrectly by your utility company? What are the consequences if you’ve been mislabelled a debtor, or a criminal, or your penicillin allergy has been missed off your medical file? Information has to be accurate, up to date and relevant to be useful. Acting on damaged, corrupt or simply wrongly input data can have serious and far reaching consequences. We call this third quality of information its INTEGRITY.
It’s the CIA that protects us from DDD.
- Disruption vs. Availability
- Damage vs. Integrity
- Disclosure vs. Confidentiality
Getting the balance right…
Organisations will each have a different Confidentiality, Integrity and Availability (CIA) balance. For some, confidentiality will be the most important; for others it may not be relevant at all, as long as the information is available and accurate. Consider the threat of a fire to our building assets: the main damage caused is that the asset becomes unavailable, or its integrity is damaged. Once the building has burnt to the ground, let’s face it, the confidentiality of the information inside is pretty much assured.
So we are left with the question of finding the right balance for your organisation. Looking at CIA, it is a question of security vs. usability, risk vs. reward, cost vs. benefit. Yes, nothing is 100% secure, but we should do our best to find the approach that gives us the “most bang for our buck”: a system that fits your organisation and enables it rather than disabling it, adds value, and lets you focus your priorities on the key qualities of the key assets.
Safe may be a relative term, but information security is specific, in that it aims to target the correct qualities of the correct assets in a balanced way to allow you to conduct business in confidence.