Monday, February 4, 2008

The discussion of the moment: A versus C-I-A

Well, it's funny to see this discussion started by Farnum about "Availability versus Security". I remember seeing one of the first product presentations from Symantec after the Veritas deal. It was the first time that I heard someone say something like "there is Availability and there is Security". I remember the guy showing one of the famous "circle slides" with two halves, one representing Availability and the other Security.

At that time it was clear to me that they were showing that only to justify the merger between the Symantec and Veritas product lines. And if you take a look at the article that started all the current discussion, you will see Symantec there. This "segregation" between A and Security is part of their marketing strategy.

I think that there is space for this segregation. Let's face it, the skills needed by someone working on High Availability and Business Continuity are quite different from those used by the regular Security professional. I still think that security assessments and strategies need to take A into account, but I don't see a problem if the controls and initiatives to deal with those risks are conducted by others. I can't see, however, how to talk about Security without talking about Availability. After all, it's part of the definition of Information Security. So, let the other IT departments deal with implementation details of things like clustering and backups, but don't forget to include Availability risks in your assessments, even if it's not your direct responsibility to mitigate them.

I believe that Availability is a very good example of what lots of good minds are predicting about security: the controls and solutions will be integrated into other IT things, like Intrusion Detection in Switches, Antivirus and malware detection in endpoint solutions also used for software distribution and configuration, and so on. It will happen to lots of things, but it doesn't mean that security will vanish from companies. Our job will be more about assessing and planning than about deploying solutions.

Good parts of the "availability discussion" are here, here and here.

