Increasing Business Value Through High-Availability Technology
Business Availability Needs
Transcript of Business Availability Needs
Availability
Foundations of Information Security Series
Vicente Aceituno @vaceituno
(c)Inovement Europe 2014
Vicente Aceituno
[email protected] - Skype: vaceituno
Linkedin - linkedin.com/in/vaceituno
Inovement Europe - inovement.es
Video Blog - youtube.com/user/vaceituno
Blog - ism3.com
Twitter - twitter.com/vaceituno
Presentations - slideshare.net/vaceituno/presentations
Articles - slideshare.net/vaceituno/documents
Foundations of Information Security Series
Needs
  Secrecy
    Intellectual Property you Own
    Intellectual Property you Use
  Privacy
  Availability
  Retention
  Expiration
  Quality
Obligations
  Technical
  Compliance
  Legal
What is Information Security?
“Information Security” is an emergent property of people using information.
People have expectations about information.
If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.
What is Information Security?
When expectations about information are met, there is “Security”.
When expectations about information are not met, there is an “Incident”.
What is Information Security?
Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
Availability
Some expectations of people about information are related to ownership, control and use of information over time.
Availability
Ownership is defined as having legal rights and duties on something.
Control is defined as having the ability to:
  Grant or deny access to users.
  Attribute to specific users their use of information.
Use is defined as having access to read, write or modify information.
Availability
There is an expectation that information will be controlled during the working window.
There is an expectation that information will be used during the working window.
Availability
Information doesn’t sustain itself on thin air; it is used and controlled through information systems.
A transaction is defined as information processing where there is a trustworthy bijective relationship between every output and the input used to produce it.
Bijection: en.wikipedia.org/wiki/Bijection
Learn a bit about information system components at tiny.cc/ISmodels
Availability
Transactions should fulfil some basic criteria:
Atomicity: Changes to the state are atomic: either all happen or none happen. These changes include database changes, messages, and actions on transducers.
Consistency: Transformations of the state are correct. The actions taken as a group do not violate any of the constraints associated with the state.
Isolation: Even though transactions execute concurrently, it appears to each transaction T, that others executed either before T or after T, but not both.
Durability: Once a transaction completes successfully (commits), its changes to the state survive failures.
Availability
Whether these expectations are met or not is independent of the observer and repeatable.
Availability expectations can be determined by answering the following questions:
When are the information systems supposed to be up and working? This is the working window.
What is the minimum acceptable performance of the information systems, measured in outputs per input per unit of time? Any period when performance is below this value is considered downtime. During downtime the use and/or control of information is below satisfactory thresholds.
Availability
Availability expectations can be determined by answering the following questions (continued):
What is the maximum duration of downtime of the information systems you are ready to accept for maintenance reasons, and when should it preferably occur? This defines the maintenance window.
How long a downtime of the information systems would be acceptable? This defines unacceptable downtime.
How long is the shortest uptime of the information systems that is acceptable? This defines acceptable uptime.
In the event of information system downtime, how many transactions can be lost?
Answering these questions renders figures that can be measured and managed.
Availability-related incidents
When there is unacceptable downtime or unacceptable uptime during the working window and outside maintenance windows.
When, upon an unacceptable downtime event, more transactions than acceptable are lost and would have to be restarted.
For a more complete list of incidents check tiny.cc/incidents
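As an added illustration (not part of the original slides) of how the answers to the questions above become measurable figures, the following constructed example encodes an expectation (working window, maintenance window, unacceptable downtime, acceptable uptime, transactions that may be lost) and classifies a constructed list of outages into the two incident types defined above. Class and function names are assumptions; windows are hour ranges within one day and outages are assumed not to cross midnight.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Expectation:
    working_window: tuple[int, int]      # hours of day the systems must be up, e.g. (8, 20)
    maintenance_window: tuple[int, int]  # hours of day reserved for maintenance, e.g. (2, 4)
    max_downtime: timedelta              # longer than this is "unacceptable downtime"
    min_uptime: timedelta                # a shorter gap between outages is "unacceptable uptime"
    max_lost_transactions: int           # losing more than this in one outage is an incident


@dataclass
class Outage:
    start: datetime
    end: datetime
    lost_transactions: int


def overlap(start: datetime, end: datetime, window: tuple[int, int]) -> timedelta:
    """Time that [start, end] spends inside a daily hour window (assumes no midnight crossing)."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    w_start, w_end = day + timedelta(hours=window[0]), day + timedelta(hours=window[1])
    return max(timedelta(0), min(end, w_end) - max(start, w_start))


def classify(outages: list[Outage], exp: Expectation) -> list[str]:
    """Return one line per incident, following the slide's two incident definitions."""
    ww, mw = exp.working_window, exp.maintenance_window
    planned = (max(ww[0], mw[0]), min(ww[1], mw[1]))   # maintenance time that falls in the working window
    incidents: list[str] = []
    last_end = None  # end of the previous outage that counted against the working window
    for i, o in enumerate(outages):
        # Downtime that matters: inside the working window, minus the part covered by planned maintenance
        downtime = overlap(o.start, o.end, ww) - overlap(o.start, o.end, planned)
        if downtime <= timedelta(0):
            continue  # outside the working window or planned maintenance: not an incident
        if downtime > exp.max_downtime:
            incidents.append(f"outage {i}: unacceptable downtime ({downtime})")
            if o.lost_transactions > exp.max_lost_transactions:
                incidents.append(f"outage {i}: {o.lost_transactions} transactions lost, more than acceptable")
        if last_end is not None and o.start - last_end < exp.min_uptime:
            incidents.append(f"outage {i}: unacceptable uptime ({o.start - last_end}) since previous outage")
        last_end = o.end
    return incidents


# Constructed sample: a 08:00-20:00 working window, 02:00-04:00 maintenance, 30 min downtime tolerated
EXPECTATION = Expectation((8, 20), (2, 4), timedelta(minutes=30), timedelta(hours=2), 100)
SAMPLE_OUTAGES = [
    Outage(datetime(2014, 3, 3, 2, 15), datetime(2014, 3, 3, 3, 30), 0),     # planned maintenance
    Outage(datetime(2014, 3, 3, 9, 0), datetime(2014, 3, 3, 9, 10), 5),      # short, tolerated
    Outage(datetime(2014, 3, 3, 10, 0), datetime(2014, 3, 3, 11, 0), 250),   # too long, too many lost, too soon
    Outage(datetime(2014, 3, 3, 22, 0), datetime(2014, 3, 3, 23, 0), 0),     # outside the working window
]
```

Running `classify(SAMPLE_OUTAGES, EXPECTATION)` reports three incidents, all attributable to the third outage.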
Achieving Availability
In order to achieve Availability, redundancy and transaction management measures are taken.
The O-ISM3 processes directly related to Availability are:
OSP-26: Enhanced Reliability and Availability Management
OSP-20: Incident Emulation
OSP-15: Operations Continuity Management
In order to manage transactions, information systems need rollback, rollforward, deadlock handling and compensating transaction capabilities.
Availability
The O-ISM3 Challenge
This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
Check the exercise in full at tiny.cc/indepth
A summary of conclusions from the exercise, in relation to availability, follow.
[Diagram: Business Needs (Secrecy, Intellectual Property, Privacy, Availability) and Business Obligations, with Availability highlighted]
Availability (traditional definition)
ISO Definition: The property of being accessible and useable upon demand by an authorized entity.
ITIL Definition: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security.
CobIT Definition: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Availability (O-ISM3 definition) and Availability (traditional definition)
Availability (traditional definition) can’t be measured (it doesn’t have units). Therefore it is not independent of the observer nor repeatable, as Availability (O-ISM3 definition) is.
Availability (O-ISM3 definition) can be used to measure, communicate and manage a specific expectation of people about information.
Availability (traditional definition) is not necessary to measure Availability (O-ISM3 definition).
Availability (traditional definition) and Availability (O-ISM3 definition) are not equivalent.
Availability (traditional definition) and Availability (O-ISM3 definition) are not synonymous.
Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at: tiny.cc/osim3LG
Learn Advanced Information Security Management, joining us at an O-ISM3 Course: tiny.cc/osim3