Why should a security engineer care about Availability?

A debate between DevOps and Security teams about Disaster Recovery.

In all of my security trainings, you will see me start with the security model, the CIA triangle (Confidentiality, Integrity, Availability), and how these three items can guide the security team toward a secure system.

C and I were easy to accept: we knew what we should do as security engineers. But how about availability? Isn’t it the DevOps team’s responsibility? Well, I dived deeper, and then I understood how it is a security concern. Yes, I know: in the end, since we don’t have enough privileges, they are the ones who should keep the servers running. As security engineers, we should know what the risks are and suggest best practices to them.

Think of a disaster recovery scenario in which your company’s servers are located in an availability zone where a disaster has taken place: all of your services are down and you can’t access even one instance in your region. Primarily, the DevOps team will create corresponding instances, deploy the solutions, configure the necessary infrastructure settings for all of the instances, and retrieve data from backups.

How long do you think it’s going to take? 24 hours? 48 hours? Or maybe a week for a large company, right? As a security team, we should be able to prepare a well-defined business continuity plan and test Continuous Data Replication of all critical instances in another region. Then, in case of an unfortunate incident, we can always fail over to the last recovery point and make sure that the availability of services is preserved.

Security Engineer at Insider. Skilled in Web Application Security and Programming.