No, availability is not security!

Security is a very important factor in my choice of distributions and software solutions, and I tend to hold a very strict view of what it means from a modern computing standpoint. In one sentence, my stance on security is this: A sound and complete security posture has to take both physical and network security into account.

Anything less will not fly. So when I came across an article that attempts to sell that view short for the sole purpose of promoting a product, it didn’t sit well with me. The offending article was written by Frank Karlitschek, founder and CTO of Owncloud, a cloud storage service and solution.

In “More to Security than Encryption”, he takes the skewed stance that it is (somewhat) OK to call something secure even though it lacks encryption. He then makes several points to support that stance.

Here’s what he wrote about availability and security:

Availability as security — If you own your data it can’t be lost because someone is shutting the cloud service down, or if AWS/Dropbox goes down.

Sure, but what good is not losing your data if an unauthorized party can access it just as easily and readily as you can? There’s no debating the benefits that cloud storage services bring to the table, but there’s an ongoing discussion about the security implications of dumping all your digital assets somewhere out there. I will not take a cloud service or solution that touts “availability as security” seriously. Your data is either secure or it’s not. Just being able to access it wherever and whenever does not count as security. Lost data can still be secure, if nobody else can access it. That’s one of the benefits of encryption.

The other points he made in that article are valid, though a few are debatable, but “availability as security” is dangerous and misleading.

5 Comments

  1. Ostensibly

    The ‘availability as security’ is more like a ‘security blanket’ or assurance from a parent that ‘you’re safe’ than “IT Security”. The ‘security’ in the author’s context would be more of the peace-of-mind variety that the data is owned and housed by you ‘in the cloud’ as opposed to someone else, on their systems, network, drives etc. Not so much that it is available to you but also that its location and control vectors are known.

  2. Pingback: Links 22/1/2013: Linux Outpaces Market Share of Windows, Mozilla Phone, Fedora Reviews Aplenty | Techrights

  3. This is a case of one sentence being taken out of context. The offending quote is only one part of an overall security policy – not a security policy by itself.

    While poorly written (and probably the reason it was misinterpreted), it makes the point that if you cannot access your data when you need it, it doesn’t fulfill the security need or the reason you are putting your files into a cloud in the first place.

    After all, it doesn’t matter how secure anything is if not even the user has access to it.

  4. If you equate denial with theft, i.e., you don’t have it anymore, then the opposite of denial (availability) is a form of security, and the active form of availability (resiliency) is the best defense against denial of service or denial of access attacks.

    This translates best to network security, but it can translate to data/object security as well, where it forms the foundation of disaster recovery (defense against widespread vectors of vulnerability to denial of access attacks).

  5. Encryption is useless if it is just some serverside encryption where I do not control the algorithm and the keys. Encryption only benefits me if I am the keyholder, not some admin who will cooperate with the feds or whomever. Don’t forget Aaron!
