Beyond Fear

December 16, 2006

Reading Bruce Schneier's excellent book, Beyond Fear, I was struck by the parallels between it and the disaster recovery field. For those who are not familiar with Bruce or this particular book of his: he's a cryptography/computer security expert who here generalizes his experience with computer systems into real-world security problems, like terrorism and espionage. In this book, he lays out a fairly simple framework of five questions to be addressed when designing a security solution. When I saw these questions, I had an "aha" moment: these are exactly the same questions that one needs to address when designing a disaster recovery solution.

The framework is as follows:

  • Step 1: What assets are you trying to protect?
  • Step 2: What are the risks to the assets?
  • Step 3: How well does the solution address those risks?
  • Step 4: What other risks does the solution introduce?
  • Step 5: What trade-offs does the solution require?

I’d like to spend some time later discussing each of these questions in separate posts. For now, though, I’d like to muse a little bit on the relation between security and disaster recovery (in computer systems). These questions fit so well into disaster recovery planning because security and DR are tightly entwined. From one perspective, disaster recovery is a special case of security planning, in which you are considering risks that are not necessarily human or intentional in origin. From another perspective, security is a special case of disaster recovery, in which a breach, intentional or not, is just another type of disaster.

And yes, I know that I am drawing an arbitrary distinction by stating that security problems are intentional in nature. That’s a very common distinction, though, and I would argue that it is a useful one. Hypothesizing an opponent actively attempting to breach your system is an essential perspective during security planning. Hypothesizing a vengeful god actively attempting to disrupt your system is probably less useful.

When conducting either a disaster recovery planning exercise or a security planning exercise, it is extremely important to include the alternate perspective: what are the impacts on security of a DR solution, and what are the impacts of disasters on a security solution? There is a strong tendency for people to get distracted by the distinction, and forget to take the flip-side into account. Insecure off-site backups (unencrypted data on tapes!) would be a simple example of disaster planners forgetting security issues, while a security solution which didn’t allow people to escape from a burning building would be a flip-side example.
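To make the "unencrypted tapes" flip-side concrete, here is an added example (mine, not code from the post) that walks the five questions through an off-site backup: the asset is the backup payload; the risks are loss, corruption and disclosure of the tape; the solution encrypts and integrity-tags the data before it leaves the site; the new risk the solution introduces is that losing the key now loses the data; and the trade-off is that key custody becomes part of the DR plan. The `restore_drill` function is the DR side of the check: it surfaces a corrupted tape or a lost key before a real disaster does. Everything uses only the Python standard library, so the cipher is HMAC-SHA256 in counter mode (encrypt-then-MAC) as a stand-in for a vetted AEAD; all names and the sample payload are my own.

```python
"""Encrypted, integrity-checked off-site backup plus a restore drill.

Added illustration for the post's five questions, not the post's own code.
The cipher here is HMAC-SHA256 in counter mode with a separate HMAC tag
(encrypt-then-MAC), chosen only so the example runs with the standard
library; a production backup would use a vetted AEAD such as AES-GCM or
ChaCha20-Poly1305.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # per-backup random nonce, stored with the blob
TAG_LEN = 32     # HMAC-SHA256 tag length


class BackupTruncated(ValueError):
    """Blob too short to even contain a nonce and a tag (data loss)."""


class IntegrityFailure(ValueError):
    """Tag mismatch: corrupted tape, or the wrong key (unrecoverable)."""


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(nonce || counter) for each block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_backup(master_key: bytes, payload: bytes) -> bytes:
    """Step 3, the solution: encrypt-then-MAC before the copy leaves the site.

    Returns nonce || ciphertext || tag. Disclosure of the blob no longer
    discloses the payload, and any bit flip is caught on restore.
    """
    enc_key = _derive(master_key, b"enc")
    mac_key = _derive(master_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(payload, _keystream(enc_key, nonce, len(payload)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def restore_backup(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises on loss, corruption or wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise BackupTruncated("backup blob is truncated")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    mac_key = _derive(master_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Step 4, the new risk: a lost or wrong key looks exactly like a
        # corrupted tape. The data is gone either way.
        raise IntegrityFailure("integrity check failed (corrupted, or wrong key)")
    enc_key = _derive(master_key, b"enc")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def restore_drill(master_key: bytes, blob: bytes) -> str:
    """The DR-side check: can this blob actually be restored with this key?

    Returns 'restored', 'truncated' or 'integrity_failure' so the drill can
    be run against every off-site copy before a disaster, not after.
    """
    try:
        restore_backup(master_key, blob)
    except BackupTruncated:
        return "truncated"
    except IntegrityFailure:
        return "integrity_failure"
    return "restored"


if __name__ == "__main__":
    # Constructed sample: a 32-byte master key and a stand-in payload.
    master = secrets.token_bytes(32)
    payload = b"constructed sample payload: payroll.db 2006-12"
    tape = seal_backup(master, payload)
    print("drill with the right key:", restore_drill(master, tape))
    lost_key = secrets.token_bytes(32)
    print("drill after losing the key:", restore_drill(lost_key, tape))
```

The point the drill makes is Step 4 from the post: encrypting the tapes closes the disclosure risk but creates a new data-loss risk, and nothing in the blob distinguishes "corrupted" from "wrong key". The key must therefore be backed up and escrowed as carefully as the data it protects, which is exactly the kind of cross-over a DR plan tends to forget.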

As far as disaster recovery in computer systems goes, I’m going to limit myself to three general classes of asset risk:

  • Data loss
  • Data corruption
  • Availability loss

I’ll be examining Schneier’s framework in light of these three risk classes in later posts.
