on the distinction between security and disaster recovery

December 16, 2006

One more post before I let the Nyquil kick in and drag me off to bed.

There are two primary reasons why I think the somewhat arbitrary distinction between security and disaster recovery is important.

  1. Organizational Boundaries: whether it is a good idea or not, there are often lines drawn in IT department org charts which boil down to: group A is responsible for security issues, while group B is responsible for storage issues. In a case like that, each group should be aware of the impact that their decisions and designs have on the other group. Of course, a good security team should always be monitoring the gestalt of the data center, but a disaster recovery team should have just as wide a set of responsibilities.
  2. Organizational Goals: to a large extent, security planning starts from trying to prevent breaches. Disaster recovery professionals need to start from the opposite viewpoint: assume that a disaster is inevitable, examine the impact of that disaster, and examine the costs of mitigating that impact. So, for example, if a security risk can result in the corruption or loss of data, a security professional will start by examining ways to avoid that risk. A disaster recovery professional, on the other hand, will start by assuming that the system was breached and that data was potentially corrupted.

Of course, the line is still fuzzy. Security analysis should always assume that any engineered solution will have undiscovered flaws, and seek ways to mitigate the breach of any single component (“defense-in-depth”). Likewise, disaster recovery planning should always consider ways to prevent any particular negative event from escalating into a disaster: e.g. the simple step of adding a UPS to handle building power failures. But a large part of the distinction, as it exists in my mind, rests on the starting points. (Maybe it goes like this: security pros start from the optimistic viewpoint that they can fix the problems, while disaster pros are pessimists who just know that something bad is bound to happen…)
