Much debate has occurred over the priority order of information confidentiality, availability, or integrity. Which one is more important than the other? It depends. Typical consultative answer right? You cannot blindly say which is more important. The business situation changes the priorities, albeit minor in altitude. Not all information is created equal; thus, we cannot blatantly say that it should be treated with the utmost availability, integrity, or confidentiality.
Customer records, intellectual property, financial records, personal identifiable information, patient records, and so forth deserve all three in the infamous triad of confidentiality, integrity, and availability; however, corporate Christmas party logistics, department communication, and the like do not need the same level of protection. Therefore, it is paramount that organizations understand what is truly of value within the information store of their enterprise. Additionally, organizations need to understand the difference between data and information.
OK, lets assume at this point that organizations do understand the difference between data and information. Lets also assume that they have a handle on what is confidential and what is not within their information store. What good is confidential information if there is no way to verify that it has not been altered in any way? What good is confidential information if it is inaccurate? What good is confidential information if it has been corrupted? What good is confidential information if it has been accessed by non-authorized parties, internal or external? This is only the integrity portion of the equation. Now consider if the confidential information is unavailable for proper consumption. When we consider all of these elements, information is really useless if it is lacking integrity and availability. Whether information is confidential or not is up to the organization; thus, we have to know about the circumstances under which we serve information.
No matter whether information security, cybersecurity, storage management, information life-cycle management, risk management, disaster recovery, business continuity, or otherwise, information must be classified, organized, and treated in accordance with the policies, standards, and practices within that organization. Unfortunately, even within most IT departments today, there is no linkage between what one part of the department is doing and another. Security and Storage departments within the IT division rarely coordinate. In fact, you could insert just about any department within IT into that sentence and it would be accurate. Now take that to the next level, the business. Is it any surprise that IT and the other business units rarely coordinate? No.
Information is the universal language of business. Not IT. Not Security. Not Storage. Information requires organizations to take measures to protect it and make it available to those authorized. These measures need coordination with all IT departments and all business units. Organizations must organize and treat information uniformly according to the associated classification based upon its value, criticality, confidentiality, integrity, availability, and all other pertinent requirements.
The movement to the cloud simply magnifies the need for IT and the business to come together. Without a unification of policies, standards, and practices throughout the enterprise, usage of the cloud will fail to meet the requirements of that organization. Information is what will reside in the cloud. If we do not understand its confidentiality, integrity, and availability, we cannot expect to get the appropriate results as delivered by the “cloud”. Structure is the responsibility of the organization which decides to employ the cloud, not the provider. The provider abides by the specifications of the service levels. Any self respecting, proper provider will never agree to service levels that the “customer” cannot explicitly classify the information and assets to protect.