InfoSec Notes
Understanding the availability principle of the CIA Triad, including redundancy strategies, disaster recovery, DDoS protection, and ensuring systems remain accessible to authorized users when needed.
Understanding Availability
Availability ensures that information systems and data are accessible to authorized users when needed. It is the third pillar of the CIA Triad and addresses business continuity — even the most secure system is useless if legitimate users cannot access it.
Availability is measured in terms of uptime percentage:
| Availability Level | Downtime Per Year | Downtime Per Month | Common Name |
|---|---|---|---|
| 99% | 3.65 days | 7.31 hours | "Two nines" |
| 99.9% | 8.76 hours | 43.8 minutes | "Three nines" |
| 99.99% | 52.56 minutes | 4.38 minutes | "Four nines" |
| 99.999% | 5.26 minutes | 26.3 seconds | "Five nines" |
| 99.9999% | 31.5 seconds | 2.63 seconds | "Six nines" |
Threats to Availability
Natural Threats
- Earthquakes, floods, hurricanes
- Power outages
- Hardware failures (disk crashes, memory errors)
Human-Caused Threats
- Denial of Service (DoS/DDoS) attacks
- Ransomware encrypting critical systems
- Accidental deletion or misconfiguration
- Insider sabotage
Technical Threats
- Software bugs causing crashes
- Resource exhaustion (memory leaks, disk full)
- Network congestion or failures
- Cascading failures in distributed systems
Strategies for Ensuring Availability
1. Redundancy
Redundancy Patterns
=======================
Active-Active (Load Balanced)
Client → [Load Balancer] → Server A (active)
→ Server B (active)
→ Server C (active)
All servers handle traffic simultaneously
Active-Passive (Failover)
Client → Server A (active/primary)
Server B (standby/passive) ← monitors A
If A fails: Server B becomes active (automatic failover)
N+1 Redundancy
Need N servers to handle load
Deploy N+1 servers (one spare)
Any single failure is tolerated
Geographic Redundancy
Region A (US-East) ←→ Region B (US-West) ←→ Region C (EU-West)
Data replicated across regions
DNS routes to nearest healthy region
2. RAID Storage
RAID Level Comparison
========================
RAID 0 (Striping)
[Disk 1: A1,A3,A5] [Disk 2: A2,A4,A6]
↑ Performance, ✗ No redundancy
RAID 1 (Mirroring)
[Disk 1: A1,A2,A3] [Disk 2: A1,A2,A3] (exact copy)
↑ Redundancy, ↓ Storage efficiency (50%)
RAID 5 (Striping + Distributed Parity)
[Disk 1: A1,A3,Px] [Disk 2: A2,Py,A5] [Disk 3: Pz,A4,A6]
Tolerates 1 disk failure, good balance
RAID 6 (Double Parity)
Tolerates 2 simultaneous disk failures
Recommended for large arrays
RAID 10 (Mirroring + Striping)
[Mirror 1: D1a,D1b] [Mirror 2: D2a,D2b]
Best performance + redundancy, expensive
3. Backup Strategies
4. DDoS Protection
| CDN / Edge Layer | ← Geographic distribution, caching |
|---|---|
| (Cloudflare/AWS) | Absorbs volumetric attacks |
| Rate Limiting | ← Throttle excessive requests |
| & WAF | Block known attack patterns |
| Load Balancer | ← Distribute across servers |
| (Auto-scaling) | Scale up during attacks |
| Application | ← CAPTCHA, request validation |
| Layer Protection | Bot detection, IP reputation |
| Origin Servers | ← Only clean traffic reaches here |
5. High Availability Architecture
Real-World Availability Incident: AWS US-East-1 Outage (2021)
What happened: On December 7, 2021, AWS experienced a major outage in the US-East-1 region affecting hundreds of services including Disney+, Netflix, Slack, and many others.
Root cause: A network configuration change caused unexpected behavior in the internal network, creating congestion that cascaded through dependent services.
Impact: ~5 hours of degraded service affecting millions of users.
Lessons learned:
- Avoid single-region architectures for critical services
- Implement multi-region failover
- Design for graceful degradation
- Test disaster recovery regularly
Availability Monitoring
import time
from datetime import datetime
class AvailabilityMonitor:
"""Monitor system availability and calculate SLA metrics."""
def __init__(self, service_name: str, sla_target: float = 99.99):
self.service_name = service_name
self.sla_target = sla_target
self.incidents = []
self.total_minutes_monitored = 0
self.total_downtime_minutes = 0
def record_incident(self, start: datetime, end: datetime, cause: str):
"""Record a downtime incident."""
duration = (end - start).total_seconds() / 60
self.incidents.append({
"start": start,
"end": end,
"duration_minutes": duration,
"cause": cause
})
self.total_downtime_minutes += duration
def calculate_availability(self, period_minutes: int) -> dict:
"""Calculate availability percentage for a period."""
uptime = period_minutes - self.total_downtime_minutes
availability = (uptime / period_minutes) * 100
sla_met = availability >= self.sla_target
return {
"service": self.service_name,
"period_minutes": period_minutes,
"uptime_minutes": uptime,
"downtime_minutes": self.total_downtime_minutes,
"availability": f"{availability:.4f}%",
"sla_target": f"{self.sla_target}%",
"sla_met": sla_met,
"incidents": len(self.incidents)
}Interview Questions
- What is the difference between RPO and RTO?
- RPO (Recovery Point Objective) defines the maximum acceptable data loss measured in time — how far back you can tolerate losing data. RTO (Recovery Time Objective) defines the maximum acceptable downtime — how quickly systems must be restored. Both drive backup and disaster recovery strategies.
- How would you protect a web application against DDoS attacks?
- Layer approach: CDN for edge distribution, rate limiting, Web Application Firewall, auto-scaling infrastructure, geographic load balancing, IP reputation filtering, CAPTCHA for suspicious requests, and having a DDoS response plan with ISP cooperation.
- Explain the 3-2-1 backup rule.
- Keep at least 3 copies of data, stored on 2 different types of media (e.g., disk + tape or disk + cloud), with 1 copy stored offsite. Modern extensions add 1 offline/air-gapped copy and 0 errors (verified backups).
- What is the difference between high availability and fault tolerance?
- High availability aims to minimize downtime but accepts brief interruptions during failover (seconds to minutes). Fault tolerance ensures zero downtime with no interruption — the system continues operating normally even when components fail (achieved through redundant active components).
- A company requires 99.99% availability. How many minutes of downtime is allowed per month?
- 99.99% availability allows 0.01% downtime. In a 30-day month (43,200 minutes): 43,200 × 0.0001 = 4.32 minutes of downtime per month maximum.
Summary
Availability is often the most visible aspect of security — users immediately notice when systems are down but may never know about confidentiality or integrity breaches. Ensuring availability requires a comprehensive approach combining redundancy, disaster recovery planning, DDoS protection, monitoring, and regular testing of recovery procedures.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Availability in Information Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, fundamentals, availability, availability in information security
Related Information Security Topics