Often overlooked by Security professionals, the concept of Availability is an important member of the classic InfoSec triad. In a nutshell, what is the point of keeping your data safe from prying eyes or malicious modification if authorised users are not able to access it? With information being a prime asset of most businesses today timely and reliable access is critical.
There are typically two aspects of availability to consider: Resilience, or making sure that systems can tolerate a certain degree of failure, and Disaster Recovery, which ensures access to business information in the event of a catastrophic failure.
Resilience can be achieved in a variety of ways, from resilient server hardware such as RAID and clustering, through cold/hot-standby network devices, to multiple, possibly redundant, communications links. Some of these approaches are automatic, giving seamless failover, others require manual intervention.
The pinnacle of a resilient approach would be several fully redundant, hot-standby data centres, and this could be considered to meet the requirement of Disaster Recovery also. However Disaster Recovery solutions do not necessarily need to be this complex - off-site storage of daily back-up tapes is a ubiquitous DR approach. There are many shades of complexity between tapes and redundant data-centres, and consideration must also be given to your people. Where will they physically work if head office is uninhabitable?
As always, there is a trade-off between cost and functionality, so an availability risk assessment is a good starting point to compare the cost of a solution to the value of the data it is intended to protect.