Evaluating Security and Availability of Multiple Redundancy Designs when Applying Security Patches
Mengmeng Ge, Huy Kang Kim, Dong Seong Kim

TL;DR
This paper evaluates how different server redundancy designs impact security and availability during security patching, revealing trade-offs and providing a model-based approach to optimize design choices.
Contribution
It introduces a combined security and capacity availability assessment framework using graphical security and stochastic reward net models for redundancy designs during patching.
Findings
Redundancy increases capacity availability during patching.
Redundancy decreases security when patches are applied.
The approach helps identify designs satisfying both security and availability constraints.
Abstract
In most modern enterprise systems, a redundancy configuration is often used to provide availability while part of the system is being patched. However, the redundancy may increase the attack surface of the system. In this paper, we model and assess the security and capacity-oriented availability of multiple server redundancy designs when applying security patches to the servers. We construct (1) a graphical security model to evaluate the security under potential attacks before and after applying patches, and (2) a stochastic reward net model to assess the capacity-oriented availability of the system with a patch schedule. We present our approach based on a case study and model-based evaluation for multiple design choices. The results show redundancy designs increase capacity-oriented availability but decrease security when applying security patches. We define functions that…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Software Reliability and Analysis Research
