Looking down a server room’s racks filled with your server infrastructure, it’s easy to assume that all the black boxes are made equal. But the plain exteriors often obscure the real truth of the matter.
If you asked a casual IT user to put a price on a server, they’d probably calculate a dollar value based on their hardware specifications that could inform you of the cost to replace a device in the event of physical theft.
A few more thorough individuals might go one step further and value the software installed on the machines, but fewer still would go as far as to evaluate the real data worth – the content we put on the servers that, for many businesses, might be close to priceless.
Given the ongoing trend of ransomware locking away your files, it’s the computer thieves who are oftentimes putting a dollar value on your data, and based on recent reports, these prices aren’t tied to anything smarter than whatever the thieves can get away with. So, if the malware makers can put a value per megabyte, how easily can you?
Valuing your IT infrastructure is a challenge in a world where data moves quickly. Backup servers might historically have been put in amongst the “low importance assets” list since losing their services was assumed to not affect business straight away. But from a security design perspective, this misses a fundamental consideration: your key business intellectual property exists on those hosts, and you can bet the bad guys will happily attack your backup infrastructure rather than the more obvious entry points.
Whilst you’re scoring up your backup infrastructure, I’m sure you’ve already considered your customer-facing web servers, as a defaced site might shatter customer confidence. But have you evaluated the network infrastructure around them with a similar view?
And don’t think your valuable data stops on your server and network infrastructure, either. There’s a risk that key documents exist on a user’s workstation, too. Even if it’s just a copy, that doesn’t mean you don’t need to protect the endpoint. After all, a single leaked document could end up as a very costly mistake to fix in no time.
It would be easy to throw your hands up in the air, give up scoring your assets, and say they’re all important. But by doing so, you would risk throwing away an important factor for prioritizing your security efforts.
Where to start? The most successful prioritization strategies I’ve seen have required an understanding of your business’s information assets and the services that deliver their access. Knowing what information is valuable, where it is, and how it can it be accessed is fundamental to ensuring data doesn’t leak out.
Some consideration should also be given to measurement methods. Simple models like ‘Critical’ versus ‘High’ might be a good starting place, but planning ahead to give a wider range of scores is sensible to allow yourself additional flexibility for the assets that sit somewhere between the two.
And the good news is that you can very quickly get value out of the time you invested in scoring your assets. Once you’ve started to map out your information values and flows, you can implement the scores in your security tools to help target your key files and assets for configuration assessment and vulnerability monitoring with an informed view of how these devices play a part in your everyday business.
Tripwire Enterprise, CCM and IP360 all support a concept of asset criticality. You can use any of these solutions to help you make intelligent decisions around securing your infrastructure.