Security
Feature
Secure to the Core

January 23, 2003
By Greg Shipley



Cover Your Assets

Rather than debate the location of the attacker, why not consider the location of the target? Circling back to the concept of triage, forward-thinking security teams are combating the problem by working with the business side to identify key targets, then creating identification and classification systems. Once they know which assets are most important, prioritization efforts can follow. Classification strategies typically start with data-grouping efforts, which can be rolled into more complex asset-classification systems when combined with variables such as system type, function or criticality.

Starting with data classification, these frameworks can be as simple as two- or three-tier systems or as complex as variable asset-value models (see "Companies Struggle With Data Classification").

A basic data-classification plan may start with the data and provide a framework for grouping that data into two or more classification tiers. A three-tier method may include categories such as public data, private data, and proprietary and confidential data.


For example, schematics for the next-generation Strong-Bad 3000 cannery machine--which is capable of packaging potted meat at the rate of 3,000 CPMs (cans per minute) and could revolutionize the potted-meat industry--would be considered sensitive and valuable by the machine's maker. In our three-tier model, the data relating to these schematics would be classified as proprietary and confidential. In contrast, last year's sales brochures touting the aging Strong-Bad 325i models, available via the company Web site, would be classified as public data.

While this example is simplistic, the success of a classification effort is often determined by its simplicity. A four-tier model might introduce a tier between private and proprietary--after all, the more tiers, the more granular the organization's data-classification efforts can be. However, with that granularity comes added complexity, larger margin for error, and potentially higher costs associated with making the classification process a reality.



[Figure: Loss Costs]

Let's move from data classification to asset classification. In this case, an asset might be a piece of data, a single system or a group of systems that perform a given business function. For example, all the data, servers and applications that comprise the payroll system might be viewed as a single asset (with multiple components). Or, depending on the classification policies, components might be rated/ranked differently. Asset rankings might also take into account less tangible factors, such as "visibility." For example, a public Web server may not contain critical data, but a defacement of the site could result in public embarrassment and a decrease in customer confidence. Regardless, how a given organization views its digital assets depends on defined policies and strategies and the organization's ability to execute on those strategies.

Unfortunately, many organizations complete their classification policies but fall flat on their faces when it comes to completing the classification process. According to both our own observations and Network Computing reader polls, most organizations have not even completed their data-classification efforts, much less mapped those classifications to IT assets, essentially removing the possibility of an "effortless" move to a practical asset-based risk ranking system.
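The following is an added example, not code from the article or from Network Computing, of what the "map data classifications to IT assets, then rank" step looks like once the policy exists. The three data tiers are the article's; the high-water-mark rule (an asset inherits the most sensitive tier of any component), the numeric weights, the criticality and visibility scales and the sample inventory (payroll, public Web site, engineering file share, intranet wiki) are assumptions chosen for illustration. The point it adds to the text is the failure mode of the previous paragraph: an asset with any unclassified component cannot be scored, and the ranking reports exactly which components are still missing rather than silently guessing.

```python
"""Toy asset-based risk ranking on top of a three-tier data classification.

Added example for this article; tiers follow the text, everything else
(weights, scales, sample assets, the high-water-mark rule) is an assumption.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class DataTier(IntEnum):
    """The article's three-tier scheme; a higher value is more sensitive."""
    PUBLIC = 1
    PRIVATE = 2
    PROPRIETARY_CONFIDENTIAL = 3


@dataclass
class Component:
    name: str
    kind: str                         # "data", "server", "application", ...
    tier: Optional[DataTier] = None   # None: classification not done yet


@dataclass
class Asset:
    name: str
    function: str
    criticality: int   # 1..3, e.g. lifted from the DR team's business impact analysis
    visibility: int    # 1..3, how publicly embarrassing a compromise would be
    components: list = field(default_factory=list)


# Assumed weights: data sensitivity dominates, but criticality and visibility
# can lift a low-tier asset (a public Web server) above a mid-tier one.
WEIGHTS = {"tier": 3, "criticality": 2, "visibility": 2}


def unclassified(asset: Asset) -> list[str]:
    """Names of components that still lack a data tier; these block ranking."""
    return [c.name for c in asset.components if c.tier is None]


def asset_tier(asset: Asset) -> DataTier:
    """High-water mark: the asset is as sensitive as its most sensitive component."""
    missing = unclassified(asset)
    if missing:
        raise ValueError(f"{asset.name}: unclassified components {missing}")
    return max(c.tier for c in asset.components)


def risk_score(asset: Asset) -> int:
    """Weighted sum of tier, business criticality and visibility."""
    return (WEIGHTS["tier"] * int(asset_tier(asset))
            + WEIGHTS["criticality"] * asset.criticality
            + WEIGHTS["visibility"] * asset.visibility)


def rank_assets(assets: list[Asset]) -> tuple[list[tuple[str, int]], dict[str, list[str]]]:
    """Return (ranked [(name, score)], highest first) and {asset: missing components}."""
    ranked, blocked = [], {}
    for a in assets:
        missing = unclassified(a)
        if missing:
            blocked[a.name] = missing      # do not guess; report what to classify first
        else:
            ranked.append((a.name, risk_score(a)))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked, blocked


# Constructed sample inventory; names echo the article's illustrations, values are assumed.
SAMPLE_ASSETS = [
    Asset("payroll", "pay employees", criticality=3, visibility=1, components=[
        Component("payroll database", "data", DataTier.PROPRIETARY_CONFIDENTIAL),
        Component("payroll server", "server", DataTier.PRIVATE),
        Component("payroll application", "application", DataTier.PRIVATE),
    ]),
    Asset("public web site", "marketing", criticality=1, visibility=3, components=[
        Component("Strong-Bad 325i brochures", "data", DataTier.PUBLIC),
        Component("www server", "server", DataTier.PUBLIC),
    ]),
    Asset("intranet wiki", "internal documentation", criticality=1, visibility=1, components=[
        Component("wiki pages", "data", DataTier.PRIVATE),
        Component("wiki server", "server", DataTier.PRIVATE),
    ]),
    Asset("engineering file share", "product design", criticality=2, visibility=1, components=[
        Component("Strong-Bad 3000 schematics", "data", DataTier.PROPRIETARY_CONFIDENTIAL),
        Component("file server", "server", None),   # classification effort never finished
    ]),
]

if __name__ == "__main__":
    ranked, blocked = rank_assets(SAMPLE_ASSETS)
    for name, score in ranked:
        print(f"{score:3d}  {name}")
    for name, missing in blocked.items():
        print(f"BLOCKED  {name}: classify {missing} first")
```

With these assumed weights the public Web site (all public data) outranks the intranet wiki (private data) purely on visibility, which is the defacement argument from the previous section; the engineering file share, despite holding the most sensitive data in the inventory, is not ranked at all until its file server is classified.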

If you're in this boat, don't jump overboard. Often, existing tools found within the organization can help. For example, while many infosec programs are in their infancies, many disaster-recovery efforts are mature. Asking the disaster-recovery folks what they discovered during their business impact analysis studies can often provide security personnel with a much needed jump-start in identifying critical assets at a high level.

Again, business participation is critical, because neither IT nor security can be expected to understand all of an organization's dynamics. Finally, consider using third-party resources to help in the classification process, particularly if your organization is short staffed or there are concerns about business units objectively performing the task without aid or supervision.

