CSA CCM DCS-05
Assets Classification

By categorizing physical and logical assets based on their value and risk to the organization, you can ensure appropriate protections are in place. This casual yet comprehensive article will explore the ins and outs of asset classification and how to make it happen in your environment.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full matrix here. The CSA CCM provides a comprehensive set of controls to help secure cloud computing environments. For more background, check out the Overview of the CSA CCM.

Who should care?

This control is relevant for:

  • Datacenter managers responsible for securing physical and logical assets
  • IT asset managers who need to maintain an accurate inventory
  • Security teams tasked with assessing and mitigating risks to critical assets
  • Compliance officers ensuring adherence to regulatory requirements around data protection

What is the risk?

Failing to properly classify assets can lead to several adverse outcomes:

  • Sensitive data stored on under-protected systems resulting in breaches
  • Inadequate disaster recovery for critical business systems
  • Inefficient allocation of limited security resources
  • Difficulty demonstrating compliance with industry or government regulations

While asset classification alone won't completely mitigate these risks, it's an essential foundation. Knowing the value of your assets allows prioritizing defenses.

What's the care factor?

For most organizations, asset classification should be a high priority, especially those in regulated industries. Even if not legally required, it simply makes business sense. You can't adequately protect what you don't know you have.

That said, be pragmatic in your approach. Obsessing over classifying every last asset can become counterproductive. Focus on critical systems and data stores first.

When is it relevant?

Asset classification makes sense for:

  • Organizations subject to regulations like HIPAA, PCI DSS, GDPR, etc.
  • Datacenters with a large number of heterogeneous systems
  • Businesses with high-value intellectual property or sensitive customer data
  • Companies relying heavily on IT for mission-critical operations

It may be less applicable for:

  • Small businesses with a limited, well-understood asset inventory
  • Organizations with mostly low-risk, public-facing systems
  • Purely cloud-native startups whose inventory is already maintained by provider tooling (they still need to decide which resources hold sensitive data, but the discovery work is largely done for them)

What are the trade-offs?

The main costs of asset classification include:

  • Time spent by IT and security teams categorizing and labeling assets
  • Potential business disruption from systems being offline for assessment
  • Ongoing maintenance to keep the asset inventory current as things change
  • Opportunity cost of resources not working on other initiatives

However, these are generally outweighed by the risk reduction and efficiency gains of having a solid handle on your asset landscape.

How to make it happen?

  1. Define a clear set of asset categories aligned to your business risk (e.g. Critical, High, Medium, Low)
  2. Establish criteria for each category based on factors like data sensitivity, system availability requirements, regulatory scope, etc.
  3. Create a comprehensive asset inventory encompassing all physical and logical assets
  4. For each asset, determine and document key metadata like owner, location, dependencies, priority, etc.
  5. Assess each asset against your category definitions and assign it an appropriate label
  6. Tag the assets in your configuration management database (CMDB) or other inventory system
  7. Develop policies and handling procedures for each category
  8. Inform asset owners and custodians of classifications and required controls
  9. Implement the technical, physical and administrative safeguards for each level
  10. Regularly review and update asset classifications to maintain accuracy
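Steps 1 through 6 above are mechanical enough to script. The following is an added example, not part of the CCM or of the original article, showing one way to encode a four-level scheme (Low, Medium, High, Critical), evaluate each asset against three criteria (data sensitivity, availability requirement, regulatory scope) with a "highest factor wins" rule, flag records that are missing required metadata such as owner or location (the usual sign of shadow IT), and produce the tag set you would push into a CMDB or a cloud tagging API. The category names, thresholds, field names and the sample inventory are all assumptions for illustration; tune them to your own risk appetite.

```python
"""Added example: a rule-based classification pass over an asset inventory.

Assumptions (not from the CCM text): four categories Low < Medium < High < Critical,
three scoring factors (data sensitivity, availability requirement, regulatory scope),
and a "highest factor wins" rule. Thresholds below are illustrative, not prescribed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

CATEGORIES = ("Low", "Medium", "High", "Critical")      # ascending severity
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
REQUIRED_METADATA = ("owner", "location")                # step 4: must be documented


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: Optional[str]
    location: Optional[str]
    data_sensitivity: str            # a key of SENSITIVITY_RANK
    max_outage_hours: float          # how long the business tolerates it being down
    regulated: FrozenSet[str]        # e.g. {"PCI DSS", "HIPAA"}; empty if out of scope


def classify(asset: Asset) -> str:
    """Assign a category: each factor proposes a level and the highest wins."""
    level = SENSITIVITY_RANK[asset.data_sensitivity]
    # Availability: tighter recovery objectives push the asset up.
    if asset.max_outage_hours < 1:
        level = max(level, 3)
    elif asset.max_outage_hours < 8:
        level = max(level, 2)
    elif asset.max_outage_hours < 72:
        level = max(level, 1)
    # Regulatory scope: anything in scope is at least High.
    if asset.regulated:
        level = max(level, 2)
    return CATEGORIES[level]


def missing_metadata(asset: Asset) -> List[str]:
    """Step 4 check: required fields that are empty (typical of shadow IT)."""
    return [f for f in REQUIRED_METADATA if not getattr(asset, f)]


def build_tags(asset: Asset) -> Dict[str, str]:
    """Tag set to push to the CMDB or cloud tagging API (step 6)."""
    return {
        "Classification": classify(asset),
        "DataSensitivity": asset.data_sensitivity,
        "RegulatoryScope": ",".join(sorted(asset.regulated)) or "none",
        "Owner": asset.owner or "UNASSIGNED",
    }


def run(inventory: List[Asset]) -> Dict[str, Dict]:
    """Return per-asset tags plus an exceptions list for incomplete records.

    Assets with missing metadata are still classified (so they get protected),
    but they are also queued for follow-up rather than silently accepted.
    """
    report: Dict[str, Dict] = {"tags": {}, "exceptions": {}}
    for asset in inventory:
        report["tags"][asset.asset_id] = build_tags(asset)
        gaps = missing_metadata(asset)
        if gaps:
            report["exceptions"][asset.asset_id] = gaps
    return report


# Constructed sample inventory for the example; these are not real systems.
SAMPLE_INVENTORY = [
    Asset("db-payments-01", "payments-team", "dc1-rack7", "restricted", 0.5, frozenset({"PCI DSS"})),
    Asset("api-orders-01", "commerce", "eu-west-1", "confidential", 4, frozenset({"GDPR"})),
    Asset("web-marketing-01", "marketing", "eu-west-1", "public", 120, frozenset()),
    Asset("wiki-internal-01", "it-ops", "dc1-rack2", "internal", 168, frozenset()),
    Asset("srv-unknown-17", None, None, "internal", 24, frozenset()),   # discovered, no owner
]

if __name__ == "__main__":
    result = run(SAMPLE_INVENTORY)
    for asset_id, tags in result["tags"].items():
        print(f"{asset_id:18} {tags['Classification']:9} {tags}")
    for asset_id, gaps in result["exceptions"].items():
        print(f"FOLLOW UP {asset_id}: missing {', '.join(gaps)}")
```

Two design points worth copying even if you discard the rest: an asset with gaps in its metadata still receives a classification (an unowned server in the payments VLAN should not sit unprotected while someone hunts for its owner), and the exceptions list is a first-class output so the shadow-IT follow-up from the gotchas section has a concrete queue to work from.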

What are some gotchas?

  • Classifying assets requires involvement from multiple stakeholders - make sure to get buy-in
  • Overly complex classification schemes become hard to manage - keep it as simple as will suffice
  • Asset metadata can include sensitive details - ensure the inventory itself is well-protected, with access limited to those with a business need (e.g. CMDB system admins)
  • Classification exercises can uncover "shadow IT" - have a plan for handling previously unknown assets
  • Applying safeguards may require specific permissions, e.g. tagging EC2 resources in an AWS account requires the ec2:CreateTags permission (docs); other services have their own tagging actions, so scope the identity doing the tagging accordingly

What are the alternatives?

While a formal classification program is ideal, some alternatives for smaller organizations include:

  • Splitting assets into broad buckets like "internal" vs "external-facing"
  • Focusing classifications only on regulated data like PII, PHI, cardholder data in PCI DSS scope, etc.
  • Using automated discovery and vulnerability scanning tools (e.g. Amazon Inspector) to surface exposed or vulnerable assets; note these measure technical exposure, not business value

However, these are generally stopgaps on the way to a more comprehensive approach.

Explore further

  • NIST SP 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories" (link)
  • CIS Control 1 "Inventory and Control of Enterprise Assets" (link)
  • CIS Control 2 "Inventory and Control of Software Assets" (link)
  • CIS Control 13 "Data Protection" (link)

Asset classification is not glamorous, but it's a core tenet of information security. By understanding your assets' value and categorizing them accordingly, you can focus your protection efforts where they matter most. And hopefully have some fun along the way!
