By Matthias Gromann, Director Business Line IT & Data Center Solutions at FNT Software
Protection against digital threats is important for organizations of all sizes, especially for operators of critical infrastructures. The path to ICT resilience and security begins with the complete documentation and management of all IT, data center, and network infrastructure. However, many organizations still rely on outdated and incomplete documentation, which not only leads to inefficient operations but also increases security risks.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) enables operators to reduce cybersecurity risks and optimize the resilience of their IT landscape and, if implemented and adhered to, offers a solid basis for strengthening IT security. The recommendations for achieving ICT resilience are set out in a catalog of measures, separated into different areas shown below.
Focusing on Identification, the goal is to develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
A fundamental component to achieve this goal is the comprehensive documentation and management of the IT infrastructure. The first task for companies and organizations therefore involves detailed asset management. This includes the identification, cataloging and evaluation of data, people, devices, systems, and equipment. What this means for those responsible for an organization’s IT infrastructure is set out in individual tasks:
- Physical devices and systems within the organization are inventoried.
- Software platforms and applications within the organization are inventoried.
- Organizational communication and data flows are mapped.
- External information systems are catalogued.
- Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
- Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
- Dependencies and critical functions for delivery of critical services are established.
- Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations).
- Asset vulnerabilities are identified and documented.
- Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
- Risk responses are identified and prioritized.
(Source: National Institute of Standards and Technology; “Cybersecurity Framework” Version 1.1, April 16, 2018, https://www.nist.gov/cyberframework)
The framework therefore requires the systematic and complete recording of all elements of the IT, data center and network infrastructure. This includes not only all physical assets, but also connections, dependencies, applications, and business services. If these requirements are met, organizations primarily achieve increased security for their operations, but also benefit from the advantages and opportunities that this transparency brings in other areas.
Seamless documentation and transparency as the foundation of cybersecurity
Holistic recording and documentation of all IT components in a system provides a transparent overview of the entire infrastructure. This documentation shows what a company’s IT infrastructure consists of in detail, how it is operated, and how it is protected. Bundling the data of all these relevant infrastructure components into a “single point of truth” facilitates reliable analysis, planning, and control of all physical and virtual assets, including:
- Locations
- Servers, racks, sensors, antennas, and cables
- IP addresses and storage networks
- Virtual servers and networks
- Applications and services
Given the dynamic development of the cybersecurity landscape, this is crucial in order to respond proactively to both acute and potential risks.
Identification of dependencies and cause-and-effect relationships
The deep insight into the various levels of the infrastructure makes it possible to clearly identify dependencies and cause-and-effect relationships between individual components. By highlighting logical links, IT managers can, for example, see which servers are located at which site, which applications run on which server, which critical processes run via which cables, and which business services are dependent on which assets.
This makes it easier to identify which areas are at risk of being affected by problems, failures, and malfunctions. Downtimes can thus be avoided while operational continuity and general service quality and reliability are improved.
Identification and elimination of vulnerabilities
Comprehensive documentation of the IT infrastructure, as required by the NIST CSF, also goes hand in hand with the rapid identification and elimination of vulnerabilities. A seamless data model, which acts as a “single point of truth” and maps all dependencies, allows deficits, bottlenecks, and generally the most vulnerable areas of an infrastructure to be quickly identified. This enables those responsible to strengthen these areas and remedy deficiencies before an emergency occurs, for example, by backing up data, setting up network redundancies, avoiding hotspots in data centers, balancing the utilization of capacities, and optimizing lifecycle management. If a critical error occurs nonetheless, the documentation of the IT infrastructure enables those responsible to quickly restore IT systems in an emergency while ensuring access to critical data.
Organizations are therefore empowered to take proactive measures to minimize negative effects on operations instead of reacting to existing problems and limiting and fixing damage. In this way, they not only protect the digital lifelines of their company, but also the foundation of all digital business processes and offerings.
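As an added illustration, not taken from the article or from any FNT product: the dependency view and the search for missing redundancy described in the two sections above can be expressed as queries over a documented inventory. The asset names, the `all`/`any` redundancy modes, and the function names are assumptions made for this example.

```python
# Constructed sample inventory (all names hypothetical). Each asset maps to
# (mode, dependencies): "all" = every dependency is required,
# "any" = redundant, one working dependency is enough.
INVENTORY = {
    "service:online-banking": ("all", ["app:web-frontend", "app:core-db"]),
    "service:payroll": ("all", ["app:core-db"]),
    "app:web-frontend": ("any", ["server:web-01", "server:web-02"]),
    "app:core-db": ("all", ["server:db-01"]),
    "server:web-01": ("all", ["cable:fiber-a", "site:dc-east"]),
    "server:web-02": ("all", ["cable:fiber-b", "site:dc-west"]),
    "server:db-01": ("all", ["cable:fiber-a", "site:dc-east"]),
}


def is_up(asset, failed, inventory=INVENTORY):
    """True if the asset and enough of its dependencies are working.
    Assumes the documented dependency graph has no cycles."""
    if asset in failed:
        return False
    mode, deps = inventory.get(asset, ("all", []))  # leaf assets have no deps
    if not deps:
        return True
    states = [is_up(dep, failed, inventory) for dep in deps]
    return any(states) if mode == "any" else all(states)


def impacted_services(failed, inventory=INVENTORY):
    """Business services that go down when the given assets fail."""
    failed = set(failed)
    return sorted(a for a in inventory
                  if a.startswith("service:") and not is_up(a, failed, inventory))


def single_points_of_failure(inventory=INVENTORY):
    """Assets whose lone failure takes down at least one service."""
    assets = set(inventory)
    for _mode, deps in inventory.values():
        assets.update(deps)
    result = {}
    for asset in sorted(assets):
        if asset.startswith("service:"):
            continue
        hit = impacted_services([asset], inventory)
        if hit:
            result[asset] = hit
    return result


if __name__ == "__main__":
    print(impacted_services(["cable:fiber-a"]))
    for asset, services in single_points_of_failure().items():
        print(asset, "->", services)
```

In this constructed inventory the redundant web servers never appear as single points of failure, while the shared cable, site, and database server do, which is where added redundancy would reduce risk.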
Audits and certification processes
Complete documentation and its associated transparency make it easier for companies to implement measures to meet certification requirements in accordance with common industry standards, such as ISO, BAIT or VAIT. In this context, certification processes and audits can also be prepared and carried out more efficiently, as companies with clear documentation can respond quickly to requests from auditors and provide all the necessary information.
Complete IT asset documentation serves as a reliable basis for checking compliance with security standards. Auditors can easily understand how IT resources are managed, secured and monitored in an organization. Solid documentation enables the entire life cycle of individual assets to be reviewed, from procurement and operation through to decommissioning. Thus, IT asset documentation can, among other things, strengthen the trust of auditors in the reliability and security of an organization’s IT infrastructure and also help to preserve the external reputation of organizations.
Overall, the NIST CSF offers many comprehensive cybersecurity measures for organizations, starting with the documentation, planning, and management of their infrastructure. Comprehensive documentation is an important step to be able to mitigate cybersecurity threats in an increasingly digitalized world and to remain resilient. After all, you can only protect what you know.
The NIST CSF also proposes both organizational and technical measures, including the creation of a complete inventory of hardware and software, employee training, data protection requirements and measures for the early detection of threats, to name but a few. Through the risk-based approach, the framework enables the implementation of different levels of protection, adapted to the needs of the organization.
These measures often require new and innovative solutions in many areas of an organization. Powerful software solutions are available on the market to provide the basis for a fully documented IT landscape. Such solutions enable the efficient documentation, planning, and management of IT, telecommunications, and data center infrastructures in a digital twin – from the physical level (cables, switches, servers, etc.) to virtual components and applications through to services – all represented in a “single point of truth”. This lays the foundation for far-reaching measures to protect IT and telecommunications infrastructures and thus the lifelines of every company in the digital age.
ABOUT THE AUTHOR
Matthias Gromann is Director Business Line IT & Data Center Solutions at FNT Software. He has many years of experience as an IT technology expert and is FNT’s topic leader for service-oriented automation in infrastructure management. In his role, he shapes FNT’s solution approaches for enterprise IT, helping companies to achieve greater transparency, more security, and increased productivity in the operation of critical infrastructures.