CSA CCM DCS-06
Assets Cataloguing and Tracking

In today's complex cloud environments, it's critical to keep tabs on all your physical and virtual assets. The DCS-06 control from the Cloud Security Alliance Cloud Controls Matrix provides guidance on cataloging and tracking servers, switches, racks and other data center equipment. Let's dive in and see why this often overlooked control deserves some attention.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4

The CSA CCM provides a comprehensive set of cloud security best practices. It's a great reference for anyone looking to lock down their cloud environment.

Who should care?

  • Data center managers responsible for asset tracking
  • IT directors looking to improve inventory management processes
  • Security analysts assessing asset-related risks
  • Compliance officers ensuring asset controls are in place

What is the risk?

Losing track of physical and virtual assets opens the door to several risks:

  • Unpatched/vulnerable servers open to exploit
  • Unauthorized devices on the network
  • Inability to locate a specific asset during an incident
  • Incomplete picture of the environment for compliance

DCS-06 helps mitigate these issues by ensuring there is an accurate, up-to-date inventory of all relevant assets. It won't eliminate these problems completely, but it's an important foundation.

What's the care factor?

On a scale from "meh" to "mega critical", asset tracking is admittedly on the boring-but-important end of the spectrum. It's not the sexiest security control, but it underpins many other critical processes.

Without an accurate asset inventory, vulnerability management, incident response, change management and compliance all become much harder, if not impossible. For orgs with mature security programs, DCS-06 should be a top priority to enable everything else.

When is it relevant?

DCS-06 makes sense for any cloud deployment of significant size and complexity. Even smaller, single-cloud setups can benefit from the visibility it provides.

It becomes especially important in large enterprise multi-cloud environments and co-located data centers with a mix of physical and virtual infrastructure.

For a 3-server startup, it's probably overkill. Work up to DCS-06 as you scale.

What are the trade-offs?

Implementing asset tracking isn't free:

  • RFID/GPS/BLE asset tags cost $
  • Asset management software licensing and maintenance
  • Ongoing time/effort to tag assets, update inventory
  • Potential workflow changes as asset tracking is enforced

The main thing you're trading off is upfront and ongoing cost vs improved visibility and control. For most non-trivial deployments, it's well worth it.

How to make it happen?

Ready to get tracking? Here's how:

  1. Select an asset tracking solution that supports auto-discovery, tagging and reporting. Popular picks include Nlyte, Sunbird and Device42.
  2. Define your tagging strategy. Will you use RFID, BLE, GPS or all of the above? How will assets be named and categorized?
  3. Determine the physical locations and logical boundaries in scope. All DCs? Only prod? Offline spares too?
  4. Define roles and responsibilities. Who will maintain the asset DB? What
