I recently went for coffee with a very interesting gentleman who had previously been responsible for threat and vulnerability management in a global bank – our conversation roamed far and wide but kept on circling back to one or two core messages – the real fundamental principles of information security. One of these principles was “know your assets.”
Asset management is something that many CISO tend to skip over, often in the belief that information assets are managed by the business owners and hardware assets are closely managed by IT. Unfortunately, I’m not convinced that either of these beliefs is true to any great extent.
Take, for example, Anonymous’ recent hack of a forgotten VM server within AAPT’s outsourced infrastructure. VM "sprawl" is one of the key risks that Forrester discusses, and this appears to be a classic example – a virtual server created in haste and soon forgotten about. Commonly, as these devices fall off asset lists, they get neglected – malware and patching updates are skipped and backups are overlooked – yet they still exist on the network. It’s the perfect place for an attacker to sit unnoticed and, if the device exists in a hosted environment, it can also have the negative economic impact of monthly cost and license fees. One anecdote I heard was of a system administrator who, very cautiously and very successfully, disabled around 200 orphaned virtual servers in his organisation – with no negative business impact whatsoever.
Smoke and fire is all around you, the sound of the alarm makes you dizzy and people are running in panic to escape the inferno while you have to find your way to safety. This is not a scene in the latest video game but actually training for e.g. field engineers in an exact virtual copy of a real world environment such as oil platforms or manufacturing plants.
In a recent discussion with VRcontext, a company based in Brussels and specialized since 10 years in asset virtualization, I was fascinated by the possibilities to create virtual copies of real world large, extremely complex assets simply from scanning existing CAD plans or on-site laser scans. It’s not just the 3D virtualization but the integration of the virtual world with Enterprise Asset Management (EAM), ERP, LIMS, P&ID and other systems that allows users to track, identify and locate every single piece of equipment in the real and virtual world.
These solutions are used today for safety training simulations as well as to increase operational efficiency e.g. in asset maintenance processes. There are still areas for further improvements, like the integration of RFID tags or sensor readings. However, as the technology further matures I can see future use cases all over the place – from the virtualization of any kind of location that is difficult or dangerous to enter to simple office buildings for a ‘company campus tour’ or a ‘virtual meeting’. And it doesn’t require super-computing power – it all runs on low-spec, ‘standard’ PCs and the models are only taking few GBytes storage.
So if you are bored of running around in Second Life or World Of Warcraft, if you ever have the chance, exchange your virtual sword for a wrench and visit the ‘real’ virtual world of a fascinating oil rig or refinery.