OWASP / www-project-cyber-defense-matrix

Documentation on the Cyber Defense Matrix

Add another asset class to the Cyber Defence Matrix #1

Open ejazr83 opened 4 years ago

ejazr83 commented 4 years ago

First of all, I think this is an excellent framework and bridge between the NIST CSF and the actual asset classes that we implement to assist with technology investment decisions.

After using this extensively, I really think that we are missing an asset class which I will call "Workloads".

Currently Devices is used to describe both End User devices like PCs / Desktops / Mobile devices as well as Data Centre / Cloud workloads such as Servers / Containers and PaaS services.

I would say that this makes it quite challenging and doesn't really help in bringing in clarity in how both of these asset classes should be looked at.

My suggestion is to add an additional row / asset class called "Workloads". Then Devices would refer to all end user devices such as traditional MDM and endpoint solutions that users interact with, and possibly VR/AR and wearable IoT devices in the future.

"Workloads" on the other hand would refer to all the PaaS / IaaS and other infrastructure side assets that perform compute services. This would include servers / VMs, Containers, Kubernetes as well as Serverless Functions. This also matches up very nicely with how the industry is talking about Cloud Workload Protection Platforms (CWPP), where CWPP is really about protecting "workloads", while Devices are protected by MDM/MEM tools that provide the "protection" capability by hardening end user devices.

georgejohnson-us commented 1 year ago

I believe there should still be a distinction between Workloads. Serverless (lambda) workloads can only fire periodically and can often be missed in scans. Full time IaaS and PaaS can be grouped, but many people are still operating hybrid (with highly sensitive data in their facility or under their control at a Colo). I believe a hands-on asset should be differentiated from a cloud asset given the shared risk models that you must accept vs. your own devices, where you control the environmental infrastructure and physical access to the device.