

Protect your highly sensitive information

Published: February 25, 2015

Author: Frank Simorjay, CISSP, ISSA Distinguished Fellow, and Microsoft Senior Content Developer

Data comes in all shapes and sizes, and when protecting it, it is important to understand that classifying your data can be one of your organization’s most complex and important issues to address. Classifying data requires that you balance security efforts with cost: your company’s most sensitive data needs to be quantifiable before you invest in securing it. In other words, you should know where it is and what it is. Additionally, your sensitive data’s value should be measurable, and a cost should be associated with it. It’s fair to say that if your organization deals with data that, if lost, could result in loss of life, damage to the national infrastructure, or fines by regulators, then that data can be classified as highly sensitive or high value. In addition, many organizations hold data such as encryption keys, pre-patent factory automation IP, and corporate trade secrets that, if lost, damaged, or destroyed, would put the organization’s survival in jeopardy; these are also high value assets.

In contrast to security assessments for protecting low value information assets, protecting High Value Assets (HVAs) requires a different mindset for building security safeguards. For starters, a risk management framework (PDF) and guidelines such as those described in the Microsoft Security Risk Management Guide can be used to evaluate the overall risks involved in protecting high value assets.

HVA sensitivity to cost ratio

It’s important to illustrate that the cost of protecting data grows considerably as its sensitivity increases. For instance, if protecting a single record costs $145 (based on the cost of recovering data lost as a result of a breach), protecting HVAs can cost upwards of 10 times that amount.

An organization that is considering HVA protection should also carefully consider the following:

Protection of HVA

Several considerations must be addressed in protecting HVAs, including facility security, network infrastructure security, incident management, and operational safeguards.

Security measures needed to protect HVAs require a unique operational effort. When looking at operational safeguards, you cannot do too much when it comes to securing HVAs. Consider the following:

  • Operations staff should be specially trained to understand the value and risks associated with HVAs. In most IT organizations, there’s an operations team for identity management, one for line of business applications, one for Active Directory management, and so on. You should also have a team dedicated to understanding the special permissions and privileges required for protecting HVAs. Each employee with access to an HVA solution should be vetted and trained so that they have the special skill sets required to provide the high level of security that HVAs demand.
  • Role-based access control (RBAC) is used to ensure that only those personnel with Need to Know (read access) or Need to Modify (write access) have access to HVA data. Using a solid role-based access control model is essential for managing the protection methods.
  • The custodian of an HVA should be a person or organization that can ensure the HVA’s integrity. The result of determining accessibility and identifying custodians is a collection of protection profiles used to establish the WHO, WHAT, WHERE, WHEN, and WHY: specifically, WHO has access, WHAT is being protected, WHERE it will reside, WHEN it was used, and WHY it is being protected. Technologies such as Just Enough Admin (JEA) and Just-in-Time administration (JIT) provide assurance that administrative rights are granted only to the right person, for the right resources, in the right environment, and only when needed. Using JIT and JEA can ensure, for instance, that all administrative rights are revoked daily and that requests for rights are granted to the right person, at the right level, at the right time, with audit logging.
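The RBAC and JIT ideas in the list above (need-to-know versus need-to-modify roles, time-bounded rights, daily revocation, and an audit trail behind every decision) can be seen working together in a small policy model. The following is an added example, not code from the article or from Microsoft; the asset, role, user and time values are constructed, and real JEA/JIT products implement the same policy inside PowerShell remoting and identity systems rather than in a standalone class like this one.

```python
"""Model of role-based access control (RBAC) with just-in-time (JIT)
elevation and audit logging for a high value asset (HVA).

Added example, not from the article: asset, role and user names are
constructed. Real JEA/JIT products enforce the same policy inside
PowerShell remoting and identity systems; this models only the logic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

READ, WRITE = "read", "write"


@dataclass
class ProtectionProfile:
    """WHAT is protected, WHERE it lives, WHY, and WHO may read or modify."""
    asset: str
    location: str
    reason: str
    read_roles: frozenset    # need to know
    write_roles: frozenset   # need to modify


@dataclass
class JitGrant:
    user: str
    asset: str
    level: str
    expires: datetime


class HvaAccessControl:
    def __init__(self, profiles, role_members, grant_ttl=timedelta(hours=1)):
        self.profiles = {p.asset: p for p in profiles}
        self.role_members = role_members   # role -> set of users
        self.grant_ttl = grant_ttl
        self.grants = []                   # active JIT grants
        self.audit = []                    # append-only audit trail

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def _roles_of(self, user):
        return {r for r, members in self.role_members.items() if user in members}

    def request_elevation(self, user, asset, level, now):
        """RBAC decides WHO may hold a level; JIT bounds WHEN they hold it."""
        profile = self.profiles.get(asset)
        if profile is None:
            allowed = frozenset()
        else:
            allowed = profile.write_roles if level == WRITE else profile.read_roles
        if not (self._roles_of(user) & allowed):
            self._log("elevation_denied", user=user, asset=asset, level=level, at=now)
            return False
        grant = JitGrant(user, asset, level, now + self.grant_ttl)
        self.grants.append(grant)
        self._log("elevation_granted", user=user, asset=asset, level=level,
                  at=now, expires=grant.expires)
        return True

    def check_access(self, user, asset, level, now):
        """Allow only with an unexpired grant; a write grant also covers reads."""
        self.expire_grants(now)
        ok = any(g.user == user and g.asset == asset
                 and (g.level == level or g.level == WRITE)
                 for g in self.grants)
        self._log("access_allowed" if ok else "access_denied",
                  user=user, asset=asset, level=level, at=now)
        return ok

    def expire_grants(self, now):
        """Drop grants whose window has passed; returns how many were revoked."""
        kept = [g for g in self.grants if g.expires > now]
        revoked = len(self.grants) - len(kept)
        self.grants = kept
        if revoked:
            self._log("grants_revoked", count=revoked, at=now)
        return revoked

    def daily_revocation(self, now):
        """Revoke every outstanding grant regardless of expiry (daily job)."""
        revoked = len(self.grants)
        self.grants = []
        self._log("daily_revocation", count=revoked, at=now)
        return revoked


def demo():
    """Walk a few constructed requests through the model; returns the controller."""
    profiles = [ProtectionProfile("hsm-signing-key", "datacenter-A vault", "code signing",
                                  read_roles=frozenset({"hva-ops"}),
                                  write_roles=frozenset({"hva-custodian"}))]
    roles = {"hva-ops": {"alice"}, "hva-custodian": {"bob"}, "helpdesk": {"carol"}}
    ac = HvaAccessControl(profiles, roles)
    t0 = datetime(2015, 2, 25, 9, 0)
    ac.request_elevation("alice", "hsm-signing-key", READ, t0)    # granted: alice is hva-ops
    ac.request_elevation("alice", "hsm-signing-key", WRITE, t0)   # denied: write needs custodian
    ac.request_elevation("carol", "hsm-signing-key", READ, t0)    # denied: no HVA role
    ac.check_access("alice", "hsm-signing-key", READ, t0 + timedelta(minutes=30))  # allowed
    ac.check_access("alice", "hsm-signing-key", READ, t0 + timedelta(hours=2))     # denied: expired
    return ac
```

Two design points matter here. Elevation never widens what the standing role allows; it only opens a window during which the already-permitted level is usable, which is what keeps JIT from turning into a back door around RBAC. And every decision, including denials and automatic expiry, lands in the audit trail, so the WHO/WHAT/WHEN of each access can be reviewed after the fact.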

The security model for protecting HVAs should be aligned to defend against modern, sophisticated attacks that target administrators, for example by using the “kill chain” principle to defend against specialized, targeted attacks. The model is designed to stop malicious intrusion by obstructing an attacker at several points along the path to HVAs. Each zone in a kill chain is designed to detect, deter, and slow attackers and to prevent them from realigning their attack vector from different zones in the chain. With detection, audit, and control mechanisms in place in each zone, a kill chain becomes more effective at stopping advanced persistent threats and attacks against which traditional security measures may be less effective. This approach is an effective way to help prevent attacks on HVAs, and is described in the white paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”. In the figure, the request for an HVA is shown to be initiated in the organization and passed to the HVA asset zones. Effective HVA solutions minimize access points, transport mechanisms (both physical and virtual), and other connection methods to reduce the number of ways that HVA assets can be accessed.
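The paragraph above relies on detection in every zone feeding one picture of the intrusion. A concrete way to use that data is to map each zone’s detections onto the phases of the intrusion kill chain from the cited white paper (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives) and alert when a single host accumulates detections across several phases in a short window. The code below is an added example and is not part of the article or the white paper; the log format, the source-to-phase mapping, the host names and the sample lines are all constructed.

```python
"""Kill-chain phase correlation over constructed log lines.

Added example, not from the article or the white paper it cites: it
maps detections raised in different zones onto the intrusion kill chain
phases of Hutchins, Cloppert and Amin and alerts when one host collects
detections in several phases inside a time window. The log format,
source-to-phase mapping and host names are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Which kill-chain phase each (constructed) detection source reports on.
SOURCE_PHASE = {
    "mailgw": "delivery",
    "edr": "exploitation",
    "persistence": "installation",
    "proxy": "command_and_control",
    "hva-gateway": "actions_on_objectives",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>[\w-]+) "
    r"host=(?P<host>[\w-]+) (?P<msg>.*)$")


def parse(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "phase": SOURCE_PHASE.get(m["src"]), "host": m["host"], "msg": m["msg"]}


def correlate(lines, window=timedelta(hours=2), min_phases=3):
    """Alert on hosts whose detections span at least min_phases distinct
    phases within `window`. One phase alone is routine noise; several in
    sequence on the same host is an intrusion moving down the chain."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["phase"]:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, events in sorted(by_host.items()):
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            phases = set()
            for ev in events[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                phases.add(ev["phase"])
            if len(phases) >= min_phases:
                ordered = sorted(phases, key=PHASES.index)
                alerts.append({"host": host, "phases": ordered,
                               "earliest_phase": ordered[0],
                               "latest_phase": ordered[-1]})
                break          # one alert per host is enough for the analyst
    return alerts


# Constructed sample log: ws-17 moves through four phases in 73 minutes;
# ws-22 trips a single proxy rule; one line is malformed.
SAMPLE_LOG = [
    "2015-02-25 09:02:11 mailgw host=ws-17 attachment quarantined",
    "2015-02-25 09:05:40 edr host=ws-17 office process spawned script interpreter",
    "2015-02-25 09:40:03 proxy host=ws-17 beaconing to newly registered domain blocked",
    "2015-02-25 10:15:27 hva-gateway host=ws-17 access request to hsm-signing-key denied",
    "2015-02-25 11:00:00 proxy host=ws-22 category block: streaming media",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The `earliest_phase` field tells the responder how far back along the chain to hunt (here, the delivery event), and `latest_phase` shows how close the intruder got to the HVA zone. Tuning `window` and `min_phases` is the trade-off between catching slow campaigns and drowning analysts in single-phase noise.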

The kill chain concept provides a series of controls that detect and hamper an attacker at several points along the path to HVAs. Organizations that are concerned about protecting HVAs need to perform a risk/benefit analysis before implementing an HVA solution, as it could turn out that the cost to secure the HVAs is more than the value of the information itself.

About the Author

Frank Simorjay (CISSP, ISSA Distinguished Fellow) is a cloud and security architect, content developer, and blogger. Frank is passionate about promoting secure computing, smart cloud adoption, and Internet of Things security, and has developed an extensive library of security content for Microsoft. Frank is a senior content developer for the Cloud and Enterprise team. Frank is the founder and a long-standing member of ISSA Puget Sound, and he has been recognized as a Distinguished Fellow by the Association.

Prior to joining Microsoft, Frank was a senior engineer for NetIQ and for NFR Security, where he designed security solutions for enterprise networks in banking and telecommunications for more than 10 years.
