Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Attack surface management and the governance gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Attack surface management shifts security left by exposing externally reachable assets, unmanaged services, and hidden exposure before attackers do, according to Cybertrust Japan and the incident data it cites. That matters because visibility without follow-up governance still leaves organisations with exposed paths, delayed remediation, and incomplete control over the assets that matter most.

NHIMG editorial — based on content published by Cybertrust Japan: まずはここから!ASMで始めるセキュリティ対策の第一歩

By the numbers:

Questions worth separating out

Q: How should security teams use attack surface management to improve control over exposed systems?

A: Security teams should use attack surface management to find what is actually reachable, then connect each exposed asset to an owner, access path, and remediation SLA.

Q: Why does external exposure often become an identity problem as well as a cloud problem?

A: External exposure becomes an identity problem because many reachable systems depend on service accounts, API keys, certificates, or delegated access that live longer than the workload itself.

Q: What do security teams get wrong about attack surface management?

A: Teams often treat ASM as a scanning activity when it is really an operating model for continuous exposure control.

Practitioner guidance

  • Create a continuously reconciled external asset inventory Pull ASM findings into the same inventory used for cloud, IAM, and service ownership so that every reachable asset has a named owner, business purpose, and remediation path.
  • Tie exposed assets to identity and secrets review For each internet-facing asset, check whether it carries service accounts, API keys, certificates, or delegated access that outlived the workload or application.
  • Set remediation SLAs by exposure path Prioritise assets that are directly reachable from the internet, then use a shorter SLA when the system contains privileged access, sensitive data, or unauthenticated entry points.

What's in the full article

Cybertrust Japan's full blog post covers the operational detail this post intentionally leaves for the source:

  • How ASM is positioned as the first step in the security process, including the 7-stage cyber kill chain used in the article.
  • Examples of ASM services that combine visibility, vulnerability diagnosis, penetration testing, and device identification.
  • Practical explanations of how external asset discovery supports faster executive reporting and security investment decisions.
  • The specific control flow from discovery to continuous monitoring that the source article recommends for distributed environments.

👉 Read Cybertrust Japan's article on starting security with attack surface management →

Attack surface management and the governance gap teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Attack surface management is now an access governance problem as much as a discovery problem. The article is right to frame ASM as the first step, but discovery alone does not reduce risk unless it leads to ownership, entitlement review, and revocation. In practice, the most dangerous exposed systems are the ones carrying unmanaged credentials or inherited trust. For identity teams, this is where NHI lifecycle management and external asset visibility intersect. Practitioners should treat exposed assets as governance exceptions, not just technical findings.

A question worth separating out:

Q: Who is accountable when an exposed asset becomes the entry point for a breach?

A: Accountability should sit with the team that owns the asset and the control function that governs its exposure, which often includes cloud, application, and identity owners together. In practice, frameworks like the NIST Cybersecurity Framework and NHI governance expect clear ownership, because unresolved exposure is a governance failure as much as a technical one.

👉 Read our full editorial: Attack surface management is becoming the first step in security



   
ReplyQuote
Share: