Context & Asset Identification
Context Definition
The lab will simulate a small cybersecurity oriented organization with :
- On-premise virtualization (Proxmox)
- Public-facing VPS services
- Administrative remote access (Teleport)
- Centralized logging & monitoring (Wazuh, Prometheus, Grafana)
- Users management (OpenLDAP)
- Automated backups, updates and deployments (Ansible, Gitea)
Asset Categories
Technical Assets
- Proxmox host - main hypervisor | ✔️ Deployed
- VPS server - web server, external backup | ✔️ Deployed
- Firewall (OPNsense) - Filtering, vLANs, IPS (Suricata) | ⏳ In Progress
- Bastion host - Secured SSH/TLS centralized access | 🚧 Planned
- SIEM and logging hosts - Log aggregation and correlation | 🚧 Planned
- Ansible and Gitea hosts - Code orchestration and management | 🚧 Planned
Information Assets
- Configuration data - Ansible playbooks, parameters files
- Credentials - passwords, SSH keys, certificates
- Backups - VMs and containers snapshots, databases backups, archives
- Log data - system, applications and network logs
- User data - LDAP accounts, access profiles
Criticality Assessment
Assets are evaluated based on:
- Availability requirements
- Confidentiality impact
- Integrity sensitivity
| Asset | Availability | Confidentiality | Integrity | Owner |
|---|---|---|---|---|
| Proxmox host | High | Medium | High | Ops |
| VPS server | High | High | High | Ops |
| OPNsense firewall | High | High | Medium | Sec |
| Teleport bastion host | High | High | High | Sec |
| SIEM & logging hosts | Medium | High | Medium | Sec |
| Ansible & Gitea hosts | Medium | Medium | Medium | Dev |
| Configuration data | Medium | High | High | Dev |
| Credentials | Low | High | High | Sec |
| Backups | High | Medium | High | Ops |
| Log data | Medium | Medium | Medium | Sec |
| User data (LDAP) | High | High | High | Sec |
In the DevSecOps approach chosen to reflect the type of organizations that this lab replicates, each asset is linked to an owner service : Operations (Ops), Security (Sec) or Development (Dev). This assignment facilitates governance, accountability, and the implementation of domain-specific controls.
References : ISO 27001 – A.8.1 (Asset Management) & A.8.1.2 (Ownership of Assets) ; NIST CSF ID.AM-1 (Asset Inventory).