Blast radius is the potential impact a single security event or failure can have on your enterprise. Essentially, it allows you to measure the amount of total impact something occurring will have on your other assets that aren’t directly involved.

Blast radius is extremely important, but it’s really just a fancy term to describe planning and asset management. You probably have some of this functionality built into your existing infrastructure; now all you have to do is connect the dots. If you have a risk management function at your company, they’re probably already discussing the impact on dependent systems or assets. But if this is totally new to you, that’s okay too. It’s important to continuously evaluate your situation, and the best time to start is now.

Keep reading to learn more about blast radius, measuring your impact, and how we can help you achieve maximum business revenue generation in parallel with enterprise risk reduction.

Let’s get into it…

Let’s say a single server or application fails. The blast radius, or impact of loss, might be limited to that single resource. For example, a server has issues because there’s too much data trying to go through its processing function at once, so it goes down. If no other systems are consuming the data it’s processing, the impact is limited to that server.

Let’s say a server fails that processes information from your lead forms. That impact might look something more like this:

  • Lead form submissions slow down processing

  • Downstream systems receive data on a delay

  • Downstream systems can’t display information

  • End user can’t use company applications

  • Company can’t generate revenue from end-user applications

This is an example of an availability issue plaguing your applications; let’s talk about a more catastrophic one, a confidentiality issue.

Blast radius as a confidentiality issue

Understanding the blast radius of your AWS setup is important because it can help you design and implement effective security measures to minimize the impact of potential incidents. By identifying the components that are most critical to your business and taking steps to protect them, you can reduce the risk of a catastrophic failure that could have wide-ranging consequences.

Let's say that an organization is using AWS for their cloud infrastructure, but they haven't taken steps to monitor the blast radius of potential security incidents. One day, a hacker gains access to an administrative account with high-level permissions, giving them access to critical systems and data. Because the blast radius was not monitored, the hacker is able to move laterally through the infrastructure, accessing additional systems and data as they go. This means that access to one system granted them access to many, because access controls weren’t properly managed.

As a result of the breach, the organization may experience significant financial losses due to the theft of sensitive data, the disruption of critical systems, and the cost of remediation efforts. Additionally, the organization may suffer reputation damage, loss of customer trust, and legal liability.

In terms of regulatory actions, the enterprise may face investigations and penalties from regulatory bodies in charge of enforcing the GDPR or the CCPA, depending on the type of data that was compromised and the jurisdiction in which the enterprise operates. The organization may also be required to notify affected individuals of the breach and offer them credit monitoring or other forms of identity theft protection.

Check out our other blog posts to learn more about the consequences of handling a confidentiality issue at your organization.

I have a LOT of technology assets - now what?

Many of the clients we work with have a significant number of legacy technology assets to account for, because they’ve been in business for decades before privacy laws were enacted. Think thousands of databases. Millions of user profiles. Hundreds of thousands of clients monthly.

Understanding your blast radius in a large technology organization can be a challenging task. We specialize in providing strategy and implementation resources to enterprises looking to catch up, but here are the basics:

  1. Inventory your assets:

    1. Identify assets, resources, and services in your AWS infrastructure

    2. This can include (but is not limited to):

      1. EC2 instances

      2. Databases

      3. Storage buckets (S3)

      4. Load balancers

    3. Having a comprehensive inventory will help you understand what’s at risk, and where you should focus

  2. Categorize your assets:

    1. Categorize based on criticality to your business; if this asset isn’t available for an hour, what happens? Do you lose tangible revenue?

    2. Start by categorizing as mission-critical, business-critical, and non-critical. For example:

      1. Mission critical: Application is required by end-users to generate any business with the company (ex. online app)

      2. Business critical: Application is required by internal employees to complete job functions, but can conduct work through alternate means for a short period of time without losing the entirety of a revenue stream (ex. HR portal)

      3. Non-critical: Application or process downtime does not result in direct business revenue loss when resolved within a 48-hour period (ex. company whiteboard software)

  3. Identify potential blast radius:

    1. For each critical asset, identify the systems that would be impacted if it were compromised, either through a malicious actor removing data or through the asset becoming unavailable to users

  4. Make changes:

    1. Based on your assessment, make changes to reduce impact of potential incidents

  5. Test and refine:

    1. Test security measures to make sure they’re working properly and adjust as necessary

    2. Consider regular penetration testing; we can help you with that
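Steps 1 through 3 above amount to building a dependency graph of your inventory and walking it downstream from each asset. The following is an added example (not code from the original post or from any product it mentions) that does exactly that over a small constructed inventory modelled on the lead-form chain described earlier; the asset names and tiers are made up for illustration.

```python
"""Blast-radius walk over a constructed asset inventory (added example)."""
from collections import deque

# Constructed inventory: asset -> (criticality tier, assets that consume its output).
# Mirrors the lead-form -> downstream-systems chain from the post; not a real environment.
INVENTORY = {
    "lead-form-api":   ("business-critical", ["crm-db"]),
    "crm-db":          ("mission-critical",  ["sales-dashboard", "customer-app"]),
    "sales-dashboard": ("business-critical", []),
    "customer-app":    ("mission-critical",  []),
    "hr-portal":       ("business-critical", []),
    "whiteboard":      ("non-critical",      []),
}

def blast_radius(inventory, origin):
    """Return every asset reachable downstream of `origin` (origin itself excluded).

    Breadth-first walk; the `seen` set also guards against dependency cycles.
    """
    seen, queue = {origin}, deque([origin])
    while queue:
        for downstream in inventory[queue.popleft()][1]:
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen - {origin}

def impact_summary(inventory, origin):
    """Count impacted downstream assets per criticality tier (step 3 of the post)."""
    summary = {"mission-critical": 0, "business-critical": 0, "non-critical": 0}
    for asset in blast_radius(inventory, origin):
        summary[inventory[asset][0]] += 1
    return summary

def rank_by_blast_radius(inventory):
    """Order assets by the damage their failure propagates: mission-critical hits
    first, then total downstream assets, then name. Top entries are where to
    focus the 'make changes' step."""
    def key(asset):
        s = impact_summary(inventory, asset)
        return (-s["mission-critical"], -sum(s.values()), asset)
    return sorted(inventory, key=key)

if __name__ == "__main__":
    for asset in rank_by_blast_radius(INVENTORY):
        print(f"{asset:16} {impact_summary(INVENTORY, asset)}")
```

Note that the business-critical lead-form API ranks above the mission-critical database: its own tier understates its blast radius because everything downstream depends on it.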

Starting from ground zero, it’s important to establish a security-first culture across your organization. This includes training your employees on the best security practices, implementing policies and procedures, and regularly monitoring and responding to infrastructure threats within the enterprise.

How can we help?

If you’re curious about how to explore the implications of your blast radius, reach out to us today. We provide a variety of cloud security resources, including:

Enumerator Security Assessment:

We conduct a thorough account-level security assessment to identify potential vulnerabilities and risks. This assessment includes an inventory of all assets and services made available to us, as well as an analysis of the existing policies within your cloud environment that may pose a risk to your enterprise.

Vulnerability Scanning:

We perform vulnerability scanning and penetration testing to identify potential weaknesses in the infrastructure. This includes testing the effectiveness of security controls and identifying potential attack vectors that could be exploited.

Threat Modeling:

We conduct threat modeling exercises to identify potential threats and assess the potential blast radius of each of your assets. This includes analyzing the impact of different types of incidents and identifying critical assets that could be impacted.

Risk Assessments:

We conduct comprehensive risk assessments to evaluate the likelihood and potential impact of different types of security events. These assessments include an analysis of your organization’s security posture and identification of improvement areas for reduction of blast radius.

Reporting and Recommendations:

We provide a detailed report that outlines the findings of your security assessment, vulnerability scanning, threat modeling, and risk assessment for any audience requested. We include recommendations and prioritization for improving organization policies and reducing blast radius at scale.

What next?

Contact us today to learn more about how we can help you reduce your blast radius.
