Modern collaboration accelerates processes and increases digital attack surfaces. The «Attack Surface Reduction (ASR)» approach establishes minimum security settings (baselines) and automated measures in everyday operations. Potential vulnerabilities are thus identified, assessed according to their risk, mitigated, and continuously monitored. ASR covers all assets, settings, and processes, aiming for sustainable protection instead of one-off security projects.
Digital division of labor is common practice today: it takes place via globally distributed teams, mobile devices, and the introduction of new functionality. This development not only increases productivity, but also complexity. Technical settings change, special cases become more frequent, and gaps arise between rules – a fertile ground for security risks.
This is where ASR comes into play. The method uses existing security features consistently and defines a target state. Deviations from that state are automatically corrected. Instead of a one-off project, the PDCA cycle (Plan, Do, Check, Act) is applied, gradually reducing the attack surface.
The following three principles characterize ASR:
Standardize: Baselines define how digital identities, devices, and services are configured. They promote traceability and shared understanding across teams.
Harden: Deviations are identified and prioritized in order to deal with critical points first and automate routine processes. This allows efficient use of resources.
Automate: Recurring adjustments are documented in playbooks, so that implementation remains consistent regardless of responsibilities.
These principles support the day-to-day business in which security decisions are made.
ASR takes into account the interplay of onboarding, device lifecycle, project changes, and updates and integrates these into routines. This not only leads to less ticket ping-pong, but also to reports that prove the impact of ASR. At the same time, it becomes clear which measures are effective and where there is a need for adjustment.
According to Andreas Achterholt, Lead Managed Cybersecurity Services at Adnovum, project experience shows that ASR is not about which tool to choose. ASR is more of an operating model. Its added value is created where baselines are consistently defined, deviations are made transparent, and adjustments are automatically integrated into standard operation.
«Many companies have powerful security features in place. However, it is crucial to use them consistently and operate them continuously. ASR helps make security measurable and maintain it over the long term – even with limited resources.» Andreas Achterholt
While security requirements are increasing, the number of security specialists remains limited. Automation helps cushion this imbalance: periodic measures are standardized and regulatory requirements are reliably met. This frees up time for tasks that require human judgment and thereby creates a stable basis for data-based innovation and AI.
Implementation takes place in three steps:
Assessment of the current situation, including clear prioritization of the findings.
Pilot project with a limited number of devices and accounts: baselines are activated, automatic corrections are tested, and communication channels are checked.
Transition to standard operation with monthly intervals: This enables transparency, ongoing adjustments, and measurable progress.
The barrier to entry is low. For higher security, it is usually sufficient to fully leverage the potential of existing functionality. The decisive factor here is not the tool, but its application according to clearly defined rules. Standardized procurement channels via cloud marketplaces reduce the interfaces between technology, procurement, and compliance, thereby facilitating an organized start.
The ultimate goal is the ability to act. A smaller attack surface protects day-to-day business and speeds up projects. ASR offers a practical framework for this: unobtrusive in appearance, effective in implementation. Those who consider security as a standard rather than a state of emergency create sustainable stability and a foundation for future developments.
A shorter version of this article (German) was published in Computerworld on December 12, 2025.