When an asset (data or functionality) is added to the application, or some attribute of an asset changes (such as the data sensitivity being raised or access becoming more restrictive), you need to find out whether it is similar to an existing asset. If it is similar enough, the existing control can be used to protect that asset. If no control exists, you need to add a control to your design and to your threat model to protect the new asset.
This is a good time to consider whether applying the design principle of defense in depth makes sense. For example, maybe the new asset could be protected by an existing control but the risk of some compromise is so great that adding a complementary control to protect the asset reduces your risk to an acceptable level.
When an asset is removed from the application, it likely changes your threat model in a number of ways. Wherever the asset was at rest, a security control that existed for the sole purpose of protecting that asset may no longer be needed. That asset may have flowed through one or more components. So, when it is removed, the risk profile of those components may now be different.
An asset might have already existed but is now used in another part of the application. Questions to consider in this scenario include:
- If the asset represents some functionality, are controls still in place to protect access to that functionality?
- If the asset represents a piece of data, where is that asset flowing through the application’s components?
- Does it need to be protected while in transit? If so, are there existing controls that can be used to provide that protection?
- Will that asset be stored in some new location? If so, are there existing controls to protect the asset in its new location?
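The review described above can be run as a diff between two snapshots of the threat model. The following is an added example, not part of the original text; the snapshot format and every asset, component and control name in it are assumptions made for illustration.

```python
# Constructed sample snapshots; every asset, component and control name is hypothetical.
# at_rest: components storing the asset; flows: (source, destination) pairs it travels over.
OLD = {
    "assets": {
        "card_number": {"at_rest": {"billing_db"}, "flows": {("web", "billing_api")}},
        "legacy_export": {"at_rest": {"ftp_server"}, "flows": {("billing_api", "ftp_server")}},
    },
    "controls": {
        "tls_web_api": {"assets": {"card_number"}, "covers": ("web", "billing_api")},
        "db_encryption": {"assets": {"card_number"}, "covers": "billing_db"},
        "ftp_acl": {"assets": {"legacy_export"}, "covers": "ftp_server"},
    },
}
# New design: legacy_export is removed; card_number is now also sent to and stored in analytics_db.
NEW = {
    "assets": {
        "card_number": {"at_rest": {"billing_db", "analytics_db"},
                        "flows": {("web", "billing_api"), ("billing_api", "analytics_db")}},
    },
    "controls": OLD["controls"],  # controls have not been revisited yet
}

def uncovered(model):
    """Return (asset, location) pairs where no control covers that asset at that store or flow."""
    gaps = set()
    for name, asset in model["assets"].items():
        for loc in asset["at_rest"] | asset["flows"]:
            if not any(name in c["assets"] and c["covers"] == loc
                       for c in model["controls"].values()):
                gaps.add((name, loc))
    return gaps

def review(old, new):
    """Diff two snapshots into the follow-ups for added, moved and removed assets."""
    removed = old["assets"].keys() - new["assets"].keys()
    reassess = set()
    for name in removed:  # components a removed asset rested in or flowed through
        reassess |= old["assets"][name]["at_rest"]
        for flow in old["assets"][name]["flows"]:
            reassess.update(flow)
    # Controls whose protected assets no longer exist may no longer be needed.
    orphaned = {n for n, c in new["controls"].items() if c["assets"].isdisjoint(new["assets"])}
    return {"unprotected": uncovered(new), "orphaned_controls": orphaned,
            "reassess_components": reassess}

if __name__ == "__main__":
    for finding, items in review(OLD, NEW).items():
        print(finding, sorted(items, key=str))
```

Each finding is a prompt for a design decision rather than an automatic change: an orphaned control may still be wanted as defense in depth, and an unprotected location may be acceptable once the risk is assessed.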