OK, IT folks, here are two important questions: First question -- how many servers do you have? Second question -- are you sure?
We all know about the big servers that sit in the datacenter. They're relatively easy to count, even if the precise number can be somewhat ephemeral due to the nature of highly dynamic virtual infrastructures. If you're deeply into a cloud architecture, then the number of virtual machines can vary on a minute-by-minute basis. At the very least, though, you can send someone into the datacenter to count the number of boxes or blades in the racks. The problem, really, is defining the servers that aren't sitting in neat datacenter racks.
Let's look for a minute at a manufacturing assembly line. If the equipment on that line has a web interface that allows for management of its functions (or even reports its activities) through a user's browser, then it almost certainly is a web server as well as an injection molding machine, six-axis vertical milling machine, or whatever else it does as its primary function. How many of those do you have in your facilities?
How about the printers, fax machines (remember those?), and photocopiers sitting in your offices? If they've come into service in the last decade they almost certainly include web servers as part of the basic device functionality. You start to get the picture...
The fact is that small, powerful CPUs and integrated systems have made it possible to include a full web server in a package not much bigger than the physical power and network connectors required for the system. With more and more employees working from the road and wanting to keep tabs on equipment at company locations, the number of web servers in the enterprise is skyrocketing. That's one level of the problem. The next level is the number of firewall rules and exceptions required to allow those employees to see the web pages when they're sipping their half-caf, no-foam, non-fat, soy lattes at their favorite coffee shop.
Here's the real question: You have a plan and a process in place for your "real" servers -- do you even have a process in place for figuring out whether a web server exists in every other product you buy? How about the products that your line-of-business groups buy on their own authority? Worried yet?
OK, how about this: What are you going to do when the printer you supply to work-at-home employees violates the terms of service for their ISP (you know, the ToS that says you can't run a server from your home)? I think you're starting to see the size of the problem.
The only logical course of action at this point is to assume that pretty much everything you bring into the enterprise has a web server attached. New assembly line? Fleet of web servers. New printer? Web server. Box of paper clips? Web server.
What you need (aside from, perhaps, slightly less-connected paper clips) is a set of policies that allow secure access to the devices with a legitimate need to share their information, positively (and securely) shut down the web servers on those devices that don't, and provide guidance on how to tell the difference.
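One way to turn that policy into a repeatable check, as an added example that is not part of the original post: reconcile an asset inventory (constructed sample records below, in an assumed format with name, address, listening ports and owning group) against an approved-remote-access list, and answer both questions at once: how many web servers you have, and what to do about each one.

```python
"""Reconcile a device inventory against an embedded-web-server policy.

Sample data and field names are constructed for this example; the
inventory format and the approved-access table are assumptions.
"""
from dataclasses import dataclass, field

# Ports commonly used by embedded management interfaces (assumption).
HTTP_PORTS = {80, 443, 8080, 8443}

# Policy table (assumed): devices with a legitimate need to share their
# information remotely, mapped to the only path they may be reached through.
APPROVED_REMOTE = {"molding-line-3": "vpn-gateway"}


@dataclass
class Device:
    name: str
    ip: str
    open_ports: set = field(default_factory=set)
    owner: str = ""  # business group that bought it; "" if nobody admits to it


def has_web_server(dev: Device) -> bool:
    """A device counts as a web server if it listens on any HTTP port."""
    return bool(dev.open_ports & HTTP_PORTS)


def classify(dev: Device) -> str:
    """Return the policy action for one device."""
    if not has_web_server(dev):
        return "no-web-interface"
    if not dev.owner:
        return "investigate:unknown-owner"  # can't judge need without an owner
    if dev.name in APPROVED_REMOTE:
        return f"allow-only-via:{APPROVED_REMOTE[dev.name]}"
    return "disable-web-interface"  # has a server, no approved need to share


def reconcile(devices):
    """Map each device name to its action and count the web servers found."""
    actions = {d.name: classify(d) for d in devices}
    return actions, sum(has_web_server(d) for d in devices)


# Constructed inventory: one assembly-line controller, one office printer,
# one device nobody owns, one plain workstation.
SAMPLE = [
    Device("molding-line-3", "10.20.0.7", {80, 443}, "manufacturing"),
    Device("copier-2f", "10.30.1.12", {9100, 443}, "facilities"),
    Device("unknown-0a1b", "10.30.1.99", {8080}),
    Device("ws-dev-14", "10.40.2.5", {22}, "engineering"),
]

if __name__ == "__main__":
    for name, action in reconcile(SAMPLE)[0].items():
        print(f"{name:16} {action}")
```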
So, back to the original question: How many servers do you have? Is it even important to know the number at this point? I'd love to know how you and your organization are dealing with this issue -- meet me in the comments to let me know.