Feb 08 2022

To Build a Zero-Trust Environment, Start with an Inventory of What You Own

Knowing which tools are already available to you can speed the process of improving cybersecurity.

Businesses of all sizes have been moving aggressively toward adopting zero-trust security environments for several years now, and for good reason. A zero-trust architecture does not assume that internal traffic is safe; it requires ongoing authentication from users and devices whenever they want to access network resources.

That’s a good thing, because about 20 percent of security breaches involve internal actors and 61 percent involve compromised credentials, according to Verizon’s “2021 Data Breach Investigations Report.”

At the same time, the pandemic has transformed many businesses into remote-first organizations; Upwork’s “Future Workforce Report 2021” estimated that 40.7 million Americans, or about 28 percent of the total U.S. workforce, would be fully remote by 2025, with millions more working remotely at least part time.

This has turned the whole idea of perimeter-based security on its head. Yet even two years since the start of the pandemic, many businesses remain in the early phases of transitioning to zero trust.

Zero trust is all about protecting resources, which include everything from user identities and organizational data to systems and software, so the first step to adoption is knowing what’s in your current environment. Identifying all your resources and keeping that information up to date is a prerequisite for achieving zero trust.

Click the banner to learn more about the benefits of a zero-trust security strategy.

One particularly important resource is an organization’s security tools, which matter in several ways. To prepare for the transition to a zero-trust environment, here are some actions that will help organziations create an inventory of those tools.

Make a Complete List of Security Tools

First, find out what types of security tools you already have. This initial list isn’t a detailed inventory of which versions of each tool are deployed to each physical or virtual platform; that comes later.

Instead, this is a simple list of the security tools that your business is using or could use in the near future; for example, products that are being procured or software that was recently acquired but hasn’t yet been deployed.

Your organization may already have a central list of security tools, in which case all you need to do is ensure it’s up to date. If it’s not, you may need to create a list by reviewing existing asset inventories, talking with or surveying IT and cybersecurity professionals across the business, and checking active and recent procurements for security tools.

Be aware that some security tools are preinstalled or built in to platforms; don’t forget to include them in your list.

Once you know what security tools are already on hand, identify which tools to use and which tools should be replaced or retired. You should also identify gaps where additional software is needed and ensure the tools themselves are secure.

Next, use automation to find where security tools are installed or running on platforms connected to your networks. The business many already have some asset management technologies or services in place to collect this information.

MORE SECURITY: Discover how to implement zero trust in your organization.

Look Closer at What Is Outside the Network

Finally, use additional automation to find the security tools running outside your networks and collect more information about them.

Your organization almost certainly has numerous security tools outside its networks, including cloud deployments, mobile devices and remote work platforms. Finding these security tools generally requires bringing together multiple lists compiled by disparate technologies: asset management products, vulnerability management solutions and other security tools.

Organizations also need to collect additional information about all tools regardless of their location, such as which versions are deployed and which platforms are running each version.

This information should be constantly collected using automation to maintain a dynamic inventory that reflects what is used where, instead of a conventional, static inventory that is updated a few times a year.

Static inventories are simply not acceptable for zero-trust environments. A dynamic, continuously updated inventory can verify that the necessary tools are deployed at all times to the organization’s various endpoints, containers and other network components.

Having a reasonably accurate and up-to-date inventory of all security tools throughout the business is useful not only for designing and implementing a zero-trust architecture, but also for prioritizing vulnerability management actions (such as patching and security configuration) and other security controls within the environment to safeguard the security tools themselves.

A compromised security tool could grant an attacker unauthorized access to and control of platforms throughout the enterprise, so it is particularly important to monitor the versions and configurations of security tools and rapidly address any vulnerabilities you find.

iambuff/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.