One particularly important resource is an organization’s security tools, which matter in several ways. To prepare for the transition to a zero-trust environment, here are some actions that will help agencies create an inventory of those tools.
Make a Complete List of Security Tools
First, find out what types of security tools you already have. This initial list isn’t a detailed inventory of which versions of each tool are deployed to each physical or virtual platform; that comes later.
Instead, this is a simple list of the security tools that your agency is using or could use in the near future; for example, products that are being procured or software that was recently acquired but hasn’t yet been deployed.
Your organization may already have a central list of security tools, in which case all you need to do is ensure it’s up to date. If it’s not, you may need to create a list by reviewing existing asset inventories, talking with or surveying IT and cybersecurity professionals across the business, and checking active and recent procurements for security tools.
Be aware that some security tools are preinstalled or built in to platforms; don’t forget to include them in your list.
Once you know what security tools are already on hand, identify which tools to use and which tools should be replaced or retired. You should also identify gaps where additional software is needed and ensure the tools themselves are secure.
Next, use automation to find where security tools are installed or running on platforms connected to your networks. The business may already have some asset management technologies or services in place to collect this information.
Look Closer at What Is Outside the Network
Finally, use additional automation to find the security tools running outside your networks and collect more information about them.
Your organization almost certainly has numerous security tools outside its networks, including cloud deployments, mobile devices and remote work platforms. Finding these security tools generally requires bringing together multiple lists compiled by disparate technologies: asset management products, vulnerability management solutions and other security tools.
Organizations also need to collect additional information about all tools regardless of their location, such as which versions are deployed and which platforms are running each version.
This information should be constantly collected using automation to maintain a dynamic inventory that reflects what is used where, instead of a conventional, static inventory that is updated a few times a year.
Static inventories are simply not acceptable for zero-trust environments. A dynamic, continuously updated inventory can verify that the necessary tools are deployed at all times to the organization’s various endpoints, containers and other network components.
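A minimal sketch of the merge-and-verify step described above, added here as an illustration and not taken from any product: it combines two constructed exports (one from asset management, one from vulnerability management) into a single inventory, then reports hosts where a required tool is missing or has not been observed recently. The field names, host names, tool names and the required baseline are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample exports; field, host and tool names are assumptions.
ASSET_MGMT = [
    {"host": "laptop-01", "tool": "edr-agent", "version": "7.2.1", "seen": "2024-05-01T09:00:00+00:00"},
    {"host": "laptop-01", "tool": "disk-encryption", "version": "3.0", "seen": "2024-05-01T09:00:00+00:00"},
    {"host": "cloud-vm-7", "tool": "edr-agent", "version": "7.1.0", "seen": "2024-04-01T09:00:00+00:00"},
]
VULN_MGMT = [
    {"host": "LAPTOP-01", "tool": "EDR-Agent", "version": "7.3.0", "seen": "2024-05-02T09:00:00+00:00"},
    {"host": "phone-22", "tool": "disk-encryption", "version": "3.0", "seen": "2024-05-02T09:00:00+00:00"},
]
REQUIRED = {"edr-agent", "disk-encryption"}  # hypothetical baseline

def merge(feeds):
    """Merge {source: records} into {host: {tool: record}}, keeping the newest sighting."""
    inv = defaultdict(dict)
    for source, records in feeds.items():
        for r in records:
            # Normalise names so the same host reported by two tools collapses to one key.
            host, tool = r["host"].strip().lower(), r["tool"].strip().lower()
            seen = datetime.fromisoformat(r["seen"])
            cur = inv[host].get(tool)
            if cur is None or seen > cur["seen"]:
                inv[host][tool] = {"version": r["version"], "seen": seen, "source": source}
    return dict(inv)

def gaps(inv, required, now, max_age):
    """Hosts where a required tool is absent or has not been observed recently."""
    out = {}
    for host, tools in inv.items():
        missing = sorted(required - set(tools))
        stale = sorted(t for t in required & set(tools) if now - tools[t]["seen"] > max_age)
        if missing or stale:
            out[host] = {"missing": missing, "stale": stale}
    return out

def versions(inv, tool):
    """Map each deployed version of a tool to the hosts running it."""
    by_ver = defaultdict(list)
    for host, tools in inv.items():
        if tool in tools:
            by_ver[tools[tool]["version"]].append(host)
    return {v: sorted(hosts) for v, hosts in by_ver.items()}

if __name__ == "__main__":
    inv = merge({"asset_mgmt": ASSET_MGMT, "vuln_mgmt": VULN_MGMT})
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed so the run is repeatable
    print(gaps(inv, REQUIRED, now, timedelta(days=7)))
    print(versions(inv, "edr-agent"))
```

Run on a schedule against live exports, the same checks turn the inventory into a continuous control: a host that drops out of every feed shows up as stale instead of silently keeping its last known state.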
Having a reasonably accurate and up-to-date inventory of all security tools throughout the agency is useful not only for designing and implementing a zero-trust architecture, but also for prioritizing vulnerability management actions (such as patching and security configuration) and other security controls within the environment to safeguard the security tools themselves.
A compromised security tool could grant an attacker unauthorized access to and control of platforms throughout the enterprise, so it is particularly important to monitor the versions and configurations of security tools and rapidly address any vulnerabilities you find.