1. Make a Complete List of Agency Security Tools
First, find out what types of security tools you already have. This isn’t a detailed inventory of which versions of each tool are deployed to each physical or virtual platform; that comes later.
Instead, this is a list of the security tools that your agency is using or could use in the near future — for example, products that are being procured or software that was recently acquired but hasn’t yet been deployed.
Your agency may already have a centralized list of security tools, in which case all you need to do is ensure it’s up to date. If it’s not, you may need to create a list by reviewing existing asset inventories, talking with or surveying IT and cybersecurity professionals across your agency, and checking active and recent procurements for security tools.
Be aware that some security tools are built into or preinstalled on platforms; don’t forget to include them in your list.
Once your zero-trust architects know what security tools are already on hand, they can identify existing tools to use and others that should be replaced or retired. Zero-trust architects can also identify gaps where additional software is needed. Finally, the zero-trust environment must strongly secure the security tools themselves.
2. Enable Automation to Find Security Tools
Next, use automation to find where security tools are installed or running on platforms connected to your networks. Your agency probably already has some asset management technologies or services in place to collect this information.
For example, the Cybersecurity and Infrastructure Security Agency offers the Continuous Diagnostics and Mitigation Program. CDM provides several asset management capabilities for agency use, including general software asset management and enterprise mobility management.
The CDM capabilities can identify software on agency networks only, however, so they aren’t sufficient for a full inventory.