Jan 20 2022

3 Tips That Can Help Agencies Inventory Security Tools for a Zero-Trust Environment

Knowing which tools are already available to you can speed the process of improving cybersecurity.

The cybersecurity executive order issued by the Biden administration in May requires federal agencies to quickly develop a plan to adopt a zero-trust architecture, then implement that plan over the next few years. These requirements are aggressive and intended to make significant improvements happen soon.

Many defense agencies are well on their way toward zero-trust environments, but many civilian agencies are still in the early phases of planning.

The key step to adopting a zero-trust environment is knowing what’s in the environment you already have. Zero trust is all about protecting resources, which include everything from user identities and agency data to systems and software. Identifying all your resources and keeping that information up to date is a prerequisite for achieving zero trust.

One particularly important resource is security tools, which matter in several ways for zero-trust adoption. To prepare for the transition to a zero-trust environment, here are some actions that will help agencies create an inventory of those tools.


1. Make a Complete List of Agency Security Tools 

First, find out what types of security tools you already have. This isn’t a detailed inventory of which versions of each tool are deployed to each physical or virtual platform; that comes later.

Instead, this is a list of the security tools that your agency is using or could use in the near future — for example, products that are being procured or software that was recently acquired but hasn’t yet been deployed.

Your agency may already have a centralized list of security tools, in which case all you need to do is ensure it’s up to date. If it’s not, you may need to create a list by reviewing existing asset inventories, talking with or surveying IT and cybersecurity professionals across your agency, and checking active and recent procurements for security tools.

Be aware that some security tools are built into or preinstalled onto platforms; don’t forget to include them in your list.

Once your zero-trust architects know what security tools are already on hand, they can identify existing tools to use and others that should be replaced or retired. Zero-trust architects can also identify gaps where additional software is needed. Finally, the zero-trust environment must strongly secure the security tools themselves.


2. Enable Automation to Find Security Tools 

Next, use automation to find where security tools are installed or running on platforms connected to your networks. Your agency probably already has some asset management technologies or services in place to collect this information.

For example, the Cybersecurity and Infrastructure Security Agency offers the Continuous Diagnostics and Mitigation Program. CDM provides several asset management capabilities for agency use, including general software asset management and enterprise mobility management.

The CDM capabilities can identify software on agency networks only, however, so they aren’t sufficient for a full inventory.


Karen Scarfone Principal Consultant, Scarfone Cybersecurity

3. Look Outside the Network to Gather More Information 

Finally, use additional automation to find the security tools running outside your networks and collect more information about them. Your agency almost certainly has numerous security tools outside your agency’s networks, including cloud deployments, mobile devices and remote work platforms. Finding these security tools generally requires bringing together multiple lists compiled by disparate technologies: asset management products, vulnerability management solutions and other security tools themselves.

Agencies also need to collect additional information about all tools regardless of location, such as which versions are deployed and which platforms are running each version.

This information should be constantly collected through automated means to maintain a dynamic inventory that reflects what is used where, instead of a conventional static inventory that is updated a few times a year.

Static inventories are simply not acceptable for zero-trust environments. Dynamic inventory capabilities are also useful to verify that the necessary tool components are deployed at all times to all required endpoints, containers, etc.
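One way to bring the disparate lists together into a dynamic inventory and check it, shown as an added example rather than code from the article or from any product it mentions. The feed names, hostnames, tool names, versions, required-tool baseline and seven-day staleness threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample feeds: source names, hosts, tools and versions are hypothetical.
FEEDS = {
    "asset_mgmt": [
        {"host": "WS-001", "tool": "EDR Agent", "version": "7.2.1", "seen": "2022-01-20T09:00:00+00:00"},
        {"host": "WS-001", "tool": "Disk Encryption", "version": "3.0", "seen": "2022-01-19T09:00:00+00:00"},
        {"host": "LAPTOP-17", "tool": "Disk Encryption", "version": "3.0", "seen": "2021-11-02T09:00:00+00:00"},
    ],
    "vuln_scanner": [
        {"host": "ws-001", "tool": "edr agent", "version": "7.1.0", "seen": "2022-01-12T02:00:00+00:00"},
        {"host": "CLOUD-VM-3", "tool": "EDR Agent", "version": "7.2.1", "seen": "2022-01-18T02:00:00+00:00"},
    ],
    "edr_console": [
        {"host": "cloud-vm-3", "tool": "EDR Agent", "version": "7.2.1", "seen": "2022-01-20T11:00:00+00:00"},
    ],
}
REQUIRED = {"edr agent", "disk encryption"}   # assumed baseline for every host
NOW = datetime(2022, 1, 20, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)                   # assumed staleness threshold


def merge_feeds(feeds):
    """Merge per-source lists into {(host, tool): entry}, keeping the newest sighting."""
    inventory = {}
    for source, records in feeds.items():
        for rec in records:
            key = (rec["host"].strip().lower(), rec["tool"].strip().lower())
            seen = datetime.fromisoformat(rec["seen"])
            entry = inventory.setdefault(
                key, {"version": rec["version"], "seen": seen, "sources": set(), "versions": set()})
            entry["sources"].add(source)
            entry["versions"].add(rec["version"])
            if seen > entry["seen"]:
                entry["version"], entry["seen"] = rec["version"], seen
    return inventory


def findings(inventory, required, now, max_age):
    """Report required tools missing per host, stale records and version disagreements."""
    hosts = {host for host, _ in inventory}
    return {
        "missing": sorted((h, t) for h in hosts for t in required if (h, t) not in inventory),
        "stale": sorted(k for k, e in inventory.items() if now - e["seen"] > max_age),
        "version_conflicts": sorted(k for k, e in inventory.items() if len(e["versions"]) > 1),
    }


if __name__ == "__main__":
    for kind, items in findings(merge_feeds(FEEDS), REQUIRED, NOW, MAX_AGE).items():
        print(kind, items)
```

A version conflict here means two sources disagree about the same host and tool, which usually points to a lagging feed or a second installation and is worth reviewing before the record is trusted.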

Having a reasonably accurate and up-to-date inventory of all security tools throughout the agency is useful not only for designing a zero-trust architecture and implementing it but also for prioritizing vulnerability management actions (e.g., patching, security configuration) and other security controls within the zero-trust environment to safeguard the security tools themselves.

A compromise of a security tool could grant an attacker unauthorized access to and control of platforms throughout the enterprise, so it is particularly important to monitor the versions and configurations of security tools and rapidly address any identified vulnerabilities.
