3 Tips That Can Help Agencies Inventory Security Tools for a Zero-Trust Environment

1. Make a Complete List of Agency Security Tools 

First, find out what types of security tools you already have. This isn’t a detailed inventory of which versions of each tool are deployed to each physical or virtual platform; that comes later.

Instead, this is a list of the security tools that your agency is using or could use in the near future — for example, products that are being procured or software that was recently acquired but hasn’t yet been deployed.

Your agency may already have a centralized list of security tools, in which case all you need to do is ensure it’s up to date. If it’s not, you may need to create a list by reviewing existing asset inventories, talking with or surveying IT and cybersecurity professionals across your agency, and checking active and recent procurements for security tools.

Be aware that some security tools are built into or preinstalled onto platforms; don’t forget to include them in your list.

Once your zero-trust architects know what security tools are already on hand, they can identify existing tools to use and others that should be replaced or retired. Zero-trust architects can also identify gaps where additional software is needed. Finally, the zero-trust environment must strongly secure the security tools themselves.

DIVE DEEPER: Follow these best practices to protect data via a zero-trust architecture.

2. Enable Automation to Find Security Tools 

Next, use automation to find where security tools are installed or running on platforms connected to your networks. Your agency probably already has some asset management technologies or services in place to collect this information.

For example, the Cybersecurity and Infrastructure Security Agency offers the Continuous Diagnostics and Mitigation Program. CDM provides several asset management capabilities for agency use, including general software asset management and enterprise mobility management.

The CDM capabilities can identify software on agency networks only, however, so it isn’t sufficient for a full inventory.

3. Look Outside the Network to Gather More Information 

Finally, use additional automation to find the security tools running outside your networks and collect more information about them. Your agency almost certainly has numerous security tools outside your agency’s networks, including cloud deployments, mobile devices and remote work platforms. Finding these security tools generally requires bringing together multiple lists compiled by disparate technologies: asset management products, vulnerability management solutions and other security tools themselves.

Agencies also need to collect additional information about all tools regardless of location, such as which versions are deployed and which platforms are running each version.

This information should be constantly collected through automated means to maintain a dynamic inventory that reflects what is used where, instead of a conventional static inventory that is updated a few times a year.

Static inventories are simply not acceptable for zero-trust environments. Dynamic inventory capabilities are also useful to verify that the necessary tool components are deployed at all times to all required endpoints, containers, etc.

Having a reasonably accurate and up-to-date inventory of all security tools throughout the agency is useful not only for designing a zero-trust architecture and implementing it but also for prioritizing vulnerability management actions (e.g., patching, security configuration) and other security controls within the zero-trust environment to safeguard the security tools themselves.

A compromise of a security tool could grant an attacker unauthorized access to and control of platforms throughout the enterprise, so it is particularly important to monitor the versions and configurations of security tools and rapidly address any identified vulnerabilities.