One foundational element of Zero Trust security is knowing what you have. You need an IT asset inventory. This inventory should tell you:
- What you have (hardware, OS, applications)
- Where you have it
- What is connected to what (physically or virtually)
Assembling an IT asset inventory is hard, detailed work. That fact makes you want to put it on the “we will get to that later” list. I agree. Creating an IT asset inventory is hard work. But it gets easier over time. And it provides you with the information you will need to make other Zero Trust security decisions, such as where to segment your network.
Now, when I talk about IT asset inventory, I am leaving aside important topics like warranty status and device age. Managing device replacement, warranty service and software licensing is all important. It just is not related to managing for security.
Whenever I ask an IT Manager for their IT asset inventory report, I usually get an Excel file in return. This does not surprise me. (Excel, after all, is the number one choice for list-making.) I do hope that I am getting an Excel export from an IT asset management system, and not confirming that Excel is the organization’s IT asset inventory tool.
Get a Good IT Asset Inventory Tool
If you raised your hand when I asked who was using Excel as their IT asset inventory tool… Well, thanks for being honest about it. Now, go get a proper IT asset management tool. There are several on the market. ManageEngine makes variations of the same tool (Asset Explorer at the simpler end, Service Desk Plus at the highly functional end). Microsoft has Intune, part of its Enterprise Mobility + Security suite. We have talked at length about Intune, mainly because of the integration possibilities with other Microsoft cloud security tools (hello, Conditional Access).
Get whatever tool works for you. Just make sure it can manage all the devices that are part of your IT asset inventory—Macs, iOS and Android devices, Windows devices, etc.
Discover and Catalog Your Devices
Maybe your organization puts an asset tag on every IT device it owns. If so, congratulations! However, it can be hard to do that consistently. Users tend to buy stuff that you would want to know about. So, think of asset tagging as the first opportunity to “discover” a device rather than the only opportunity.
IT asset inventory tools will have the capability to automatically discover what devices are out there. Before 2020, the simplest way was to discover what was attached to the organization’s network. That is still a valid approach (more so as staff begin to work in the office). But when we all ran from the building at the beginning of the pandemic, we unplugged our devices and took them with us. From that point, not much was connected to the network.
These IT asset inventory tools can still help when devices are outside of the network. First, if devices connect via VPN, they can be discovered. Second, IT asset inventory tools are typically able to “enroll” devices. Enrollment is not as automatic as network discovery (users may have to be involved), but it is still a reliable way to find devices. And users will often be motivated to enroll their device so that they can get to the data they need.
Keep Your IT Asset Data Current
In the process of penetration testing, we often discover devices that IT thought had been retired. In one case, we suspected that a bunch of devices were eavesdropping on the customer’s network. It turned out the devices were IP phones that had not been considered before. In other cases, we find laptops and servers that were (erroneously) thought to have been decommissioned.
The lesson here is to be diligent with your IT asset inventory. Make sure devices that have been retired are removed from the network. Equally, make sure you know when new devices are added.
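One way to make that diligence routine is to reconcile the asset tool's export against what discovery actually sees on the network. The script below is an added example, not code from the original post or from any product named above; the CSV column names, MAC addresses and hostnames are constructed sample data, and the two exports stand in for whatever your asset tool and your DHCP/ARP/switch data actually produce.

```python
import csv
import io

# Constructed sample export from the asset management tool (hypothetical columns).
INVENTORY_CSV = """asset_tag,hostname,mac,status
A-1001,ws-finance-01,00:11:22:33:44:01,active
A-1002,srv-file-01,00:11:22:33:44:02,retired
A-1003,lt-sales-07,00:11:22:33:44:03,active
"""

# Constructed sample of what network discovery observed (e.g. a DHCP lease export).
OBSERVED_CSV = """mac,ip,hostname
00-11-22-33-44-01,10.0.1.10,ws-finance-01
00:11:22:33:44:02,10.0.1.11,srv-file-01
00:11:22:33:44:09,10.0.1.50,phone-lobby
"""


def normalize_mac(mac: str) -> str:
    """Different tools format MACs differently; compare on one canonical form."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory_csv: str, observed_csv: str) -> dict:
    """Compare inventory against observed devices and return three findings lists.

    unknown:             on the network but not in inventory (new device to catalog)
    retired_but_present: inventory says retired, yet it still talks on the network
    not_seen:            active in inventory but not observed; often just off-site,
                         so lower priority, but worth a periodic look
    """
    inventory = {normalize_mac(r["mac"]): r
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    observed = {normalize_mac(r["mac"]): r
                for r in csv.DictReader(io.StringIO(observed_csv))}

    unknown = sorted(m for m in observed if m not in inventory)
    retired_but_present = sorted(
        m for m in observed
        if m in inventory and inventory[m]["status"].strip().lower() == "retired")
    not_seen = sorted(
        m for m, r in inventory.items()
        if r["status"].strip().lower() == "active" and m not in observed)
    return {"unknown": unknown,
            "retired_but_present": retired_but_present,
            "not_seen": not_seen}


if __name__ == "__main__":
    for finding, macs in reconcile(INVENTORY_CSV, OBSERVED_CSV).items():
        print(f"{finding}: {macs}")
```

Run it against each day's discovery export and the first two lists become your work queue: catalog the unknowns, and pull the "retired" devices off the network or correct their status.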
Resist the urge to ignore your IT asset inventory. Put the work in to get a handle on it. You will see the payoff when you start implementing more Zero Trust security capabilities.