By Tom Kennedy, vice president, Axonius Federal Systems
Amid the many changes since the beginning of the second Trump Administration, the need to implement zero trust best practices remains constant. Indeed, adherence to zero trust frameworks has never been more critical as the number and sophistication of cybersecurity threats increase.
The United States DOGE Service authorizes federal cybersecurity managers to “modernize federal technology and software to maximize efficiency and productivity.” Managers should take this opportunity to accelerate and optimize their zero trust journeys.
Streamlining the Path to Zero Trust
That may seem counterintuitive. After all, many agencies consider zero trust complex and challenging to implement. However, zero trust does not have to be overly complicated as long as agencies focus on investing in a few best practices, including:
- Strictly controlling access to devices and applications
- Continuously checking for vulnerabilities
- Monitoring application usage and users’ behaviors
- Developing a comprehensive inventory of all network assets
Developing an asset inventory is the most critical of these practices, but it’s hard to accomplish due to the size and complexity of asset ecosystems. The typical agency might have thousands of hardware and software assets using its network daily. As that number grows, security managers will find it increasingly challenging to gain total asset visibility and struggle to secure assets efficiently and effectively.
However, as the adage says, “you cannot secure what you cannot see.” Security managers who cannot visualize and gain business-level context around all their assets will be unable to completely uncover security gaps or implement security policies, leaving their agencies exposed and vulnerable.
Traditional security approaches are ineffective for a sprawling asset environment. They are labor-intensive, error-prone and unable to keep pace with the dynamic nature of today’s federal IT infrastructure. They are the antithesis of the U.S. DOGE Service’s intent to “maximize governmental efficiency and productivity.”
The Role of Automation in Asset Management
Agencies do not have the personnel power or time to hunt down and inventory every asset. Even if they did, security managers would be better off directing their expertise to more value-added tasks, like developing and enforcing cybersecurity policies and strategies that advance their zero trust initiatives.
Automating IT asset management is essential for efficiently building a strong zero trust posture. With automation, asset data can be aggregated and correlated, and accurate asset inventories can be quickly created and updated. Automated IT asset management is also the most efficient and effective way to check for security gaps, monitor for managed and unmanaged devices, and ensure assets comply with established security policies at all times.
Obtaining an accurate inventory of all assets is just the beginning. Managers also need to know if those devices are up to date with security patches or whether they are prone to known vulnerabilities. They need to know the software-as-a-service applications users might access through their phones, laptops and tablets, and how those could impact the agency. Finally, they must ensure all assets comply with their agencies’ security policies.
Automation plays a role in this process, too. Systems can monitor each of these potential issues. Security managers can be alerted in case of a problem so they can investigate, or the system can automatically remediate the issue without human intervention. Either way, asset security management becomes much more manageable, allowing managers to maximize their productivity while maintaining organizational security and building and strengthening their zero trust frameworks.
Automating Reporting & Continuous Compliance
Apart from day-to-day security management, agencies must also continue to report compliance with the Office of Management and Budget cybersecurity memorandum M-24-04 and the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01, among others. Both directives require agencies to comprehensively understand all devices connected to their networks, identify devices affected by common vulnerabilities and exposures, or CVEs, and routinely report their security status to the oversight agencies.
Once again, automation is essential because manually submitting reports to CISA and OMB is not an option. Both agencies mandate the automation of reports to ensure timely, efficient delivery and accurate reporting. Automated reporting ensures the reports are comprehensive, detailed, correct and expedited.
Automation is not just a best practice for external reporting, however. The ability to automatically generate asset inventory reports at preset intervals helps agencies maintain continuous awareness of their network assets. These updated insights can help managers proactively streamline asset inventories and fix potential vulnerabilities before reporting to governing agencies. They allow agencies to maintain continuous compliance with federal cybersecurity mandates.
The Security & Financial Impact of Automated Asset Management
Automated asset management and monitoring have significantly and positively impacted agencies from a security and financial perspective. For example:
- One Department of Defense agency saved hundreds of thousands of dollars in software costs simply by uncovering unused software licenses.
- Another organization recovered millions of dollars that would have otherwise been spent on unnecessary Java licenses.
- Yet another Cabinet-level agency reduced incident response time from eight weeks to eight hours because it automated management of its attack surface.
These proven techniques move agencies closer to achieving their efficiency and security goals, which do not need to be mutually exclusive. Organizations can streamline their operations and boost their security profiles simultaneously, even in times of great upheaval like today.
Agencies can seize this moment to innovate and grow their zero trust frameworks efficiently. By adhering to established best practices and automating wherever possible, agencies can advance their cybersecurity missions in productive and meaningful ways.
