Given the Federal government’s rapid shift to telework since the onset of the COVID-19 pandemic and the larger attack surface that working from home creates, there is a significantly greater need for government to take a fresh look at addressing the most fundamental cybersecurity challenges.
To enable the Federal workforce, agencies must provide their employees the assets they need, even in a remote setting. This highlights the importance of cybersecurity asset management for the public sector – especially when planning ahead for asset reclamation once a return to the traditional workplace is possible.
But what does asset management specifically involve and how should agencies approach future-proofing their current security strategies?
Defining Successful Asset Management
Asset management involves maintaining an accurate inventory of all IT assets, discovering security gaps related to each asset’s presence or configuration, and enforcing security requirements to quickly resolve the identified gaps.
With increased migration to the public cloud and use of Internet of Things (IoT) devices, agencies need to prioritize managing their IT infrastructure and cybersecurity tools. The good news is that most agencies already have IT and security systems that keep track of at least a portion of the organization’s assets. However, these systems typically exist as data silos – they require burdensome efforts to get a unified, actionable view of asset details across multiple systems.
An agency must answer the six essential questions about every asset it owns in order to successfully define asset management: What is the asset? Where is the asset located? Is the asset managed? Is the core software up to date? Is there additional software installed? Does the asset adhere to the security policy?
The key word is “management,” which means understanding every aspect of the environment is critical for enabling an organization’s assets.
Avoiding Potential Repercussions
Asset visibility issues persist because it’s difficult for agencies to take a step back and build the foundation for their cybersecurity programs.
“One key focus for most agencies and businesses in the world today is largely moving their applications and their tools to the cloud,” said Bobby McLernon, Vice President of Federal Sales, Axonius. “There are a couple of challenges that go along with that. First is creating compliance with your cloud effort that parallels your security compliance. Second is finding the right people to help you get assets to the cloud.”
If these challenges aren’t solved, poor asset management could lead to two types of problems: increased risk and a higher operational burden. Insufficient security practices threaten the entire agency by increasing the risk of stolen data and compromising sensitive information. With regard to operational burden, agencies struggle to implement an automated, efficient, and accurate method to produce compliant inventories, which in turn wastes human capital resources.
To tackle those problems, recommendations for organizations include: querying vast amounts of data from disparate sources; identifying unmanaged assets; knowing which managed assets are missing agents; discovering and detailing new devices automatically; and developing communication and issue-resolution consistency.
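The correlation these recommendations describe can be sketched as follows; this is an added example, not code from the article or from any vendor product. The three data sources, their field names and all records are constructed assumptions standing in for a network scan, an asset inventory (CMDB) and a security agent console.

```python
def norm_mac(mac: str) -> str:
    """Normalize MAC notations (aa:bb.., AA-BB.., aabb.ccdd..) to 12 lowercase hex chars."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

# Constructed sample records standing in for three siloed systems (assumed schema).
NETWORK_SCAN = [  # what is actually observed on the network
    {"mac": "00:1A:2B:3C:4D:01", "ip": "10.0.0.11", "hostname": "lt-0101"},
    {"mac": "00-1a-2b-3c-4d-02", "ip": "10.0.0.12", "hostname": "lt-0102"},
    {"mac": "001a.2b3c.4d03", "ip": "10.0.0.13", "hostname": ""},
]
CMDB = [  # what the agency believes it owns and manages
    {"mac": "001A2B3C4D01", "hostname": "lt-0101", "owner": "jdoe"},
    {"mac": "001A2B3C4D02", "hostname": "lt-0102", "owner": "asmith"},
    {"mac": "001A2B3C4D04", "hostname": "lt-0104", "owner": "bwong"},
]
EDR_AGENTS = [  # endpoints currently reporting to the security agent console
    {"mac": "00:1a:2b:3c:4d:01", "hostname": "lt-0101"},
]

def correlate(network, cmdb, edr):
    """Merge records by normalized MAC and track which sources saw each asset."""
    assets = {}
    for source, rows in (("network", network), ("cmdb", cmdb), ("edr", edr)):
        for row in rows:
            key = norm_mac(row["mac"])
            asset = assets.setdefault(key, {"mac": key, "sources": set()})
            asset["sources"].add(source)
            for field, value in row.items():
                if field != "mac" and value:
                    asset.setdefault(field, value)  # first non-empty value wins
    return assets

def find_gaps(assets):
    """Return sorted MAC lists: (unmanaged, managed but no agent, inventoried but unseen)."""
    unmanaged = sorted(m for m, a in assets.items() if "cmdb" not in a["sources"])
    missing_agent = sorted(m for m, a in assets.items()
                           if "cmdb" in a["sources"] and "edr" not in a["sources"])
    not_seen = sorted(m for m, a in assets.items()
                      if "cmdb" in a["sources"] and "network" not in a["sources"])
    return unmanaged, missing_agent, not_seen

if __name__ == "__main__":
    unmanaged, missing_agent, not_seen = find_gaps(correlate(NETWORK_SCAN, CMDB, EDR_AGENTS))
    print("unmanaged (on network, not in inventory):", unmanaged)
    print("managed but missing agent:", missing_agent)
    print("in inventory, not seen on network:", not_seen)
```

The third list (inventoried but never observed) is the one that matters for reclaiming equipment issued for telework.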
Recommendations for Future-Proofing Cybersecurity
The public sector represents a massive total asset inventory given that typical government asset counts are between three and five assets per person. From the perspective of asset management, agencies will greatly benefit from having tools migrated to the cloud – the goal is for systems to be light, agentless, and larger-scaled.
McLernon also stresses the significance of adopting zero trust policies. “Security’s approach should be: trust nothing and examine everything,” he said. “Let’s establish what we have in our infrastructure and also, understand the gaps and how to fix them.”
As agencies look toward future-proofing their security strategies, lessons can be learned from a collaboration between public and private sectors. While the private sector could learn from the scale of Federal IT infrastructure, the public sector could learn how to develop better efficiency.
“You have to consider that the private sector is for profit, so they use fewer and fewer tools to achieve the same compliance and security measures as public sector organizations on a daily basis,” explained McLernon. “And they’ve managed to meet those goals because they’re trying to create a profit margin – a plateau of profitability.”
If the public sector could make this shift to fewer tools while meeting the same compliance requirements, operations and budgets could be better managed for more effective asset management.