[ABVM①] Zero Trust Preconditions: Asset Identification and Inventory
- 위드네트웍스 WITHNETWORKS
Adding context to asset information is essential for effective asset management

Today, companies invest heavily in cutting-edge security solutions and operate security operation centers around the clock. They have built formidable walls and armed them with the latest weapons, yet ironically, they lack an accurate map of what is inside the fortress.
According to Verizon's "2024 Data Breach Investigations Report," many breaches stem not from the latest zero-day attacks but from vulnerabilities in systems left unpatched or neglected by administrators over a long time. This suggests that while building high walls against external enemies, threats quietly grow through forgotten passages and unmanaged storage inside the fortress.
In the sweeping tide of Digital Transformation, corporate IT infrastructures are expanding at unprecedented speeds. Cloud, containers, IoT, and remote work environments enhance business agility but also create complexity and novel attack surfaces previously unimaginable.
The problem is that security visibility has not kept up with this expansion. Many companies cannot accurately account for all their digital assets. The situation is like driving in dense fog: you keep your distance from the one car you can see ahead, yet crash into obstacles you cannot see.
Industry experts point out that most companies lack complete IT asset visibility and fail to recognize the severity of this issue. The outdated belief that “firewalls and antivirus are enough” no longer holds in an era where invisible assets pose the greatest risk to organizations.

Expanding Attack Surfaces and Security Blind Spots
Traditional security models are based on clear perimeters: protecting internal assets from external threats via castle-and-moat style firewalls and antivirus on internal PCs. However, modern IT environments render these boundaries meaningless and create new security blind spots.
The ubiquity of cloud services has escalated Shadow IT risks company-wide. For example, when a marketing team subscribes to a new customer analytics SaaS without IT review and integrates it with Google Workspace or Microsoft 365 via SSO, sensitive customer data leaks outside the company through unknown paths. There is no control over whether the SaaS platform meets corporate security standards, how data is stored or managed, or whether access controls are adequate.
Shadow IT in development environments is even more problematic. Developers creating temporary test databases on public clouds like AWS or Azure often set access controls to “public” for convenience and forget to delete them post-testing. Attackers use tools to scan the internet for such misconfigurations, making these abandoned test servers perfect footholds into corporate networks.
One financial institution’s cloud asset audit revealed over 40% more cloud resources than IT had officially recorded—this is not an isolated case. Unmanaged cloud resources can lead to data leaks, ransomware infections, and regulatory violations.
IoT and OT Coverage and New Challenges
The proliferation of IoT devices fundamentally changes IT asset definitions. Everything connected to the network—from smart TVs, IP cameras, building management sensors to factory PLCs—becomes a potential attack vector. These devices commonly face technical challenges:
- Most IoT devices don't run general-purpose commercial operating systems like Windows or Linux, which prevents the installation of endpoint security agents.
- They operate on low-resource hardware that limits complex security functions.
- Vendors often fail to provide timely patches, and users may not recognize the urgency of patching.
- Many exist outside traditional IT asset management systems, leading to insufficient patching and access control.
The accelerated convergence of IT and OT further amplifies risks. Industrial control systems once isolated now connect to the internet for remote monitoring, opening doors for cyberattacks causing physical damage. Scenarios like attackers halting production lines or causing malfunctions are no longer fictional.
Because OT environments prioritize availability, security scans and patching tend to be lax for fear of system downtime, which makes these environments attractive to attackers.
Hybrid Work and Eroded Boundaries
The COVID-19-induced hybrid/remote work era ended the binary security model of “trusted internal” vs. “untrusted external” networks. Corporate security now extends beyond physical offices to employee homes, cafes, and airports globally.
This shift raises the importance of endpoint security. BYOD policies increase productivity but also allow unrestricted devices to access corporate data. If such devices are infected or poorly secured, they become entry points that threaten the entire enterprise.
These changes make Zero Trust Architecture (ZTA)—“Never Trust, Always Verify”—mandatory. ZTA distrusts all access requests regardless of network location and strictly enforces authentication and authorization.
The fundamental prerequisite for successful Zero Trust implementation is asset identification and inventory listing—all assets (applications, data, infrastructure) must be known and catalogued. Controlling access without knowing the assets is futile.
DevOps Speed and Complexity
Modern development with Agile, DevOps, and CI/CD pipelines allows rapid business response but multiplies complexity. Unlike monolithic architectures, microservices split applications into dozens or hundreds of independent services, each deployed and updated frequently, vastly increasing management scope.
Container technology further complicates the concept of assets. Containers are ephemeral, created and destroyed in seconds, making traditional periodic vulnerability scans ineffective since containers may vanish or be replaced by new versions before scanning completes.
Container base images themselves can harbor vulnerabilities, risking supply chain attacks as all derived containers inherit threats. Temporary test environments create openings for attackers as poorly managed dev/test environments become easy intrusion routes.
Building a Complete Asset Inventory: The Starting Point of Security
“Know the enemy and know yourself, and you will not be imperiled in a hundred battles,” said Sun Tzu—this principle echoes in cybersecurity. "Knowing oneself" means precisely and comprehensively identifying all IT assets.
Static inventories like purchase ledgers or Excel files can’t capture dynamic asset changes. A living inventory that reflects the dynamic IT environment in real time is essential.
A complete asset inventory requires a layered approach using complementary technologies:
- Active Scanning: Sends detection packets across the network and analyzes the responses to identify assets, including IPs, open ports, services, and OS versions. Use cautiously in sensitive OT or production environments.
- Passive Monitoring: Analyzes mirrored network traffic to detect communicating assets without impacting systems, but cannot find dormant or silent assets.
- Agent-based Collection: Installs agents on servers and endpoints to gather deep system information such as software lists, patch status, and configuration, though it entails maintenance overhead.
- API Integration: Core to modern environments. Connects with AWS, Azure, and GCP APIs to accurately detect cloud assets (VMs, storage, DBs, network settings). Kubernetes APIs reveal the status of ephemeral containers in real time.
Context-Enriched Inventory is Essential
Effective asset management demands more than mere existence info like “192.168.1.100 exists.” Only with context does asset inventory gain meaning.
Critical attributes include:
- Technical Info: OS/version, installed software, open ports, running services, hardware specs, network config (IP, MAC).
- Business Info: Asset owner (department/person), business criticality, service impact.
- Data Info: Types and sensitivity of data handled (personal info, financial, trade secrets).
- Location Info: Physical location (data center, office), network zone (internal, DMZ, cloud), internet exposure.
Combined, such multi-dimensional data reveals each asset’s unique value and risk, forming the foundation for asset classification and prioritization.
Not all assets hold equal value or require equal protection. Limited security resources should focus on vital assets, with systematic classification and risk evaluation preceding this allocation.
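The layered discovery and context enrichment described above can be sketched in a few lines. This is an added example, not code from the original article or from any product: it merges observations from the four discovery methods, overlays business context from an official ledger, and lists the assets that are unrecorded or missing context. The sample data, the field names, and the use of a MAC address or cloud resource name as the asset id are all assumptions.

```python
from collections import defaultdict

# Constructed sample observations, one list per discovery method in the article.
OBSERVATIONS = {
    "active_scan": [
        {"id": "00:11:22:33:44:55", "ip": "192.168.1.100", "open_ports": [22, 443]},
        {"id": "00:11:22:33:44:66", "ip": "192.168.1.101", "open_ports": [80]}],
    "passive_monitor": [
        {"id": "00:11:22:33:44:66", "ip": "192.168.1.101"},
        {"id": "00:11:22:33:44:77", "ip": "192.168.1.150"}],  # seen only in mirrored traffic
    "agent": [
        {"id": "00:11:22:33:44:55", "software": ["nginx"], "patch_status": "current"}],
    "cloud_api": [
        {"id": "cloud/vm/test-db-01", "network_zone": "cloud", "internet_exposed": True}],
}
# Constructed official ledger carrying business context (hypothetical field names).
LEDGER = {
    "00:11:22:33:44:55": {"owner": "payments", "criticality": "high",
                          "data_sensitivity": "financial", "network_zone": "internal",
                          "internet_exposed": False},
    "00:11:22:33:44:66": {"owner": "marketing", "criticality": "low"},
}
REQUIRED_CONTEXT = ("owner", "criticality", "data_sensitivity",
                    "network_zone", "internet_exposed")

def build_inventory(observations, ledger):
    """Merge per-source observations by asset id, then overlay ledger context."""
    inventory = defaultdict(lambda: {"sources": set()})
    for source, records in observations.items():
        for rec in records:
            asset = inventory[rec["id"]]
            asset["sources"].add(source)
            for key, value in rec.items():
                asset.setdefault(key, value)  # first source to report a field wins
    for asset_id, asset in inventory.items():
        asset.update(ledger.get(asset_id, {}))
        asset["recorded"] = asset_id in ledger
        asset["missing_context"] = [k for k in REQUIRED_CONTEXT if k not in asset]
    return dict(inventory)

def review_queue(inventory):
    """Assets needing follow-up: unrecorded first, internet-exposed next, then most gaps."""
    def rank(item):
        asset_id, a = item
        return (a["recorded"], not a.get("internet_exposed", False),
                -len(a["missing_context"]), asset_id)
    return [asset_id for asset_id, a in sorted(inventory.items(), key=rank)
            if not a["recorded"] or a["missing_context"]]
```

Calling `review_queue(build_inventory(OBSERVATIONS, LEDGER))` puts the internet-exposed cloud test database that no ledger records at the top, followed by the device seen only by passive monitoring, then the recorded asset that still lacks data and location context.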
Datanet



