Applying Zero-Trust Frameworks Across your Entire Cyber Asset Attack Surface
In complex networks, building a zero-trust architecture (ZTA) means identifying and securing a diverse set of technologies, many of which have different security capabilities and needs. While organizations may struggle to manage their enterprise IT devices, various tools exist to help them.
However, modern environments also include operational technology (OT), Internet of Things (IoT) devices, and Internet of Medical Things (IoMT) devices. For many organizations, the attempt to implement a zero-trust architecture fails because traditional device inventory tools disrupt service on these devices, leaving many of them unidentified and unmanaged. Even if an organization feels confident in its ability to create a comprehensive asset inventory that includes them, these devices lack the authentication capabilities required to enforce the principle of least privilege and the compute power to run endpoint detection and response (EDR) software.
To successfully implement a zero-trust architecture, organizations need comprehensive cyber asset visibility across IT, OT, and IoT.
Why Does Zero Trust Break Down without Complete Cyber Asset Visibility?
To implement the identity-based controls that a ZTA requires, organizations need to know what devices they have and how they behave. However, many face visibility gaps that leave them struggling to enforce these controls.
Mixed Environments Introduce Complex Visibility Gaps
Zero-trust models focus on traditional IT environments, including the user identities, servers, endpoints, and cloud assets connected to them. However, OT and IoT bring new challenges. They may have no human user identity associated with them, or they may use different protocols for communicating across networks. Ultimately, this can create visibility gaps when organizations have no way to enforce identity, policy, and segmentation consistently.
Zero-Trust Requires a Unified, Always-Accurate Asset Inventory
The fundamental principle underlying a ZTA is “never trust; always verify.” Problematically, an incomplete or outdated inventory means that the organization has no way to verify all connections, because it may not know all the devices it has.
Visibility Depends on Non-Disruptive Data Collection
Active scanners used for asset identification can take OT and IoT devices offline. While a printer falling offline is a nuisance, a medical device or manufacturing-floor sensor going offline can affect human health and safety. Often, organizations cannot identify and inventory these devices without risking harmful service disruption.
What Are the Challenges Organizations Face when Trying to Unify Visibility Across IT, OT, and IoT?
Even when organizations manage to identify their IoT and OT assets, they struggle to create a comprehensive, unified asset inventory for several reasons.
Asset Data Sits in Silos Across IT, OT, Clinical, and Facilities Teams
Each domain often has its own tools, owners, and priorities, limiting the organization’s ability to create a complete picture. The foundational data may be scattered across computerized maintenance management systems (CMMS), configuration management databases (CMDBs), network access control (NAC) solutions, spreadsheets, and vendor portals. Without a single source of device data, organizations have no way to enforce their zero-trust policies.
Cyber Asset Identity Is Inconsistent or Incomplete
Traditional IT assets have decades of formal standards, telemetry, and consistent management practices. However, OT and IoT ecosystems evolved without a unified security or asset identification framework, leading to issues like:
- Lack of standard identifiers.
- Limited documentation.
- Inconsistent SBOM availability.
- Limited metadata.
- Diverse naming conventions across teams and tools.
Communication Patterns Vary Widely Between Device Classes
Communication patterns define how cyber assets interact. IT, IoT, and OT have different:
- Protocols
- Destinations
- Ports
- Dependencies
When device types behave differently, organizations cannot consistently apply security policies, detect anomalies, or segment networks.
Behavioral Baselines Are Hard to Establish
To implement ZTA, organizations need to understand typical communications across their networks, including:
- What a device should talk to
- How often it should connect
- The protocols used
- The reason for the communication
As a direct result of the varied communication patterns, many organizations have no way to identify baselines for these devices. Further, even when they can, the siloed data means they have no way to understand these communications within the broader IT and network environment’s context.
Practical Steps for Applying Zero Trust Across Disparate Device Ecosystems
To implement ZTA across the IT, OT, and IoT ecosystems, organizations should consider the following best practices.
Step 1: Build a Unified Asset Inventory Using Safe Discovery
To create a single source of device inventory truth, organizations should consider importing and aggregating data from any or all of the following sources:
- NAC
- CMMS
- Building systems
- Spreadsheets
- Vendor portals
Once they collect this data, they can cross-reference the device information against network traffic captures. When seeking a solution to automate this process, some key considerations include whether it:
- Consolidates data from these sources
- Correlates identifiers
- Deduplicates device data
- Automatically updates attributes
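The consolidate-correlate-deduplicate-reconcile loop described in Step 1, as an added example that is not Asimily's code or part of the original post. It assumes three constructed CSV exports (a NAC export, a CMMS export and a facilities spreadsheet) that each spell the hardware address differently, uses the normalized MAC as the correlation key, and then cross-references the merged inventory against MACs observed in passive traffic capture.

```python
import csv
import io
import re

# Constructed sample exports from three silos (not real data): a NAC CSV,
# a CMMS CSV and a facilities spreadsheet, each naming the MAC differently.
NAC_CSV = "mac,ip,vlan\n00:1A:2B:3C:4D:5E,10.1.5.20,clinical\n00-1a-2b-3c-4d-5f,10.1.5.21,clinical\n"
CMMS_CSV = "asset_tag,mac_address,model\nIV-0042,001A2B3C4D5E,Infusion Pump X\nHV-0007,00:1A:2B:3C:4D:60,HVAC Controller\n"
SHEET_CSV = "Device,MAC,Owner\nPump (bed 4),00:1a:2b:3c:4d:5e,Biomed\nLobby printer,00:1A:2B:3C:4D:61,Facilities\n"

# Column names each silo uses for the hardware address (assumed for this example).
MAC_FIELDS = ("mac", "mac_address", "MAC")

def normalize_mac(raw):
    """Canonicalise any common MAC spelling to lowercase aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def merge_inventories(*named_csvs):
    """Merge silo exports into one record per MAC, keeping every attribute
    and remembering which sources reported the device."""
    inventory = {}
    for source, text in named_csvs:
        for row in csv.DictReader(io.StringIO(text)):
            mac = next((normalize_mac(row[f]) for f in MAC_FIELDS if f in row), None)
            if mac is None:
                continue  # no usable identifier: cannot correlate this row
            rec = inventory.setdefault(mac, {"sources": set()})
            rec["sources"].add(source)
            for key, value in row.items():
                if key not in MAC_FIELDS and value:
                    rec.setdefault(key, value)  # first non-empty value wins
    return inventory

def reconcile_with_traffic(inventory, observed_macs):
    """Cross-reference the merged inventory against MACs seen passively on the
    wire: unknown devices and silent inventory entries are both findings."""
    observed = {normalize_mac(m) for m in observed_macs} - {None}
    return {
        "unknown_on_wire": sorted(observed - set(inventory)),
        "in_inventory_not_seen": sorted(set(inventory) - observed),
    }

if __name__ == "__main__":
    inv = merge_inventories(("nac", NAC_CSV), ("cmms", CMMS_CSV), ("sheet", SHEET_CSV))
    seen = ["00:1A:2B:3C:4D:5E", "00:1a:2b:3c:4d:5f", "00:1a:2b:3c:4d:62"]
    print(len(inv), "devices;", reconcile_with_traffic(inv, seen))
```

Three rows describing the same infusion pump collapse into one record with three sources, while a MAC seen on the wire but absent from every silo is surfaced as an unknown device.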
Step 2: Establish Device Identity and Behavioral Baselines
To enforce least privilege, organizations need to understand:
- What each device is
- What each device does
- How each device behaves over time
Organizations need real-time insights into traffic flows across hundreds or thousands of devices. When seeking a solution to continuously monitor behavior, some key considerations include whether it:
- Analyzes protocols
- Uses passive monitoring
- Identifies baselines to surface drift
- Provides alerts for unauthorized or risky trust paths
Step 3: Prioritize the Riskiest Devices With Contextual Scoring
To reduce the attack surface quickly, organizations need to identify:
- Which devices are most exploitable
- Which assets create the largest blast radius
- Which vulnerabilities are actually reachable through network paths
- Which devices cannot be patched and therefore require compensating controls
To correlate common vulnerabilities and exposures (CVEs), firmware, asset function, and communication patterns, organizations often use an automated solution. When evaluating a platform’s risk prioritization, organizations should consider whether it:
- Uses contextual scoring beyond just CVE data
- Considers exploitability, device criticality, and operational/clinical impact
- Maps reachable attack paths using real communication flows
- Highlights the highest-risk devices for immediate Zero Trust control actions
Step 4: Validate Zero Trust Controls Using Risk Simulation
Before applying segmentation, isolation, or compensating controls, organizations need to understand:
- Whether the change will disrupt clinical, operational, or industrial workflows
- How much risk reduction the action will deliver
- Whether safer alternatives exist
Going through the process of testing controls to understand the impact becomes overwhelming as the organization scales and adds more diverse devices to the network. With the right automation, organizations can simulate risk and impact before pushing the controls live. When seeking a solution, some key considerations include whether it:
- Simulates segmentation or isolation changes before they go live
- Quantifies expected risk reduction
- Highlights potential operational or clinical disruptions
- Provides recommendations for safer compensating controls
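One way to combine the contextual scoring of Step 3 with the pre-change simulation of Step 4, as an added example that is not Asimily's algorithm or code. Device names, criticality values, CVE placeholders, CVSS and EPSS-style numbers and the flow list are all constructed; reachability is derived only from observed flows, so a device with a severe, highly exploitable CVE that nothing can reach scores zero, and a proposed block rule is evaluated for both the flows it breaks and the risk it removes before anything is enforced.

```python
from collections import deque

# Constructed sample data, not real devices or CVEs. Flows are (src, dst, port)
# tuples from passive capture; "internet" stands in for the untrusted entry point.
FLOWS = [
    ("internet", "web-proxy", 443), ("web-proxy", "ehr-server", 8443),
    ("ehr-server", "infusion-pump-1", 5000), ("nurse-ws-1", "infusion-pump-1", 5000),
    ("hvac-ctrl", "hvac-sensor-1", 502), ("hvac-ctrl", "bms-server", 47808),
]
# Per device: criticality 1-5, patchable flag, CVEs as (placeholder id, CVSS, EPSS-style probability).
DEVICES = {
    "web-proxy": {"criticality": 3, "patchable": True, "cves": [("CVE-PLACEHOLDER-1", 7.5, 0.60)]},
    "ehr-server": {"criticality": 5, "patchable": True, "cves": [("CVE-PLACEHOLDER-2", 9.8, 0.20)]},
    "infusion-pump-1": {"criticality": 5, "patchable": False, "cves": [("CVE-PLACEHOLDER-3", 9.8, 0.10)]},
    "hvac-sensor-1": {"criticality": 2, "patchable": False, "cves": [("CVE-PLACEHOLDER-4", 9.8, 0.90)]},
}

def reachable_from(flows, entry):
    """Devices an intruder at `entry` could reach by following observed flows."""
    adj = {}
    for src, dst, _ in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {entry}, deque([entry])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def contextual_score(name, dev, reachable):
    """Severity weighted by exploitability and criticality, zeroed when no observed path
    reaches the device; unpatchable devices carry a surcharge (compensating controls only)."""
    if name not in reachable:
        return 0.0
    worst = max(base * epss for _, base, epss in dev["cves"])
    return round(worst * dev["criticality"] * (1.5 if not dev["patchable"] else 1.0), 2)

def rank_devices(flows, devices, entry="internet"):
    reach = reachable_from(flows, entry)
    scored = {n: contextual_score(n, d, reach) for n, d in devices.items()}
    return sorted(scored.items(), key=lambda kv: -kv[1])

def simulate_block(flows, devices, blocked_pairs, entry="internet"):
    """Dry-run a segmentation rule: flows it would break and aggregate risk removed."""
    remaining = [f for f in flows if (f[0], f[1]) not in blocked_pairs]
    before = sum(s for _, s in rank_devices(flows, devices, entry))
    after = sum(s for _, s in rank_devices(remaining, devices, entry))
    return {"broken_flows": [f for f in flows if f not in remaining],
            "risk_before": round(before, 2), "risk_after": round(after, 2)}
```

With this data the HVAC sensor ranks last despite its 9.8 CVSS and 0.90 exploit probability because no observed path from the entry point reaches it, and blocking the EHR-to-pump flow shows exactly one workflow it would interrupt.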
Step 5: Apply Intelligent, Non-Disruptive Compensating Controls
Because many IoT/OT/IoMT devices cannot be patched, organizations rely on:
- Behavioral allowlists
- Targeted blocklists
- Virtual segmentation
- Communication restrictions
Creating and maintaining these controls across diverse protocols and vendors can break workflows and disrupt operations. With automated controls, organizations can adapt to device behavior and provide guardrails that match real-world traffic. When seeking a solution, some key considerations include whether it:
- Learns device behavior to automatically build safe allowlists
- Flags or blocks communication outside approved patterns
- Adjusts controls dynamically as devices or workflows change
- Enforces guardrails without requiring invasive scanning or configuration changes
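The behavioral baseline of Step 2 and the learned allowlist of Step 5 are two halves of the same mechanism, so one added example covers both (this is illustrative code, not Asimily's product logic). It assumes a constructed flow log in a simple whitespace format, treats the first day as the learning window, and then reports flows outside the learned allowlist, devices never seen during learning, and connection rates far above the learned frequency.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from a real capture): timestamp device peer proto port.
FLOW_LOG = """\
2024-01-01T08:00:00 infusion-pump-1 ehr-server tcp 5000
2024-01-01T08:05:00 infusion-pump-1 ehr-server tcp 5000
2024-01-01T08:30:00 infusion-pump-1 ntp-server udp 123
2024-01-01T09:00:00 hvac-sensor-1 hvac-ctrl tcp 502
2024-01-02T08:02:00 infusion-pump-1 ehr-server tcp 5000
2024-01-02T08:40:00 infusion-pump-1 file-share tcp 445
2024-01-02T09:10:00 hvac-sensor-1 hvac-ctrl tcp 502
2024-01-02T09:11:00 hvac-sensor-1 internet tcp 443
"""
LEARN_UNTIL = datetime(2024, 1, 2)  # everything before this is the learning window

def parse_flows(text):
    for line in text.splitlines():
        ts, dev, peer, proto, port = line.split()
        yield datetime.fromisoformat(ts), dev, (peer, proto, int(port))

def learn_baseline(flows, learn_until):
    """Step 2: per-device set of (peer, proto, port) seen while learning, plus connection count."""
    baseline = defaultdict(lambda: {"allowed": set(), "count": 0})
    for ts, dev, tup in flows:
        if ts < learn_until:
            baseline[dev]["allowed"].add(tup)
            baseline[dev]["count"] += 1
    return dict(baseline)

def evaluate(flows, baseline, learn_until, burst_factor=3):
    """Step 5: flag post-learning flows outside the allowlist; also report devices that
    never appeared during learning and connection rates far above the learned count."""
    findings, seen_count = [], defaultdict(int)
    for ts, dev, tup in flows:
        if ts < learn_until:
            continue
        seen_count[dev] += 1
        if dev not in baseline:
            findings.append((dev, "unknown-device", tup))
        elif tup not in baseline[dev]["allowed"]:
            findings.append((dev, "outside-allowlist", tup))
        elif seen_count[dev] > burst_factor * baseline[dev]["count"]:
            findings.append((dev, "rate-drift", tup))
    return findings

if __name__ == "__main__":
    flows = list(parse_flows(FLOW_LOG))
    for finding in evaluate(flows, learn_baseline(flows, LEARN_UNTIL), LEARN_UNTIL):
        print(finding)
```

In practice the learning window needs to span the device's full operational cycle (nightly backups, weekly maintenance), or legitimate periodic traffic shows up as drift.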
How Asimily Enables Zero Trust Frameworks Across Diverse IT Environments
The Asimily platform is purposefully designed to enable exposure management strategies. Asimily passively scans network architecture for IoT devices and surfaces key details such as MAC address, model, firmware version, and any possible vulnerabilities. Asimily can also use non-passive means, such as correlating with other IoT databases, to build an asset inventory.
Asimily can also identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from sources like EPSS (Exploit Prediction Scoring System), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, and NIST guidelines. By aggregating this data, organizations can more purposefully identify and assess exposure risk. Meanwhile, security teams can also use Asimily’s Risk Simulator to test fixing hardware or software vulnerabilities before they apply the resolution. Simulating a fix can help determine criticality and whether attackers will even try to breach the system, which is critical information when deciding how to better defend systems.