The Report to the President on Federal IT Modernization recommends modernizing the Trusted Internet Connections (TIC) program, which is critical to the Federal government’s broader digital transformation strategy. By the end of this month, the report calls for the Office of Management and Budget (OMB) to conduct data calls to agencies to discuss their cloud migration projects, and identify any delays caused by current TIC policy. And, by March 2, OMB will share a “preliminary update to the TIC policy,” and launch select pilot projects to test the new TIC requirements.
The current TIC architecture, which requires security appliances to protect the network, does so with placement at a limited number of gateways–forcing traffic to be backhauled over a hub-and-spoke network design. This adversely impacts service performance and availability, prevents ubiquitous mobile access, and increases overall cost.
A series of industry and government voices are calling for a fundamental shift in the TIC’s architectural design and approach to take full advantage of cloud-based technologies. The community largely agrees that agencies must move security and access controls from the data center to the cloud to provide employees with consistent protection and improved user experience everywhere they go, while benefitting from cloud efficiency and cost savings.
Sara Mosley, acting CTO at the Department of Homeland Security (DHS) further explained, “as Federal agencies begin to leverage cloud computing, we acknowledge that security solutions need to evolve.”
While most agree TIC must progress, there are differing opinions on the path forward. Voices for modernization argue that the most effective approach would move the TIC away from the perimeter to the cloud. Aka “TIC-in-the-Cloud.”
Federal cloud security veteran Stephen R. Kovac, vice president of Global Government and Compliance, Zscaler, believes government needs to move TIC to the cloud, but in a very specific way. While Kovac concedes that virtualizing existing TICs is possible, he advises against it because of the way that TICs (which he calls appliance-based) work.
“The biggest concern that we have to modernizing the TIC is this whole idea of lift and shift,” Kovac said. “For example, to provide a cloud-based TIC, you cannot just virtualize the Einstein Platform and all the devices behind it. This simply compounds the problem. You still have multiple devices (yes, virtualized) to manage and you have not reduced the number of times you are inspecting each packet. So, the latency issue is not completely addressed.”
“The government must look to a FedRAMP compliant Security-as-a-Service vendor that was born in the cloud and understands how to operate in a multi-tenant environment dealing with the challenges of cloud, encryption, FIPS compliant algorithms, and compression technology,” he continued. “Most importantly, one that functions seamlessly and scales instantly to meet the traffic demands of cloud-based applications while addressing the latency issues of today’s TIC.”
Chris Townsend, Federal vice president at Symantec, painted the requirement for TIC to change with the times.
“When the TIC Gateways were first conceived they were absolutely the right solution at the time, providing the necessary controls to facilitate secure connectivity to the public Internet,” said Townsend. “Now needs have changed. Federal agencies are increasingly using cloud applications, and in order to take full advantage of the agility and cost savings cloud applications offer, the TIC architecture must evolve.”
“This does not mean traditional TIC controls are no longer needed, and the last thing agencies want is the cost and complexity of managing a secondary TIC stack in the cloud,” Townsend said. What agencies require is a flexible architecture that extends the perimeter security inspection of the current TIC stack into the cloud while incorporating many of the latest data-centric controls found in cloud access security brokers (CASBs) and cloud data loss prevention (DLP), in a single easy-to-manage architecture.”
Echoing Townsend, Kovac is a strong voice for TIC change–but takes a more radical view.
“I was around when we built and launched the first TIC/MTIPS platforms,” Kovac said. “It was great technology in 2007, and it met the original goal of the TIC initiative to reduce, standardize and optimize agency connections to the Internet. This initiative significantly improved the Federal Government’s security posture and incident response capability because the network perimeter was well defined. But back then, there was no cloud; there were no AWS, Azure, or Google clouds. The users were traversing the agency network, and then when they needed to go to the Internet, they were going to do a browser lookup or, they were going to go send an email. The Internet and cloud services weren’t the backbone of our business back then.”
Kovac asserts that networks are now much more open, and that moving TIC security controls, as well as other advanced security services, to a modern cloud-based, shared services platform will result in better protection, visibility, and control of agency user traffic to the Internet and cloud based services.
Similarly, Mosley affirms, “DHS is focused on the objectives that Trusted Internet Connections (TIC) mandate expected to achieve, such as gaining situational awareness across the federal civilian landscape, which still apply, as opposed to dictating specific technical approaches. We will continue our work with the Office of American Innovations, Office of Management and Budget and the federal civilian agencies to ensure agencies understand their roles and responsibilities for securing their data, maintain situational awareness and have appropriate security protections for their cloud environments.”
The White House modernizing government IT paper calls the TIC out by name. Many times. Seems change is coming. We’ll look for that March 2 OMB report.