Federal Deputy CIO Margie Graves said today that the forthcoming update to the Trusted Internet Connections (TIC) Initiative is coming “extraordinarily soon.”
With the update, there seems to be an acknowledgment that the former ways of TIC–now over a decade old–will be yielding, including the TIC architecture often seen as expensive and inflexible to cloud technologies.
“We’re going to repeal and replace the old policy with the new policy, and the new policy will allow us to drive forward,” Graves said today at the American Council for Technology and Industry Advisory Council’s Imagine Nation ELC Conference.
She indicated that TIC 3.0 will allow for cloud services to meet its requirements “as long as you meet the intent of the controls, how you implement them in your environment, and how that runs continuously and contiguously between your on-prem and your cloud services.”
Government seems well on the way to reforming the requirements–and resultant latency–from the old TIC architecture, which was based upon a perimeter defense model. And the changes come alongside rumblings that the Federal government is also going to better address that T in TIC – trust – and maybe by zeroing it out.
“The Office of Management and Budget, Department of Homeland Security, the CIO Council, this particular topic of zero trust networking is at the forefront of their discussions of IT modernization right now, if not the No.1 discussion,” Steve Hernandez, chief information security officer at the Department of Education, said today at ELC.
We heard from Federal CIO Suzette Kent in August that zero trust network pilots were well underway, and these would be changes that could go hand in hand with TIC reform.
“Trust is a vulnerability. Trust is a big vulnerability, and it’s the only vulnerability that’s also its own exploit,” said John Kindervag, field CTO at Palo Alto Networks, who created the zero trust architecture in 2010 during his time at Forrester.
Kindervag pointed to the Manning, Snowden, and Office of Personnel Management breaches in the Federal government. “They’re all exploitations of trust. In fact, every single data breach is an exploitation of trust,” he said.
He added that zero trust–which allows organization to layer their defense around data assets, rather than a perimeter network barrier–is “fundamentally the world’s only cybersecurity strategy” that can effectively tackle data breaches. “That’s the grand strategic objective, and must be the grand strategic objective, because everything’s about data,” he said.
“Zero trust has to happen. It is a TIC bypass,” said Stephen Kovac, vice president of global government and compliance at Zscaler. “We need to move quickly to make this happen. This is how we protect our networks in an economic fashion, and building a much more secure world across the Federal government.”
“The cost is substantially less–it’s hundreds of percent less, and provides more security,” Kovac added. “The boundary we face is how do we get these into the government.”
“Once I understand what to protect in a zero trust environment, threats are immaterial to me,” Kindervag said. “Then I can control access based on a ‘need to know’ basis. Neither Manning or Snowden needed to have access to most of the data they stole in order to get their job done.”
Kent has also spoken of how the Federal government’s focus on defining its high value assets was now adding particular attention to data assets. Zero trust offers the opportunity to create robust defense specifically focused on those defined data assets.
Graves called the forthcoming TIC update a “companion piece” to the administration’s new Cloud Smart policy, and said it will focus specifically on the intent of the controls “rather than you’ve architected it in a perimeter defense kind of manner.”
TIC flexibility in the cloud and a new focus on zero trust are signs that the administration is looking to drive modernization forward not just with policy, but with an eye toward outcomes focused on how networks and technology should operate in the internet of today.