Federal agencies have made major changes in their approach to network security in the recent past, spurred by last year’s move to widespread telework, the implementation of Trusted Internet Connections (TIC) 3.0, and the desire to move toward zero-trust network security, a panel of agency officials and experts explained.
At an ATARC event on January 14, speakers returned to the overriding theme of the pandemic and the quick efforts by agencies to enable personnel to continue meeting the mission.
“With the pandemic, [the State Department] really had to rethink how we talk about connectivity, and how we talk about security and providing secure access to our user base that’s all over the world,” said Sara Mosley, strategic architect at the State Department. “Overall, we’ve learned a lot from the work that we’ve done in order to actually have users at home and still able to access what they need, and yet provide a balance between security and availability,” she added.
Sean Connelly, program manager for TIC 3.0 at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the new remote user TIC use case released in December, and noted the program’s desire to support agencies with the shift. Connelly also shared that his office initially looked at remote users and zero trust for one use case, but expects to release a specific TIC use case to get into the details of a zero-trust approach.
With both short-term and long-term goals in mind, agencies have been implementing the TIC 3.0 policy and associated use cases, making progress towards adopting the new principles that support modernization.
“The move to mass telework really has pushed the adoption of concepts that the TIC 3.0 program is putting out there. The agencies early on saw the roadblock that the old systems were giving them – inefficient routing of data and connections back through a single point and then out again … it really made a lot of the agencies more proactive about doing targeted pilots,” said Jim Russo, branch chief of solutions development at the General Services Administration (GSA).
“When the interim telework guidance came out, we had one customer in specific on the frontlines of the COVID battle with 15,000 people in their agency, and only 7,000 could get on the remote access network, the VPN at one time,” recounted Stephen Kovac, vice president of global government and compliance at Zscaler. “We were able to step in and offer a TIC 3.0, ZTA-type solution that was able to immediately within the cloud to scale it and be able to turn up [access] to their users in less than two weeks … when that kind of thing happens, you see the power of TIC 3.0 and the power of zero trust,” he noted.
One barrier that panelists acknowledged is that advances like zero trust can bring more complexity to agencies that are used to simpler security reporting and fewer vendors – although solutions are on the way.
“A lot of agencies were buying a service – maybe they were buying our MTIPS service – and they were used to pushing the easy button,” Russo noted. With some agencies unfamiliar with the work needed to get to their security requirements, “it’s akin to trying to teach someone algebra, and you’re staring at the equation while they just want to guess the answer but they don’t want to work the problem,” he joked.
That challenge also goes the other way for agencies that are eager to adopt new approaches, but also need to support their legacy IT.
“In terms of barriers, I would say knowledge – not only how to use the cloud to its fullest extent but knowledge of the inner workings of your agency. There’s a lot of legacy applications, a lot of networking that utilizes MTIPS and the old way of TIC, but it’s taking all of that and being able to create something new,” noted Trafenia Salzman, security architect for the CISO’s office at the Small Business Administration (SBA).
Connelly noted the efforts at CISA around the Cloud Log Aggregation Warehouse (CLAW), and said the agency is looking at having a presence closer to hyperscalers to reduce the cost of moving that data.