By: Sean Connelly, Executive Director, Global Zero Trust Strategy and Policy, Zscaler
The Trusted Internet Connections (TIC) policy has evolved to meet the security demands of multi-cloud environments and mobile end users. However, many agencies have yet to fully capitalize on the potential of TIC 3.0 and modern Zero Trust and Secure Access Service Edge (SASE)-based security frameworks. Addressing the prevailing misconceptions and taking decisive steps forward presents a substantial opportunity to reduce risk, lower costs, enhance user experiences, and ensure scalable security for Federal workloads and missions.
The Evolution of TIC
The Office of Management and Budget (OMB) introduced the Trusted Internet Connections (TIC) initiative over 15 years ago. Initially, TIC aimed to standardize network security and consolidate data circuits across Federal agencies, channeling all incoming and outgoing data through a minimal number of TIC access points. At that time, this centralized approach effectively safeguarded web, email, and network perimeters.
As workloads, applications, and access migrated to the cloud, TIC 3.0, introduced in 2019, acknowledged this shift. TIC 3.0 facilitates agencies’ transition from traditional perimeter-based solutions, such as Managed Trusted Internet Protocol Service (MTIPS) and legacy VPNs and firewall stacks, to modern SASE and Security Service Edge (SSE) platforms.
The Modernization Path
The updated TIC 3.0 policy provides a framework for a more robust security posture, granting the flexibility necessary to secure modern cloud environments. In contrast, continuing to lean on TIC 2.0 to protect hybrid and multi-cloud environments involves significant trade-offs and hinders the deployment of advanced security stacks. Continued investment in TIC 2.0 architectures results in cost inefficiencies, increased latency, and poor application performance, because all traffic must be backhauled through a geographically constrained number of TIC access points. This routing inefficiency, often referred to as the “TIC Tax,” imposes additional costs and operational burdens on agencies, limits their ability to achieve optimal performance and security, and ultimately degrades the end user’s experience.
TIC 3.0 is transformative, allowing agencies to position security closer to the end user, optimizing performance and user experiences. By adopting TIC 3.0, agencies can transition away from legacy VPNs and firewall stacks, deploying a modern SASE and Zero Trust-based security stack. This shift enables the implementation of robust security solutions in front of protected resources at a lower cost and without the aforementioned performance and user experience trade-offs.
Alignment with Zero Trust
As TIC 3.0 was released, the Zero Trust security strategy, which posits that no entity should be trusted by default and requires continuous verification, gained prominence. Following the Executive Order on Improving the Nation’s Cybersecurity (EO 14028, May 2021), agencies were directed to adopt a Zero Trust architecture. This resulted in the publication of CISA’s Zero Trust Maturity Model (ZTMM), with a second version released in April 2023.
The ZTMM is a roadmap for agencies transitioning to a Zero Trust architecture, comprising five pillars: identity, devices, networks, applications/workloads, and data. Each pillar integrates cross-cutting capabilities such as Visibility and Analytics, Automation and Orchestration, and Governance. These same pillars and capabilities are similarly embraced in TIC 3.0’s various security capabilities.
While TIC 2.0 focuses on the network, TIC 3.0 emphasizes identity, devices, workloads, the network, and data, connecting trusted users to trusted applications. Agencies require secure, efficient methods to connect employees to the web and internal resources from any location. Transitioning from MTIPS and VPNs to advanced SASE/SSE options under TIC 3.0 enhances user experiences, reduces latency, and improves the quality of security solutions.
Dispelling Misconceptions
Despite the clear benefits, many agencies remain tethered to traditional MTIPS architectures and VPNs, even though TIC 3.0 has been available since 2019. This lag in adoption is partly due to misconceptions. Some believe TIC 3.0 resembles TIC 2.0’s centralized control and circuit aggregation. In fact, TIC 3.0 is decentralized and less perimeter-focused, enabling agencies to transition to modern SASE/SSE platforms. This shift creates a more agile, secure, and efficient networking infrastructure, improving cost efficiency, user satisfaction, and security.
Another misconception is that CISA mandates agencies to remain on MTIPS for monitoring purposes via CISA’s EINSTEIN sensor suite. In reality, agencies can provide CISA with cloud-generated security information through the Cloud Log Aggregation Warehouse (CLAW) program. CLAW enables agencies to send diverse cloud telemetry data to CISA, meeting operational visibility requirements and supporting CISA’s mission to enhance the Federal government’s cybersecurity posture.
Moving Forward
With the continued expansion of multi-cloud and hybrid cloud environments, the surge of data generated by artificial intelligence (AI) workloads, and relentless cyber threats, now is the time for agencies to advance. Educating IT teams, procurement, and acquisition personnel on the benefits of TIC 3.0 is crucial. Agencies should leverage CISA’s resources, such as the Federal Virtual Training Environment (FedVTE), government agency webinars, and industry partnerships, to navigate the transition effectively.
Understanding the available options is paramount to achieving more robust security. CISA has provided the technology and policy framework necessary for agencies to progress with TIC 3.0 and move beyond legacy MTIPS solutions. By collaborating, we can secure Federal missions and deliver optimal outcomes for the nation.