58.3 F
Washington D.C.
Friday, March 31, 2023

A TIC 3.0 Use Case to Secure a Cloud Smart, Mobile Government

As agencies spread data across distributed cloud and on-premise environments, and more users work on mobile devices, traditional network-based security architectures (and legacy TIC environments) can’t meet the security demands of the increasingly distributed hybrid networks.

Today, agencies need a security strategy that identifies and provides secure access for the user/device in any location. Addressing the need, the TIC 3.0 policy provides agencies with more flexible guidance and use cases (traditional TIC, cloud, branch office, and remote users). In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has developed a series of guidance documents, including the Use Case Handbook.

“Ultimately, there are a number of other use cases that we’re on the hook for: the Infrastructure-as-a-Service use case, the [Platform-as-a-Service], [Software-as-a-Service] use case, Email-as-a-Service and also the remote user. Those are the alternative use cases that are already embedded in the OMB memo,” said Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect, CISA, in a recent NextGov interview. “At the same time, we’ve heard a lot of interest for a number of other use cases.”

As traditional network perimeters continue to dissolve, agencies need a new TIC use case that secures users on any device, in any location.

Secure Access Service Edge as a Use Case

A new networking and security model, termed by Gartner Secure Access Service Edge (SASE), combines wide area network (WAN) capabilities with network security functions to meet the spirit and intent of TIC 3.0, while supporting the security needs of today’s digital world.

Traditional security processes for remote access to federal environments require agencies to establish a security perimeter and deploy a virtual private network (VPN). To connect remote users to a network, traffic first runs through a stack of on-premise appliances, such as DMZ firewalls, then out through the TIC, where it must run through another stack of security applications before finally reaching its destination. This complicated process to decrypt, inspect, and reassemble security functions causes latency, and poor user experience and performance.

Rather than hair-pinning traffic through MTIPs or legacy TIC perimeters, and focusing security perimeters around applications, SASE flips the security model. It allows agencies to organize and move security functions to the location of the users and applications – often to the cloud. By creating perimeters around specific entities, such as users, federal employees have direct access to cloud, while security is pushed as close to the user/data/device as possible.

How to Get Started with SASE

As agencies move to SASE models to support cloud and digital transformation goals, they should first ensure that their solution uses a true multitenant architecture that can scale up or down on demand. If agencies attempt to stitch together a SASE stack with traditional networking security approaches, complexity and latency concerns will increase, while performance deteriorates.

A true SASE model will be a cloud-based, as-a-service model that provides simple, scalable, and flexible edge capabilities. SASE can unify security functions, including secure web gateway and zero trust network access. This reduces the significant cost and management overhaul that many agencies previously faced when adding security functions on top of current solutions to fill gaps across distributed architectures.

Risk Identification and Avoidance

Next, agencies should consider their risk evaluation model in their hybrid IT environment. Previously, agencies could easily track, control, and predict user experience on the network. But now applications are distributed across cloud and on-premise environments, creating a larger attack surface and new security challenges.

Under the SASE model, agencies can deploy a zero-trust network access (ZTNA) approach, verifying users before they access the network. Users are never placed directly on the network. But through secure, encrypted, inside-out connectivity and microtunnels, users have secure access to applications. This reduces the risk of exposing users or data to adversaries.

By building security functions, like zero trust, into the model, rather than separating security from the connectivity of services, SASE ensures that all users are inspected and secured across any location, network, or device. SASE ZTNA provides full visibility and control across complex environments, while improving the user experience.

Finally, agencies need to create goal-oriented security policies based around mission objectives, rather than complex multi-layered policy definitions.

New Age, New Security Approach

We’re in an age where agencies are becoming more digital, environments are becoming much more complex, and threats are continuously evolving. SASE provides a holistic security approach.

Stephen Kovac
Stephen Kovac is Vice President, Global Government, Head of Corporate Compliance at Zscaler, Inc. Stephen has responsibility for overall strategy, productizing, and certification of the Zscaler platform across all global governments. He also runs the global compliance efforts for all of Zscaler. His primary focus over the last years is FedRAMP, TIC/MTIP Policies, and ZTN for Federal. Under Stephen’s leadership, Zscaler became the first FedRAMP certified ZTN Platform and Secure Web Gateway. He is a 27-year veteran of the information technology and security industry with extensive experience in public sector and compliance. Prior to Zscaler, Stephen served as EVP of Strategy and Public Sector for VAZATA, a FedRAMP certified cloud provider. He also served as VP/CSO for BT Security, Vice President at Terremark Federal, a Verizon Company, and as Vice President of Verizon Public Sector. Mr. Kovac is a frequent speaker on the federal circuit, blogger, and highly quoted author on federal security and certifications.

Related Articles

- Advertisement -

Latest Articles