As agencies spread data across distributed cloud and on-premise environments, and more users work on mobile devices, traditional network-based security architectures (and legacy TIC environments) can’t meet the security demands of increasingly distributed hybrid networks.
Today, agencies need a security strategy that identifies and provides secure access for the user/device in any location. Addressing the need, the TIC 3.0 policy provides agencies with more flexible guidance and use cases (traditional TIC, cloud, branch office, and remote users). In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has developed a series of guidance documents, including the Use Case Handbook.
“Ultimately, there are a number of other use cases that we’re on the hook for: the Infrastructure-as-a-Service use case, the [Platform-as-a-Service], [Software-as-a-Service] use case, Email-as-a-Service and also the remote user. Those are the alternative use cases that are already embedded in the OMB memo,” said Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect, CISA, in a recent NextGov interview. “At the same time, we’ve heard a lot of interest for a number of other use cases.”
As traditional network perimeters continue to dissolve, agencies need a new TIC use case that secures users on any device, in any location.
Secure Access Service Edge as a Use Case
A new networking and security model, termed by Gartner Secure Access Service Edge (SASE), combines wide area network (WAN) capabilities with network security functions to meet the spirit and intent of TIC 3.0, while supporting the security needs of today’s digital world.
Traditional security processes for remote access to federal environments require agencies to establish a security perimeter and deploy a virtual private network (VPN). To connect remote users to a network, traffic first runs through a stack of on-premise appliances, such as DMZ firewalls, then out through the TIC, where it must pass through another stack of security appliances before finally reaching its destination. Decrypting, inspecting, and reassembling traffic at each of these stacks is a complicated process that introduces latency and degrades user experience and performance.
Rather than hair-pinning traffic through MTIPS or legacy TIC perimeters, SASE flips the security model by focusing security perimeters around applications and users. It allows agencies to organize and move security functions to the location of the users and applications – often to the cloud. By creating perimeters around specific entities, such as users, federal employees have direct access to cloud applications, while security is pushed as close to the user/data/device as possible.
How to Get Started with SASE
As agencies move to SASE models to support cloud and digital transformation goals, they should first ensure that their solution uses a true multitenant architecture that can scale up or down on demand. If agencies attempt to stitch together a SASE stack with traditional networking security approaches, complexity and latency concerns will increase, while performance deteriorates.
A true SASE model will be a cloud-based, as-a-service model that provides simple, scalable, and flexible edge capabilities. SASE can unify security functions, including secure web gateway and zero trust network access. This reduces the significant cost and management overhead that many agencies previously faced when adding security functions on top of current solutions to fill gaps across distributed architectures.
Risk Identification and Avoidance
Next, agencies should consider their risk evaluation model in their hybrid IT environment. Previously, agencies could easily track, control, and predict user experience on the network. But now applications are distributed across cloud and on-premise environments, creating a larger attack surface and new security challenges.
Under the SASE model, agencies can deploy a zero-trust network access (ZTNA) approach, verifying users before they are granted access. Users are never placed directly on the network; instead, they reach applications through secure, encrypted, inside-out connectivity and microtunnels. This reduces the risk of exposing users or data to adversaries.
By building security functions, like zero trust, into the model, rather than separating security from the connectivity of services, SASE ensures that all users are inspected and secured across any location, network, or device. SASE ZTNA provides full visibility and control across complex environments, while improving the user experience.
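As an added illustration (not code from this article, CISA, or any SASE vendor), the following Python sketch contrasts the two access models just described: a VPN that places a verified user on a network segment, so every application on that segment is reachable, and a ZTNA broker that checks identity and device posture per application and grants a microtunnel scoped to that application only. The application names, roles, and policy format are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed sample data: applications that all sit on one on-premise segment.
APPS_ON_SEGMENT = {"hr-portal", "case-mgmt", "legacy-fileshare", "admin-console"}

# Hypothetical per-application policy: which roles may reach each app and
# whether a managed device (posture check passed) is required.
POLICY = {
    "hr-portal":        {"roles": {"staff", "hr"}, "managed_device": True},
    "case-mgmt":        {"roles": {"staff"},       "managed_device": True},
    "admin-console":    {"roles": {"admin"},       "managed_device": True},
    "legacy-fileshare": {"roles": set(),           "managed_device": True},  # no one, pending retirement
}

@dataclass
class Session:
    user: str
    role: str
    identity_verified: bool   # IdP / MFA assertion succeeded
    managed_device: bool      # device posture check passed

def vpn_reachable(session: Session) -> Set[str]:
    """Legacy VPN model: once the tunnel is up the user is on the segment,
    so every app on it is network-reachable regardless of per-app policy."""
    return set(APPS_ON_SEGMENT) if session.identity_verified else set()

def ztna_decision(session: Session, app: str) -> Tuple[bool, str]:
    """Broker decision for a single app. The app-side connector dials out to
    the broker, so an app with no grant is never exposed inbound; a grant
    yields one microtunnel scoped to that app alone, never to the network."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "unknown application"
    if not session.identity_verified:
        return False, "identity not verified"
    if rule["managed_device"] and not session.managed_device:
        return False, "device posture failed"
    if session.role not in rule["roles"]:
        return False, "role not authorized"
    return True, "microtunnel granted"

def ztna_reachable(session: Session) -> Set[str]:
    """Apps this session can actually reach under the ZTNA model."""
    return {app for app in APPS_ON_SEGMENT if ztna_decision(session, app)[0]}

def exposure_reduction(session: Session) -> int:
    """Number of apps reachable under VPN but not under ZTNA for this session."""
    return len(vpn_reachable(session) - ztna_reachable(session))
```

Running it for a verified staff member on a managed device shows four reachable apps under the VPN model but only the two the policy authorizes under ZTNA; the same user on an unmanaged device is denied every microtunnel.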
Finally, agencies need to create goal-oriented security policies based around mission objectives, rather than complex multi-layered policy definitions.
New Age, New Security Approach
We’re in an age where agencies are becoming more digital, environments are becoming much more complex, and threats are continuously evolving. SASE provides a holistic security approach.