In 2007, the new Trusted Internet Connections initiative was an innovative way of protecting government networks that created a strong perimeter. Today, that’s not such an advanced idea.
The Small Business Administration, however, may have developed a method of network protection that meets TIC standards but uses modern tools and practices to do so.
With a combination of Azure Security Center, log analytics and cloud application security tools, “we’ve demonstrated that we can meet the spirit and intent of TIC without the TIC architecture,” says SBA CTO Sanjay Gupta at the Imagine Nation ELC 2018 conference in Philadelphia.
OMB Plans to Release Updated TIC Policy
SBA was one of the agencies conducting pilot programs on how to upgrade TIC, and the results have fed into a new security policy that should be announced soon, says Margie Graves, the deputy CIO at the Office of Management and Budget.
“The new policy is going to reflect the ability to adopt these cloud services as long as you meet the intent of the [security] controls,” she says. “We’re going to repeal and replace the old policy with a new policy, and the new policy will allow us to drive forward.”
Gupta said that as his agency moved to the cloud in 2017, TIC was an obstacle. “We began experiencing performance issues with TIC,” he says. “We’d already started looking for ways to move forward in the cloud without TIC.”
The cloud-based tools that SBA chose for security gave the agency a “singular view into all our devices,” he says, and also gave the agency a way to provide the Department of Homeland Security (which runs the TIC program) the data it needed to ensure that SBA was following protocol.
With the Microsoft product, Gupta said, SBA was able to use dual homing to give DHS access to its data — “it was just another subscription” — in an efficient manner.
As the government continues to experience data breaches, new and tighter methods of security become more critical, said Michael Hermus, CEO of technology consulting firm Revolution Four Group and a former CTO at DHS.
“We have to fundamentally rethink our entire security architecture,” he said. “The future of security is not perimeter-based security. And guess what? If you look at the TIC reference architecture, it’s about trying to create and enforce a perimeter around your assets.
“This concept that, once you pass traffic through a bunch of that stuff and it comes out into a sanitized, safe, privileged network zone, it’s actually a really, really bad idea.”