Safeguarding Telework in Federal Government
In April, CISA issued interim TIC 3.0 guidance on telework security, which “provides security capabilities for remote federal employees securely connecting to private agency networks and cloud environments.”
The scope of the guidance was limited to scenarios in which teleworkers access sanctioned cloud services, according to CISA, but it was broadly supportive of different security architectures, including VPNs, virtual desktop infrastructure (VDI) and zero-trust security environments.
“When you think about TIC 3.0 and you think about the flexibility that it introduces into your environment, that’s the mindset that we have to take going forward,” Beth Cappello, deputy CIO at DHS, said during a recent webinar, MeriTalk reports. “No longer can it be a traditional point-to-point brick and mortar fixed infrastructure approach.”
What Is TIC 3.0?
When the Office of Management and Budget announced the Trusted Internet Connections initiative in 2007, officials hoped to slash the number of federal internet access points to no more than 50 and enhance network security. The TIC serves as a secure gateway between federal networks and external network connections, including connections to the internet.
However, since then, the nature of the network perimeter has become more amorphous as more agencies have migrated applications to cloud providers. Agencies complained that the TIC program inhibited their cloud migration efforts, and the White House and DHS began revamping the TIC initiative.
In December 2018, OMB first issued draft guidance to update the program to a version known as TIC 3.0. A year later, CISA issued new TIC 3.0 guidance “to assist agencies moving from wide network perimeters to micro-perimeters around individual or small groups of assets,” FedScoop reports.
Then in July, CISA released final guidance for TIC 3.0. Nextgov reports:
The recommendations included a reference architecture for agency implementation as well as the Security Capabilities Catalog. Even with the current guidance, agencies will need to remain cautious in how they implement TIC 3.0 relative to their unique environments so that they can securely leverage emerging and evolving technology, including SD-WAN and as-a-service cloud platforms.
TIC 3.0 adopts “a flexible framework to address and support advanced security measures across branch offices, remote users, cloud and other service providers, mobile devices, etc.,” according to the updated TIC program guidebook.
TIC 2.0 vs. TIC 3.0: What’s the Difference?
As Nextgov reports, “the first policy release and the subsequent TIC 2.0 issued in 2012 focused on agencies’ headquarters and didn’t give sufficient guidance for emerging technologies like cloud computing and mobile devices.”
TIC 2.0 “focused exclusively on securing an agency’s perimeter by funneling all incoming and outgoing agency data through a TIC access point,” according to CISA.
The new policy for TIC 3.0 “focuses on strategy, architecture, and visibility,” according to CISA, “recognizing the need to account for multiple and diverse architectures rather than [a] single perimeter approach like TIC 2.0.”
Consequently, TIC 3.0 divides agency architectures by trust zones, and it shifts the emphasis “from a strictly physical network perimeter to the boundaries of each zone within an agency environment to ensure baseline security protections across dispersed network environments,” the playbook states.
Such a shift is the most fundamental change from the legacy TIC program, according to CISA. TIC 3.0 is also descriptive, not prescriptive, and does not take a one-size-fits-all approach. On that note, the guidance allows agencies to take a risk-based approach to accommodate varying risk tolerances, and the playbook says that “in cases where additional controls are necessary to manage residual risk, agencies are obligated to apply the controls or explore options for compensating controls that achieve the same protections to manage risks.”
Additionally, TIC 3.0 is environment-agnostic and readily adaptable.
Perhaps most significantly, TIC 3.0 is designed to support cloud adoption, since it allows for a direct connection from the user to the cloud. TIC 3.0 also allows cloud service providers to seamlessly and transparently patch applications for users.
Another key use case enabled by TIC 3.0 is branch offices, which assumes there is a branch office of an agency, separate from the agency headquarters, that uses the main office for the majority of its services (including generic web traffic). TIC 3.0 supports agencies that want to enable software-defined WAN technologies.
And, perhaps in a bit of foresight, TIC 3.0 also supports remote users.
Securing Telework Environments Through TIC 3.0
That support was critical, and it explains why CISA issued interim guidance in April to allow agencies to adapt TIC 3.0 for telework as the pandemic was becoming more widespread.
The guidance is intended only to address the current teleworking surge and is not meant to be part of the TIC 3.0 program set or to support a TIC 3.0 use case; it will be deprecated at the end of 2020.
The document is intended to provide general guidance to agencies to “increase telework and collaboration capacity to meet the growing demands on their existing services.” That may require an increase in bandwidth, VPN and cloud services, and the deployment of new cloud services and authorization of the use of nongovernment furnished equipment.
The guidance provides three methods for teleworkers to communicate with agency-sanctioned cloud services. Traditionally, teleworkers had set up a trusted connection to agency resources via technologies such as VPN or VDI. To do so at a large scale requires additional network resources and can lead to degraded performance, so the guidance notes that teleworkers “can access cloud services directly with protections being applied on the provider and teleworker resources via transport layer security (TLS), VPN or VDI,” FedScoop reports.
“Policy enforcement placement and protections are applied at the CSP and on teleworker resources,” the guidance states. “Capabilities may be duplicated with those traditionally handled by agency campus services so long as policy enforcement parity is ensured.”
Under a second approach, “teleworkers first establish a protected connection to the agency campus and then make connections to” cloud services via that connection.
“Policy enforcement can be performed at the teleworker, agency campus, and CSP,” according to the guidance. “Teleworkers may establish the connection to agency campus resources for additional business functions alongside connections to the CSP.”
However, teleworkers may see reduced performance because of “increased network latency, stacked network encryption, increased likelihood for network congestion, concentrator licensing bottlenecks, and/or other resource exhaustion.”
A third option allows teleworkers to access agency-sanctioned cloud resources through a cloud access security broker or another Security as a Service provider.
How Will Telework Security Evolve in Government?
Security for teleworkers is continuing to evolve. Over the course of the pandemic, the Small Business Administration “had to scale its network to handle a workforce of 20,000 personnel, about five times what it was before the coronavirus pandemic,” Federal News Network reports. However, the office that issued personal identity verification cards at the agency had been shut down.
To help, SBA CISO James Saunders says the agency has used its cloud identity infrastructure to launch “conditional access” to “put users on a trusted network using a trusted device to login using a username and password,” the publication reports.
Meanwhile, the State Department is migrating to a “zero trust-like solution,” Robert Hankinson, the director of the agency’s office IT infrastructure, tells Federal News Network. The agency already had classified systems to support remote access, firewalls and other equipment.
“Through this process, we found that we owned already most of the equipment and the technology that we needed to make this reality. The difference was how it was configured, where they were positioned, how they were used, and the culture and the mindset around that,” he says. “Security for the Department of State was largely a castle-and-moat sort of thing — big high walls, that everything sits on the inside.”
Now, the State Department is thinking of shifting to zero trust as part of a larger “smart infrastructure effort,” Hankinson says.