When the Trusted Internet Connections initiative was first introduced more than a decade ago, the goal was to improve security in government IT systems by limiting the number of individual external network connections to the internet.
Before implementing TIC architecture, federal agencies could connect to the internet however and wherever they wanted, resulting in hundreds of different connections for each agency. With more than a hundred different agencies and federal executive branch departments, this created thousands of unique points of entry to the internet, making it nearly impossible to monitor and secure each connection.
Implementing TIC required agencies to create specific ingress and egress points, thus providing the government with a methodology for securing those connections. TIC’s overall goal was to enhance agencies’ ability to monitor for malicious incoming network traffic—and it’s served that purpose well.
However, TIC was designed for the traditional, on-premises data center. With so much data now in the cloud and more being added every day, agencies have less monitoring control. Why? Because, while that data may initially pass through a TIC on its way out, it then resides in the cloud, where agencies lose the opportunity to monitor who is accessing and leveraging it.
Furthermore, TIC predates the federal government’s current "cloud-first" policy, which focuses on increasing cloud adoption—a major federal IT modernization goal. These competing priorities create a huge challenge for agencies. After all, while the goal of the TIC program is to limit the number of network connections to the internet, cloud computing relies on leveraging numerous internet access points for efficiency and speed.
So, how can agencies translate TIC policies to ensure the best security for their cloud-first endeavors?
Replicate TIC Infrastructure
To start, federal agencies can work with cloud service providers to replicate a TIC infrastructure in the cloud. CSPs can implement monitoring services and data flow logs to track who is leveraging your data and applications and the endpoints from which they’re being accessed. This enables agencies to monitor for malicious traffic, just as a TIC traditionally would.
Keep in mind, you’ll need a CSP solution that is already FedRAMP-approved or is capable of passing the approval process to ensure its cloud service offering meets certain security requirements. FedRAMP was established to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This, in turn, ensures effective, repeatable cloud security for agencies. Given the vast amount of data in agencies’ care, incorporating this type of infrastructure provides agencies with an opportunity to inspect and protect that data as it enters and exits the cloud, replicating the on-premises security that agencies have in place today.
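The monitoring the article describes, flow logs that show who is reaching your data and from which endpoints, only becomes a TIC-style control when something checks those logs against the agency's small set of approved ingress and egress points. The following Python script is an added example, not code from the article or from Force 3. It assumes a simplified, space-separated flow-log layout loosely modelled on cloud VPC flow logs (timestamp, source, destination, destination port, protocol number, bytes, action); the address ranges, the approved egress and ingress hosts, and every log line below are constructed for the example.

```python
"""Audit constructed cloud flow-log records against a TIC-style allowlist of
approved egress and ingress points. Added example; assumes a simplified
flow-log format and constructed addresses, none of which come from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: address space the agency controls inside its cloud tenancy.
INTERNAL_NETS = [ip_network("10.20.0.0/16")]

# Constructed: the only hosts allowed to exchange traffic with the internet,
# i.e. the cloud-side equivalent of the agency's TIC access points.
APPROVED_EGRESS = {ip_address("10.20.0.5"), ip_address("10.20.0.6")}
APPROVED_INGRESS = {ip_address("10.20.0.5")}

# Constructed sample log. Field order (an assumption, not a real provider's
# format): timestamp src dst dst_port protocol bytes action
SAMPLE_LOG = """\
1712000000 10.20.1.15 10.20.0.5 443 6 5120 ACCEPT
1712000001 10.20.0.5 198.51.100.7 443 6 5120 ACCEPT
1712000002 10.20.1.22 203.0.113.9 443 6 98304 ACCEPT
1712000003 192.0.2.44 10.20.1.22 22 6 120 ACCEPT
1712000004 10.20.1.22 10.20.2.8 5432 6 400 ACCEPT
1712000005 10.20.1.31 203.0.113.9 53 17 70 REJECT
"""


@dataclass(frozen=True)
class FlowRecord:
    ts: int
    src: object  # IPv4Address or IPv6Address
    dst: object
    dst_port: int
    protocol: int
    nbytes: int
    action: str


@dataclass(frozen=True)
class Finding:
    kind: str       # "unapproved_egress" or "unapproved_ingress"
    src: str
    dst: str
    dst_port: int
    nbytes: int


def parse_flow_line(line: str) -> FlowRecord:
    """Parse one record of the assumed flow-log layout; reject malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, port, proto, nbytes, action = fields
    return FlowRecord(int(ts), ip_address(src), ip_address(dst),
                      int(port), int(proto), int(nbytes), action)


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def audit_flows(log_text: str) -> list:
    """Return a Finding for every accepted flow that crosses the internet
    boundary without passing through an approved TIC-style access point."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_line(line)
        if rec.action != "ACCEPT":
            continue  # a rejected flow shows the control working; nothing to flag
        src_int, dst_int = is_internal(rec.src), is_internal(rec.dst)
        if src_int and not dst_int and rec.src not in APPROVED_EGRESS:
            findings.append(Finding("unapproved_egress", str(rec.src), str(rec.dst),
                                    rec.dst_port, rec.nbytes))
        elif dst_int and not src_int and rec.dst not in APPROVED_INGRESS:
            findings.append(Finding("unapproved_ingress", str(rec.src), str(rec.dst),
                                    rec.dst_port, rec.nbytes))
    return findings


def endpoint_summary(log_text: str) -> dict:
    """Bytes exchanged per (source, destination, port) for accepted flows:
    the 'who is leveraging which endpoint' view the article asks CSPs for."""
    totals = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_line(line)
        if rec.action != "ACCEPT":
            continue
        key = (str(rec.src), str(rec.dst), rec.dst_port)
        totals[key] = totals.get(key, 0) + rec.nbytes
    return totals


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_LOG):
        print(f"{f.kind}: {f.src} -> {f.dst}:{f.dst_port} ({f.nbytes} bytes)")
```

Run stand-alone, the script reports two findings from the constructed log: an internal host sending directly to the internet instead of through an approved egress point, and an inbound connection landing on a host that is not an approved ingress point. Internal-to-internal flows and the rejected DNS attempt produce no finding, which is the behaviour you want: the audit should surface only traffic that escaped the control, not traffic the control already stopped.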
Start at Application Level
When it comes to securing network infrastructure for agencies, security is typically put in place to protect the infrastructure as a whole, including everything and everyone on the network, with TICs in place to monitor traffic. So far, this approach has worked just fine. But, as federal agencies shift deeper into cloud technologies and store more data and software off-premises, the limitations of such traditional security practices will become more apparent.
Instead, security should be built into these cloud environments and applications as they are developed, rather than retroactively adding security measures that rely only on the networks on which these applications live, as has traditionally been the case. Not only will this better protect these applications and cloud environments, but it also creates defense in depth should any malicious actor breach the infrastructure security gate.
Secure the Data Itself
With so many agencies and organizations migrating to public cloud environments, it’s difficult to guarantee that other systems within that cloud are entirely secure, creating potential vulnerabilities for your data. Instead of focusing solely on securing the cloud environment as a whole, agencies should focus on securing the data itself.
Start by identifying where your data is stored and which data requires enhanced security. Once you’ve established a better understanding of your data, you can implement a data security strategy to protect the most sensitive information.
As cloud adoption continues, it’s critical that we make those environments—and the data stored within—as secure as possible. Although seemingly at odds with one another, it is possible to bring TIC and cloud-first policies together toward the common goal of protecting agencies’ sensitive federal data—not to mention the countless citizens those agencies serve.
Greg Kushto is a vice president of sales engineering at Force 3.