The final TIC 3.0 guidance released in July provided Federal agencies with increased flexibility for ensuring security in their cloud and mobile solutions as they drive forward on their modernization journeys. How are the new trust zones and zero trust working together? How is the new guidance helping agencies modernize while maintaining security?
We sat down with Bryan Rosensteel who serves as a Cyber Security Architect of Public Sector at Cisco’s Duo Security to get his take on the new and improved TIC 3.0 guidance.
MeriTalk: The final TIC 3.0 guidance released in July aims to help agencies introduce more flexibility as they continue to increase use of cloud and mobile solutions. From your view, how will TIC 3.0 support agencies as they progress in their modernization journeys, particularly in this age of maximum telework?
Rosensteel: The last time the TIC documentation and guidance was revisited was over 10 years ago. The world we were living in then was fundamentally different than today. If you think back to TIC 2.0, it was working under the assumption that most agency employees were in the building or on the corporate network accessing resources outside the network – that’s the way it was architected and designed.
We don’t live in that world anymore – and that has become abundantly clear over the last six to eight months of extreme telework. Now, more than ever, agencies need a more modern architecture that supports users, workloads, and cloud applications outside of the network. But they also still need the visibility and security architecture to support those use cases – and that’s exactly what the TIC 3.0 guidance is designed to provide.
It’s no accident that it’s very closely related to the zero trust guidance; you’ll notice there’s commonality in the authors of both guidance paperwork pieces. It’s about helping agencies support these use cases where users are everywhere and anywhere, as are applications and workloads.
MeriTalk: When the draft TIC 3.0 guidance was released toward the end of last year, some commenters noted that the policy’s “trust zones” stood in opposition to CISA’s goal of creating a zero trust environment. How do you feel CISA addressed this in the final guidance?
Rosensteel: The zero trust guidelines extended nomenclature around micro-segmentation – which is the concept of pinning access from a user on a device accessing an application and then micro-segmenting that request. Zero trust is the overarching layer of security or architecture – it’s identity-based, identity-centric. It’s all about visibility, and that’s directly related to the TIC 3.0 trust zones, which are almost an EINSTEIN-like replacement of knowledge.
Trust zones are complementary to zero trust. The core of the trust zones is the “denied first mentality” – and that is very zero-trust related. Trust zones are built around the sensitivity of data and applications, and ensuring proper access and control is given to particular types of data. In some ways, this is loosely analogous to Single Sign On [SSO] trust for a group of federated applications. While TIC 3.0 supports a level of trust, there is still the requirement to authenticate and monitor using zero trust best practices.
These zones help the user know what’s going on with each access request and make sure that we can trust the request. Or in other words, they make sure the device is in good posture based on the agency policy and that the user has proven their identity as the correct person to access that data. Trust zones and zero trust environments are kind of like peas and carrots – they work together. Given some of the same authors for NIST SP 800-207 zero trust guidance also worked on TIC 3.0, this synergy is not surprising.
MeriTalk: Let’s go a little deeper there. How do you see these two principles (trust zones and zero trust) working together to help agencies improve security, build resiliency, and create flexibility?
Rosensteel: Trust zones make it easy to improve visibility. Think of what we did with EINSTEIN and TIC 3.0 – we were looking at threat data and requests, and making sure we had knowledge and understanding of the traceability of each request. If you break things down into micro-segmentation and traceability of networks and application access, it gives you a better, more targeted slice of the overall picture, and an easier way to look at vulnerabilities. Rather than needing to look at your entire environment and pick a needle out of a haystack, now the haystack is much smaller, so that visibility is important and helps minimize the threat surface to its lowest common denominator. Trust zones and zero trust work hand-in-hand to accomplish that.
MeriTalk: How is TIC 3.0 providing agencies with the opportunity to continually innovate and modernize, while still ensuring environments are secure?
Rosensteel: Modernization doesn’t happen in a vacuum, and of course it was happening even before TIC 3.0 was in draft. TIC 3.0 was the result of the realization that we needed a security architecture that could adapt to what the agencies were already thinking of doing. For instance, the Cloud First strategy – which evolved into the Cloud Smart strategy – calls on agencies to make the best decision about each asset or application they deploy. Do you use a SaaS application, put that application in the cloud, or bring it on premise? Then you need to make sure you wrap the security architecture around the model you choose.
In the older TIC guidance iterations, flexibility was just not a part of the design and solution, and this made sense given the challenges TIC was originally drafted to address. Obviously, now technology is very different, as is the modern IT landscape. TIC 3.0 allows agencies to modernize and innovate faster, because it moves away from the “one solution to rule them all” approach of the past to a more flexible, less-rigid set of solutions based on the needs of the data and applications.
MeriTalk: Looking at the implementation process, as agencies move data to the cloud, mobile devices, and outside agency boundaries, they want to ensure that High Value Assets and information are protected. What zero trust models or other cyber security best practices should agencies take to ensure those assets are fully protected?
Rosensteel: This is the crux of the zero trust lifestyle choice that agencies must make with regard to security. You’re focusing on the thing that matters most, which is protecting the agency data. The last few years have been super exciting in public sector technology and a lot of it is due to the acceleration to cloud adoption on the application and workload side. And, we’ve also had an acceleration on mobile adoption from the endpoint side and the end user access perspective.
It’s significant because if you think back to March, zero trust helped us move down that path to support extreme telework environments. Agencies already had an innovative modernization program which was relying on or leveraging cloud applications and cloud resources. Zero trust is just the natural inevitable security model for that type of innovation and modernization that agencies were already pursuing.
This extreme telework environment we’re in now isn’t going anywhere until at least 2021 or 2022. We’re going to need to have the flexibility to provide telework as an option even beyond that. A year ago, if you started at an agency, they might ask if you’d prefer a MacBook, a Windows tablet, or a Chromebook. Similarly, moving forward, they’re going to offer employees different options for telework – either full telework or hybrid telework – depending on how people work best. So we need to make sure that agency high value assets are protected, regardless of where or from which devices users are trying to access them. Zero trust is the key to that.
MeriTalk: Speaking of telework, the TIC 3.0 Interim Telework guidance provided Federal agencies with security capabilities during the surge of remote work due to COVID-19, including a game plan to securely connect to agency networks and cloud environments. In your opinion, how has this guidance aided agencies during the transition from telework? Any challenges you saw agencies encounter?
Rosensteel: Like everything else in technology, it’s a journey. When we started, a lot of agencies had already started moving toward modernization and more modern mobility programs. When the extreme telework situation happened and agencies went from 1% or 5% telework to 100% telework overnight, the first priority was to keep the lights on. Agencies had to make sure that everything scaled and that they had enough servers to support the remote access load.
As the world shifted, we needed to look at authentication differently. One agency we work with encountered a challenge in that they did not have enough government-issued devices to provide to their employees. As they considered putting their authenticator on employees’ personal devices, they were concerned they wouldn’t be able to accurately track and trust that authentication. It brought to light the fact that having a strong authenticator doesn’t necessarily mean you have strong authentication.
The current environment has shone a giant spotlight on identity. It’s more than just proof of possession or that the individual has memorized a password. We need to look at the device used, the security posture of that device, and where the authenticator resides. Incorporating all of this into our authentication workflow is how we built strong authentication.
The TIC 3.0 Interim Telework guidance addressed these challenges, enabling agencies to use alternative authenticators, build dynamic workflow into authentication, and lay the groundwork for zero trust.
MeriTalk: How do you see agencies evolving in this area now that the transition to maximum telework is behind them?
Rosensteel: We’re going to need to go back and revisit some of the decisions we made, because when we made them it was out of a necessity to quickly get things up and running. We might need to rethink some of our choices from an architectural perspective. For instance, there might not be a need to have certain applications on premise, as it might be much easier to host them in the cloud so we’re not fully responsible for the scalability as it scales up and down. It’s important that agencies are thinking about accessibility and scalability around their delivery capability, as well as ensuring that the security is built in and not just bolted on after the fact.
We want to make sure that if we’re doing things quickly or in an extreme situation, we don’t forget to put security procedures in place. We need to revisit those decisions and make sure that security is built in from the ground up every time we decide about a new application.