Safeguarding Telework in Federal Government
In April, CISA issuedinterim TIC 3.0 guidanceon telework security, which provides security capabilities for remote federal employees securely connecting to private agency networks and cloud environments.
The scope of the guidance was limited to scenarios in which teleworkers access sanctioned cloud services, according to CISA, but it was broadly supportive of different security architectures, includingVPNs, virtual desktop infrastructure (VDI) andzero-trust security environments.
When you think about TIC 3.0 and you think about the flexibility that it introduces into your environment, thats the mindset that we have to take going forward, Beth Cappello, deputy CIO at DHS, said during a recent webinar,MeriTalk reports. No longer can it be a traditional point-to-point brick and mortar fixed infrastructure approach.
READ MORE:How are agencies approaching cybersecurity automation?
When the Office of Management and Budget announcedthe Trusted Internet Connections initiativein 2007, officials hoped to slash the number of federal internet access points to no more than 50 and enhance network security. The TIC serves as a secure gateway between federal networks and external network connections, including connections to the internet.
However, since then, the nature of the network perimeter has become more amorphous as more agencies have migrated applications to cloud providers. Agencies complained thatthe TIC program inhibited their cloud migration efforts, and the White House and DHS began revamping the TIC initiative.
In December 2018, OMB first issued draft guidance to update the program to a version known as TIC 3.0. A year later, CISA issued new TIC 3.0 guidance to assist agencies moving from wide network perimeters to micro-perimeters around individual or small groups of assets,FedScoop reports.
Then in July, CISA released final guidance for TIC 3.0.Nextgov reports:
The recommendations included a reference architecture for agency implementation as well as the Security Capabilities Catalog. Even with the current guidance, agencies will need to remain cautious in how they implement TIC 3.0 relative to their unique environments so that they can securely leverage emerging and evolving technology, including SD-WAN and as-a-service cloud platforms.
TIC 3.0 adopts a flexible framework to address and support advanced security measures across branch offices, remote users, cloud and other service providers, mobile devices, etc.,according to the updated TIC program guidebook.
MORE FROM FEDTECH:What are the fundamentals of zero-trust security?
As Nextgov reports, the first policy release and the subsequent TIC 2.0 issued in 2012 focused on agencies headquarters and didnt give sufficient guidance for emerging technologies like cloud computing and mobile devices.
TIC 2.0 focused exclusively on securing an agencys perimeter by funneling all incoming and outgoing agency data through a TIC access point,according to CISA.
The new policy for TIC 3.0 focuses on strategy, architecture, and visibility, according to CISA, recognizing the need to account for multiple and diverse architectures rather than [a] single perimeter approach like TIC 2.0.
Consequently, TIC 3.0 divides agency architectures by trust zones, and it shifts the emphasis from a strictly physical network perimeter to the boundaries of each zone within an agency environment to ensure baseline security protections across dispersed network environments, the playbook states.
Such a shift is the most fundamental change from the legacy TIC program, according to CISA. TIC 3.0 is also descriptive, not prescriptive, and does not take a one-size-fits-all approach. On that note, the guidance allows agencies to take a risk-based approach to accommodate varying risk tolerances, and the playbook says that in cases where additional controls are necessary to manage residual risk, agencies are obligated to apply the controls or explore options for compensating controls that achieve the same protections to manage risks.
Additionally, TIC 3.0 is environment-agnostic and readily adaptable.
Perhaps most significantly, TIC 3.0 is designed to support cloud adoption, since it allows for a direct connection from the user to the cloud. TIC 3.0 also allows cloud service providers to seamlessly and transparently patch applications for users.
Another key use case enabled by TIC 3.0 is branch offices, which assumes there is a branch office of an agency, separate from the agency headquarters, that uses the main office for the majority of its services (including generic web traffic). TIC 3.0 supports agencies that want to enable software-defined WAN technologies.
And, perhaps in a bit of foresight, TIC 3.0 also supports remote users.
READ MORE:Find out how SIEM tools enhance federal cybersecurity.
That support was critical, and it explains whyCISA issued interim guidancein April to allow agencies to adapt TIC 3.0 for telework as the pandemic was becoming more widespread.
The guidance is intended only to address the current teleworking surge and is not meant to be part of the TIC 3.0 program set or to support a TIC 3.0 use case; it will be deprecated at the end of 2020.
The document is intended to provide general guidance to agencies to increase telework and collaboration capacity to meet the growing demands on their existing services. That may require an increase in bandwidth, VPN and cloud services, and the deployment of new cloud services and authorization of the use of nongovernment furnished equipment.
The guidance provides three methods for teleworkers to communicate with agency-sanctioned cloud services. Traditionally, teleworkers had set up a trusted connection to agency resources via technologies such as VPN or VDI. To do so at a large scale requires additional network resources and can lead to degraded performance, so the guidance notes that teleworkers can access cloud services directly with protections being applied on the provider and teleworker resources via transport layer security (TLS), VPN or VDI,FedScoop reports.
Policy enforcement placement and protections are applied at the CSP and on teleworker resources, the guidance states. Capabilities may be duplicated with those traditionally handled by agency campus services so long as policy enforcement parity is ensured.
Under a second approach, teleworkers first establish a protected connection to the agency campus and then make connections to cloud services via that connection.
Policy enforcement can be performed at the teleworker, agency campus, and CSP, according to the guidance. Teleworkers may establish the connection to agency campus resources for additional business functions alongside connections to the CSP.
However, teleworkers may see reduced performance because of increased network latency, stacked network encryption, increased likelihood for network congestion, concentrator licensing bottlenecks, and/or other resource exhaustion.
A third option allows teleworkers to access agency-sanctioned cloud resources through a cloud access security broker or another Security as a Service provider.
Security for teleworkers is continuing to evolve. Over the course of the pandemic, the Small Business Administration had to scale its network to handle a workforce of 20,000 personnel, about five times what it was before the coronavirus pandemic,Federal News Network reports. However, the office that issued personal identity verification cards at the agency had been shut down.
To help, SBA CISO James Saunders says the agency has used its cloud identity infrastructure to launch conditional access to put users on a trusted network using a trusted device to login using a username and password, the publication reports.
Meanwhile, the State Department is migrating to a zero trust-like solution, Robert Hankinson, the director of the agencys office IT infrastructure, tells Federal News Network. The agency already had classified systems to support remote access, firewalls and other equipment.
Through this process, we found that we owned already most of the equipment and the technology that we needed to make this reality. The difference was how it was configured, where they were positioned, how they were used, and the culture and the mindset around that, he says. Security for the Department of State was largely a castle-and-moat sort of thing big high walls, that everything sits on the inside.
Now, the State Department is thinking of shifting to zero trust as part of a larger smart infrastructure effort, Hankinson says.
- Cyber security and the Internet of Things - Lexology - November 16th, 2020
- Save over $6,400 off this Complete InfoSec & Business Continuity Bundle - Neowin - November 16th, 2020
- Official Government Cybersecurity Guidance Offers Six Focus Areas for Banks of All Sizes - Lexology - November 16th, 2020
- Internet Security Audit Market is Expected to Exhibit an Upward Growth Trend Across Widespread Verticals | Affluence - The Think Curiouser - November 16th, 2020
- Internet Of Things Security Market 2020: Global Opportunities, Regional Overview, Top Leaders, Size, Revenue and Forecast up to 2020 2026 - The Daily... - November 16th, 2020
- Internet of Things (IoT) Security Technology Market Size 2020 | Opportunities, Regional Overview, Top Leaders, Revenue and Forecast to 2027 -... - November 16th, 2020
- 6 security shortcomings that COVID-19 exposed - CSO Online - November 16th, 2020
- iboss Named Finalist for Best Network Security Solution in the 2020 ASTORS Homeland Security Awards - PR Web - November 16th, 2020
- Microsoft: Move Away From Phone-based Multi-factor Authentication - TechDecisions - November 16th, 2020
- Global Cable Operator Markets, 2020-2025 by Technology, Residential Services (Wireless, Internet, Entertainment, Security, Home Automation, and IoT... - November 16th, 2020
- Why fintech security must never be an afterthought Wall Street Call - Reported Times - November 16th, 2020
- Global Internet Security Market Share, Quantitative Analysis, Drivers & Restraints, Future Trends and Forecast Research Report 2026 by Global... - November 10th, 2020
- Internet Security Software Market Size, Share, Types, Products, Trends, Growth, Applications and Forecast 2020 to 2027 - TechnoWeekly - November 10th, 2020
- How the Internet of Things Security Infrastructure in India can be improved? - Analytics Insight - November 10th, 2020
- Global Internet of Things Security Market 2025 Potential Scope for Growth in This Pandamic: Check Point Security Software Technologies, Cisco Systems,... - November 10th, 2020
- What is a RAT? How remote access Trojans became a major threat - CSO Online - November 10th, 2020
- China's largest hackathon sees Windows 10, iOS 14, Chrome, and more hacked - TechSpot - November 10th, 2020
- How governments, companies can address evolving needs of increasing tech-savvy Filipinos - Philstar.com - November 10th, 2020
- Global IT Security Market 2020 Growth Potential, Production, Revenue And COVID-19 Impact Analysis 2025 - The Think Curiouser - November 10th, 2020
- Internet of Things (IoT) Security Market Will Generate Massive Revenue In Future A Comprehensive Study On Key Players - TechnoWeekly - November 10th, 2020
- Global Internet Security Market 2020 | Know the Companies List Could Potentially Benefit or Loose out From the Impact of COVID-19 | Top Companies:... - November 8th, 2020
- Misinformation, not vote tampering, is our most critical election threat - SecurityInfoWatch - November 8th, 2020
- Top 7 Ways to Hide Your IP Address in 2021 - Techstory - November 8th, 2020
- Internet Security Software Market Current and Future Trends, Leading Players, Industry Segments and Regional Forecast By 2029 - Eurowire - November 6th, 2020
- Know Your Role: You Are Part of the Security Team - ClearanceJobs - ClearanceJobs - November 6th, 2020
- 'This is how it was all supposed to work': The EI-ISAC readies for Election Day - StateScoop - November 6th, 2020
- Two reasons your Wi-Fi is slow, and how to fix them - CNET - November 6th, 2020
- Keeping Yourself Safe on the Internet at University - TechBullion - November 6th, 2020
- IT Security Spending in Government Market Expected to Flourish By 2025 with Top Key Players- IT Security Spending in Government are: Check Point... - November 6th, 2020
- Arson, water damage: Paper ballots are fragile. But there's a reason we don't vote online - CNET - November 6th, 2020
- Live News Streaming Figures for #Election2020 Highlight Misinformation Threat - Infosecurity Magazine - November 6th, 2020
- Florida Invests in Security Controls Ahead of #Election2020 - Infosecurity Magazine - November 6th, 2020
- How to Organize Employees to Cooperate in Threat Mitigation - Infosecurity Magazine - November 6th, 2020
- The best antivirus protection for Windows 10 in 2020 - CNET - November 2nd, 2020
- Internet Security Firewall Market to Reap Excessive Revenues by 2020-2029 - Eurowire - November 2nd, 2020
- Global Internet Security Market Expected to reach highest CAGR in forecast period :HPE, IBM, Intel, Symantec, AlienVault - TechnoWeekly - November 2nd, 2020
- Poll shows that many feel more vulnerable to online threats during the pandemic - Wiltshire 999s - November 2nd, 2020
- Internet of Things (IoT) Security Market To Witness Significant Growth By 2020-2028 - TechnoWeekly - November 2nd, 2020
- Post-2020 election, Covid vaccine is biggest disinformation threat on the internet: Former Facebook security chief - CNBC - November 2nd, 2020
- Internet of Things (IoT) Security Market Demand (2020-2026) | Covering Products, Financial Information, Developments, Swot Analysis And Strategies |... - November 2nd, 2020
- Career in cybersecurity or ethical hacking: Where to study, starting salary and job interview questions - India Today - November 2nd, 2020
- Internet Of Everything (IoE) Market Status and Trend: Top Key Players, Industry Dynamics, And Regional Scope 2020 - Aerospace Journal - November 2nd, 2020
- Security Pros Have Role in Combatting Disinformation - Infosecurity Magazine - November 2nd, 2020
- How Safe Is the US Election from Hacking? - The New York Review of Books - November 2nd, 2020
- Internet watchdog warns of rise in scammers' activity - New Zealand Herald - November 2nd, 2020
- Homeland Security notified after hackers leak names of local residents who reportedly submitted invalid ballots - iFIBER One News - November 2nd, 2020
- Global Internet of Things Security Market Expected to reach highest CAGR in forecast period :Check Point Security Software Technologies, Cisco... - November 2nd, 2020
- Network Security: Don't Trust And Verify - IT Jungle - October 23rd, 2020
- Akamai Reveals State of Internet: Threats to Retailers - Solutions Review - October 23rd, 2020
- Verisign Reports Third Quarter 2020 Results | Business | The Daily News - Galveston County Daily News - October 23rd, 2020
- Global Internet Security Software Market Analysis, Drivers, Restraints, Opportunities, Threats, Trends, Applications, And Growth Forecast To (2026). -... - October 23rd, 2020
- Nokia Threat Intelligence Report warns of rising cyberattacks on internet-connected devices - GlobeNewswire - October 23rd, 2020
- Cybersecurity and a potential Biden White House: Past tech priorities resurrected - SC Magazine - October 23rd, 2020
- Virgin Media has an important new feature, but switching it on will cost you - Express - October 23rd, 2020
- WISeKey and OpSec Security Partnership Establishes Trust Between Brands and their Customers through Improved Customer Engagement - GlobeNewswire - October 23rd, 2020
- Internet Of Things Iot Security Market Economic Perspective And Forecast To 2027 - PRnews Leader - October 23rd, 2020
- Why cybercriminals have 'Gone Vishing' during the COVID-19 Pandemic - Bdaily - October 23rd, 2020
- Insights on the Digital Security Control Global Market to 2027 - Strategic Recommendations for New Entrants - GlobeNewswire - October 17th, 2020
- More than 25% of Cypriots concerned about internet security - Cyprus Mail - October 17th, 2020
- 5 things you can do to secure your home office without hiring an expert - We Live Security - October 17th, 2020
- Beyond Speed and Reliability: Security Is a New Differentiator - Security Boulevard - October 17th, 2020
- Nationwide and Generali Global Assistance Partner to Enhance Identity Theft Protection - Insurance News Net - October 17th, 2020
- Global Internet of Things (IoT) Security Product Market 2020 Impact of COVID-19, Future Growth Analysis and Challenges | Cisco Systems, Inc, IBM... - October 17th, 2020
- Is BlackBerry (TSX:BB) Stock a Buy on the Latest News? - The Motley Fool Canada - October 17th, 2020
- Global Internet of Things or IoT Security Market to Reach $22 Billion+ Valuation by 2027, Largely Due to Blockchain Adoption - Crowdfund Insider - October 17th, 2020
- Internet Security Market with COVID-19 Recovery Analysis 2020 | Rapid Adoption of BYOD Policy to Boost Market Growth | Technavio - Business Wire - October 8th, 2020
- Tenable and the CIS Enter Partnership to Bolster Cyber Hygiene - AiThority - October 8th, 2020
- How to Build Smart Banks that Connect Customers with Modern DX - AiThority - October 8th, 2020
- #NCSAM: Is Connected Ever Going to be Protected? - Infosecurity Magazine - October 8th, 2020
- Cyber Security Awareness Month is here! - We Live Security - October 2nd, 2020
- Internet security Market Potential Growth, Size, Share, Demand and Analysis of Key Players Research Forecasts to 2027 - The Daily Chronicle - October 2nd, 2020
- Latest Report on Global Internet of Things (IoT) Security Market Analysis, Growth, Opportunity and Regional Insights 2026 - The Daily Chronicle - October 2nd, 2020
- Remarks by Henrietta Fore, UNICEF Executive Director, at Security Council meeting on universal connectivity & access to digital technology in... - October 2nd, 2020
- Lessons learned from firsthand experience on how to avoid internet fraud and other forms of cyberattacks (opinion) - Inside Higher Ed - October 2nd, 2020
- COVID-19 Update: Global Internet Security Audit Market is Expected to Grow at a Healthy CAGR with Top players: Symantec, Intel Security, IBM, Cisco,... - October 2nd, 2020
- Internet Security Market 2020: Potential growth, attractive valuation make it is a long-term investment | Know the COVID19 Impact | Top Players: HPE,... - September 30th, 2020
- The Top Internet of Things (IoT) Authentication Methods and Options - Security Boulevard - September 30th, 2020
- Is your business looking for an extra layer of security - here's why a VPN may be the answer - TechRadar - September 30th, 2020
- A business connected to the cloud needs cloud-ready security, connectivity - Techgoondu - September 30th, 2020
- The 6 key races you haven't heard of that may help decide how we secure our elections - POLITICO - September 30th, 2020