TIC 3.0: Get Ready for Zero Trust

TIC 3.0 is the latest update to an initiative first designed to consolidate the number of network connections and attach defense and monitoring solutions to the security perimeter.

The new policy reflects the evolution of enterprise security, which emphasizes the protection of data rather than the dissolving or constantly shifting perimeter. Rather than directing agencies to shut down the perimeter, the policy provides them with a framework for defining different zones of trust within their environment – and it recognizes that agencies need the latitude to interpret TIC 3.0 based on the requirements of their specific environments.

The hope is that agencies won’t have to bend over backward to satisfy TIC anymore. Instead, they can leverage the new use cases to find better ways to extend services to the distributed enterprise — remote offices and individuals working outside the traditional network perimeter — and provide a secure way to adopt technologies like cloud, mobility and the Internet of Things (IoT).

GovLoop held a roundtable event earlier this year in collaboration with Zscaler and Amazon Web Services (AWS), featuring TIC 3.0 policy leaders and representatives from several agencies across the federal government. During the event, officials say as TIC continues to evolve to meet the times, a zero-trust use case is its future. Zero trust is a security strategy based on a “never trust and always verify” mentality, and it emphasizes the constant protection of data instead of stagnant defense of the perimeter.

Security experts have noted that TIC 3.0, with its focus on assigning trust scores to users and defining more granular “zones of trust” within a network, provides some building blocks for a zero-trust architecture.

Zero trust, which was first defined by an analyst at Forrester Research in 2010, assumes that unauthorized users or systems are bound to get on a network, so it’s important to put security at the level of individual datasets, applications and other resources.

Sean Connelly, TIC Program Manager, Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), noted that interest in zero trust was high, although not all agencies were quite ready for it yet. “I have to be careful when I talk about zero trust in terms of TIC because there are some agencies that want to turn the whole architecture over to zero trust. From a TIC perspective, we need to be inclusive of the technology from 1999, if you will, and also from 2029. But we will have a zero-trust use case coming out at some point. “One thing to understand is that, typically, we only have one or two agencies doing a pilot for a use case. But there’s so much interest in zero trust, I expect we’ll have many agencies doing a zero-trust pilot,” he said.

One way to implement zero trust is to “separate the meat and the milk,” said John MacKinnon, Global Telecommunications Partner Development Manager for the Worldwide Public Sector at AWS. At any given time, an agency is likely being inundated with traffic from hostile actors, whether they are cybercriminals, nation-states or political hacktivists. So, how can they deflect these attacks while safeguarding user experience inside the system?

The goal is to focus on this traffic at the edge, via the cloud, and not let it reach the data center.

“I don’t want to have that stuff sitting in the same data center as mission-critical [assets]. Because if somebody overwhelms the firewalls and all the stuff is in there, then the fox is in the henhouse. This is another case for zero trust,” MacKinnon said. “In a traditional cybersecurity approach, I check your ID at the front door, then I let you go anywhere in my house. Wouldn’t it make any more sense for me to check your ID at the [network’s] edge with two-factor authentication, and then only allow you to go to the things I give you access to?”

This is one of five takeaways expert discussed regarding TIC 3.0 during the roundtable event, for the rest of the takeaways, download GovLoop’s e-book “Time for Modern, Secure Networks: The TIC 3.0 Initiative.”

Photo credit: GovLoop


Leave a Comment

Leave a comment

Leave a Reply