Can the SBA Prove Its Cloud Security Is Equivalent to TIC?

As cloud-based data storage for government has edged into the practical realm in recent years, federal agencies have struggled with addressing a decade-old initiative: Trusted Internet Connections. Designed to secure on-premise network systems across the federal government, it’s become an impediment to cloud migration.

But that may change soon.

The Small Business Administration and another unnamed agency are conducting a pilot that, if successful, will enable a workaround to the TIC, explained Guy Cavallo, SBA’s Deputy CIO, at GovLoop’s recent event “Cloud and Cyber Combine to Protect Gov Data.” The agencies are testing separate cloud solutions — Microsoft Azure at SBA and Amazon Web Services at the other.

“If we can prove to [the Office of Management and Budget, Homeland Security Department and General Services Administration] that the security protections will be equivalent to the TIC,” Cavallo said, “then you will see a memo come out from OMB saying, ‘If you follow the format, we will publish the architecture. You don’t have to go through the TIC.’”

He explained that TIC, which began implementation with a memo released on Nov. 20, 2007, “does not play well with the cloud.” But the security features that come with Azure are substantial and comparable, he added.

For example, the service provides worldwide traffic visibility, which means the SBA can see exactly where the computers attempting to reach its systems are located. Recently, Cavallo explained, his team noted 13 attempted connections from Vietnam. The SBA does not maintain offices in that country, so it blocked those IP addresses from further access attempts. Additionally, the service reports which system email accounts are targeted most frequently and which account passwords pose a security risk.
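The triage Cavallo describes, sign-ins viewed by source country, unexpected countries blocked, and the most-targeted accounts surfaced, can be reproduced over ordinary sign-in logs. The script below is an added illustration, not SBA or Azure code; the log format, the TEST-NET addresses, the accounts and the assumption that the agency expects traffic only from the US are all constructed for the example.

```python
"""Geo-anomaly triage over sign-in logs (added example, not SBA or Azure code)."""
import ipaddress
from collections import Counter

# Constructed sample sign-in records: timestamp, source IP, geolocated country,
# account, result. IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-11-01T08:02:11Z 203.0.113.10 US alice@example.gov success
2017-11-01T08:05:40Z 203.0.113.10 US alice@example.gov success
2017-11-01T08:06:01Z 198.51.100.7 VN admin@example.gov failure
2017-11-01T08:06:03Z 198.51.100.7 VN admin@example.gov failure
2017-11-01T08:06:05Z 198.51.100.9 VN admin@example.gov failure
2017-11-01T08:07:22Z 192.0.2.44 US bob@example.gov failure
2017-11-01T08:07:30Z 192.0.2.44 US bob@example.gov success
2017-11-01T08:09:00Z 198.51.100.12 VN bob@example.gov failure
2017-11-01T08:10:15Z 203.0.113.77 CA carol@example.gov success
"""

# Assumption for the example: the agency has offices only in the US, so any
# other source country is unexpected and worth review.
ALLOWED_COUNTRIES = {"US"}


def parse_log(text):
    """Turn whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, account, result = line.split()
        events.append({"ts": ts, "ip": ip, "country": country,
                       "account": account, "result": result})
    return events


def attempts_by_country(events):
    """Count sign-in attempts per source country (the 'worldwide visibility' view)."""
    return Counter(e["country"] for e in events)


def unexpected_sources(events, allowed=ALLOWED_COUNTRIES):
    """Map each country outside the allowed set to the source IPs seen from it."""
    found = {}
    for e in events:
        if e["country"] not in allowed:
            found.setdefault(e["country"], set()).add(e["ip"])
    return found


def most_targeted_accounts(events, n=3):
    """Accounts with the most failed sign-ins, most targeted first."""
    failures = Counter(e["account"] for e in events if e["result"] == "failure")
    return failures.most_common(n)


def build_block_list(events, allowed=ALLOWED_COUNTRIES):
    """Every source IP seen outside the allowed countries, sorted numerically."""
    ips = set()
    for country_ips in unexpected_sources(events, allowed).values():
        ips |= country_ips
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("attempts by country:", dict(attempts_by_country(evts)))
    print("unexpected sources:", unexpected_sources(evts))
    print("most targeted accounts:", most_targeted_accounts(evts))
    print("proposed block list:", build_block_list(evts))
```

Country-based blocking is coarse: it keys on a geolocation lookup that can be wrong, and it says nothing about failed sign-ins from allowed countries, which is why the script also ranks accounts by failed attempts rather than relying on geography alone.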

During his keynote presentation, Cavallo referenced a quote from Balaji Yelamanchili, Executive Vice President of Enterprise Security Business at Symantec, stating that the average enterprise uses 75 distinct security products. That overload becomes a vulnerability because it slows the detection of attackers.

“We think the cloud is more secure,” Cavallo said. “So [whatever is] not nailed down, we’re moving it to the cloud.”

The SBA managed to adopt a cloud solution in a mere 82 days — a notable feat, especially considering where the agency was when Cavallo first came on in 2016. At that time, it was still running up to 55 Windows Server 2003 machines, for which Microsoft had ceased to provide security updates.

To avoid this in the future, agencies need to explore whether the systems they’re implementing will notify administrators of new updates. “People let this happen because there’s no alert,” he said. “There’s nothing in your network going, ‘You guys don’t have security patches on this traditional model.’”
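The missing alert Cavallo describes is straightforward to generate from an asset inventory: compare each host's operating system against the vendor's end-of-support date and flag anything past it or long unpatched. The script below is an added example, not SBA tooling; the inventory rows and the report date are constructed, and the support-end table is an assumption to be checked against the vendor's lifecycle page (the Windows Server 2003 entry, July 14, 2015, is the date Microsoft published).

```python
"""Alert on hosts whose OS is past end of support or long unpatched (added example)."""
import csv
import io
from datetime import date, timedelta

# Assumed support-end dates; verify against the vendor's published lifecycle data.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2016": date(2027, 1, 12),
}

# Constructed inventory export: hostname, operating system, date of last patch.
SAMPLE_INVENTORY = """\
hostname,os,last_patch
sba-file01,Windows Server 2003,2015-05-10
sba-web02,Windows Server 2016,2017-10-15
sba-db03,Windows Server 2008 R2,2017-06-01
sba-app04,Windows Server 2003,2014-12-01
"""

# Fixed report date so the example is reproducible (constructed).
REPORT_DATE = date(2017, 11, 1)


def parse_inventory(text):
    """Read the CSV export into a list of dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"hostname": row["hostname"], "os": row["os"],
                     "last_patch": date.fromisoformat(row["last_patch"])})
    return rows


def unsupported_hosts(inventory, today=REPORT_DATE):
    """Hosts whose OS no longer receives security updates, with days since cutoff."""
    out = []
    for host in inventory:
        cutoff = END_OF_SUPPORT.get(host["os"])
        if cutoff is None:
            # Unknown OS: treat as unsupported until someone classifies it.
            out.append((host["hostname"], host["os"], None))
        elif today > cutoff:
            out.append((host["hostname"], host["os"], (today - cutoff).days))
    return out


def stale_patch_hosts(inventory, today=REPORT_DATE, max_age_days=90):
    """Hosts not patched within max_age_days of the report date."""
    limit = today - timedelta(days=max_age_days)
    return [(h["hostname"], (today - h["last_patch"]).days)
            for h in inventory if h["last_patch"] < limit]


def alerts(inventory, today=REPORT_DATE):
    """Human-readable alert lines, one per finding, so that 'nothing going off' is no longer true."""
    lines = []
    for name, os_name, days in unsupported_hosts(inventory, today):
        detail = "unknown support status" if days is None else f"{days} days past end of support"
        lines.append(f"ALERT {name}: {os_name} is {detail}")
    for name, age in stale_patch_hosts(inventory, today):
        lines.append(f"ALERT {name}: last patched {age} days ago")
    return lines


if __name__ == "__main__":
    for line in alerts(parse_inventory(SAMPLE_INVENTORY)):
        print(line)
```

Running the check on a schedule and routing its output to the same channel as other operational alerts is the point: the finding exists in every inventory system already, but without a scheduled comparison nothing ever raises it.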

For some, however, cloud data storage remains something of a mystery. Where exactly is it? And who owns it? That uncertainty can be a deterrent.

Cavallo recommended that those still unsure go visit the data centers from which the services operate. Compared to old data centers built for on-premise operations around 2000, visiting a modern data center feels like stepping into the future, he said.

On the fiscal front, cloud services have been growing steadily more affordable as other providers enter the market. “The price competition is there,” Cavallo explained.

Moving forward, keep an eye out for news from OMB on this cloud security pilot. If the two agencies are successful, it could pave the way for notably quicker cloud migration in federal government agencies.

One Comment

Kaitlin Moller

Wow! Thank you so much for the insight. I especially liked Guy Cavallo’s quote: “People let this happen because there’s no alert,” he said. “There’s nothing in your network going, ‘You guys don’t have security patches on this traditional model.’”

So true! Sounds like it was a very informative event. Great post, Joe.