The recent and rapid adoption of cloud, mobility and related technologies has dramatically altered the federal IT environment. While these technologies have facilitated the development of a whole new range of IT services, they have also created new cybersecurity concerns.
Traditionally, agencies have relied on perimeter-based security solutions. These methods worked (to some extent) when most employees were working within the perimeter and accessing applications and data through the data center. But more and more frequently, that’s not the case.
Branch offices or employees working remotely often are accessing applications and data through the cloud. Under the Trusted Internet Connections (TIC) policy, network traffic was required to be routed through the security controls in the data center, which led to numerous problems with performance and security.
Hence the genesis of TIC 3.0, which enables agencies to create a more distributed network architecture, in which the security controls can be moved to the cloud in closer proximity to users. Expectations are high that TIC 3.0 will significantly improve security in today’s cloud-based IT environment. But in order to achieve the full benefits, agencies are recognizing they must also adopt a Zero Trust security model.
Zero Trust, like TIC 3.0, recognizes perimeter-based security is no longer sufficient. This is due in part to so many users or systems working outside the perimeter; further, malicious actors have become far more proficient at stealing credentials and getting inside the perimeter. Consequently, the best policy is to trust no one.
The Zero Trust security model ensures security in an environment in which cloud, mobility and related technologies have diminished the effectiveness of perimeter-based security. Zero Trust also recognizes that in this era of phishing attacks and stolen credentials, there is no meaningful distinction between internal and external threats. Everyone on the network must be seen as a potential threat.
Practically speaking, that means every time a user (or system) requests access to applications, data or other network resources, the network should verify identity and privilege, and whether the user or system should have access to that resource.
To move forward, successful agencies will leverage TIC 3.0 and Zero Trust in tandem.