A future-proof security model for a modern, mobile government
The shift to telework has required many federal agencies to consider new security approaches that fill the gaps between traditional network-centric security, which was not built to scale to a dynamic telework environment, the agency's IT network architecture, and the various cloud architectures it now connects to.
To address these complexity and cybersecurity issues, agencies are turning to policies including CISA's Trusted Internet Connection (TIC) 3.0 that provide guidance on reducing risks and enabling secure connections to government networks.
TIC 3.0 opens the door for modern, hybrid cloud environments, and provides agencies with greater flexibility. Rather than focusing on a physical network perimeter that no longer exists, the guidance recommends considering each zone within an agency environment to ensure baseline security across dispersed networks. As agencies continue to support a remote and distributed workforce, this security approach will be critically important.
In a recent webinar, I spoke with Guy Cavallo, former Deputy Chief Information Officer, Small Business Administration and now Principal Deputy Chief Information Officer, Office of Personnel Management; Gerald Caron, Director of Enterprise Network Management, Department of State; and Sanjit Ganguli, Vice President of Product Strategy, Zscaler about how TIC 3.0, Secure Access Service Edge (SASE), and zero trust are helping agencies securely migrate to cloud and modernize IT environments.
A TIC 3.0 use case to secure the edge
To improve cloud security and provide a consistent user experience, especially as government moves closer to the network edge, agencies are adopting a new security model, SASE. SASE is an identity-based security perimeter that allows users to connect to their data and clouds securely – from any location.
Rather than hair-pinning traffic through MTIPs or legacy TIC perimeters and building security perimeters around applications, SASE flips the security model. It allows agencies to organize security functions and move them to where the users and applications are. SASE moves essential functions, including secure web gateways, firewalls, zero trust capabilities, data loss prevention, and secure network connectivity, into a cloud-based paradigm. By creating perimeters around specific entities, such as users, federal employees get direct access to the cloud while security is pushed as close to the user, data, and device as possible.
SASE and TIC 3.0 have changed how agencies approach network visibility initiatives. Cavallo said that once SBA switched to a SASE infrastructure, employees were no longer disconnecting from the remote server multiple times a day, but were able to stay logged on and secure. With SASE, IT administrators know where their employees are logging in and can ensure that their environments are secure.
Cavallo emphasized that with SASE, SBA had seven times more people connecting to the server than in previous months. This infrastructure, along with the telework shift, allowed more SBA team members to connect remotely and take advantage of the agility and scalability of the technology.
Moving to a SASE model will help agencies reduce IT costs and complexity while providing a better experience for users and constituents. At the same time, agencies will reduce risks, reduce their security footprint, and provide much better security for internal applications, data, and the overall IT environment.
Protecting data in a multi-cloud world
When it comes to working in multiple clouds, ensuring that data is protected, even during architectural changes, is critical.
A zero trust security model has been a vital part of how organizations protect users and data for the past 10 years, but more agencies are adopting zero trust as they continue to support remote work and provide secure access.
Zero trust means agencies grant users access based on four principles: identity, location, device and data. This simple concept becomes more complex when there are more users, locations, and devices and users are connecting to different data centers. As technologies advance, agencies look to how they can truly support the secure access needs of their applications and services, especially as they've been migrating to the cloud.
"Talking about zero trust and protecting data, you have to know where your data resides," said Caron. "First of all, you need to know what the categorization of that data is, how that data flows, and what normal looks like. If you don't know what normal looks like, how do you know how to protect it?"
As agencies adjust their security perimeter to protect users and data across multiple clouds, data centers, and remote locations, they will need to provide access based on user identity through a zero trust security model. This reduces the complexity of multiple interfaces and delivers a better user experience.
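As an added illustration (not code from the article or any agency), the four zero trust inputs named above can be modelled as one access decision in which the data classification sets how strict the identity, location and device checks are, and anything not explicitly allowed is denied. The attribute names, group names, country codes and classification labels are assumptions constructed for the example.

```python
"""Zero trust access decision over identity, location, device and data.
Illustrative only: the policy table, group names and classification labels
are assumptions, not any agency's actual policy."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user_groups: frozenset      # identity: groups asserted by the IdP
    country: str                # location: derived from network context
    device_managed: bool        # device posture: enrolled in MDM/EDR
    device_patched: bool        # device posture: compliance check passed
    data_class: str             # data: classification of the target resource
    mfa: bool = False           # identity: strong authentication performed


# Policy keyed by data classification (assumed labels). The more sensitive
# the data, the stricter the identity, location and device requirements.
POLICY = {
    "public":   {"groups": set(),        "countries": None,   "managed": False, "mfa": False},
    "internal": {"groups": {"employee"}, "countries": None,   "managed": False, "mfa": True},
    "cui":      {"groups": {"employee"}, "countries": {"US"}, "managed": True,  "mfa": True},
}


def decide(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every factor is checked independently so the
    denial reasons are auditable; an unknown classification is denied by default."""
    rule = POLICY.get(req.data_class)
    if rule is None:
        return False, [f"data: unknown classification {req.data_class!r}"]
    reasons: list[str] = []
    if rule["groups"] and not rule["groups"] & req.user_groups:
        reasons.append("identity: user not in a required group")
    if rule["mfa"] and not req.mfa:
        reasons.append("identity: MFA required")
    if rule["countries"] is not None and req.country not in rule["countries"]:
        reasons.append(f"location: {req.country} not permitted for this data")
    if rule["managed"] and not (req.device_managed and req.device_patched):
        reasons.append("device: managed and patched device required")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample: an employee on an unmanaged device abroad requesting CUI.
    print(decide(Request(frozenset({"employee"}), "DE", False, True, "cui", mfa=True)))
```

The returned reason list is what a policy engine would log for every denial, which is also the baseline Caron describes: you cannot tell what is abnormal until each factor is recorded per request.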
A modern security approach
COVID-19 has shown the importance of the extensibility and scalability of the cloud and has been a forcing factor that expedited modernization initiatives, including security modernization, the ability to do SSL decryption at scale, and the ability to proactively monitor threats in real time and share that data with the Department of Homeland Security.
With a SASE cloud-based model that includes zero trust capabilities, agencies have the ability to expand their network and be one step ahead when it comes to cybersecurity—a glimpse into how federal networks will be designed and secured in the future.
Stan Lowe is global chief information security officer at Zscaler.