Is it time to rethink the TIC?
Current restrictions on internet gateways complicate agencies' move to the cloud, so the Office of Management and Budget is exploring new security architectures.
For nearly a decade, Trusted Internet Connections have centralized and secured the gateways through which agencies can connect to the public internet. What sufficed for sending email and visiting websites, however, is increasingly problematic as agencies move to adopt cloud services -- so the federal CIO's office is working to reinvent the TIC.
"We have challenges with the TIC architecture, because a lot of us are operating in hybrid environments," acting federal CIO Margie Graves said at BMC's June 7 event on digital enterprise management. She recalled an example from her time at the Department of Homeland Security, where a modernization effort involved moving systems into the Amazon Web Services cloud. To make the migration work, Graves said, it "required that we place a server at AWS to run our TIC architecture -- and then we found that we had latency issues associated with that."
Graves said her office and others are working closely with the Office of American Innovation on a wide range of IT-related reforms -- including possible new hiring authorities and ways to streamline the Authorization to Operate process -- and are in the midst of a 90-day sprint. An overarching goal, she said, is to "modify those things that no longer work or are sending people in the wrong direction. And one of the first things we’re tackling is our TIC policy. You’ll see something different coming out ... in how we might deliver TICs in a different kind of way."
Encryption is "not a panacea," Graves said, but agencies need to start thinking about security at the data layer, rather than perimeter defense and network-based security. "A stateless architecture," she said, is "the only way we're going to be able to fully adopt cloud services, and mobility, and Internet of Things, and all the technologies that are out there."
Graves also stressed to feds in the audience that "the alternative architectures that we’re exploring for delivering the TIC capabilities do not negate the necessity to maintain your cyber posture." Understanding the level at which an agency's data must be protected, making that data auditable, and the various TIC protections "are all important things," she said. "But they don’t necessarily have to be done with the architectures we have today."