Why TIC and cloud don't mix

The Department of Homeland Security's top cyber official told Congress that policy changes will help agencies move to the cloud and accommodate teleworkers while still protecting federal networks.


The Department of Homeland Security's top cyber official told Congress that changes to two IT security programs will help reconcile the government's desire to modernize in the cloud and accommodate remote employees while still shoring up protections for federal networks and systems.

The Trusted Internet Connection program was launched in 2007 to reduce the federal government's attack surface by cutting internet access points. That initiative pre-dated the "cloud-first" policy launched in 2010, and the two programs have struggled to sync up ever since.

Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, acknowledged that the goal of reducing access points fit the old-school, IT-ownership model that cloud is replacing.

"In the traditional or historic on-premise environment of having a server room or having a data center where you know where the equipment is and you can sit on the pipes and focus them down, TIC was important," Krebs told the House Appropriations Committee in a March 13 hearing. "Going forward -- particularly as we shift through IT modernization to cloud, because cloud is efficient, it's scalable, it's flexible to meet modern workforce demands -- TIC won't work."

The federal government relies on more than 228 different cloud providers, and the White House has repeatedly emphasized cloud adoption as a central pillar of its IT modernization efforts. Last year, the Trump administration ordered agencies to update their TIC policies to remove any barriers impeding further cloud adoption, while DHS rolled out a revamped policy that is designed to reconcile the cloud vs. security contradiction inherent in previous versions.

Krebs laid out a model that he said would be better able to take advantage of the cloud while also pushing certain security requirements onto vendors and providers.

"The alternative model -- which in the end will actually be more efficient and save the taxpayer money because we're not owning the infrastructure -- is we are setting a set of security outcomes and requirements for the cloud providers, saying, 'This is the kind of information we need, you need to send it back to us' and then we can analyze it," said Krebs.

Rep. Dutch Ruppersberger (D-Md.) pointed out that TIC policy also inhibited teleworking.

"Counter to the idea of reducing connections to the internet, the federal workforce is actually moving in the opposite direction with more and more employees working remotely," he said.

The Government Accountability Office has consistently tracked significant year-over-year increases in the number of federal employees who telework. According to data from the Office of Personnel Management, 34 percent of federal employees in 2016 reported working remotely, while 54 percent said they do not only because some type of obstacle prevents them from doing so. Only 12 percent reported that they do not work remotely by choice.

Krebs said DHS is relying on another revamped cybersecurity program, Continuous Diagnostics and Mitigation, to help change out older systems and technology at federal agencies and build in more capabilities to accommodate cloud and remote employees while, again, relying on private sector "agility" to ensure certain security requirements are maintained.

"We are ultimately going to shift from a model where we own the infrastructure, we own the sensors, and instead we're putting out a baseline policy and a series of outcomes that we're looking to achieve so we have everybody playing by our rules rather than we're doing the operations and maintenance on equipment," said Krebs.