The Cybersecurity and Infrastructure Security Agency (CISA) released a draft version of a Trusted Internet Connections (TIC) Use Case focusing on access for remote users and user-owned mobile devices, setting the stage for more direct network access to agency and cloud-based resources.
The draft guidance released today builds on the TIC 3.0 Interim Telework Guidance document that CISA released in April. It keeps the same three network security patterns, but offers more detail on security capabilities, appropriate trust zones, and architecture. The use case covers devices that do not connect directly to agency network infrastructure, which means it can also apply to BYOD mobile devices that reach agency resources over cellular networks.
“CISA expects the security guidance will help agencies improve application performance, reduce costs through reduction of private links and improve user experience by facilitating remote user connections to agency-sanctioned cloud services and internal agency services,” said Matt Hartman, acting assistant director at CISA’s Cybersecurity Division.
The network security patterns supported by the use case are:
- Secure remote user access to the agency campus;
- Secure remote user access to agency-sanctioned cloud service providers (CSPs); and
- Secure remote user access to the web.
For remote user access to the agency campus, TIC 3.0 would allow connections through an agency VPN with multi-factor authentication (MFA); through a virtual desktop environment or directly to the agency campus over protected connections, with consistent protections applied at the agency level; or through a cloud access security broker (CASB) or other security-as-a-service (SECaaS) tool, although only at a medium trust level.
For access to a CSP, the draft guidance authorizes access through an agency VPN, through a CASB, or direct access with protections like MFA and TLS. The guidance recommends that agencies set both CSPs and remote users as medium trust zones.
For direct access to the web – the “riskiest” security pattern included – agencies may allow connections through traditional VPNs or virtual desktops, through a CASB connection at a medium trust level, or directly from devices with protections applied at the user device level. For that last option, CISA notes that device-level protections are unlikely to achieve parity with the agency environment, and that additional protections may be required for agency environments the device connects to.
“Regardless of the options chosen, due diligence must be practiced ensuring agencies are protecting their information in line with their risk tolerances, especially in instances where security policies are being applied by a third party on an agency’s behalf, or in locations outside the agency’s traditional sphere of control,” the guidance notes.
Another key consideration is the collection of telemetry data required by security programs such as Continuous Diagnostics and Mitigation (CDM) and the National Cybersecurity Protection System (NCPS). The draft guidance acknowledges that those requirements fall outside the TIC program’s control, and notes that because remote user devices are often accessed only infrequently, “agencies may need to obtain telemetry from a variety of vantage points in order to provide a view of a remote user device equivalent to what might be available from an on-premises deployment.”
Comments on the draft guidance are due by January 29, 2021.