As Federal agencies and organizations look to make the move to zero trust security architectures, the Trusted Internet Connections (TIC) program should help guide that transformation, Sean Connelly, TIC program manager for the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), said May 12 at MeriTalk’s CDM Central: the Age of the Cyber Defender virtual conference.
Most recently, CISA released the TIC 3.0 traditional use case guidance and branch office use case guidance to help give agencies more flexibility in their architectures.
“I think the interesting one will be the branch office,” Connelly said. “This is really the beginning of that new architecture, these alternative options for the agencies, no longer having to hairpin their agencies’ traffic through those TIC access points and you can start leveraging the distributed SASE model we’re all familiar with, Secure Access Service Edge.”
“So, it’s new opportunities, I think you’ll start seeing come out with the branch offices,” Connelly added.
The TIC office is currently in the process of adjudicating public comments on its remote user use case guidance, which, along with its original telework use case guidance, has been credited with aiding Federal agencies’ pivot to telework amid the COVID-19 pandemic.
A zero trust use case is also on the horizon, but first CISA is working on use cases for infrastructure-as-a-service, platform-as-a-service, email-as-a-service, and software-as-a-service. Connelly said the agency hopes to have those all released by the end of the year.
Connelly called zero trust principles an evolution from Network Access Control (NAC) protocols that were in vogue around 2010-12.
“It kind of died away but I think it was interesting, you start to see the zero trust principles, even in NAC,” Connelly said. “I’m encouraged because a lot of what we see now through zero trust is really just an evolution if you will, of what they were trying to do somewhat with the NAC principles about a decade ago.”
“This really speaks to the fact that zero trust isn’t a product. It isn’t a particular tool, it’s really more of a mindset and looking at a zero trust architecture, figuring out what you can use in your existing environment. This is not something that we’re starting from scratch that we have to build from the ground up,” said Lisa Lorenzo, senior director of transformation strategy for Zscaler.
Recently, there’s been a broader discussion about zero trust and what that means in the wake of the high-profile hacks and intrusions that have made national news.
“It’s really becoming not only a brand itself but more it’s an awareness at the business executive level that I think we haven’t had in a while,” Connelly said. “So, there is a higher level of visibility or just awareness of that things need to change. And this is probably the North Star for us to tack towards.”