The Cybersecurity and Infrastructure Security Agency suggested a series of Trusted Internet Connections (TIC) 3.0 adaptations agencies can make so employees can securely connect to federal networks and cloud environments during the “surge” in telework caused by the coronavirus.
TIC 3.0 introduced a multi-boundary approach to network security in guidance released by the Office of Management and Budget in September and detailed by the Department of Homeland Security's CISA in December. But telework presents "unique" cybersecurity risks that require new security patterns and capabilities to detect, mitigate and prevent such threats, according to interim TIC guidance released Wednesday afternoon.
The guidance presents three alternatives for teleworkers to communicate with agency-sanctioned cloud services.
Traditionally, teleworkers first establish a trusted connection to agency resources through a virtual private network (VPN) or virtual desktop infrastructure (VDI), and only then reach cloud services. Aggregating all teleworker traffic through a single location lets the agency enforce security policy in one place, but doing so at scale requires additional resources, increases costs and decreases performance.
Instead, teleworkers can access cloud services directly, with protections applied on the provider's and the teleworker's resources via transport layer security (TLS), VPN or VDI, says CISA's guidance.
“What they’re thinking about now with the emergency telework guidance is being a little more prescriptive,” Sean Frazier, advisory chief information security officer of federal at Duo Security, told FedScoop. “Being able to say, ‘Hey, we’ve got these use cases we’ve put together. We’ve got these architectures. Here are some ways you might achieve this specifically around telework.'”
A second option, the hairpin back through headquarters, has teleworkers establish a protected connection to the agency with a traditional VPN and then reach cloud services over that shared path. The downside is that teleworkers may see reduced performance from increased network latency, stacked network encryption, network congestion, concentrator licensing bottlenecks and other resource exhaustion.
The final option is a connection from teleworkers to cloud services through a cloud access security broker (CASB) or another security-as-a-service (SECaaS) provider. Traffic can be steered to the CASB by client agents, by proxy settings on the endpoint, or by Domain Name System (DNS) redirection.
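One concrete way to do the "proxy settings" steering is a proxy auto-config (PAC) file the endpoint's browser evaluates for every request. The example below is added here to illustrate that pattern; it is not taken from CISA's guidance or from any vendor. The CASB proxy address, the agency domain, the sanctioned cloud host names and the on-premises proxy used for the hairpin path are all assumed placeholders. Browsers provide `isPlainHostName` and `dnsDomainIs` natively; they are re-implemented here so the decision logic can be exercised outside a browser (for example with Node).

```javascript
// Added example: PAC file steering teleworker traffic to a CASB/SECaaS proxy.
// Not from the CISA guidance or the article; all host names below are assumptions.

// Re-implementations of two PAC built-ins so this file runs outside a browser.
function isPlainHostName(host) {
  // A host with no dots is an unqualified internal name (e.g. "intranet").
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // True when host equals domain or is a subdomain of it; the "." prefix check
  // stops "evil-agency.example.gov" from matching "agency.example.gov".
  var h = host.toLowerCase();
  var d = domain.toLowerCase();
  return h === d || (h.length > d.length && h.substring(h.length - d.length - 1) === "." + d);
}

// Assumed values (hypothetical):
var CASB_PROXY = "PROXY casb.example-secaas.net:8080";          // CASB/SECaaS proxy endpoint
var AGENCY_HAIRPIN = "PROXY proxy.agency.example.gov:3128";     // on-prem proxy reached over the VPN
var AGENCY_DOMAIN = "agency.example.gov";                       // agency-internal names
var SANCTIONED_CLOUD = ["office.example-cloud.com", "mail.example-cloud.com"]; // agency-sanctioned SaaS

function FindProxyForURL(url, host) {
  // Unqualified and agency-internal names exist only on the agency network,
  // so they must hairpin through the VPN-reachable on-prem proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, AGENCY_DOMAIN)) {
    return AGENCY_HAIRPIN;
  }
  // Sanctioned cloud services go through the CASB so its policy and logging apply.
  for (var i = 0; i < SANCTIONED_CLOUD.length; i++) {
    if (dnsDomainIs(host, SANCTIONED_CLOUD[i])) {
      return CASB_PROXY;
    }
  }
  // Everything else also goes to the CASB. Returning "DIRECT" here would let
  // uninspected traffic bypass the broker, which defeats the purpose of the pattern.
  return CASB_PROXY;
}
```

The important design choice is the final return: a PAC file that falls back to `DIRECT` for unlisted hosts silently exempts them from the CASB, so the default should be the broker (or, if the CASB is unreachable, a second `PROXY` entry on the hairpin path) rather than the open internet.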
CISA's guidance also lists the TIC security capabilities that apply to telework.
“Increasing capacity and capabilities for remote telework and collaboration may require an increase in existing services such as internet service provider (ISP) bandwidth, VPN, and cloud,” reads the guidance. “In some cases, agencies may find that there is a need to deploy new cloud services and authorize the use of nongovernment furnished equipment (non-GFE) or [bring your own device] to facilitate access to remote resources to meet demands.”
Licensing upgrades may be needed to acquire more cyber tools and services for situational awareness and risk management, the document adds.
Vendors are encouraged to map their cyber capabilities to the guidance, but CISA said it won’t validate such mappings — leaving that to agencies.
CISA intends to phase out the guidance as the coronavirus pandemic and telework subside, but certain features will be integrated into the TIC 3.0 remote user use case as it continues to be developed.
Every agency should be thinking about how the guidance can move them closer to an enabled telework force even after the national emergency ends, Frazier said.
“I would like to see this be supportive of a continuing initiative. Just thinking of traffic, these kind of events that happen regionally — snowmageddon is one example, there are tornadoes in the southeast,” Frazier said. “If something happens, the public sector — whether it be state, local or federal — needs to have continuity no matter what.”