Why Does TIC 3.0 Overlook Zero Trust Network Access?

For many years, each federal agency had their own points of presence on the internet and an array of security stacks around them resulting in chaos and lots of costs. Then, in 2007, the trusted internet connection (TIC) was introduced by the Bush administration. The TIC was intended to reduce the number of internet touch points to 50 from a collective estimate at the time of 8,000—and standardize security stacks to create better economies of cost, reliability and trust at a time when public and private cloud adoption was a new concept for the federal government.

The answer to whether it worked came quickly and the kindest definition was, “Sort of.” While it is true TIC 1.0 reduced the number of touch points to the outside world, it did not really have the advanced cyber tools needed for detection and remediation. Further, it did not scale. Congestion and complaints were almost immediate from the agencies’ user communities.

Then came TIC 2.0, released in 2012 and declared complete in 2016. This involved more industry partners to create more scalable and integrated touch points, hence the term managed trust internet point services (MTIPS). MTIPS allowed for trusted industry partners to bid on providing TIC services to agencies if the telemetry still went back to the Department of Homeland Security (DHS).

But, like all ideas that need to evolve, TIC 3.0 was introduced in 2019. In TIC 3.0, the TIC locations and security stack were updated again. While each agency is supposed to still limit their individual TIC footprint, it allows for the distribution and virtualization of the TIC stack. With the push toward a cloud-first strategy, this makes perfect sense … get the ingress and egress points of presence of U.S. federal government agencies closer to the workloads, e.g., the work the Department of Defense (DoD) has done with cloud native access point (CNAP).

What does not make sense is the lack of a call for Zero Trust Network Access (ZTNA) to be put into the TIC 3.0 design. The May 2021 Executive Order mandating all agencies and departments come up with a Zero Trust security strategy tragically leaves out direction on the TIC. Zero Trust security is an architectural framework accounting for the entire OSI stack. Agencies need to be thinking what tools they use to gain front end access, but also what tools they use to decide what access inside the environment.

There is a growing trend in commercial companies called café networks. A café network treats everyone like a visitor and allows no one to be directly landed on the workload hosting network(s). In other words, every person and their device are a guest and therefore transitory.

The U.S. federal government needs to add ZTNA guidelines to the OMB immediately. When you combine this with efforts like CLAW from the DHS, you can accomplish a few quick goals:

1. Get everyone and everything off the network(s)
2. Gain deeper visibility and control of users and devices with a tool like Appgate SDP
3. Replace VPNs which still front end much of the TIC access points and create high risk for breaches
4. Allow the government to have an aggregated data lake to react, create and direct access policies from

By adding tools like Appgate SDP, which can react in near real time with CLAW, you can create a TIC architecture that is distributed, secure and responsive. For the OMB memo to succeed, we must move to Zero Trust Network Access tools like Appgate SDP that allow for constant vigilance and near real time reactions to threats. It is long past the time to adopt the manta, defense wins championships (or in the case, a strong and integrated end to end defense keeps us safer).

For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.

Additional ZTNA resources:

Blog: 2022 Federal Predictions: Zero Trust Security
On-demand webinar: Zero Trust for Critical Infrastructure
Podcast: Crawl, Walk, Run: Zero Trust for Cloud