Revisiting the Trusted Internet Connections as cloud matures
- By Derek B. Johnson
- Mar 14, 2019
If government wants to take advantage of the cloud, accommodate remote employees and shore up protections for federal networks and systems, changes are needed, according to a top cyber official at the Department of Homeland Security.
The"cloud-first" policy, which was launched in 2010, is difficult to sync up with the 2007 Trusted Internet Connection (TIC) program that aims to reduce the federal government's attack surface by reducing the number of internet access points, according to Christopher Krebs, director of DHS' Cybersecurity and Infrastructure Security Agency.
The goal of cutting access points fits the old-school, IT-ownership model that cloud is replacing, Krebs acknowledged. "In the traditional or historic on-premise environment of having a server room or having a data center where you know where the equipment is and you can sit on the pipes and focus them down, TIC was important," Krebs told the House Appropriations Committee in a March 13 hearing.
"Going forward -- particularly as we shift through IT modernization to cloud, because cloud is efficient, its scalable, it's flexible to meet modern workforce demands -- TIC won't work," he said.
The federal government relies on more than 228 different cloud providers, and the White House has repeatedly emphasized cloud adoption as a central pillar of its IT modernization efforts. Last year, the Trump administration ordered agencies to update their TIC policies to remove any barriers impeding further cloud adoption, while DHS rolled out a revamped policy that is designed to reconcile the cloud vs. security contradiction inherent in previous versions.
Krebs laid out a model that he claimed would able to better take advantage of the cloud but also push certain security requirements onto vendors and providers.
"The alternative model -- which in the end will actually be more efficient and save the taxpayer money because we're not owning the infrastructure -- is we are setting a set of security outcomes and requirements for the cloud providers, saying, 'This is the kind of information we need, you need to send it back to us' and then we can analyze it," said Krebs.
Rep. Dutch Ruppersberger (D-Md.) pointed out that TIC policy also inhibited teleworking.
"Counter to the idea of reducing connections to the internet, the federal workforce is actually moving in the opposite direction with more and more employees working remotely," he said.
The Government Accountability Office has consistently tracked significant year-over-year increases in the number of federal employees who telework. According to data from the Office of Personnel Management, 34 percent of federal employees in 2016 reported working remotely, while 54 percent said they don't only because some type of obstacle prevents them from doing so. Only 12 percent reported that they do not work remotely by choice.
Krebs said DHS is relying on another revamped cybersecurity program, Continuous Diagnostics and Mitigation, to help change out older systems and technology at federal agencies and build in more capabilities to accommodate cloud and remote employees while, again, relying on private sector "agility" to ensure certain security requirements are maintained.
"We are ultimately going to shift from a model where we own the infrastructure, we own the sensors, and instead we're putting out a baseline policy and a series of outcomes that we're looking to achieve so we have everybody playing by our rules rather than we're doing the operations and maintenance on equipment," said Krebs.
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.