The Cybersecurity and Infrastructure Security Agency rushed out the interim guidance to make teleworking easier for federal employees using cloud services.
CISA was able to develop the document on an accelerated timeline in part because of the pilots that agencies such as the Small Business Administration and the departments of Justice and Energy completed over the past year.
Sean Connelly, the Homeland Security Department’s TIC program manager, said in an interview on Ask the CIO in March that the use cases, like the one for branch offices or remote workers, are heavily influenced by those pilots that proved that flexibility and security don’t have to be opposite sides of the same coin.
“One of the things we recognized is when we talk to an agency and the solution they are building out may only be focused on a small segment of the services provided by a cloud provider,” Connelly said. “One of the things we need to do is work with multiple pilots to capture that broad spectrum of cloud services that are available. It’s also important to us that when agencies are articulating what their vision is to understand their data flows. Agencies really need to understand the data they need to protect. Agencies need to understand the flows that come out from the systems, where they are going and different users who will be using it, not just federal employees, but the public, system to system and hybrid or multi cloud. We need agencies to explain that to us as they are building out and choosing those pilots.”
Connelly said SBA’s TIC pilot was the gold standard: it connected to cloud security tools to monitor both on-premises and cloud network services. Instead of trying to match TIC requirements control-by-control, SBA focused on the outcomes, which meant understanding and acting on threats and network vulnerabilities in real time.
“One of the interesting things with working with Energy’s team was we built out the baseline for how they wanted to secure their environment, but they recognized they wanted some security solutions above and beyond what TIC was offering at the time. TIC is that baseline and agencies are welcome to go beyond the baseline.”
The telework or branch office case study provides a subset of the security capabilities that are applicable to the current telework surge and that can be used to prevent, mitigate and detect some of the emerging threats. Federal News Network first reported the development of this guidance last week.
“As agencies move away from traditional network architectures for remote access, there will be a greater reliance on authentication mechanisms to validate the remote user,” DHS states in the guidance. “Teleworkers require access to resources on the agency campus, agency-sanctioned cloud services, and on the public web. Each of these security patterns presents unique risks and corresponding security capabilities for appropriate use.”
The guidance also introduced new security requirements that are unique to telework, such as those around unified communications platforms and data protection at rest and in transit.
“Virtual meeting participants need to exercise caution and awareness of the content they are sharing to ensure that only authorized content is shared,” the document states. “Participants also need to be aware that any content shared may be shared more widely than they intended; other attendees may be using screen capture devices or otherwise recording any and all content, whether by microphones and/or cameras broadcasting undesired additional content or extraneous content when sharing screens. Particular care should be taken when sharing and receiving files, as well as when providing remote control to a computer, especially if left unattended.”
The guidance will remain in effect through the end of calendar year 2020.
Stephen Kovac, the vice president for global government at Zscaler, said one of the big lessons learned from the pilots is that one vendor may not solve all problems or challenges.
Kovac said the pilots changed over time and added more tools to collect different or more data.
“DHS is encouraging the need to interoperate and have a use case to add external services on top of the TIC requirements,” he said.
Zero trust, IoT, other pilots in the works
Connelly added the use cases are vendor agnostic and can be used by multiple vendors.
“As we built out these alternative solutions and new use cases, the branch office use case is a perfect example, I’m very cognizant of scope creep of TIC and I want to make sure it stays to what we are focused on. Traditional TIC was north-south traffic. It wasn’t focused on the branch office going to the headquarters or the branch office going to the data center. But as we start with TIC 3.0, having this branch office use case where the branch office can go directly to the web or directly to the cloud provider, now the scope for TIC is relevant in terms of those connections that go back to the headquarters or data center. Now we need to provide guidance around that in a way we didn’t need before. The branch office is now a possible pivot point for threat actors and we need to be aware of that.”
Connelly said the federal chief information officer’s and chief information security officer’s councils will roll out the use cases later this summer or early fall. Other topics for use cases could include zero trust, internet of things and unified communications. Connelly said CISA and the councils will ask agencies for their input and where they want to focus next.
CISA will release the final TIC 3.0 guidance before the use case pilots.
“We may need to use five or so agencies, especially with zero trust, to build out that one use case,” Connelly said.
Kovac added the CIO and CISO councils should focus on the use cases that would benefit the greatest number of agencies.
“Whether it’s software-as-a-service or a zero trust solution or a mobile workforce solution, there is an application at every agency,” he said. “Focusing on those low-hanging fruit early will get us some really solid use cases that everybody can take advantage of so we aren’t writing 10 use cases for one solution. It’s one use case.”