FedInsights by MFGS, Inc. and Micro Focus Government Solutions

TIC 3.0, format preserving encryption of data gives agencies hope against cyber attacks

Addressing Federal Cyber Threats

Effectively, TIC 3.0 really isn't that much about networking. It's really about data protection and privileged access management. Who is on the network? What's happening on the network? What data is on the network, and how is it being protected? While TIC 3.0 is mandated, it's already in force. Although the vast majority of agencies, perhaps all, are behind on addressing those things, part of it is just sheer procurement delays based on their existing TIC 2.0 and Enterprise Infrastructure Solutions (EIS) networking procurements. But the reality is TIC 3.0, I think, is the silver bullet and it's a mandate. While it doesn't specifically have any dollars behind it, it does completely round out the vast array of cybersecurity challenges that CIOs, IT leadership and chief information security officers are having to deal with.

Challenges Agencies Face in Cyber

There's tools that scan your entire application portfolio and database infrastructure to identify where you've got PII, where you’ve got HIPAA data, but also where you've got duplicate data,” he said. “Now, obviously, that's not a magic finger snap, but at least you understand where your vulnerabilities are so that you can begin to put in place programs to reduce the redundant data, the obsolete data, as well as address the question of privilege access management.

The Cybersecurity and Infrastructure Security Agency released three emergency cyber directives in the last five months. Agency CIOs and CISOs have had one fire drill after another to patch critical vulnerabilities in software.

Of the three breaches—Solarwinds, Microsoft and Pulse Secure, the Solarwinds breach caused the most problems. CISA reported at least nine agencies were impacted directly, while every agency had to scramble during the first few weeks after the breach became known.

The Solarwinds breach isn’t just a one off. It’s part of a growing threat surface.

The Identity Theft Resource Center (ITRC)  found in its 2020 Data Breach Report that supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor.

ITRC says 668 entities were impacted by third-party or supply chain attacks last year.

These types of attacks become more complex as agencies live in a mixed environment of legacy and newer technologies.

John Fanguy, the federal chief technology officer for cybersecurity at Micro Focus Government Solutions, said agencies can prepare for the next cyber attack and ensure their missions are resilient by taking several important steps, starting with implementing Trusted Internet Connections (TIC) 3.0.

“Effectively, TIC 3.0 really isn’t that much about networking. It’s really about data protection and privileged access management. Who is on the network? What’s happening on the network? What data is on the network, and how is it being protected?” Fanguy said on the Innovation in Government show sponsored by Carahsoft. “While TIC 3.0 is mandated, it’s already in force. Although the vast majority of agencies, perhaps all, are behind on addressing those things, part of it is just sheer procurement delays based on their existing TIC 2.0 and Enterprise Infrastructure Solutions (EIS) networking procurements. But the reality is TIC 3.0, I think, is the silver bullet and it’s a mandate. While it doesn’t specifically have any dollars behind it, it does completely round out the vast array of cybersecurity challenges that CIOs, IT leadership and chief information security officers are having to deal with.”

CISA recently released new use cases for traditional TIC and the branch office connections. It’s still working on the use case for remote workers.

As agencies start to understand what the uses require, the path toward better cybersecurity gets a bit easier.

“The way EIS, the $50 billion GSA program, was let includes software-defined networks (SDN) and that effectively created new capabilities that TIC 2.0 did not address. TIC 3.0 programs wisely looked broader than just SDN and created a very comprehensive thorough set of key requirements that, perhaps, will serve as the next 15 years,” he said. “TIC 3.0 really has five main requirements: manage the traffic, protect traffic, confidentiality, protect traffic integrity, ensure service reliance and ensure effective response.”

He added that TIC 3.0 opens the door a bit wider for other cyber approaches like zero trust, privileged access management, data confidentiality, format preserving encryption of data and a number of other things.

These additional cybersecurity protections will go a long way to protect data, which in the end is every organization’s most valuable asset.

Even with the recent Solarwinds breach or the PulseSecure VPN vulnerability, the goal wasn’t penetrating the initial technology. It was gaining access to the network and then the data.

Fanguy said protecting the data and minimizing its usefulness through the application of new controls that come with TIC 3.0 and by using format preserving encryption of data is the goal that every organization wants to achieve.

“There’s a number of solutions, including ours, which can deliver this. And it’s important to realize that format preserving encryption isn’t necessarily appropriate for everything. But for anything that’s HIPAA or personally identifiable information (PII) related, particularly for federal employees and citizens, it’s critical that that data be encrypted with format preserving encryption. It’s different than disk encryption and SSL,” he said. “Format preserving encryption is select field or subfield encryption using pseudonymized, tokenized keys that are secure, either in the cloud or on premises, based on your agency’s preference. The reality is, let’s say my Social Security Number is 41063157, so typically most applications would have the last four digits for any citizen or employee. So in the database, if we use this format preserving encryption, we change the first five characters to something that really doesn’t align to me as a person, but the last four characters are, so effectively we’ve made that Social Security Number associated with my name, useless to exploit traders.”

Before an organization can implement format preserving encryption of data, it first must understand what data it has.

Fanguy said many agencies struggle to understand what data that they have and the number of copies of data.

He said having duplicative data and not understanding what information is most valuable to the mission exacerbates and expands the threat attack surface at each agency.

“There’s tools that scan your entire application portfolio and database infrastructure to identify where you’ve got PII, where you’ve got HIPAA data, but also where you’ve got duplicate data,” he said. “Now, obviously, that’s not a magic finger snap, but at least you understand where your vulnerabilities are so that you can begin to put in place programs to reduce the redundant data, the obsolete data, as well as address the question of privilege access management.”

Fanguy added if agencies can reduce the value of the data to hackers, then agencies can diminish the financial value and impact of cyber attacks.

  • John Fanguy

    Federal Chief Technology Officer, Cybersecurity, Micro Focus Government Solutions

  • Jason Miller

    Executive Editor, Federal News Network

Sign up for breaking news alerts