Industry Trends

5 Security Priorities for Government Agencies as TIC 3.0 is Announced

By Felix A. De La Torre and Jr. | October 29, 2018

The Trusted Internet Connection (TIC) Initiative is a program created by the federal government with the aim of consolidating the number of external internet connections within agencies. With fewer official exit points to the internet, IT teams can more efficiently manage security efforts for traffic flowing through government networks.

Recently, an update to this initiative was announced. Known as TIC 3.0, this update modernizes the current version 2.2 of TIC, Managed Trusted Internet Protocol Services (MTIPS), which allowed government agencies to use consolidated models to host their presence with authorized providers, such as CenturyLink, Verizon, and AT&T.  This enabled agencies to provision much of their security services from these providers, thereby removing the need to manage security on-premise.  

What Does TIC 3.0 Mean for Government Agencies

TIC 3.0 aims to address the very real change that cloud use has brought to government networks.

The use of new cloud providers such as AWS and Microsoft Azure introduce inherent concerns around visibility into traffic and the ability to maintain control over that traffic. Understanding how data is used and stored in the cloud is especially important, as many providers use a shared responsibility model where organizations utilizing cloud services are responsible for the security of the data they store within the cloud, while the provider is responsible for maintaining security of the cloud itself. 

With this in mind, government agencies that use a public cloud need to have a clear understanding of the security control requirements dictated by a shared security model. TIC 3.0 provides government agencies with the guidance they need to adopt public cloud in a secure way that minimizes exposure to risks, data breaches, and data leakage. This initiative is being made possible by enforcing a variety of security policies and best practices, such as IT modernization and zero-trust models.

As government agencies prepare for TIC 3.0, they need to ensure they have support and controls in the following areas:

1) Situational Awareness

A key capability that TIC seeks to promote is situational awareness, meaning IT teams have a clear understanding of all of the data stored in their network, each device connected to the network, and team members and their level of authorization within the network. A regularly-updated account of this information makes it significantly easier for IT teams to anticipate and respond to threats. 

For government agencies to achieve this level of awareness, they need to take an architectural approach to security by deploying an integrated fabric that provides full network visibility and connects any coverage gaps. Achieving this requires integrating multiple solutions, often from a number of providers. For example, our Security Fabric not only offers native integration between Fortinet solutions, but also with tools from our partners that recognize the need for cross-solution integration. This fabric approach enables IT teams to connect disparate solutions already in their network, helping fill gaps in visibility and awareness.

2) Resilience

For TIC, resilience goes beyond high availability (HA). Security teams have long understood that strong cybersecurity solutions and policies must have the ability to failover so that business continuity is maintained, and the user experience is not interrupted. However, HA traditionally only addresses just one aspect of business continuity. Resilience, as it relates to TIC 3.0, refers to business continuity on a global scale.

In the past, if the physical data center went down there was no workaround unless the impacted agency had another physical data center they could connect to. TIC 3.0 enables agencies to avoid this issue through replicating their physical data environment and moving it into the cloud. This provides resilience that spans the globe as long necessary security has been built-in. This means government IT teams must ensure they have the security controls in place in accordance with the shared security model requirements in addition to compliance regulations. This results in a scalable solution that can stretch security policies into distributed cloud environments, such as deploying virtual FortiGate Next-Generation Firewall instances into public cloud environments and tying them back into a centralized management console, such as FortiManager, or a centralized monitoring console, such as FortiSIEM.

3) Risk Management

Risk management continues to be essential for government agencies and private organizations. It requires security teams to identify the level of risk facing their data and understand the overall impact to the agency should that data be compromised. This also enables them to prioritize assets and their protections. Now, with the addition of the cloud to their networks, they must take this consideration further, creating a risk management process that goes beyond the physical data center.

Effective risk management means having constant visibility into traffic and data movement in the cloud, as well as visibility into each asset stored across distributed cloud environments.

Agencies can achieve this by using a combination of tools to create an inventory of assets. They can then prioritize that list based on the level of risk for each asset, and detail consequences if that asset were compromised. This inventory is especially important as the number of headed and headless IoT devices connected to the network continues to grow. Agencies need to know where these devices exist within the distributed network, be able to restrict their access when necessary, and identify and isolate at-risk devices.  And since it’s impossible to respond to every security alert, this list will also help IT team prioritize their response to minimally-impactful attacks. 

Agencies can use their SIEM tools to conduct a risk impact analysis, offering visibility into vulnerable areas of the network, while Network Access Control (NAC) solutions can offer IoT visibility and protection. 

With a solid risk management plan, Government Agencies will always know where their most valuable data is and therefore be able to deploy additional security segmentation (ie, Zero Trust Networking concepts) to that data when needed.

4) Optimization and Modernization in the Workplace:

Optimization and modernization is a recurring initiative when it comes to government IT, evidenced by the Modernizing Government Technology Act, the Cybersecurity Executive Order, and now TIC 3.0. These modernization initiatives refer to a myriad of actions, such as updating older, slower equipment, adding additional layers of security such as cloud-based sandboxing, or implementing new security architectures in support of Zero Trust Networking (ZTN) and Software Defined Wide Area Networking (SD-WAN).

A large part of security modernization at the federal level involves decoupling security inspection from physical appliances and hardware and extending it to virtual systems as well.

Automation and scalability are additional critical elements, allowing cloud security to expand and contract as needed during high and low traffic to maintain high performance and comprehensive security. This enables agencies to implement optimized workflows that can dynamically scale as data grows.

An example of this is autoscaling, which Fortinet provides through our partnerships with providers such as AWS and Microsoft Azure. Autoscaling allows cloud security controls to grow and shrink with traffic. Scalable security can also be achieved through the deployment of multiple next-generation firewalls (NGFWs) that can be configured to scale during high traffic loads.

5) Validation

Validation brings all of the aforementioned points together.

It involves consulting regular security reports to understand what is installed, where it is installed, and which OS version it is running. Using security tools and policies to validate deployed assets helps IT teams ensure they are not leaving their network vulnerable to a host of exploits. Validation also allows IT teams to cross reference their efforts with existing guidelines, such as NIST, FISMA, PCI, etc.

Government agencies should focus on the successful implementation of DHS’s Continuous Diagnostics and Mitigation (CDM) program, as this will go a long way in assisting agencies in their quest for achieving validation.

The Stakes Are High for Government Agencies

Government agencies are tasked with protecting the personal data of U.S. citizens as well as sensitive or classified information. Neglecting to implement security in accordance with these five points means their ability to protect this information is severely impaired. This is especially true today as agencies are often understaffed, leaving few IT personnel available to monitor tools and alerts on a daily basis, let alone during a major incident that requires resources be diverted from daily tasks.

Having organized and automated security policies managed through integrated tools can make a huge difference in maintaining vigilance. Recent attacks on government agencies highlight the dangers of not regularly updating security measures, with data breaches resulting in citizens’ information being made available for cybercriminals and nation-state hacking groups to purchase. Being in charge of this information is a huge responsibility, so agencies must ensure they have the infrastructure in place to manage their risk. 

Final Thoughts

Government agencies understand that IT modernization is a necessity if they are to serve their constituents in an efficient manner, which is why so many have turned to the cloud. However, they must remember that IT and security modernization need to happen simultaneously.

TIC 3.0 aims to give government agencies the guidance they need to move workloads to the cloud securely, highlighting these five capabilities as essential steps in the process. Agencies can find plenty of assistance in their efforts from industry ranging from short-term consulting to complete managed services that can implement and operate network security principles.

Read More

Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends. Sign up for our weekly FortiGuard Threat Brief.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Read more about how Fortinet secures government agencies.