How does the US federal government build a modern cyber security protection system?

As US federal agencies modernize their work environments around the world, the traditional on-premises “castle and moat” security model must be retired. Modern security methods are therefore needed to protect hybrid and multi-cloud architectures and the networks built on them.

Traditionally, we have labeled network traffic as east-west or north-south, but as more and more government users connect from devices outside the network perimeter, this approach no longer applies. The concept of network traffic flow that has been in use for 20 years has gone up in smoke.

To shift toward managing and protecting traffic in any direction, the TIC (Trusted Internet Connections) guidelines give organizations the flexibility to move from traditional remote-work security solutions (such as VPNs) to hybrid or scalable network infrastructure in a multi-cloud environment.

As US federal IT and cyber security leaders adjust their network architectures, they should follow the TIC 3.0 guidelines and readjust their security posture to focus on protecting users and data traffic wherever they are, rather than only protecting specific network locations.

Security: Use zero trust to mitigate threats

To protect the infrastructure when employees work from any location, organizations need a zero-trust model. Zero trust means the organization grants no implicit trust to any user. The IT team then needs to grant secure access to users in any location and on any device.

“Zero trust is not just an architecture, which must be kept in mind at all times. Zero trust is a philosophy and a cultural change that needs to be accepted by the entire organization,” said Sean Connelly (TIC Program Manager and Senior Network Security Architect, CISA) at an event in December.

Note that trust decays over time and must be continuously re-evaluated through algorithms and models. To this end, organizations should choose a robust identity and access management solution, and then establish access control through network analysis, telemetry, and external intelligence.

When developing zero trust use cases, organizations should continue to refer to TIC 3.0 and the NIST Zero Trust Architecture Guidelines. The TIC 3.0 guidelines can help organizations establish trusted zones to protect network components with similar protection requirements, such as cloud containers, office locations, applications, endpoints, or user identities.

Through trusted zones, organizations can block lateral traffic, while zero trust protects access within a trusted zone and between trusted zones. This combination is essential: organizations verify user identities before granting access via zero trust, and shrink trusted zones to protect the computing resources inside them, thereby limiting the organization’s attack surface.

For trusted zones and zero trust there is no one-size-fits-all solution, but federal IT leaders should consider the size, number, classification, composition and communications of their trusted zones to develop a customized security solution that meets the organization’s mission needs.
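The zero-trust mechanics described above (no implicit trust, trust that decays and is re-evaluated, access decisions fed by telemetry and external intelligence, and trusted zones that block lateral flows) can be made concrete with a small policy decision point. The following Python is an added illustration written for this page, not CISA's, NIST's or any agency's code; the zone names, time-to-live values, IP addresses and login telemetry are all constructed for the example.

```python
"""Toy zero-trust policy decision point (PDP) over trusted zones.

Constructed example: zones, TTLs, addresses and telemetry are made up for
illustration and do not reflect any agency's real policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Trusted zones and the zone-to-zone flows that are permitted at all.
# Anything not listed is blocked; this is how a zone limits lateral movement.
ZONE_PEERS = {
    "user-endpoints": {"user-endpoints", "app-tier"},
    "app-tier": {"app-tier", "data-tier"},
    "data-tier": {"data-tier"},
}

# How long a successful verification (e.g. MFA) is trusted before it decays.
TRUST_TTL = timedelta(minutes=30)
# Sensitive zones demand a fresher verification.
SENSITIVE_TTL = {"data-tier": timedelta(minutes=5)}
# External intelligence feed (constructed; RFC 5737 documentation address).
BLOCKED_SOURCES = {"203.0.113.45"}
# Telemetry threshold: this many failed logins in the window lowers confidence.
FAILED_LOGIN_LIMIT = 5
TELEMETRY_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    source_zone: str
    target_zone: str
    device_compliant: bool
    last_verified: datetime
    now: datetime


def recent_failures(events, user, now):
    """Count failed-login events for `user` inside TELEMETRY_WINDOW.

    `events` is an iterable of (timestamp, user, success) tuples.
    """
    cutoff = now - TELEMETRY_WINDOW
    return sum(1 for ts, u, ok in events if u == user and not ok and ts >= cutoff)


def evaluate(req, telemetry=()):
    """Return (decision, reason). Every check must pass; nothing is trusted by default."""
    # 1. Zone policy: is this flow permitted at all?
    if req.target_zone not in ZONE_PEERS.get(req.source_zone, set()):
        return ("deny", f"flow {req.source_zone}->{req.target_zone} not permitted")
    # 2. External intelligence
    if req.source_ip in BLOCKED_SOURCES:
        return ("deny", "source on threat-intel blocklist")
    # 3. Device posture
    if not req.device_compliant:
        return ("deny", "device not compliant")
    # 4. Trust decay: verification ages out, faster for sensitive zones
    ttl = SENSITIVE_TTL.get(req.target_zone, TRUST_TTL)
    if req.now - req.last_verified > ttl:
        return ("reverify", f"verification older than {ttl}")
    # 5. Telemetry: a burst of failed logins lowers confidence in the identity
    if recent_failures(telemetry, req.user, req.now) >= FAILED_LOGIN_LIMIT:
        return ("reverify", "excessive failed logins in window")
    return ("allow", "all checks passed")


# Constructed reference time and login telemetry: carol has five failures in
# the last ten minutes plus one older failure; alice has a single failure.
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
TELEMETRY = [(NOW - timedelta(minutes=k), "carol", False) for k in range(1, 6)] + [
    (NOW - timedelta(minutes=30), "carol", False),
    (NOW - timedelta(minutes=2), "alice", False),
]


def sample_decisions():
    """Evaluate a handful of constructed requests and return {name: (decision, reason)}."""
    base = dict(device_compliant=True, last_verified=NOW - timedelta(minutes=10), now=NOW)
    cases = {
        "endpoint_to_app": AccessRequest("alice", "198.51.100.7", "user-endpoints", "app-tier", **base),
        "endpoint_to_data": AccessRequest("alice", "198.51.100.7", "user-endpoints", "data-tier", **base),
        "app_to_data_stale": AccessRequest("bob", "198.51.100.8", "app-tier", "data-tier", **base),
        "blocked_source": AccessRequest("alice", "203.0.113.45", "user-endpoints", "app-tier", **base),
        "brute_forced_user": AccessRequest("carol", "198.51.100.9", "user-endpoints", "app-tier", **base),
    }
    return {name: evaluate(req, TELEMETRY) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, reason) in sample_decisions().items():
        print(f"{name:20s} {decision:9s} {reason}")
```

The order of checks matters: the zone table answers "may this flow exist at all?" before any identity signal is consulted, so an endpoint can never reach the data tier directly no matter how fresh its verification, while a request from the app tier to the data tier is held to the shorter five-minute TTL. A real deployment would replace the inline tables with an identity provider, a device-posture service and a threat-intelligence feed, but the decision structure stays the same.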

Flexibility: Modern security that adapts to complex architectures

To give agencies the necessary flexibility, previous versions of TIC relied on additional enterprise-level firewalls, web proxies, detection sensors and other perimeter defenses. Now that employees work remotely or in hybrid environments and agencies follow the modern TIC 3.0 guidelines, security controls can be placed closer to the resource itself, so that everything converges on one access point.

In addition, because data is generated in the cloud, it accumulates mass and gravity unless it is moved away from its initial position. To secure access points and adapt to this “data gravity”, organizations should adopt the Secure Access Service Edge (SASE) security model.

Following the SASE model, organizations can reduce data gravity and break with the traditional security model by moving the necessary security functions into the cloud, so that users can access data and networks from any location while security functions sit as close as possible to the user, device or data. Through the SASE model, CISA has transformed many services, such as the Continuous Diagnostics and Mitigation (CDM) program, which protects data where it is generated. The US General Services Administration has likewise adjusted its Enterprise Infrastructure Solutions model in this way.

Look to the future

This year, CISA plans to release more use cases, including the cloud, branch office and remote office use cases specified in Office of Management and Budget memorandum M-19-26, as well as potential use cases covering zero trust, the Internet of Things, partner networks and the General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS). It also plans a guide on web application programming interfaces (APIs).

Looking to the future, government network managers should continue to tie security to users and data. To introduce new ideas and make substantial progress, agencies need to run pilot projects and secure funding for them.

With each attack, adversaries become smarter and more cunning. The supply chain attack that exploited SolarWinds IT management software affected more than 18,000 public and private organizations, highlighting the risk of deploying modern digital services that still rely on traditional security methods. The only viable protection is defense in depth, including zero trust, Secure Access Service Edge and cloud workload protection. Ensure that your partners can react flexibly and take countermeasures immediately to extend the coverage of the multi-layer security platform when needed.

As a community, if we want to prepare for what may come, the first priority is to recognize the need for modernization.
