Government agencies have been encouraged to modernize their IT infrastructure so they can operate more efficiently and deliver services more effectively. At the same time, keeping their networks secure is an absolute priority. It’s possible to accomplish both, but only if IT policymakers reconcile Trusted Internet Connection (TIC) mandates with FedRAMP standards.
Right now, TIC and FedRAMP controls are based on different standards. This disparity creates a challenge for agencies trying to introduce secure cloud platforms into their IT environments.
When the federal government mandates that internet traffic go through a TIC, the process is cumbersome. Users have to get on a TIC for every application and then exit the TIC when they’re done with the original application.
In an ideal process, when users enter through a cloud-based TIC, they’d enter a trusted cloud environment. They should be free to seamlessly float between applications without exiting.
FedRAMP standards make this possible. It’s an effective standard because it defines a common playing field for technology suppliers. The controls required by FedRAMP encourage a community of trust as software and hardware vendors interact to provide cloud solutions to agencies. Different apps living up to the same standards and controls can sit side-by-side in the same data centers. Agencies can count on a trusted cloud environment.
Enabling Zero Trust
Ensuring that TIC and FedRAMP work together is key to securing remote networks. The ways that agency employees access networks has changed completely in the past decade. Consequently, agencies are rethinking their approaches to security to account for employees who telecommute, travel and use a variety of different devices.
The current interest in ‘zero trust’ approaches is a result of these trends. Agencies are emphasizing user management. If they know the users and can secure the users, then the application is secure.
Practically speaking, network security is secondary to user security. What matters is that the agency can validate a user as a trusted source and create an inside-out connection. When you have two trusted sources connecting with each other, the nature of the network and the device is irrelevant.
Strictly speaking, the internet is used as a signal to help create the connections but the user isn’t on the open internet. This murky area is where the TIC mandate creates a challenge.
Going forward, coordination between the two policies is essential. As the governing entities, GSA FedRAMP PMO and DHS have to coordinate on policy initiatives to ensure that one standard doesn’t interfere with the other.
For more information about implementing the right defenses and controls to secure your cloud-enabled architecture, visit www.zscaler.com.