What is Trusted Internet Connection (TIC) 3.0?

Zero Trust has been a goal for organizations increasingly since it’s introduction in 2010; TIC 3.0 is a Federal mandate. TIC 1.0 and TIC 2.0 were almost exclusively focused on network access security. TIC 3.0 is primarily focused data and user behavior, reflecting both the evolution of modern threats, as well as the weaknesses inherent in network-only security.

According to the latest NIST guidance published in August 2020 (Zero Trust Architecture - nist.gov), zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources such as data.

Specifically, zero trust assumes there is no implicit trust granted to assets (like data) or user accounts based only on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise owned network boundary.

Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network elements, as the network is now no longer sufficient to ensure security posture of the resource. Below we outline zero trust dimensions, and give general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.

Sara Mosley, strategic architect at the Department of State, said in a recent article that TIC 3.0 and zero trust are dimensions of a new security philosophy accelerated and highlighted by the pandemic.

Learn more about Zero Trust.

We know that the federal government updated its trusted internet connection policy, but why was a change necessary and what improvements were made over version 2.0?

An unfortunate legacy of perimeter security, the sole focus of TIC 1.0 and TIC 2.0, is a pervasive false sense of security. By hyper-focusing on keeping intruders outside the wall of protection, enterprises were vulnerable to inside threats. Breaches of security often went undetected for many months.

According to the Cybersecurity and Infrastructure Security Agency (CISA), in TIC 2.0, TIC security secured the perimeter of an agency by funneling all incoming and outgoing data to one access point. In 3.0, agencies are granted more flexibility to choose security plans that best fit their own network and specific needs.

The latest generation of the Trusted Internet Connection (TIC 3.0) will make it easier for agencies to modernize as they upgrade their network and data center infrastructures. "TIC 3.0 provides the agility that we need to move forward," said Allen Hill, director of the Office of Telecommunications Services in GSA's Federal Acquisition Services, during mid-November public meeting on the agency's $50 billion, 15-year Enterprise Infrastructure Solutions (EIS) contract.

The TIC effort, which aims to keep federal web traffic secure, began more than a decade ago, when agencies secured traffic with its scores of dedicated data centers, security devices and virtual private networks. Since then, federal agencies have pivoted to cloud technology with its more efficient, scalable and remote data transmission methods that render those older protections obsolete.

EIS incorporates software-defined network services that dramatically expand network parameters as well. TIC 2.0 diverse routing around network bottlenecks that Software Defined Networks (SDN), and it constrains routes that can be used, he said.

"As cloud became key to modernization efforts," TIC 2.0 "became a limitation," said John Simms, deputy branch chief of the Cybersecurity Assurance Branch in CISA's Federal Network Resilience Division. Simms said his agency is looking to see how TIC 3.0 can secure cloud environments. "We don't only have to think about the network perimeter, or the network traffic, but about the applications themselves and how we can be smart about employing technologies to secure those application stacks and data and monitoring."

CISA, GSA and the Chief Information Security Officer Council are developing TIC 3.0 pilot programs and use cases for specific applications, said Shawn Connelly, TIC program manager and senior cybersecurity architect at CISA. The current use cases cover infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), email-as-a-service (EaaS) and platform-as-a-service as well as branch office applications, but, according to Connelly, agencies can suggest more.

"TIC 3.0 gives agencies room to get on pilots for new interpretations" for use cases, he said. CISA will work with the agency during the pilot period to develop best practices, make the application interpretation more vendor-agnostic and see how it might be used across the federal government,” Connelly said.

CISA, said Connelly, is currently talking to agencies about a zero-trust use case and a partner-collaboration use case.

In TIC 3.0, agencies can implement security measures closer to their data and establish trust zones and use cases rather than rerouting data to access points for inspection. Such flexibility is especially useful when dealing with Software as a Service (SaaS) technology and when employees are working remotely.

TIC 3.0 recognizes perimeter-based security is no longer sufficient. This is due in part to so many users or systems working outside the perimeter; further, malicious actors have become far more proficient at stealing credentials and getting inside the perimeter.

TIC 3.0 includes five security objectives that allow federal agencies to make the transition to the zero trust model:

• Traffic Management – Validating trusted internet connections and ensuring that authorized activities are secure. Monitoring who has access to specific data, why access was granted, and whether access is still necessary.
• Traffic Confidentiality – Keeping information on what data is being accessed, who is sending it, and who is receiving it private and secure. Checking that only authorized personnel have access to traffic data.
• Traffic Integrity – Maintaining the integrity of data while in transit. Preventing data from being altered and/or detecting any alteration.
• Service Resiliency – Ensuring continuous operation of security systems. Threats are constantly growing and evolving and system continuity in the face of new threats and technology is vital.
• Timely and Effective Responses – When threats are detected, reaction time is of the essence. TIC 3.0 promotes effective reactions, the adaptation of future responses, the implementation of new policies, and the adoption of new countermeasures when a system has been breached.

Traffic Management within TIC 3.0 will, “observe, validate and filter data connections to align with authorized activities, least privilege and default deny.”

The challenge of effectively managing traffic is knowing where data is and who or what should have access to it at all times – at rest and in transit. In order to gain that knowledge, agencies need tools that develop a consistent, overarching view of identities inside and outside organizations. An effective tool collects and curates identity governance data, providing insight into who has access, why access was granted and whether that access is still needed. Continuous monitoring and updates provide a single source of truth for identity and access.

Agencies can begin by assessing where they are in the security matrix relative to identity and access management (IAM). IAM is a multi-tiered model in which each level of security provides a foundation for successive levels.

• Level one security has four components. First is single sign-on and perhaps some level of federation at the department level.
• Level two is the capability to do user provisioning in an automated, auditable fashion – as opposed to a would-be user receiving a piece of paper or an email to create a user form.
• Level three is user self-service to ensure users are authenticated for access, recent permissions, past use, etc., in an auditable fashion.
• Level four is delegated administration.

TIC 3.0 requires that only authorized parties can discern the contents of data in transit, sender and receiver identification, and enforcement.

The challenge of protecting traffic confidentiality centers on encrypting data in transit, including unstructured data, and confirming the identities of senders and receivers. One solution is technology that embeds kernel drivers into the file system stack of Windows and non-Microsoft systems, operating transparently to the end user. A driver intercepts files, encrypting and decrypting data on the fly, and works with all applications and file types.

Organizations can use policy rules to ensure the automatic encryption of data in real time, without slowing workflow. These solutions also enable monitoring of data at runtime, including the capture and analysis of such information as when and where a file was opened and how it was used.

Protecting traffic confidentiality involves format- preserving encryption, and level two of identity access management spans a half-dozen or so capabilities.

1. First is multifactor authentication, including a spate of new login capabilities introduced during the pandemic, in response to the increase in remote work.
2. Second is increased visibility around governance, with regard to who has access to various assets.
3. Third is privileged access management, deals with different levels of security that system administrators can access and guard.
4. Fourth is a virtual directory of users and capabilities that is regularly updated and never static.
5. Fifth are service security and change monitoring, and next are data security and encryption.

Service resiliency promotes resilient applications and security services for continuous operations as the technology and threat landscape evolve. Mission effectiveness requires system continuity and reliability. Guaranteeing uptime can be a challenge when demands on a system spike or a network is under attack, especially if the IT team is stretched thin. Automating mundane and repetitive tasks, and adding in workflow processes can lighten the load on human workers and keep operations running. Specialized software has the capacity to handle half or more of incident response tasks. Workflow automation and AI can interrogate endpoints, configure firewalls, isolate computers in a network and lock user accounts. These technologies also assist human analysts by gathering data to speed analysis and undertake remediation. In use case studies, integrated AI and machine learning can speed investigation of and response to incidents by a factor of 10. When it comes to threat detection and response, every second counts. A powerful security information and event management (SIEM) platform will detect, analyze and prioritize those threats in real time. Effective platforms also support security operation centers (SOCs) with workflow, response and compliance management. An industry-leading threat correlation engine will promote effective security analytics in an SOC.

TIC 3.0 promotes timely reaction and adapt future responses to discover threats; defines and implements policies; and simplifies adoption of new countermeasures is the key goal of incident response.

The inside threat today exists largely in the form of application code and application security. On average, applications used by government agencies are 80% custom code or open source code. They’re not from a vendor that has enterprise-grade software testing capabilities nor even responsibility. Cyber incidents and breaches are, 85% of the time, the result of custom or open source code. That code is the real opportunity for security problems.

Research conducted by Sonatype found that:

• there’s now more than 3.7 million unique Java open source software component releases in the Central Repository,
• 800,000 unique JavaScript packages are in npm,
• 1.2 million unique Python component releases housed in the PyPI repository, and 1.6 million .NET component releases in the NuGet Gallery.
• There are also more than 2.2 million containerized applications housed in Docker Hub – up from 900,000 the previous year.

To put this in perspective, on average, developers had access to more than 21,448 new open source component releases every day, since the beginning of 2018.

At present, organizations routinely respond to large volumes of alerts and threat data requiring immediate attention. To manage the unrelenting flow of critical data, agencies in the future will leverage more machine-driven automated activities. Agencies moving toward TIC 3.0 will benefit from technologies that help organizations to have a central place for collecting alerts and threat feeds – and to respond and remediate incidents at machine speed.

Multi-factor authentication (MFA) make it possible to centralize authentication and authorization management. Streamlined management from a single solution cuts costs and bolsters security. Solutions that can leverage open standards allow for quick integration and protect against security breaches and the risk of vendor lock-in. The built-in flexibility of an advanced authentication framework allows for customizing security protocols and methods, plus improvement of the overall user experience.

Format-preserving Encryption (FPE) is a new kind of encryption used to cipher a plain text preserving its original length and formatdescribed by NIST standard (SP 800-38G) is extensively vetted and validated by the cryptographic community, and ensure any exfiltrated data is useless. This type of security solution, such as Voltage, can be implemented easily to existing applications.

Security Orchestration, Automation and Response (SOAR) software can automate three major categories of activities, all traditionally executed manually by analysts:

• Automated triage: Instead of a tier-1 soc analyst reviewing the alert and doing manual triage, Arcsight SOAR can do an automated triage. This could be running certain checks to eliminate basic false positives, looking up assets, IPs etc to adjust severity levels, maybe to consolidate multiple different alerts into a single incident case and even automatically dispatching the ticket to the right member or group within the SecOps teams. The goal with this kind of automation is to eliminate Tier-1 work as much as possible over time.
• Data Collection and Correlation helps color the incident with relevant data to understand an incident better. Looking up a user in Active Directory, checking if someone has swiped his badge into the building, collecting hashes of all running programs on a particular computer and fetching all web browsing logs of a user from Arcsight Logger are examples of such SIEM log management and data collection activities. In the SOAR jargon, these are called enrichments; data to help understand the situation better. Automated data collection in general has amazing benefits; as soon as you see an incident on your screen, all the relevant data might have been already collected and presented to you on the same screen. No need to go places and collect data manually. Typically, ArcSight SOAR can consolidate 5,000 alerts to a manageable individual 250 incidents, thereby decreasing SOC analyst workload even before we start working.
• Automated Containment: You can take actions on infrastructure and security devices to contain an ongoing attack; blocking an IP on the firewall, a URL on a web gateway, isolating a computer on the NAC are examples to such actions.

The power of these type of automation is that you can mix and match all these categories and build end-to-end playbooks with full automation, if you wish.

System resiliency and risk management also both stand to benefit from the implementation of TIC 3.0.

Use cases involving zero trust, Internet of Things (IoT), interagency communication, and SaaS are all expected to be published as TIC continues to evolve. These use cases will provide guidance to agencies as they configure platforms and services to be in accordance with 3.0.

Overlays have also been made to use platforms provided by outside vendors to make sure TIC security capabilities are fully functional across platforms.

Agencies can participate in TIC pilots for scenarios which are not yet covered in use cases. This collaborative process is supported by leadership such as CISA and OMB and could produce new use cases for technology used by the federal government.

Micro Focus is committed to being a partner in the digital transformation of enterprises, businesses, and federal agencies. Our open and flexible software helps companies make the transition to embracing the technology of the future, including providing TIC 3.0 services and solutions. Learn more about Micro Focus Government Solutions which can help you modernize and secure your network and data center infrastructures with TIC 3.0 and Zero Trust.