The Trusted Internet Connection (TIC) is Dead. Long Live the TIC!
Merry Christmas from the West Coast!
"Come out to the coast, we'll get together, have a few laughs..." - John McClane
We’ve talked a lot over the course of the past year about IT modernization and zero-trust security and the shift into a risk-based approach to identity & security policy. Well, now it’s all coming home to roost and it’s just as enabling and disruptive as we thought it would be.
While I was all ready to pack in the year and do the EOY (end of year) assessment of all that we’ve lived through in 2018 (and man, it’s a lot). This little ditty drops on our doorstep.
After much waiting with baited breath, and much hand-wringing on what would be or would not be codified in policy, the OMB (Office of Management and Budget) has finally dropped the new Trusted Internet Connections (TIC) draft policy and boy is it a doozy…in the best possible way.
While it’s still draft (get your comments in soon!), there’s a lot to like about the direction the TIC guidance is headed. First of all, it rescinds the previous directives which required all internet traffic to be “dragged back” to the agency network for control and inspection, regardless of where the traffic originated and where it was headed. This was great in 2004 when most endpoints were desktops and it was very easy to define what was internet access and what wasn’t. As I’ve said before (a lot), mobile and cloud changed all of this and the “square peg, round hole” problem has been evident for years.
This evolution of the TIC definition and requirements changes all that. It takes into account not only the environment(s) we find ourselves in today, but also gives us the tools to adapt as things change. And things always change.
The fact that it’s specifically called out that this is to be re-evaluated on a recurring basis is huge. One of the things that has always driven me crazy about government technology policy is that it has (in the past) rarely taken into account the rapid rate of industry change. Technological change has only accelerated in the last 10 years which has exacerbated this oversight. By all indication, this policy has left room by first, re-evaluating the policy but second, also allowing security leadership in government to move to a more “risk-based” posture to make more timely decisions about agency security - more than we’ve ever done before.
The other piece of this that gives me hope is the ongoing support for additional agency use cases. There are some of the biggies called out in the policy itself but again, there is enough flexibility here that if agencies identify additional use cases (which, they undoubtedly will), the policy can be used to help address them.
So is the policy, as it stands, perfect? Of course it isn’t. I can still hear folks saying “yea, this is great, but how do I get there?”. This is a common refrain I hear from security practitioners across government. My hope is that this policy, alongside some of the great work coming out of the CIO Council (specifically the zero-trust working group) will provide a clear roadmap of not only what to do, but how to do it.
Some might say this would be a miracle. A few years ago i might have agreed, but…….
“It’s Christmas, Theo. It’s the time for miracles.” - Hans Gruber.