TIC. TIC. Time is running out for TIC

Trusted Internet Connection (TIC) made a lot of sense back in 2007 when the Internet was new (at least for the government). Even though Internet usage was accelerating in the private sector, we in government had yet to feel the full force of the two major tectonic shifts in IT—mobile and true cloud adoption. But we could tell it was coming.

Something was in the air and we could feel it. Everything we thought we knew about TIC was about to change.

Here we are in 2018, yes, 11 years later, and we are still wrestling with TIC and debating its relevance in the information-based world we find ourselves in. In some ways, TIC has been distorted and perverted to fit the current model, where more users live and work outside the perimeter. More data lives and works outside the perimeter. We had to adjust TIC to maintain compliance with “the letter of the law” and to support data visibility guidelines. Some agencies had to drag all the data and all that traffic back through their already over-burdened and latency-riddled networks.

Sticking with TIC isn’t working.

Once upon a time there was an agency—well-known for its physical agility in responding to events that happen quickly and without warning—that had to live by the requirements of TIC. Smack-dab in the middle of this agency’s IT hurricane (cloud and mobile shift) a real event happened. The agency jumped into action to fulfill its mission as it had done countless times before, but this time things were different. Folks had trouble communicating. Email slowed to a crawl or messages weren’t delivered at all. Not optimal when every second counts in a real event.

This agency had done this before and while it’s never a perfect scenario, the agency thought it had worked out this part of the environment over the last 10 years. What happened?

Cloud + Mobile + TIC happened.

The IT Hurricane

This agency was moving its applications to the cloud (good) and users were using commercial off-the-shelf (COTS) mobile devices (also good). Because of TIC, however, all the traffic to and from these devices had to be routed through the agency’s corporate data centers 6000 miles away, and then back again another 6000 miles. Instead of making a beeline to the cloud service, the data had to cross many (20? 30?) hops over public and private networks.

Talk about over the river and through the woods to the datacenter we go.

TIC was never designed for this use case. It was designed for a time when all, or most, users lived and worked within “the walls” of the organization, and all, or most, of the corporate data sources also lived and worked within those same walls. Users occasionally wandered onto the Internet to pay some bills or log in to MySpace.

Yes, MySpace was “a thing” when the TIC was implemented.

We now have more users with mobile devices requiring access outside “the walls,” and more and more corporate data sources (O365, Salesforce, Workday, etc. etc. etc.) living outside the walls. It doesn’t make any sense to keep dragging that traffic back inside your network. Sure, stopping means you may lose some visibility, but you’ll gain in the areas of performance (reduced latency) and security (a bad internal actor or process can no longer intercept that traffic). I would argue that with TLS 1.3 and beyond, inspecting SSL traffic will become harder and harder, anyway.

Rethinking TIC won’t be a popular opinion for some. There are substantial data visibility concerns that come from moving away from TIC. I see and hear the struggle.

TIC 3.0 is being floated under the White House IT Modernization banner and I’m encouraged that things like agency flexibility and agility are being discussed. Even so, I see a lot of headwind to change that we still need to overcome. To those who say the TIC needs to stay, of course it does. There will still be an agency “network” with access requirements where the TIC makes perfect sense. However, this change is happening whether you prepare for the event or not.

The big “things” driving this change (cloud and mobile) will not be denied. This, coupled with younger folks entering the workforce with an insanely high expectation for speed, performance and availability (have you ever heard your kid scream when Snapchat is slow?), will make the TIC wholly obsolete in our cloud/mobile future.

What TIC does or can do to promote a risk-based approach to cloud adoption can be and is handled by existing models such as FedRAMP. Other considerations for endpoint control and security can be handled through existing CDM (specifically CDM for mobile) and future-proofing Zero Trust models.

The TIC is dead. It just doesn’t know it yet.