Stephen Kovac, vice president of Global Government and head of Corporate Compliance for Zscaler, recently spoke with ExecutiveBiz regarding TIC policy reform, the opportunities and benefits of TIC modernization and its impact on the federal market in 2020.
“TIC 3.0 isn’t a silver bullet. It opens the door for progress and encourages agencies to share use cases for improved transparency into what does and does not work.”
ExecutiveBiz: Why have you been such an advocate for TIC policy reform?
“The legacy TIC/MTIPS infrastructure was not designed to handle the bandwidth requirements of today’s Cloud First/Cloud Smart government. As we all know, agencies are moving applications and infrastructure to cloud. Federal employees are more mobile and need on-demand access to information resources. And, we have a continued avalanche of information generated from IoT, AI, and machine learning technologies that needs to be managed, analyzed, and kept secure.
We have a tremendous opportunity to modernize government, taking advantage of hybrid cloud environments – but the TIC/MTIPS infrastructure has been a major roadblock holding agencies back. This is why I believe the TIC policy update is so important. TIC 3.0 gives agencies more flexibility while still meeting the intent of the original TIC policy – keeping federal data and systems secure.”
ExecutiveBiz: What work are you doing with federal agencies on TIC pilot programs?
“We are working on “TIC-in-the-Cloud” pilot programs and deployments with numerous agencies. Under this approach, the agency sets policies and securely connects the right user to the right application with a multi-tenant FedRAMP-compliant cloud security platform. Unlike traditional hub-and-spoke architectures, where traffic is backhauled over dedicated wide area networks (WANs) to centralized gateways, the cloud approach routes traffic locally and securely to the internet over broadband and cellular connections.”
ExecutiveBiz: What are the benefits and opportunities of TIC modernization?
“The flexible new guidelines encourage agencies to innovate and move more quickly to the cloud, increasing user performance. Thankfully, they also allow agencies to modernize away from perimeter-based TIC/MTIPS solutions to cloud-based multi-tenant solutions that allow for any and all users to access the same security policies on any device from anywhere in the world.
The agency can eliminate costly appliances, strengthen cybersecurity by delivering consistent protection to users everywhere they go, and reduce latency – improving the user experience and productivity.
This said, given TIC 3.0’s more flexible approach, agencies need more support. They need access to TIC use cases (successful and otherwise) as outlined in the updated policy, so they can review results for environments with security requirements similar to their own, including considerations for emerging technologies and evolving threats. They can learn from others in a centralized catalog of TIC 3.0 use cases as they develop their own solutions while keeping the original intent and spirit of the TIC mandate.”
ExecutiveBiz: How do you expect TIC modernization to influence the federal market in 2020?
”The new policy will help accelerate cloud deployments, but there will be confusion. Industry will come forward with many different solutions. Agencies should be wary of lift-and-shift approaches, and they should verify solutions are true multi-tenant cloud platforms providing a complete suite of security-as-a-service offerings. You don’t want to move your challenge from the data center to the cloud and miss the opportunity to improve security and user experience.
Simply virtualizing a physical TIC ultimately makes the problem worse – you want multi-tenant cloud security stacks built to scale up and down on demand. You want a zero trust environment. Agencies need to be able to take advantage of the “cloud effect,” which allows CSPs to globally update hundreds of patches a day with lessons learned from their cloud platforms across the globe.
Plus, the policy change will bring many unproven players into the market that don’t have the certifications or authorization proving they meet the stringent demands of the federal marketplace. This is a mature space in the commercial sector. For the last eight years, the world’s largest companies have been moving users, applications, and security away from the perimeter. Companies looking to provide these services to the federal government should have FedRAMP, IL, and ITAR, at a minimum. If not, you should be asking why!
Zscaler’s patented technology gives agencies this opportunity. Each agency sets security policy to follow the user. The Zscaler FedRAMP-certified cloud determines trusted and untrusted connections to make routing decisions appropriately and create a zero trust-optimized TIC environment. TIC 3.0 isn’t a silver bullet to fix every cloud challenge. It opens the door to progress and, importantly, encourages agencies to share use cases for improved transparency into what does and does not work.”