Stephen Kovac, vice president of global government and head of corporate compliance at Zscaler, spoke to ExecutiveBiz regarding the Cybersecurity and Infrastructure Security Agency’s recently released Trusted Internet Connection 3.0 Interim Telework Guidance and how it will assist with the public sector’s remote work.
“I praise the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) for the TIC 3.0 Interim Telework Guidance. This was a very smart and well-timed move. It shows that they’re engaged and understand the critical, pressing Federal agency and industry problems.”
ExecutiveBiz: Can you expand on the differences between virtual private networks (VPNs) and zero trust networks, and how the TIC guidance will expedite agencies’ telework efforts?
“One of the pillars of zero trust is that you have to be able to identify all users. By wrapping policies around the users, agencies can use zero trust to verify who the user is and then grant access to where that user can go.
Once agencies identify the user and their key security and access policies, they can then create a fully encrypted microtunnel between the user and the destination by developing an inside-out connection. Then, a broker will grant permission for an authorized user to go to an authorized application. This will create the encrypted microtunnel, which establishes a seamless and trusted connection between users and applications.
Zero trust technology allows IT administrators to link users directly to applications, without ever putting users on the network or requiring traffic to be backhauled to a data center and through multiple security appliances. In addition, unlike legacy remote access technologies and VPNs, zero trust networking done right should not allow outside listeners or east-west traffic on the network. And, all of this can be done with a direct-to-cloud approach.
Think about it this way: criminals can’t attack what they can’t see. If you never let the adversaries in the ‘building’, they will not have anything to steal. This is how zero trust performs. On the other hand, VPNs give adversaries the ‘address and keys to the building’, allowing access to the agencies’ crown jewels. You pick which makes more sense…”
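The broker model Kovac describes (identify the user, wrap policy around the identity, then let a broker grant an authorized user access to one authorized application) can be sketched in a few dozen lines. The code below is an added illustration, not Zscaler's code or anything from the TIC 3.0 guidance; the identity record, the three applications and their policies are constructed, and an HMAC-signed, short-lived grant stands in for the per-application microtunnel authorization. It goes slightly beyond the interview text in two ways: a user can only discover applications they are authorized for (the “can’t attack what they can’t see” point), and a grant is scoped to exactly one application, so there is no network-level access to pivot from.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import json


# Hypothetical identity record, as an identity provider would hand it to the broker.
@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa: bool
    device_managed: bool


# Access policy: which groups may reach an application, and under what conditions.
@dataclass(frozen=True)
class Policy:
    app: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = False


# Constructed sample policies for three applications (not real agency systems).
POLICIES = {
    "hr-portal": Policy("hr-portal", frozenset({"hr", "admins"})),
    "payroll": Policy("payroll", frozenset({"finance"}), require_managed_device=True),
    "wiki": Policy("wiki", frozenset({"staff", "hr", "finance", "admins"}), require_mfa=False),
}

# Constructed demo key; a real broker would keep this in an HSM or KMS.
BROKER_KEY = b"constructed-demo-key"


def authorized(identity, policy):
    """Policy decision: every condition must hold, otherwise deny (default deny)."""
    if not identity.groups & policy.allowed_groups:
        return False
    if policy.require_mfa and not identity.mfa:
        return False
    if policy.require_managed_device and not identity.device_managed:
        return False
    return True


def visible_apps(identity):
    """Applications the user is allowed to discover; everything else stays invisible."""
    return sorted(app for app, policy in POLICIES.items() if authorized(identity, policy))


def issue_grant(identity, app, ttl_seconds=300):
    """Return a signed grant for exactly one application, or None if policy denies."""
    policy = POLICIES.get(app)
    if policy is None or not authorized(identity, policy):
        return None
    expiry = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
    body = {"sub": identity.user, "app": app, "exp": expiry.isoformat()}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": signature}


def connector_accepts(grant, app):
    """App-side connector: verify signature, application name and expiry before admitting."""
    if grant is None:
        return False
    payload = grant["payload"].encode()
    expected = hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["sig"]):
        return False  # tampered or forged grant
    body = json.loads(payload)
    if body["app"] != app:
        return False  # grant is scoped to a different application
    return datetime.fromisoformat(body["exp"]) > datetime.now(timezone.utc)


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"hr"}), mfa=True, device_managed=False)
    print("alice can see:", visible_apps(alice))
    grant = issue_grant(alice, "hr-portal")
    print("hr-portal connector accepts:", connector_accepts(grant, "hr-portal"))
    print("payroll connector accepts same grant:", connector_accepts(grant, "payroll"))
```

The contrast with a VPN is in what the connector receives: a token naming one user and one application, rather than an IP address on the internal network. A caller with no identity gets an empty application list, and a grant replayed against a different application, altered in transit, or presented after expiry is rejected.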
ExecutiveBiz: With the shift, how can organizations integrate and enable a secure remote connection model?
“Prior to the guidance, the government’s VPN model didn’t scale. Federal employees who were connecting through work from home internet pipes were attempting to access limited ports on a VPN concentrator at a TIC/Managed Trusted Internet Protocol Service (MTIPS). Then, that traffic was backhauled across small network pipes back into the agency datacenter located in the cloud. This caused work to slow down, if not shut down, for many agencies.
Instead, the fastest way to connect is to go directly to the cloud, without this cumbersome backhauling. The new TIC 3.0 policy is all about new ways for agencies to find modern solutions to access the internet and applications from the location where they are teleworking. TIC 3.0 now states that you can go directly to the cloud to access secure applications.
Thanks to the DHS, agencies can now use cloud-based Security-as-a-Service (SaaS) providers to scale instantly and protect the growing remote user base – and that’s the key to success. SaaS-based applications or applications hosted in a destination cloud are approved options if they meet certain criteria.
So, how do agencies do it? They need to look for cloud providers that provide zero trust, can scale instantly, and are FedRAMP authorized.
Agencies now have direct access to the cloud, but they cannot lose the ability to track the information. The platform that organizations choose still needs to be able to collect the necessary telemetry data, provide it to the National Cybersecurity Protection System (NCPS) and meet National Institute of Science and Technology (NIST) Special Publication 800-53 controls.”
ExecutiveBiz: How does Zscaler’s business continuity program expedite Federal contract work as well as work from home policies?
“Our approach to cloud is global. Even though our FedRAMP cloud is a separate boundary, it all works together – we call this the cloud effect. All of our clouds run in an N+2 configuration, meaning that they are always talking to each other and replicating on top of each other.
The most important differentiator is the size of our footprint and the hundreds of datacenters that we have around the globe and at the edge in each country. If something bad happens in Italy; Australia; Russia; Sao Paulo, Brazil; or St. Petersburg, Florida, we are able to stop it at the edge and immediately update our global/Federal cloud infrastructure within seconds. We are processing 100 billion transactions a day and we’re doing over 150 thousand security updates a day on all of our clouds, including our FedRAMP clouds. This is the definition of what Gartner termed Secure Access Service Edge (SASE).
Agencies should be demanding this level of security. We cannot accept using this Coronavirus Aid, Relief, and Economic Security (CARES) Act money to be fooled by security companies that are better at press releases than security releases. Of course, there are security appliance providers that will virtualize their hardware, put it in an AWS, Google Cloud Storage, or Azure Government Cloud and call it a FedRAMP authorized SASE solution. To me, that is like installing a bunch of VCRs in a few data centers and calling it Netflix… We all know how that ends!
The other key is scalability. We’re always checking capacity and we always run our clouds at 50 percent or below capacity. That is part of our System Security Plan. Zscaler stands for the Zenith of Scalability – so, we are always looking at scale and we always have room to scale.
Plus, through our proprietary load balancing, users are going to find the nearest Zscaler cloud with the best availability. In doing this, customers will have the same experience wherever they are and from whatever device they are on.”
ExecutiveBiz: How has Zscaler mapped its services to the suggested TIC objectives and security capabilities?
“I think we’re all going to be changed after this experience. I don’t think anybody is going to go back to the way we were. With remote access technology, I can now connect to customer or internal meetings and never leave my home. And, I think people are accepting the fact that telework is a reasonable way to get work done.
I think the new guidance and its evolution has taught us a lesson in the way we can operate in the future. A telework environment will be the new normal. And, in this new world, scalability and cloud security become tremendously important. We, at Zscaler, are built for the change to this new world. We know that people are going to stay in this model and we are ready.
Zscaler is also adding more nodes to our FedRAMP clouds and upgrading to the FedRAMP High and Impact Level 5 baselines, which we expect within a couple of weeks.
We are dedicated to the mission of ensuring that agencies can make this CISA guidance effective for them. This is a great opportunity for Federal, state, and local governments to look at the guidance and understand what it’s saying ‒ which is to modernize remote access for the future, but with qualified and authorized services. Once they do that, there will no longer be a stigma around people working from home within the government.
Government employees will be able to work more effectively, and more securely. This guidance gives them the path to get there. I think it was very well thought out and gives new opportunities for agencies to take the situation we’re in and turn it into a positive outcome. And, that’s a great play.”