Across the federal government, agencies are rethinking their telework policies and practices in light of the COVID-19 pandemic. While most agencies anticipate full-scale remote work will not last, many are expected to offer telework as an option to a larger number of employees and on a more frequent basis. This will create a more distributed environment that leverages cloud- and mobile-based solutions.
Federal agencies can look to the Trusted Internet Connections (TIC) policy for guidance on bringing secure remote access to users and branch offices. Originally established in 2007 to enhance network security, TIC has since evolved into TIC 3.0, a general framework for supporting remote access to federal data and networks, including those in the cloud.
At most agencies, the working assumption was that users would be operating inside the network perimeter. Remote users and remote branch offices were typically connected to the data center through virtual private networks (VPNs).
Unfortunately, that approach doesn’t scale, as agencies painfully discovered during the pandemic. With the increase in remote users and the growing reliance on cloud- and internet-based applications, agencies saw a massive surge in VPN traffic, which took a toll on performance.
Part of that performance hit was due to something called tromboning, where traffic that is ultimately destined for the cloud or internet must first travel to the data center and then is routed to wherever it needs to go. Tromboning traffic is a legacy security strategy, but users feel its effects in decreased responsiveness.
That leads to user frustration. Users might bypass the VPN by turning it off and using the internet directly, risking exposure. For example, they might upload documents to a shared internet folder and accidentally share it with the wrong person, or share the wrong folder.
Consider a remote government user who connects to the agency’s network each day to work on projects, send emails, check in with colleagues and maintain records. The user needs to access cloud services as part of their job, as well as for basic internet tasks. Currently, all of that traffic moves through a VPN connection backhauled to the data center. When an influx of users suddenly all use the same VPN setup, performance quality suffers from tromboning.
SASE (Secure Access Service Edge) is a cloud-based services architecture that combines wide-area networking with network security services such as CASB, Firewall as a Service and zero trust network access to ensure secure access no matter where users, applications or devices are located. Like LEGO bricks, the wide-area networking or VPN pieces snap together with the cloud security services to act as a single unit. Users connect to the SASE cloud service, and from there they can reach the data center, the internet or other destinations.
TIC 3.0 templates help agencies create secure remote access and provide a much better user experience than traditional virtual private networking.
SASE remote access is a game-changer. Let’s say our remote government user needs to complete a timesheet. Using a single interface, the user can connect securely to the data center, complete the timesheet, access data in the agency’s public cloud, and then head to the internet to locate background information for a report. All of this can be done securely from a PC or mobile device, from home or on the road, with the same overall look and feel.
This article is an excerpt from GovLoop Academy’s recent course, “Secure Your Agency for Long-Term Remote Work and Maintain TIC 3.0 Compliance,” created in partnership with Palo Alto and Verizon.