EMERGING CYBERSECURITY
Zero trust and
the quest for cloud security
To build trusted environments in the cloud, the government needs to combine the power of FedRAMP and TIC
Stephen R. Kovac
Vice President of Global Government and Compliance, Zscaler
know that the apps and environments they choose adhere to the FedRAMP standard, and vendors have the opportunity to develop a strong community of trust among themselves, which is essential for success.
Shared services and
IT modernization
Another part of the equation is the Trusted Internet Connections initiative, which mandates that all agencies’ internet traffic go through a trusted connection. Yet the TIC relies on archaic hub-and-spoke architecture to secure the network and protect users, meaning users must be on the network to
be secure and all internet traffic must be backhauled through the TIC to be protected.
As agencies begin to modernize, TIC solutions need to move to the cloud. However, TIC is based on the Federal Information Security Modernization Act and other controls, not on FedRAMP. To modernize the TIC, it is essential to bring FedRAMP and TIC controls together.
Users should be able to access the cloud via a trusted connection and seamlessly flow from one FedRAMP-approved
app to another without having to be reauthenticated. When FedRAMP and
TIC work hand in hand, it can dramatically increase performance for users. The Office of Management and Budget, Department of Homeland Security and General Services Administration have begun to work together to strengthen both initiatives and have committed to a formalized TIC policy update.
The concept behind FedRAMP of “build once, deploy many” should also apply to
IT modernization. There’s no reason for
IN THE PAST 10 years, we’ve gone from government employees rarely working outside the office to
applications residing in the cloud and
users working from remote locations.
As transformation continues, traditional networks are shrinking, but now reliance on the cloud and the internet raises a tough question: How do you provide the same level of security across a variety of devices on a network you don’t control?
The key is building a zero-trust environment, which means focusing
on securing the user and protecting the application. This is done by creating inside- out connectivity so that applications are “dark” to unauthorized users and never exposed to the internet. It ensures that the right user is securely connected to the right application.
The government is moving in the right direction. Recently, ACT-IAC created
a working group to review zero-trust solutions. In addition, the Federal Risk and Authorization Management Program helps create a trusted environment. Agencies
deepOV/RedlineVector/Shutterstock/GCN Staff
S-50 | SPONSORED CONTENT