GSA / modernization

Report to the President on IT Modernization
https://itmodernization.cio.gov

Zscaler comments on the Report to the President on IT Modernization #46

Open stephenkovac opened 6 years ago

stephenkovac commented 6 years ago

Zscaler IT Mod Comments 9.20.17-Final.pdf

Dear Sirs,

On behalf of Zscaler, we are pleased to submit the attached comments on the Report to the President on IT Modernization. We look forward to continuing the dialogue with the White House on these and other critical issues.

Thank You,

Stephen R. Kovac
Vice President Global Government and Compliance
kovac@zscaler.com
727-288-7144

Zscaler, The Leader in Cloud Security

johnaweiler commented 6 years ago

The IT-AAC agrees with your submission. Nice job.

konklone commented 6 years ago

[Inlining a best-effort version of the attached comment below. Download the original attachment in the issue above to see the original comment.]


Response to White House Office of American Innovation Report to the President on Federal IT Modernization Submitted by Zscaler

Introduction

Thank you for the opportunity to provide feedback on the report of the White House Office of American Innovation to the President focused on Federal IT modernization released for public comment on August 30, 2017. We are encouraged by the report’s strong emphasis on improving cybersecurity by promoting network modernization and consolidation through 1) the protection of high-risk, high value assets, 2) modernization of the Trusted Internet Connection (TIC), 3) consolidating network acquisitions and management, as well as calls for government to better leverage cloud and related innovative technologies. We believe the report’s focus is on-target and look forward to working with you as we move forward with the recommended actions. As a leading provider of cloud-based cybersecurity solutions we offer the following comments and recommendations for your consideration.

Modernizing the TIC

The report calls out the existing perimeter-based security model employed by Federal agencies today, formalized in OMB Memorandum M-08-05, Implementation of Trusted Internet Connections (TIC) as having created challenges for agencies wishing to take advantage of cloud services and offers a series of recommendations and actions to begin to address these challenges. While we fully support the report’s overall recommendation of modernization of the TIC, we believe this is best accomplished using an approach not discussed in the report – one that moves the TIC away from the perimeter and to the cloud, aka “TIC-in-the-Cloud.” We discuss this approach in greater detail below.

Going forward, a key objective of modernizing the Trusted Internet Connection (TIC) should be to abstract security from the networks such that policies, not networks, securely connect the right federal employees to the right application or Internet service, regardless of location and network. As agencies accelerate adoption of cloud services and government employees become more mobile accessing those internet resources, the concept of perimeter-based security and protecting the network to secure users and data becomes increasingly irrelevant. We encourage the Trump Administration to consider moving TIC security controls, as well as other advanced security services, to a modern cloud-based, shared services platform for better protection, visibility and control of agency user traffic to the internet.

From our perspective, the original goal of the TIC initiative, launched 10 years ago, was to reduce, standardize and optimize agency connections to the Internet. This initiative significantly improved the Federal Government’s security posture and incident response capability because the network perimeter was well defined. IT systems and applications resided in data centers, and employees were connected on the government network.

Agencies are attempting to move to the cloud for greater agility, a faster pace of innovation, and lower costs, but have been impeded by the current TIC architecture. Cloud applications and Internet services play a vital role in government employees' personal lives, and they expect to have the same level of seamless access to applications at work, wherever they are hosted, from any device, from any location. We believe these trends are indicative of the broader digital transformation agenda, as organizations increasingly succeed or fail based on their IT outcomes.

Unfortunately, the current TIC architecture, which requires security appliances that are designed to protect the network, does so with placement at a limited number of gateways - which forces traffic to be backhauled over a hub-and-spoke network design. This adversely impacts service performance and availability, prevents ubiquitous mobile access, and increases overall cost. These challenges are exacerbated by an increasing number and diversity of sophisticated threats and a rapidly advancing threatscape that exploits the limitations of security appliances running in isolation.

We believe that a perimeter-based architecture to protect employees and data is increasingly irrelevant in a cloud and mobile-first world. Organizations depend on the internet, a network they do not control and cannot secure, to access critical applications that power their business.

Shared Services

The Report calls out shared services as an enabler of future network modernization, further clarifying that the desired end state is one in which agencies leverage cloud computing for email and related collaboration tools and improve existing security through the implementation of shared security services. The Report also highlights the need to “bring cloud to the government” – utilizing multi-tenant Government-owned and -operated infrastructure akin to modernizing the existing shared service centers – and to “bring government to the cloud” – the recommended default approach. This model, which Government will utilize, is characterized by multi-tenant, commercially owned infrastructure. It is the latter on which we will focus our comments. We believe it is imperative that government clearly define “shared services” so that it may ensure the right approach to achieving its objectives. Can a FedRAMP certified, public, multi-tenant cloud solution be an acceptable use case for shared services? CIOs are under pressure to maintain legacy systems while providing business users new capabilities more quickly. Consequently, FedRAMP certified cloud-based solutions can be an attractive option for agencies, because they enable alignment with the shared services Executive Order and GSA’s 10-year Shared Services Delivery Vision.

To be an effective solution, cloud service providers (CSP) must provide interoperable, software-as-a-service applications that can deliver common administrative functions across service areas. Moreover, agencies can leverage this approach to implement new funding and investment models that facilitate procurement of additional cloud-based shared services.

The Federal IT community originally thought CIOs would only consider the shared services model for highly commoditized services with low- to moderate- security levels. That is not the case. Government CIOs are looking for, and willing to invest in, advanced security services, such as TIC in the cloud, or secure VPN replacement that is delivered as Software-as-a-Service and deployed on a FedRAMP high Infrastructure-as-a-Service platform, or built in FISMA high facilities. Moreover, it is becoming increasingly obvious that the classical approach to shared services and cloud offerings are on a collision course, as government tries to centralize the shared services model while providers can now deliver elastic services on a consumption-based model. As these models converge upon each other, they underscore why and how a government can effectively use shared services models.

Another challenge we should consider as agencies move away from the dedicated decentralized model is how to avoid marketing and product naming procurement game traps. The report mentions that it is important to be wary of on-premises solutions that are sold with cloud terminology but do not actually meet the NIST Essential Characteristics of cloud computing. This is critical, because many of the old school switch, router, firewall, IPS/IDS etc. manufacturers are pitching the virtualization of their product in the big IaaS clouds and calling it a cloud or shared service, when in fact all you have done is moved the same problem to a different and truly more complex management model. Often, products that claim to offer private cloud infrastructure fail to deliver on cloud promises by missing key aspects such as rapid elasticity, on-demand self-service, or resource pooling. These solutions are virtualized hardware, and not a true multi-tenant shared services offering. In most cases, the true multi-tenant service offering is developed as custom software, built to provide services in the public cloud environment – the exact opposite of virtualizing the current hardware. There should be a strong focus on vendors that developed their software and services for the SaaS model, and less focus on a box provider that can virtualize. In this model, the SaaS provider operates the “services” in a private sector data center (for fed i.e. AWS/AZURE), but connects through a variety of different secure connections, from the desktop to the mobile device. As the report states, “Secure connections could include HTTPS, TLS, peering, etc.” This model supports the report’s claim that SaaS can be utilized for secure, critical applications that are only available to Government users on a Virtual Private Network (VPN) or other network-level isolation.

For example, to provide a cloud-based TIC, you cannot just virtualize the EINSTEIN Platform and all the devices behind it. This simply compounds the problem. You must look to a Security-as-a-Service vendor that was born in the cloud and understands how to operate in a multi-tenant environment dealing with the challenges of encryption, FIPS compliant algorithms, and compression technology that functions and scales in the cloud at rates that fix the latency issues of today’s TIC. This is our strength and DNA.

As agencies review shared security services they must look for FedRAMP certified SaaS solutions built to the moderate- or high- standard. As an example, agencies should consider multi-tenant cloud solutions focused on delivering world-class cloud-based security-as-a-service. Built on a certified Infrastructure-as-a-Service platform, these products reduce costs by eliminating legacy devices in the field that drive up the cost of providing quality security at the perimeter. This type of solution also supports modernization of the Trusted Internet Connection (TIC) by enabling faster cloud migration and adoption, driving cost efficiencies in government operations, and improving government’s overall security posture.

Recommendations:

The IT Modernization Recommendations to the President should be modified in the Network Modernization and Consolidation section to reflect a new approach to security that moves TIC functions away from perimeter-based, single-tenant appliances to a multi-tenant, cloud service model. Delivering a “TIC-in-the-Cloud” capability eliminates the need for traditional on-premises security appliances that are difficult to maintain and require compromises between security, cost and user experience. Moving the security layer from the data center to the cloud can deliver the security functionality needed to enable government users secure access to authorized applications and services based on agency policy, regardless of device, regardless of location.

Companies like Zscaler deliver the internet security stack as a service, continuously applying policies and threat intelligence to protect organizations from data leakage, malware and other advanced threats. Cloud-based security can help the federal government accelerate their IT transformation to the cloud and migrate from legacy “hub-and-spoke” networks to a modern direct-to-cloud architecture. And by moving security and access controls from the data center to a FedRAMP-compliant distributed cloud, the Federal Government can provide consistent protection to government users everywhere they go, while benefiting from the efficiencies and economics that cloud services provide.

Why a “TIC-in-the-Cloud”?

By modernizing the Federal Government’s internet security architecture and delivering a “TIC-in-the-Cloud” capability, a cloud-based security platform can:

Thank you for the opportunity to comment on the White House Office of American Innovation Report to the President on Federal IT Modernization and we appreciate your consideration of our recommendations. We believe strongly that overall IT security will be enhanced by moving TIC to the cloud – extending network security to all employees, increasing efficiencies and reducing costs, while providing for greater shared services and multi-tenant platforms and accelerating agency migration to the cloud.

Information about Zscaler

Zscaler was incorporated in 2007, during the early stages of cloud adoption and mobility, based on a vision that the internet would become the new corporate network as the cloud becomes the new data center. We predicted that with rapid cloud adoption and increasing workforce mobility, traditional perimeter security approaches would provide inadequate protection for users and data and an increasingly poor user experience. We pioneered a security cloud that represents a fundamental shift in the architectural design and approach to network security. Our approach applies policies set by an organization to securely connect the right user to the right application, regardless of the network. Unlike traditional “hub-and-spoke” architectures, where traffic is backhauled over dedicated Wide Area Networks, or WANs, to centralized gateways; our solution allows traffic to be routed locally and securely to the internet over broadband and cellular connections. We offer two principal cloud services:

• Zscaler Internet Access, or ZIA, securely connects users to externally managed applications, including SaaS applications and internet destinations, regardless of device, location or network. ZIA sits between users and the internet and is designed to ensure malware does not reach the user and valuable government data does not leak out.

• Zscaler Private Access, or ZPA, offers authorized users secure and fast access to internally managed applications hosted in enterprise data centers or the public cloud. While traditional remote access solutions such as VPNs connect a user to the government network, ZPA connects a specific user to a specific application, without bringing the user on the network, resulting in better security.

Zscaler offers the federal government an opportunity to securely embrace the business value of cloud and mobility by modernizing the TIC.