Describe trusted internet connections

The next significant artifact was not legislation, but a memorandum.

In the early 2000s, the IT industry saw a shift from companies that owned and operated their own data centers to companies that simply rented hardware from, or co-located their own hardware with, data center providers. This approach achieves massive cost savings, but those savings can easily be eroded if the connection to the data center or the connection out to consumers is insecure.

Recognizing that this change was coming and that it would be more cost effective for the U.S. Government to host its systems with data center providers, in November 2007, the Office of Management and Budget, through Memorandum M-08-05, introduced the Trusted Internet Connection Initiative.

Governing connectivity to cloud service providers

The memorandum states that when the Federal Government connects to a data center or the cloud, it must do so using a trusted internet connection, or "TIC." In the Department of Defense, the TIC is referred to as the "CAP," or Connection Access Point.

Technology to be used when connecting to cloud service providers

The TIC memorandum aims to reduce the number of connections the Federal Government has to the Internet to 50. It uses hardware-based devices to bridge the gap between on-premises networks and cloud service provider networks. It also requires the use of logging tools to capture individual packets.

Securing connection to cloud service providers

When securing network traffic, two approaches are typically taken: securing the message (usually by encryption) and securing the channel (usually by encrypting the channel protocol). When either is compromised, it is critical that a security response be in place to address the compromise.

The TIC memorandum establishes US-CERT as the organization that handles security response actions. It also makes each agency responsible for creating, by January 2008, a Plan of Action and Milestones (POA&M) to implement trusted internet connections.

Complying with the TIC memorandum

The TIC memorandum also notes that those POA&Ms need to be sent to the Department of Homeland Security for review. By doing so, one agency ensures that the other agencies are securing their connections in the proper manner.

Importance

TIC has evolved quite a lot since 2007, moving away from heavy hardware-focused devices to more software-defined networking and guidance. TIC implementations are covered in greater detail in a separate module, but it’s important to understand the intent of this memorandum.

More information on the Trusted Internet Connection initiative may be found on CISA's Trusted Internet Connections site.