TIC 3.0 Securing The Government Cloud Edge - McAfee

SOLUTION BRIEF

TIC 3.0 – Securing the Government Cloud Edge

Key Use Cases

Through modernization of the Trusted Internet Connection, agencies can employ new Policy Enforcement Points (PEP) to increase cloud adoption and embrace cloud use cases:

- Detect, monitor, and restrict unsanctioned cloud services within the agency and on remote endpoints
- Perform tenant restrictions for enterprise SaaS services, such as Office 365
- Provide collaboration control to prevent inadvertent disclosure of agency data
- Secure agency-sanctioned cloud services by detecting compromised accounts, insider threats, and malware
- Provide zero trust and contextual access controls for agency enterprise applications in the cloud
- Audit and remediate cloud workload misconfigurations to prevent unauthorized access

Business Problem

The Trusted Internet Connection (TIC) initiative has sought to improve the cybersecurity posture of the Federal Government by reducing the total number of internet Points of Presence (POP) and introducing network security technologies at the perimeter that detect threats and protect agency networks. The traditional network perimeter continues to erode thanks to new collaboration technologies and the advent of cloud service providers. As a result, agency data no longer resides in fixed silos behind the network firewall. Alternative approaches to protecting agency data stored at the endpoint or in sanctioned cloud service providers are needed.

With the recent increase in teleworking, the use of agency-sponsored cloud solutions requires cloud-native compensating security controls that provide new mechanisms for monitoring cloud services, protecting agency data, and remediating incidents as they occur. The demand for remote work has stretched legacy VPN infrastructure capacity to its limits. New technologies for protecting end users and endpoints should be employed to complement an agency's traditional Trusted Internet Connection (TIC). Due to the significantly increased number of teleworkers, the DHS Cybersecurity and Infrastructure Security Agency (CISA) released the TIC 3.0 Telework Use Case. This guidance enables agencies to incorporate new technologies to improve agility and scale and to reduce reliance on on-premises resources. McAfee has developed the Government Cloud Edge to address these gaps.

[Figure 1. Traditional Trusted Internet Connection (TIC). Diagram labels: Traditional TIC; Cloud Service Providers (IaaS, PaaS, SaaS); MTIPS/TICAP; Agency; Mobile Users.]

McAfee Government Cloud Edge (GCE)

In order to fulfill the requirements outlined in the TIC 3.0 Security Capabilities Handbook, new Policy Enforcement Points (PEP) are needed that address the goals of maintaining consistent protection of agency users, devices, and data. McAfee's Government Cloud Edge is comprised of three foundational technologies that ensure TIC 3.0 use cases are solved:

- MVISION Cloud (CASB)
- Web Protection
- Data Loss Prevention (DLP)

Attempting to manage or maintain these disparate solutions from multiple vendors creates significant overhead and is prone to misconfiguration errors. Investigating any security event across disparate solutions requires manually stitching together reports from individual products and repositories to identify the source of the incident.

Utilizing McAfee's Government Cloud Edge, you can achieve:

- Consistent visibility and control over data from device to cloud
- Integrated access control and threat protection for the cloud and web
- Cloud-native and hybrid architectures with enterprise scale and resilience

The TIC 3.0 Teleworking Use Case is accelerating a shift beyond the network to a new cloud edge. McAfee's Government Cloud Edge enables remote users to operate with maximum productivity while ensuring appropriate security policies and governance are in place as they would be for the traditional TIC.

[Figure 2. Modernized Trusted Internet Connection (TIC) 3.0. Diagram labels: TIC 3.0; Cloud Service Providers (IaaS, PaaS, SaaS); MTIPS/TICAP; Web Protection; MVISION Cloud; Global Threat Intelligence; Agency; Agency Teleworker; Mobile Users. Legend: Teleworker to Cloud Hosted Applications; Policy Enforcement Point (PEP); Management Entity.]

[Figure 3. TIC 3.0 – Teleworker Use Case. Diagram label: McAfee Government Cloud Edge (GCE) (CASB SecAAS).]

Consistent Visibility and Governance over Agency Data from Device to Cloud

As cloud adoption continues to shift agency resources and data from the network perimeter to cloud provider environments, the primary control points for data protection shift as well. Devices can access cloud data from anywhere, and data can be created in the cloud and shared cloud-to-cloud without ever residing on a device or passing through a traditional TIC stack. This makes the device and the cloud the focal points for data protection, with web traffic in the network remaining a useful mechanism to control unsanctioned cloud services, prevent malware, and manage general internet access while honoring the original intent of the TIC. Many agencies have established DLP programs for their on-premises environments, where significant time has been invested defining classifications for what data is sensitive to their agency and working with multiple stakeholders, such as counsel, privacy officers, and data owners, to gather data protection requirements.

Implementing data protection in the cloud used to require rebuilding these DLP classifications in the cloud. This resulted in excessive time spent replicating pre-existing work already completed for data on devices and in the network, with potentially inconsistent policy enforcement from different DLP engines. Data loss through collaboration or shared links in the cloud was invisible to on-premises DLP. McAfee Government Cloud Edge streamlines the implementation of DLP in the cloud by sharing data classifications and DLP engines between all policy enforcement points (PEP): the device, network, and cloud. Utilizing McAfee ePolicy Orchestrator (ePO) software as the starting point for creating and managing classifications, you can then synchronize your classifications between on-premises DLP and CASB, applying them to policy for any cloud service and cloud-to-cloud traffic that would otherwise bypass your network. All devices, whether in or out of your managed network, can be protected by the same DLP rules.

[Figure 4. Comprehensive Data Protection Across Agency Devices, Network, and Cloud. Diagram labels: ePO (Policies/Incidents, Data Classification, DLP Engine, Endpoint DLP); MVISION Cloud (Cloud DLP Engine, Policies, Incidents; Rev. Proxy, API, SMTP); Sanctioned/Shadow SaaS/Email.]

Performing data protection management in a centralized location saves time, enabling faster investigations and better reporting while eliminating the need to combine multiple data sources. Investigations and reports are more accurate, with fewer opportunities for mistakes made from manually combining data. Instead, data is combined automatically by McAfee ePO software. Incident data is all-encompassing and consistent, using the same DLP engines and classifications across each enforcement point and combining their event data.

Unified Access Control and Threat Protection for the Cloud and Web

Cloud services come with various levels of risk and can be accessed by both managed and unmanaged devices (BYOD). Enterprise cloud services, such as Microsoft Office 365, have published application programming interfaces (APIs), which allow Cloud Access Security Brokers (CASBs) to connect directly for visibility and control over data that enters the service, data created in the cloud, and data shared cloud-to-cloud or anywhere externally. Cloud-native threats that occur within these services can be detected by user and entity behavioral analytics (UEBA) that correlate activity across all cloud services agencies have authorized. Recently allowed by the TIC 3.0 guidance, personal devices can access agency instances of Office 365 but be restricted from downloading sensitive agency data by the CASB, preventing data

[Figure 5. Monitoring and Protection of Enterprise Software as a Service (SaaS) Applications. Diagram labels: Agency Campus; Microsoft Office 365; Unmanaged Devices; High Trust Zone; Medium Trust Zone; Low Trust Zone. Legend: Policy Enforcement Point (PEP); Management Entity (CASB).]

In addition to enterprise SaaS applications, agencies must ensure that applications which have been migrated to or built in Infrastructure as a Service (IaaS) public cloud providers, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP), are properly monitored and have compensating security controls to allow for direct connections. McAfee's Government Cloud Edge (GCE) CASB solution acts as a Policy Enforcement Point (PEP) Management Entity to provide the additional controls listed:

- Security Configuration Monitoring: Identify IaaS and PaaS resources with non-compliant security settings to remediate misconfigurations that could lead to cloud workload or data compromise
- Confidential Data Visibility: Gain visibility of regulated / high-value data stored in cloud data storage services, such as AWS S3 buckets or Azure Blob Storage
- Advanced Threat Protection: Detect compromised user accounts, insider or privileged user threats, and malware
- Activity Monitoring and Forensics: Capture and categorize an audit trail of all activities that occur within the CSP for forensic investigations

[Figure 6. Monitoring and Protection of Agency Infrastructure as a Service (IaaS) public cloud service providers and enterprise applications. Diagram labels: App A, App M, App G (each with MGMT); Remote User; Mobile; Internet; Agency Campus; High Trust Zone; Medium Trust Zone; Low Trust Zone. Legend: Policy Enforcement Point (PEP); MVISION Cloud (CASB); Cloud Services Application.]

Shadow IT

Most agencies believe they use less than 50 cloud services; McAfee has determined that agencies oftentimes use closer to 2,000. That is a wide range of services to protect. However, 90% of data lives in the enterprise services that agencies sanction, with 42% living in collaboration services like Office 365 alone. The remaining 10% of data lives in unsanctioned services, which are often referred to as "Shadow IT." Despite holding a fraction of sensitive data, they typically pose the highest risk, meaning they don't meet security requirements like encrypting data at rest or achieving compliance certifications, such as FedRAMP.

[Figure 7. Secure Web Gateway enhanced with Shadow IT Detection for secure access to agency sanctioned cloud service providers. Diagram labels: Public Cloud (SaaS, PaaS, IaaS); The Web; Web Gateway Cloud Service; MVISION Cloud; Web Gateway; Laptops; Remote Offices; Agency Campus. Legend: Branch to Campus Internal Applications; Branch to Cloud Service Provider (CSP); Branch to Internet; Policy Enforcement Point (PEP); Management Entity; Security as a Service.]

McAfee Government Cloud Edge (GCE) allows you to control access to all cloud services and protect against threats that occur within them. Leveraging Web Protection, CASB, and DLP technologies enables agencies to provide comprehensive policy enforcement points to fulfill TIC 3.0 capabilities. Additional controls from the convergence of CASB and Web Protection within McAfee Government Cloud Edge include:

- Zero-day malware prevention: Zero-day malware from any cloud service or website is detected and removed by our high-efficacy machine-learning based engine.
- Cloud application controls: Control features of individual cloud services, like the ability to post or upload documents.
- Tenant restrictions: Differentiate between personal and corporate accounts of cloud services like Office 365, blocking personal accounts and guiding users to the agency account under your visibility and control.

McAfee GCE utilizes a CASB to perform its sanctioned cloud service visibility and control via API and reverse proxy. For unsanctioned cloud services and the web, it uses a Secure Web Gateway (SWG) to enforce its policy via forward proxy.

Cloud Smart and Direct-to-Cloud Architecture with Enterprise Scale and Resilience

The network-centric security model of the traditional TIC no longer provides adequate visibility and control over devices that can be anywhere and cloud services that aren't operated by the agency. Access from devices to the cloud operates over web protocols, providing a layer of control for web proxies to enforce unsanctioned-services policy, scan for sensitive data in motion, and block malware. Traditional TICs use hardware appliance proxies in their data center that capture traffic from remote sites over wide-area network techniques, including multiprotocol label switching (MPLS). Both the hardware and the MPLS network carry cost and capacity limits. McAfee's GCE offers a flexible architecture that supports on-premises virtual appliances, Infrastructure as a Service (IaaS) public cloud service providers, or a cloud-native web gateway cloud service managed by McAfee. Utilizing this approach greatly reduces the cost of hardware and MPLS routing, with capacity constraints replaced by the scale of the cloud. Taking this approach for TIC 3.0 allows any device or physical site to connect directly to the cloud and open internet with increased levels of control over data and threats through McAfee GCE.
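As an added illustration (not McAfee's code or any GCE configuration), the following Python models the enforcement split described above and in the SaaS section: sanctioned SaaS handled by the CASB, with unmanaged (BYOD) devices limited to no-download access; everything else handled by the SWG forward proxy; and the proxy pinning Microsoft sign-ins to the agency tenant so personal Office 365 accounts cannot be used. The header names Restrict-Access-To-Tenants and Restrict-Access-Context are Microsoft's documented tenant-restrictions headers; the sanctioned hostnames, tenant name, directory ID and category label are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholders standing in for an agency's policy values.
AGENCY_TENANTS = ["agency.example.gov"]
AGENCY_DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"
SANCTIONED_HOSTS = {"outlook.office.com", "agency.sharepoint.com"}
BLOCKED_CATEGORIES = {"shadow-it-high-risk"}  # constructed SWG category label
# Microsoft sign-in endpoints where the tenant-restriction headers are honored.
IDENTITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}


@dataclass
class Request:
    host: str
    managed_device: bool             # True for agency-managed endpoint, False for BYOD
    download: bool = False           # True when the request pulls a file out of the service
    category: str = "uncategorized"  # SWG URL category assigned to the destination


@dataclass
class Decision:
    pep: str      # which enforcement point handles it: "casb" or "swg"
    action: str   # "allow", "allow-no-download" or "block"
    headers: dict = field(default_factory=dict)  # headers the proxy injects


def decide(req: Request) -> Decision:
    """Apply the PEP split described in the brief to a single outbound request."""
    if req.host in IDENTITY_HOSTS:
        # The forward proxy pins sign-ins to the agency tenants; a personal
        # Office 365 account cannot complete sign-in through this path.
        headers = {
            "Restrict-Access-To-Tenants": ",".join(AGENCY_TENANTS),
            "Restrict-Access-Context": AGENCY_DIRECTORY_ID,
        }
        return Decision("swg", "allow", headers)
    if req.host in SANCTIONED_HOSTS:
        # Sanctioned SaaS goes through the CASB reverse proxy; BYOD may
        # work inside the service but may not download agency data.
        if req.download and not req.managed_device:
            return Decision("casb", "allow-no-download")
        return Decision("casb", "allow")
    # Unsanctioned services and the open web: SWG forward proxy policy.
    if req.category in BLOCKED_CATEGORIES:
        return Decision("swg", "block")
    return Decision("swg", "allow")
```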

[Figure 8. Before – TIC 2.x – Traditional Architecture Hub and Spoke. Diagram labels: Open Internet; IaaS; PaaS; SaaS; Traditional TIC (Firewall, IDS/IPS, VPN); MPLS; D.C. HQ (DC Apps); Agency Branch Offices: Kansas City, Pittsburgh, Dallas, Chicago; Mobile.]

[Figure 9. After – TIC 3.0 – Direct to Cloud. Diagram labels: Direct Access for Cloud Services and Web Protection for Public Internet; Agency HQ; Agency Branch Office; SD-WAN; Optional WAN Edge; Mobile.]

TIC 3.0 – Telework Use Case – McAfee Alignment

[Alignment table; only the labels survive extraction, the row-by-row mapping does not. Capability areas named: Endpoint Security; Data Protection; Email; Web; Networking; Unified Communications and Collaboration; Files; Remote Desktop Access. Capabilities named: Endpoint Detection and Response; Anti-malware; Protections for Data at Rest; Protections for Data in Transit; Data Loss Prevention; Data Access and Use Telemetry; Anti-phishing Protections; Malicious URL Protections; URL Click-Through Protection; Network Segmentation; Access Control; Data Protection (DLP/Encryption); Adaptive Access Control. McAfee Solutions named: MVISION Mobile; Endpoint Detection and Response (EDR); Network Security Platform (NSP/NVP); Malware Sandboxing (ATD & TIE); MVISION Cloud (CASB); Data Loss Prevention; Enterprise UCC Data Loss Prevention.]

About McAfee MVISION Cloud (Cloud Access Security Broker)

McAfee MVISION Cloud provides agencies the comprehensive visibility and consistent control they need to embrace the cloud to augment and support their mission. MVISION Cloud is a cloud-native security platform specifically designed for the cloud. It integrates seamlessly with cloud service providers, enables employees and developers to leverage cloud services, and at the same time protects confidential data and addresses threats in SaaS, PaaS, and IaaS cloud services.

About McAfee Data Loss Prevention (DLP)

McAfee Data Loss Prevention software delivers the highest levels of protection for sensitive data, while greatly reducing the cost and complexity of safeguarding business-critical information. McAfee data protection is delivered through the McAfee ePO platform, for streamlined deployment, management, updates, and reports.

About McAfee Web Protection

McAfee Web Protection uses secure gateway technology to protect every device, user, and location from sophisticated threats. McAfee Web Protection is a unified solution combining on-premises McAfee Web Gateway and cloud-delivered McAfee Web Gateway Cloud Service. When deployed together, both on-premises and cloud solutions can be managed with a single console and with a single shared policy that is applied to devices wherever they travel.

Learn More

Visit us at www.mcafee.com/publicsector

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2020 McAfee, LLC. 4534 0620 JULY 2020
