Using AWS Verified Access and SD-WAN to streamline and secure remote application access for federal employees

Many US federal agencies have adopted a hybrid workplace model, which has increased the need to enable access to applications from anywhere to support distributed agency employees. Agencies can no longer rely on traditional network access methods, such as virtual private networks (VPN) and conventional wide-area network (WAN) technologies, to provide employees and users with a reliable and secure remote access experience.

VPN and multi-protocol label switching (MPLS) technology developed in a time when applications primarily existed in an on-premises data center and a security perimeter around the data center was all that agencies needed. However, the adoption of the cloud and recent trends in employee mobility by federal agencies has extended the perimeter to the internet. Federal agencies need an alternative to remote-access VPNs and MPLS to support the security , visibility, and user experience required in a cloud-first era.

In this blog post, learn how traditional connectivity methods affect the agency employee experience while accessing applications. Then, discover how AWS Verified Access from Amazon Web Services (AWS) and software-defined wide-area network (SD-WAN) can improve the employee experience while accessing enterprise applications while maintaining reliability and security .

The challenge of remote application access for federal employees

Most federal agencies adhere to the Trusted Internet Connections 2.0 (TIC 2.0) model for securing internet points of presence and external connections for the government. However, TIC 2.0 requires all incoming and outgoing agency data to funnel through a physical TIC access point based on traditional on-premises network architecture, which can introduce challenges for network administrators trying to support a distributed workforce. Network administrators must increasingly rethink how to secure distributed users in real time, provide fine-grained access policies to applications, and streamline centralized logging to accelerate the analysis of security and connectivity opportunities.

The TIC 2.0 model described in the following Figure 1 provides centralized network connections, security controls, and monitoring. Traffic from a remote site is first back-hauled to a central location using technologies such as client VPN, site-to-site VPN, and MPLS. Back-hauled traffic is inspected centrally before a user can be granted access to applications hosted on a cloud service provider (CSP) or exit to the internet – but this model can add additional latency as distributed users use one exit point to the cloud and the internet. After the user traffic is inspected, traffic is routed to the AWS Cloud using AWS services such as AWS Direct Connect or AWS Site-to-Site VPN for connectivity to applications hosted on AWS.

Figure 1. A high-level architecture in which users access AWS through trusted internet connections. Traffic from agency employees in branch offices or the internet is backhauled through a corporate data center before accessing AWS services.

A more flexible architectural approach to enable remote access

In September 2019, the US Office of Management and Budget (OMB) released Memorandum M-19-26, which replaced prior TIC-related memorandums and introduced TIC 3.0 guidance. TIC 3.0 recognizes the need to account for multiple and diverse security architectures, rather than a single perimeter security approach. This flexibility allows agencies to choose how to implement security capabilities in a way that fits best into their overall network architecture.

Moving to a TIC 3.0 architecture provides opportunities for federal agencies to improve the user experience while increasing security posture. TIC 3.0 provides more opportunities to support the growing numbers of federal employees working remotely and connecting to cloud environments by enabling federal agencies to speed up adoption of technologies like SD-WAN. With SD-WAN, federal agencies can remove bottlenecks and improve the customer experience by enabling direct routing of traffic with advanced controls based on application characteristics. SD-WAN solutions complement Zero Trust solutions like AWS Verified Access that focus on specific use cases and traffic patterns, by creating a network that can support virtually any application traffic. Learn more about how US federal agencies can apply TIC 3.0 to AWS workloads.

Using AWS Verified Access to streamline and secure remote application access for federal employees

By migrating to a TIC 3.0 architecture, federal agencies can use AWS Verified Access to provide secure access to applications without requiring the use of VPN with three key features:

First, AWS Verified Access evaluates each application request in real time using Zero Trust principles and multiple security factors, such as identity and device posture. Agencies can manage identity through AWS IAM Identity Center (successor to AWS Single Sign-On) or any OpenID Connect (OIDC) compatible solution. AWS Verified Access can also leverage device-level data with browser plugins from supported third-party trust providers, such as JAMF for macOS devices and Crowdstrike for Windows devices. Plugins retrieve client device information and share it with AWS Verified Access through a browser extension.

Second, AWS Verified Access lets administrators define fine-grained access policies through Cedar, a language for defining permissions as policies, which describe who should have access to what.

Third, AWS Verified Access can protect against common web exploits and bots by integrating with AWS WAF, a web application firewall. Using AWS Verified Access, network administrators can create a faster, more streamlined user experience by using the Internet to access applications hosted on AWS instead of back-hauling through an on-premises datacenter first.

Figure 2 illustrates an architecture to enable agency employees to securely connect to enterprise applications with AWS Verified Access. This example uses AWS IAM Identity Center to verify user identity. At the time of publication, AWS Verified Access integrates with Application Load Balancer, Network Load Balancer, or an elastic network interface in Amazon Elastic Compute Cloud (Amazon EC2). Refer to the Verified Access endpoints documentation for more details.

Figure 2. An architecture model in which agency employees can access AWS services directly over the internet. AWS WAF provides protection against common web exploits and AWS Verified Access evaluates every request and provides access to the application.

Software-defined wide-area network (SD-WAN) and Trusted Internet Connections

Federal agencies can further improve customer experiences when moving from a TIC 2.0 to a TIC 3.0 environment by integrating SD-WAN solutions with the AWS Global Infrastructure. SD-WAN is a highly orchestrated, intelligent overlay-network that uses multiple VPNs and advanced path selection logic to optimally leverage diverse transport paths between WAN sites.

Federal agencies can choose various AWS Partners to deploy SD-WAN. A common approach is to deploy SD-WAN services on Amazon EC2-based virtual appliances in AWS Regions to extend the SD-WAN fabric to the AWS Cloud. These Amazon EC2-based SD-WAN appliances can then leverage Connect attachments to AWS Cloud WAN or AWS Transit Gateway to exchange routing information and integrate with the agency’s private networking in AWS. AWS Cloud WAN provides a central dashboard for making connections between your branch offices, data centers, and Amazon Virtual Private Clouds (Amazon VPCs)—building a global network with only a few clicks. AWS Transit Gateway connects your Amazon VPCs and on-premises networks through a central hub. Once on the network hosted in AWS, agencies can route traffic through AWS security services such as AWS Network Firewall and third-party solutions, often enabled by Gateway Load Balancer, to provide the desired visibility and controls on the traffic.

To provide security against common web exploits and bots, federal agencies can protect resources with AWS WAF. Learn how to simplify SD-WAN connectivity with AWS Transit Gateway Connect and the solution options available for inline traffic inspection.

The resulting network enables direct routing between systems over elastic networking constructs that can rapidly scale up or down based on user behavior and application requirements, while still providing the visibility and controls required for a TIC 3.0 environment. More details on these approaches can fit into a larger network and the benefits of leveraging the AWS Global Infrastructure and networking services can be found in the blog series, “Introduction to Network Transformation on AWS – Part 1” and “Introduction to Network Transformation on AWS – Part 2.”

Figure 3. Using SD-WAN with AWS Cloud WAN, agency employees access AWS services over the internet using SD-WAN and AWS Cloud WAN to route traffic to the Inspection VPC. Traffic is inspected by the AWS Network Firewall and then employees can access the application.

Figure 3 illustrates an example of traffic flowing between users in a branch office and enterprise applications hosted in a VPC on AWS. Note that the traffic from the branch office routes directly to the SD-WAN virtual appliance in AWS. The architecture in Figure 3 bypasses the corporate data center and avoids the inefficient traffic back-haul described in Figure 1. Once the traffic reaches AWS Cloud WAN the traffic is routed through an Inspection VPC where the traffic is inspected before routing to the VPC where the enterprise applications run. If desirable, additional monitoring and control solutions can be deployed in the inspection VPC and traffic can be routed through each solution before returning to AWS Cloud WAN. For example, an agency may have a web application firewall, a next generation firewall, and a performance monitoring solution that the network traffic traverses when traffic flows are routed to the inspection VPC. The response traffic from the enterprise application to the in the branch is routed back over the same path, avoiding potential issues with the connection state. Additionally, administrators can use a private underlay network in-place of or alongside the internet connectivity depicted in Figure 3 by connecting branch offices over private networking like MPLS via AWS Direct Connect connections to a virtual private gateway associated with the transit VPC.

Conclusion

With the flexibility provided by TIC 3.0, agencies can use AWS Verified Access and SD-WAN technologies to increase efficiencies and security in remote access for applications for distributed employees. By updating legacy architectures with cloud-based solutions, federal agencies can utilize the virtually unlimited capacity of AWS Global infrastructure without long-term commitments or usage minimums to adapt to changes in traffic patterns, compliance requirements, and threat landscapes. Integrating a mix of AWS native services and partner solutions, many of which are available through one-click deployment in the AWS Marketplace, can help agencies quickly provide the right tools to secure and operate their environments, while providing an optimal user experience for the agency’s employees.

Do you want to learn more and get hands-on experience with AWS Verified Access? Get started with this AWS Verified Access Workshop.

Engage with your local AWS account team and SD-WAN provider to learn how you can integrate with AWS and how this approach can help improve customer experience in your environment.

Read related blog posts on the AWS Public Sector Blog:

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.

Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.