The Oklahoma Office of Management and Enterprise Services, state government’s technology and cybersecurity agency, maintains the state data network and supports over 180 customers that serve Oklahomans every day. With the abrupt transition from office buildings to telework during the COVID-19 pandemic, OMES needed a solution to enable state employees to continue serving from home without sacrificing the cybersecurity measures necessary to protect state and citizen information.
In 2020, OMES replaced the legacy virtual private network (VPN) solution with Zscaler Private Access (ZPA) as the state’s VPN to provide a secure, encrypted avenue for state devices to connect to the internet even when using public and home wi-fi. However, Zscaler takes that solution further by employing a zero-trust approach to state systems and applications. This allows Oklahoma OMES Cyber Command to verify not only the employee's identity every step of the way, but also devices they use, the locations from which they access and numerous other critical access control factors.
Over the past few months, Zscaler released new features, including Workload Segmentation, Cloud Access Security Broker and Digital Experience, to elevate cybersecurity and stop threats earlier and easier. In conjunction with ZPA, OMES also invested in Zscaler Internet Access (ZIA) to protect all users, working from any location, on any state-issued device, on any network.
Problem
In early 2020, the State of Oklahoma moved to a mass-telework model for the first time in history. The previous castle-and-moat security approach worked when employees connected to the state network on-site within state office buildings. However, it was never intended to support a remote workforce beyond the protection of the government’s metaphorical castle walls.
In addition to the sudden change, employee and citizen needs were greater than ever during the pandemic. Outdated remote connectivity solutions, built for an environment that was no longer relevant, could not meet the increase in volume and scalability demands. This posed significant vulnerabilities that made the state more exposed to modern cybersecurity threats and attackers, which increased drastically during this time.
Our state agency customers experienced several outages as the legacy solutions were overwhelmed with external logins and service requests. Even with the state’s significant investment in infrastructure to support the VPN environment, the resiliency was not up to necessary standards.
Solution
Oklahoma has been revolutionary in taking the next steps of advancing older VPN tools and modernizing the technology to support the state’s hybrid and remote workforce.
“Oklahoma is leaps and bounds ahead of other states from a digital transformation perspective,” said PJ Joubert, Zscaler representative for the state. “Calling ZPA a VPN solution is like saying the telephone and mobile phone are both the same phone.”
Key to Oklahoma’s success was replacing the typical VPN solution with a zero-trust access platform, transforming the way employees connect to state applications. This approach verifies who can access state apps and information and limits exposure to the internet and potential threats.
Extending the OMES network to 30,000 remote users would have posed extreme risk to state infrastructure. Instead, employees connect to the network via Zscaler’s Zero Trust Exchange cloud. From there, the platform performs posture checking, authentication and inspection seamlessly in the background. Once completed and approved, the employee is then connected to their application within this secure environment, where the application is never exposed to the internet.
The less exposure to the internet the better, as this greatly reduces cybersecurity risk.
Additional new features from Zscaler include three critical defensive and support solutions: Workload Segmentation, Cloud Access Security Broker and Digital Experience.
Zscaler Workload Segmentation (ZWS) applies similar zero-trust protection as ZPA, but instead of protection between users and applications, ZWS applies zero trust between application-to-application communication so advanced threats like ransomware or supply-chain attacks – which try to move laterally between applications to exfiltrate sensitive data or shut down and encrypt systems – are stopped before they are allowed to proceed.
Zscaler Cloud Application Security Broker allows the state to protect and control which data is saved and accessed in the cloud. It aligns access to data within certain cloud applications, enforces policies against this data, and removes or quarantines data that might be infected with encrypted viruses or malware.
Zscaler Digital Experience is a monitoring solution that provides end-to-end visibility and troubleshooting of performance issues for any user or application, regardless of location.
In the last two years, OMES and Zscaler have proactively protected the state and agency employees from well over 100 billion advanced threats, including ransomware, malware, viruses, worms, key loggers and sites containing malicious content. Without these protections, these threats would have accomplished their end goal of compromising state systems and exfiltrating sensitive data.
Strong partnerships with technology leaders like Zscaler are vital to OMES’ commitment to help state government function at its best. Implementing these new features enhances Oklahoma’s cybersecurity posture across all cloud environments and provides more granular identity-based controls for accessing the state network. The update applies similar protection to applications hosted in the state’s primary data center, encrypts information at rest and amplifies visibility into support issues users may experience, all the way down to individual hardware components on their workstations.
“Zero-trust application access and cloud-delivered cybersecurity enables the Oklahoma Cyber Command to improve policy enforcement, threat prevention and data protection, bridging the gap to enable state employees to work from anywhere,” said Matt Singleton, state chief information security officer.