Illinois CISO Adam Ford administers Okta to secure resources for more than 8,000 state employees.

Apr 20 2023

Single Sign-On Applications Support Zero Trust for State Agencies

Governments provide secure access to critical resources through identity and access management solutions.

End-user experience was a top priority for the Illinois Department of Innovation and Technology when it deployed Okta Workforce Identity Cloud to more than 8,000 employees in early 2020.

The Illinois state government faced employee challenges as the world shut down during the pandemic. With nearly everyone working remotely, the department needed a quick and seamless way to secure employee access to critical applications, says CISO Adam Ford.

The Okta single sign-on solution supports Illinois’s zero-trust environment by authenticating every user who seeks access to the state’s closed network. It’s easy for employees to use and has been so successful that Illinois has introduced it to its roughly 13 million residents, Ford adds.

That a government agency or any organization might turn to single sign-on, or SSO, to establish zero-trust security comes as no surprise to Keatron Evans, principal cybersecurity adviser at Infosec Institute.

    ZT Sidebar


    “To truly enforce zero trust, where everybody and everything has to authenticate every time, that’s really only going to be possible with a single sign-on solution,” Evans says.

    At organizations where employees need access to myriad applications in order to do their work, “trying to remember every login and password becomes an impossible challenge,” Evans says.

    IT departments like SSO solutions because they prevent employees from adopting bad password habits, he adds. “And, most important, they allow them to roll out multifactor authentication in a way that’s not disruptive to end users.”

    Click the banner below to learn about getting zero trust architecture right.

      Using Okta SSO to Enforce Multifactor Authentication

      As an SSO solution, Okta “sells itself” to those who use it, Ford says. The cloud-based platform is easy to integrate from an IT perspective, and it supports a number of two-factor authentication options, including push, U2F and WebAuthn.

      Since his team introduced the identity and access management (IAM) tool to the state’s workforce three years ago, “the more we’ve used it with different systems, the more we’ve heard from people that they like it and the more we’ve seen its benefits,” Ford says.

      Today, those benefits extend not only to employees but to citizens as well. Soon after the state government’s initial deployment to its workforce, it turned to Okta again to provide secure public access to a vaccine verification system and to the state’s unemployment insurance program.

      EXPLORE: 5 keys to avoiding common mistakes in incident response.

      Now, Illinois residents can interact with state services through an Okta-powered platform called ILogin. It lets users choose from four different multifactor authentication methods, including through the Okta Verify app, and it permits password recovery and resets via text, phone call or email.

      Agencies considering single sign-on should “not get caught in paralysis by analysis” when it comes to choosing an IAM vendor, Ford says.

      “There are several leaders in the industry, and any one of them can help you be successful. Don’t worry about picking the perfect SSO solution; just make it a strategic goal and go,” he says.

      How Virginia Is Staying Ahead of Cyberthreats

      As Northern Virginia district operations systems manager with the Virginia Department of Transportation, John Kornhiser leads an IT team tasked with a very specific mission.

      “We support the technologies needed to keep traffic moving on the roadway,” Kornhiser says.

      Key to that work is a custom application that integrates and processes data gathered from every corner of the district. Data from traffic video cameras, highway message boards and emergency services dispatch feeds all comes together in the traffic management system the team operates out of its VDOT office.

      About five years ago, cybersecurity became “a huge focus” for the agency, Kornhiser says. A ransomware attack had seized the traffic management system in neighboring Washington, D.C., and VDOT realized that it wouldn’t be long before cybercriminals turned their attention toward its department.

      “One of the first things we decided to do was improve security around the way that we gave employees and contractors remote access to VDOT resources,” Kornhiser says.

      DIVE DEEPER: How New York is working toward a single, verified login.

      With that in mind, Kornhiser’s team shopped around and eventually settled on a Cisco solution called Duo. With Duo, VDOT’s traffic management system is protected because it sits within a zero-trust security environment, Kornhiser says.

      Duo is a single sign-on tool that relies on multifactor authentication and, in this case, sits atop the Cisco AnyConnect service. The Software as a Service technology thwarts cybersecurity threats by verifying users’ identities before they can touch VDOT’s systems.

      “You have a username and password, but then you also have a secondary form of authentication that comes in the form of a randomly generated code,” Kornhiser says.

      Created instantly at sign-in, the code is delivered to another device or account previously confirmed as being under the user’s control. “Even if the hackers know your password, they’re not getting anywhere without that additional authentication,” Kornhiser says.

      VDOT’s system has remained safe since the agency’s Duo deployment. In fact, Kornhiser says, the solution has been so successful that it’s now being used across all five VDOT regions.

      Source: National Association of State Chief Information Officers, The People Imperative: The 2022 State CIO Survey, October 2022

      How Iowa Leaders Are Helping Citizens Connect

      Much like Illinois, Iowa needed a solution that would allow it to quickly connect citizens to critical resources and services, says Darwin Ten Haken, an enterprise architect in the Iowa Office of the CIO. At the same time, state government workers were shifting to telework, so any platform the state chose to pursue would also need to offer security for employees.

      The team ultimately decided to use Okta because it integrates easily with Microsoft Active Directory and works well with the state’s human capital management system. Employees today can log in to their Okta accounts from anywhere.

      “They go to their dashboards and they have a single sign-on for all the applications they need to do their jobs. And back in IT, we know they’re secure because they’ve gone through the authentication process,” Ten Haken says.

      That process is simple, of course — just a text or a call or an app-based verification — but Ten Haken’s team has full control through its policies to require additional authentication measures when needed. “If they’re on their workstations, MFA may not be necessary every time they sign on,” he says. “That’s different than if they’re using an off-premises network, where we’re going to ask for it more often.”

      In December, the state completed its most recent SSO upgrade to a new solution called Okta Identity Engine. The platform allows for improved customization, especially in the realm of user experience.

      “We’re moving toward being more proactive securitywise, but we also know it’s really important to keep life easy for employees,” Ten Haken says. “I think that if we can continue to do both of those things successfully, we’d consider that a win-win.”

      LEARN MORE: Why IoT botnets remain a critical cybersecurity threat to state and local governments.

      Photography by Bob Stefko

      Learn from Your Peers

      What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.