Jan 29 2024

State Agencies Coordinate Individual Solutions for Zero-Trust Teamwork

Cybersecurity solutions work together to ensure verification of users and devices.

Several years ago, cyberattackers from a hostile nation-state made their way onto the network of a North Dakota K–12 school district, but they didn’t infect the district with malware or ransomware. Their purpose, state IT leaders suspect, was to use the school district as a launchpad to infiltrate the state’s National Guard, which provides physical security for a sizable stockpile of nuclear weapons.

But thanks to the state’s zero-trust architecture, the attackers never made it past the school district’s firewall.

“Any entity on our network has to talk through a firewall to any other entity,” says Ryan Kramer, enterprise infrastructure architect for North Dakota Information Technology. “I am not a fan of alert-only solutions. If you’re hit by a scripted, automated attack, the attackers will have persistence in the target environment by the time you detect it. You might be able to close the door that they came in, but it’s too late by that point.”

Doug Robinson, executive director of the National Association of State Chief Information Officers, says the recent growth in cyberattacks — both in volume and sophistication — is spurring more state governments to take a hard look at cybersecurity solutions and practices that support a zero-trust architecture. In a zero-trust model, organizations require strict identity verification for all users and devices, whether they are within or outside the network perimeter.

“IT leaders realize that they need a much stronger approach,” Robinson says. “Human error can create unintentional insider threats, and organizations need to have a much more expansive view of their environment than the traditional point security solutions they’ve had in the past.”


Always On, Zero Trust Requires Continual Authentication

As part of North Dakota’s zero-trust strategy, the state has deployed more than 100 Palo Alto Networks firewalls, creating nearly 1,000 separate virtual LANs that segment network traffic to keep threats from spreading.

“We can’t assume our servers are clean,” Kramer says. “We assume they’re compromised, and then we limit the number of other servers they can get to.”

Kramer says that procurement has also become a powerful tool to enforce zero trust, as the state can insist that vendors implement certain standards as a condition of purchase.

“Zero trust is not a switch that you can turn on and off,” he says.

Zero-Trust Solutions Resemble a Team of Superheroes

Adam Ford, CISO for the state of Illinois, compares cybersecurity solutions to a team of superheroes, such as the Justice League or the Avengers.

“This notion of bringing together different capabilities in furtherance of the common good, it’s an apt metaphor for our journey into this zero-trust approach to security,” he says. “It’s a real shift from the castle-and-moat philosophy that we’ve had in technology for decades. With the rise of these modern attacks, such as ransomware, and these sophisticated organizations that can penetrate the castle walls, you now must have a plan for what happens when someone gets inside.”

The state’s zero-trust solutions include multifactor and single sign-on tools from Okta, enterprise cloud security solutions from Zscaler and Splunk’s security information and event management tool. Occasionally, while talking about the tools, Ford will liken one of them to a specific comic book character.

“Splunk is a little like Professor X from X-Men,” he says. “He always had an idea of what was going on with everybody. Splunk is where we get that overview — even while we still have the Wolverines of the world out there slashing people and healing our network.”

Source: Illinois Department of Innovation and Technology, “The Zero Trust League Superheroes of Cybersecurity,” August 2023

The state’s zero-trust strategy, Ford says, is rooted in an acknowledgement that it has become impossible for any organization to implement foolproof protection against cyberthreats. That means adopting tools that promote visibility and limit attackers’ movement throughout the state’s IT environment.

“We just assume that there is an attacker in our environment all the time, and then we try to take countermeasures to stop them,” Ford says. “We’ve seen outsized benefits. We have a lot more visibility, and a lot more control.”


Zero-Trust Automation Tools Help Bring Everything Together

The Michigan Department of Technology, Management and Budget commissioned a study several years ago to assess the state government’s IT environment against zero-trust principles. The state scored better than officials expected, and they realized that this was the result of several ongoing cybersecurity efforts. So, officials decided to bring those projects together under the umbrella of a zero-trust program.

“Zero trust is top of mind for everybody in the industry right now,” says Jack Harris, Michigan’s CTO. “It really has come to the forefront since COVID-19, because of the number of people that are working remotely and the need to secure remote access.”

To implement its zero-trust strategy, Michigan relies on a wide range of cybersecurity solutions. For instance, the state uses a number of identity and access management tools, including the privileged-access management platform Delinea, as well as VPNs and an IBM single sign-on tool. Network segmentation and access control are also critical. Here, Michigan relies on a mix of Cisco and Check Point firewalls, as well as network access control solutions from Cisco.

“When you log in to the enterprise network with your laptop, you don’t authenticate only with your identity credentials,” Harris says. “Your laptop also gets queried by the system: Are you a state-issued laptop with certifications? Do you have a valid user ID? Are you in a building that you shouldn’t be in?”

To manage its zero-trust architecture, Harris says, the state relies heavily on automation tools. “This involves a lot of data, and it’s happening very fast,” he says. “So, automating all of these processes and our ability to query repositories is key.”

When Michigan launched its zero-trust program, the state had about 70 related projects in motion. Many of those have wrapped up, but others have since begun, and the current number of zero-trust projects still hovers around 70.

“It's a journey,” Harris says. “It’s not a destination.”

