As ransomware attacks continue to increase across the public sector, states are partnering with local government to provide shared services. Referred to as “whole of state”, this collaboration leverages the expertise and resources of multiple government agencies.
According to a report from the National Association of State Chief Information Officers (NASCIO), “State governments are increasingly providing services to county and municipal governments, including endpoint protection, shared service agreements for cyber defensive tools, incident response, and statewide cybersecurity awareness and training.”
Zscaler was fortunate to participate in a roundtable discussion with several state leaders through ATARC (Advanced Technology Academic Research Center) to discuss how state and local government agencies can successfully plan, develop and execute a zero trust strategy through a whole of state approach.
We’ve gathered highlights from the roundtable into a white paper - Adopting a Whole of State Zero Trust Approach. Here is a summary of the discussion about the benefits of improved cybersecurity posture across state and local governments.
Same Problems, Few Resources
State and local governments often work with far smaller IT budgets than their federal counterparts. Yet states have tens if not hundreds of thousands of endpoints to secure from the massive increase in remote work (WFH) due to the pandemic.
The panelists agreed, however, that this is not a reason to delay a move to zero trust. A first step can be to take an inventory of hardware and software to know where your organization stands in terms of cybersecurity. From there, solutions can be researched to fill in the gaps and create an overall strategy.
One state cybersecurity chief shared that with their Whole of State approach, the state of North Dakota has offered many tools at low or no cost. In addition, they went to the state insurance agency and were able to secure a discount for any of the entities - counties, cities, schools and others - that adopt the state tools. This helps ease the rapidly increasing cost of cyber insurance. The state then is not only offering tools that are cheaper than the entities can purchase on their own, but if they adopt the tool set and methodologies that the state is using - such as zero trust - then they also receive a discount on insurance and lower long-term IT security costs.
A Larger Attack Surface
The rapid transition to WFH because of COVID lockdowns opened new avenues for cybercriminals to exploit. Virtual Private Network (VPN) was the most commonly used method among the panelists, even though it is not as secure as most people think.
Check your VPN settings if VPN traffic is overwhelming your network. Sometimes outdated or incorrect settings can increase bandwidth needs. Ultimately, moving to a zero trust VPN-free solution can be the most effective way to meet WFH needs for State and Local users. One large county was able to rapidly deploy the Zscaler Zero Trust Exchange to 18,000 county-owned devices in just three weeks.
Making zero trust a reality
Panelists had several suggestions on how to best manage zero trust transitions at the state and local levels.
- Inventory any connected apps, services and devices that access internal network resources and divide them into three groups: those that can readily be migrated to zero trust architecture, those that first require upgrades, and those that cannot migrate. This gives you a holistic view and allows you to prioritize to form a comprehensive transition plan.
- Get stakeholder buy-in to find solutions to well-defined problems. Demonstrate zero trust benefits to various stakeholders by tackling “low-hanging fruit” first. Have regular meetings with partners throughout the state to understand what their issues and concerns are, and how working together is beneficial to each city, county, school, hospital, or library.
- Get user buy-in and commit to education and enablement to give a clear understanding of the user role in keeping the organization secure.
One state leader shared that in a state-wide quarterly training program of over 200,000 users on how to spot a phishing email, there was a .9 correlation between user avoidance of fake phishing emails and those who completed training.
The transition to zero trust is a journey, not a sprint. It requires a mindset shift from the traditional castle and moat security models that were effective when the network could be contained inside a perimeter. As data and applications have migrated to the cloud, so must the network architecture that preserves security and the user experience.
With attractive modern security solutions that provide a more comprehensive approach to securing agencies by connecting the right user to the right application based on the organization's policies, state and local agencies can stay a step ahead of attackers and keep our constituents’ data protected. Zero trust tackles today’s most difficult challenges that encompass security, networking and enabling the modern workspace. Whole of State is an effective approach for government to deploy these types of solutions quickly and efficiently, maximizing IT resources across agencies.
Read the full white paper here.
Zscaler is a trusted partner to over 100 public sector organizations and their partners. Visit our State and Local page for more information on how Zscaler provides a cloud-smart approach to securing a hybrid workforce and stopping ransomware attacks.
Other resources for State and Local Government: