New York City Department of Education Migrates from VPN to Zero Trust

Securing user devices at an unprecedented scale

In an environment designed to nurture student curiosity, New York City Department of Education (NYC DOE) cybersecurity professionals work to find a balance in supporting children’s need to push boundaries while keeping them secure and safe from access to harmful websites and suspicious and unsolicited applications. Protecting the complex, decentralized infrastructure for the largest school system in the US is demanding on the best of days. The NYC DOE footprint includes more than 1,800 schools across more than 1,500 physical locations and approximately 30 administrative offices.

When the COVID-19 pandemic forced schools to move to distance learning, the NYC DOE found it needed to support remote instruction at an unprecedented scale while strengthening its security posture. It accomplished exactly that with Zscaler, implementing Zscaler Private Access in just 90 days followed by Zscaler Internet Access a few months later. 

Demond Waters, CISO at the NYC DOE, sought out a unified solution that would be flexible enough to manage fluctuating levels of bandwidth and provide multiple layers of security. With the mindset that no system is entirely invulnerable and threats may already exist on the network, the team adopted a zero trust approach to extend application access privileges only to verified users and devices based on context and policy. As an alternative to disparate point products, the Zscaler Zero Trust Exchange platform offered a robust and comprehensive security solution. In about four months, the NYC DOE installed the Zscaler agent on 400,000 iPads, 600,000 Chromebooks, and numerous PCs. 

“We needed a holistic solution that would help us identify issues faster and enable easier management across our different partners,” Waters said. “That’s exactly what we found in Zscaler.”

Five pillars of zero trust protect a large and diverse user base

The NYC DOE has an expansive network consisting of 80,000 access points and 2 million devices, with a throughput of 260 Gbps. Use cases vary from educators accessing proprietary learning applications to high school seniors working on advanced digital programs to classroom Chromebooks shared among several students throughout the day. The NYC DOE’s mission is to foster students’ curiosity and support their learning journeys; the security team’s mission is to protect those journeys.

To support that endeavor, the security team starts with the zero trust mindset of “never trust, always verify.” 

“The nature of government programs, which are regulated in line with specific protections such as the Children’s Internet Protection Act (CIPA), closely aligns with zero trust principles,” Waters explained. 

The NYC DOE uses the five pillars described by the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model as a guide to implement its security policy. With the Zscaler Zero Trust Exchange in place, the security team knows they are not only meeting, but surpassing the government’s security thresholds to receive funding as part of the E-rate program. Meeting that threshold is crucial to receive the discounts that help fund NYC DOE’s internet access and maintenance of telecommunications services.

Knowing the NYC DOE needed to go beyond the minimum E-rate requirements to protect students’ learning journey, the security team helped the organization down the path of zero trust maturity. “With Zscaler we’re able to successfully address each of the zero trust pillars—identity, device, network, data, and applications and workloads,” Waters noted.

Increased visibility and control over traffic prioritizes instructional applications and secures users

Prior to Zscaler, to maintain CIPA compliance, the security team initially deployed point products to block malicious, inappropriate, or distracting websites (examples: social media, gaming, or adult content) that could harm academic integrity. These solutions addressed this only minimally, as overall network traffic was not inspected, leaving the team blind to many internet threats.

The NYC DOE needed broader protection for SaaS applications that teachers and students use regularly, including Microsoft 365, Google Cloud Platform, Salesforce, Workday, and instructional applications, such as the district’s learning management system (LMS). 

The security team deployed Zscaler Internet Access (ZIA), part of the Zero Trust Exchange platform, to secure direct internet access for its more than 1 million users across 32 school districts. ZIA immediately began inspecting all TLS/SSL internet traffic at scale without impacting performance. In just 90 days, it detected and blocked 644,217 threats hidden in encrypted traffic, boosting the district’s security posture.

With the Zscaler URL filtering capability in ZIA, the security team now has granular visibility into where traffic is going on the internet. Users are protected from visiting inappropriate sites, and the bandwidth control functionality enforces policy that prioritizes learning applications over recreational traffic.

“When we started using Zscaler, we discovered pockets where internet usage was being consumed for non-instructional purposes. We’re able to communicate that to individual schools and make better security and policy decisions to support learning,” Waters explained.

Users express rousing support for seamless and secure access to private applications with zero trust

Before the pandemic, the DOE had 1,000 VPN licenses for senior staff and system administrators. When the pandemic forced schools into remote learning, Waters and his team needed a way to securely connect educators and students at a distance while enabling access to private applications.

The security team evaluated three options: keeping the existing traditional VPN solution, using virtual desktops, and deploying Zscaler Private Access (ZPA).

VPN was ruled out quickly due to the potential for split tunneling to compromise the DOE network, as it exposes some network traffic to the internet without encryption. Virtual desktops mimicked the experience of sitting inside the school building for many school administrators, but it worked poorly on Mac devices. The security team found that ZPA gave them greater control and was the most secure and user-friendly option.

Most applications users need to access are in the cloud, but there are proprietary applications in NYC DOE’s data centers, on personal desktops, or elsewhere on the network. With Zscaler, users can securely and easily gain access to the information and resources they need. Built-in policy enforcement ensures users are only allowed to access authorized applications.

“Since rolling out ZPA, the response from users has been so positive that we're exploring more departments and groups to deploy with,” Waters recalled. “And our security team is thrilled too, as it gives them greater control over managing access to applications, keeping them secure, and providing great user experience."

Fewer classroom interruptions, more user experience insights

The NYC DOE’s large decentralized networks form a complex system, where application issues often show up due to insufficient bandwidth, underpowered and overused wireless access points, and hardware or software version mismatches. As a result, the security team launched a Zscaler Digital Experience (ZDX) pilot to gain visibility across all devices, networks, and applications to identify and resolve issues more quickly.

Early in the pilot, the team observed how ZDX AI-powered root cause analysis points them directly to applications or devices experiencing problems. During one computer lab class, some devices were running more slowly than usual. (With the NYC DOE's five-year technology update cycle, newer devices are often running next to older ones.) In this instance, the support team was able to rapidly pinpoint the cause of the issue through ZDX, update necessary software on PCs and tablets, and get students back to learning more quickly.

“Deploying Zscaler in NYC DOE’s complex environment has demonstrated powerful benefits for system administrators and instructional staff. ZDX is a huge help when we have to troubleshoot and resolve issues. Now, we can pinpoint the root cause of an issue (such as latency or packet loss), take corrective action, and enable our teachers to get back crucial classroom instruction time,” Waters explained. “We now use ZDX to discover and correct the root causes of poor user experience when faculty and staff are on premises; at the same time, remote users enjoy more consistent connectivity and longer periods of uptime.”

CrowdStrike and Zscaler offer endpoint-to-application visibility

By integrating Zscaler and CrowdStrike, the NYC DOE benefits from endpoint-to-application visibility and granular policy controls based on shared threat intelligence and automated responses. CrowdStrike sends device health data for the district-issued 400,000 iPads, other MacOS devices, and Microsoft Windows systems to the Zero Trust Exchange, which automatically adopts its network access control policies by limiting or granting access when the context of the user or device changes.

The Zscaler-CrowdStrike integration builds a stronger threat defense. From the endpoint, CrowdStrike collects endpoint health data from the operating system and sensor data to calculate a Zero Trust Assessment (ZTA) score for each device. Zscaler adaptively enforces access policy by comparing the device ZTA score to NYC DOE’s baseline score. If a device meets or exceeds the baseline score, access is granted; if not, access is denied.

The DOE integrated Zscaler and CrowdStrike early on and found immediate benefits from their combined threat intelligence. “We had a potential incident involving a third-party and reached out to Zscaler and CrowdStrike for threat intelligence. Zscaler quickly came back to us with detailed information that I was able to pass on to my team. Everyone was impressed by the level of detail that helped us better protect our users,” Waters recalled.

Partnering with a trusted vendor through every stage spells success

During implementation, the security team began working with the Zscaler Professional Services and Customer Support teams. These teams continue to bring valuable insights to the NYC DOE today.

“During deployment, we greatly benefited from the Zscaler technical account managers and customer success teams. Regular calls and updates have helped our security team navigate Zscaler in our environment,” Waters said. “We rely on them when we have questions and are impressed with their responsiveness and ongoing attention.”

The security team has found a trusted resource in the Zscaler security reports as well. Any time a new senior leader joins, the Zscaler quarterly block report is one of the first items shared. In a three-month timespan, Zscaler prevented 5.5 billion policy violations, blocked 235.7 million security threats, and processed 240.3 billion transactions.

“Some companies lose sight of their customers as they grow. Zscaler has never turned us into a ticket or charged us for faster response times as other vendors have. One of the best things Zscaler has brought to us is their customer success team. It's a true partnership,” Waters related.

Zero trust architecture supports education at a massive scale

The NYC DOE needed a security approach that could keep up with the demands of an evolving user base and scale without compromise. Across 32 densely populated school districts, students and educators test the limits of its network, spending more and more time with internet-based instructional resources. The NYC DOE found that a zero trust network architecture best supports its growth by:

• Providing direct connectivity to the cloud: NYC DOE schools are increasingly reliant on internet-based learning resources inside the classroom.
• Protecting data using context-based policies: Zero trust policies grant access requests based on identity, device, content, and application, meeting CIPA compliance requirements.
• Reducing risk by eliminating the attack surface: Connecting users directly to the internet and private applications rather than to the network removes the risk of lateral threat movement.
• Enabling reliable remote access: Distance learning requires protection for remote users and devices that connect to the internet and applications from anywhere at any time.

“Our users have varying levels of experience with technology, and students want to click on everything, so a zero trust architecture is an obvious fit for the NYC DOE. We have to operate within a model of ‘trust no one, verify everything.’ Zscaler is instrumental in achieving that level of security,” Waters explained.

Looking ahead to apprenticeship programs, authentication, guest Wi-Fi, and deception

As the NYC DOE advances its zero trust maturity model, the security team plans to continue building out protection in line with the five pillars of zero trust. At the top of the list of priorities is to go deeper with authentication, which will help Zscaler enforce policy with greater specificity and provide detailed logging and reporting. 

Waters is excited about adopting the Zscaler Guest Wi-Fi for students who bring devices to school. Many of the NYC school buildings are more than 100 years old and have poor access to 4G or 5G mobile service, so students often resort to finding workarounds to connect to the school Wi-Fi. With Zscaler Guest Wi-Fi, traffic is automatically routed to the Zscaler platform for full inline content inspection. 

Waters and his team are also eager to learn more about Zscaler Deception, which detects advanced in-network threats that have bypassed existing defenses. Zscaler Deception plants decoy servers, applications, and databases to lure bad actors and prevent high-risk human-operated attacks.

“There’s so much more we can do with the Zscaler Zero Trust Exchange—we’ve only scratched the surface,” Waters shared. 

Looking ahead, Waters is passionate about growing the NYC DOE cybersecurity apprenticeship program for students who intern with the security team. When students join the team, they take on real-world problems, work with vendors, complete security certifications, and give presentations. 

“Cybersecurity needs an apprenticeship program just like electricians and doctors have. Our students are creating scripts and thinking outside the box. It’s a real learning experience for them, but also for us, because they have a different way of thinking than we do,” Waters related. “I look forward to getting them acquainted with zero trust and with Zscaler.”

Zscaler at the NYC Department of Education: security at massive scale

The NYC DOE operates at a greater magnitude than most educational organizations. Securing the largest school system in the US takes a zero trust security philosophy and dedicated teams to execute the pillars of protection that keep student information, devices, and applications safe.

With the Zscaler Zero Trust Exchange, the NYC DOE safeguards the educational journey for more than 1 million students and 150,000 teachers and administrators. Together, the NYC DOE security team and the Zscaler Professional Services team ease complexity and improve access to secure internet, SaaS, and private applications for tomorrow’s leaders.

“Zscaler has been a dedicated and responsive partner,” Waters said. “They’ve always made us feel like a valued collaborator, and we look forward to what’s next.”