92% of encrypted traffic inspected
99.7% of internet transactions experience significantly reduced proxy latency
50% decrease in help-desk troubleshooting time
Challenges
Traditional on-premises hardware infrastructure could not protect remote access to the internet, SaaS, and private apps
Security staff had no visibility into nearly 95% of encrypted internet traffic and user traffic paths
VPN opened up the attack surface, leaving the network vulnerable to lateral threat movement
Approach adopted
- Secured internet and SaaS access, regardless of location or device, and provided full TLS/SSL traffic inspection
- Reduced time to troubleshoot and remediate issues, resulting in faster resolution without interrupting users’ workflows
- Replaced VPN with direct-to-application access and accelerated app access
Outcomes
Improves visibility and provides insight into encrypted malware and potential data exfiltration
Blocks web-borne threats through URL filtering and prevents malicious downloads
Tightens security by reducing the attack surface and preventing lateral movement
Accelerates investigation, triage, and remediation through integration with threat intelligence tools
Overview of the Oregon Secretary of State
State agency responsible for auditing public accounts, securing elections, and ensuring integrity and availability of public data
Industry:
Federal and Government
Headquarters:
Salem, Oregon
Size:
250+ employees
Case study details
Transitioning from legacy architecture to zero trust for enhanced security and data protection
The Oregon Secretary of State (Oregon SOS) security team knew that to maintain the accuracy and integrity of public data, they needed to replace much of their legacy infrastructure—including on-premises VPN. The recent shift to hybrid work prompted by the pandemic further underscored gaps in security as employees accessed state systems from unsecured networks at home or at cafés, libraries, and other locations.
Most employees (70%) are remote, and 30% are in the office on a regular basis. Everyone uses agency-issued devices—laptops, desktops, and mobile phones—which are confined to work-related activities.
To align with the latest advancements in security, the Oregon SOS decided to adopt a zero trust approach to security, based on the principle of “never trust, always verify.”
“Most legacy systems operate on an assumption of trust. For example, with VPN, you’re either authenticated or you’re not, and once you’re in, you can access any resource you want. Zero trust, on the other hand, grants access based on critical factors such as what resources users are authorized to access, what devices they are using, and the security postures of their devices,” said Daniel Thiems, CISO, Oregon Secretary of State.
“Zero trust provides checks and balances and important security functionality that our legacy systems were incapable of,” he added.
Ensuring the confidentiality, integrity, and availability of public data
The Oregon SOS is responsible for protecting public data such as voter registration information, campaign finance contributions, and audit and business registry data. To protect data from tampering and misuse, Thiems and his security team needed a solution that could block access to malicious sites, increase visibility into encrypted traffic, and provide secure remote access to the internet and internal applications.
In their evaluation of various zero trust platforms, they had four main criteria. The ideal solution needed to be:
- A cloud-native platform that could be managed remotely
- Easy to integrate with the agency’s existing technology stack
- Comprehensive and flexible enough to address specific use cases
- Affordable and scalable
The Zscaler Zero Trust Exchange™ was the only solution that met all their requirements.
Phase 1: ZIA proxies traffic at scale and blocks access to malicious web content
The agency is taking a measured, iterative approach to its digital transformation. The security team started its zero trust journey by seeking a web proxy to protect users from malicious content, enforce web usage policies, enable secure access to SaaS applications like Microsoft 365, capture log data for analysis, and increase visibility into encrypted traffic.
Within a week, they had deployed Zscaler Internet Access (ZIA), and these goals were met shortly thereafter.
The team set up granular policies with Zscaler URL filtering to block users from visiting potentially unsafe sites. They also leveraged File Type Control to protect users from accidentally downloading known malicious file types.
“As soon as we implemented ZIA, we saw an exponential increase in traffic visibility, especially for encrypted internet traffic. Now, we can perform in-depth log inspection and content analysis for malicious threats. ZIA gives us insights into where users are going and helps us better educate them on possible threats they may encounter,” said Thiems. “I’m impressed by how robust ZIA is. We’ve just begun to scratch the surface on what’s possible.”
Phase 2: ZDX decreases time-to-troubleshoot by over 50%
Next, Oregon SOS implemented Zscaler Digital Experience (ZDX) to resolve recurring connectivity and system issues. Thiems recalled how, in the past, users were submitting tickets frequently.
“They used to complain that Microsoft Teams or other SaaS applications were running too slowly. Using ZDX, the security team can more accurately and rapidly pinpoint problems, which are often the result of a rural connection with low bandwidth, an issue with the physical hardware, or the Wi-Fi creating a choke point. We can remedy that much more quickly for users than we could previously.” He added that, since ZDX is completely transparent to users, they can do their work without interruptions or slowdowns.
ZDX has reduced the time-to-troubleshoot of help-desk tickets by more than 50%. The security team has the information they need readily available, and AI-generated alerts give the team advance notice on potential issues. “We can pull ZDX up anytime and dive into the metrics to see what's going on. The level of detail available to us shortens the time spent troubleshooting, freeing up our security engineers to focus on bigger initiatives,” said Thiems.
Phase 3: ZPA deployment results in improved connectivity for 15 private applications
Prior to Zscaler, the Oregon SOS was using legacy VPN technology to access internal applications and on-premises databases, but the login process was slow and complicated. Users were often frustrated by login complexities and latency. Legacy VPN also expanded the attack surface and exposed the network to lateral threat movement.
When Thiems deployed Zscaler Private Access (ZPA) to secure connectivity to the agency’s 15 unique internal applications, he and his team received favorable responses from users. “We received a lot of positive feedback on how easy it was to access internal resources. ZPA has been a huge benefit to users and has streamlined many of our processes,” Thiems shared. “We were surprised by the increase in speed and bandwidth with ZPA compared to the legacy VPN; users are connecting faster and wasting less time waiting.”
The team continues to find more use cases for ZPA. For example, they were recently tasked with setting up virtual desktop infrastructure (VDI) in their demilitarized zone (DMZ). Thiems was concerned about the risk of exposure and potential compromise. To solve the problem, the team leveraged the advanced segmentation functionality of ZPA to minimize the attack surface and thereby secure the environment.
Next up: Delving deeper into zero trust
Thiems is identifying new use cases to get the most value out of the Zscaler Zero Trust Exchange platform. “Our priority is to take full advantage of what we pay for today and achieve a complete implementation where we’re utilizing everything we can in Zscaler to protect our environment,” he remarked.
Now that Zscaler is on all laptops and desktops, the team plans to gradually roll out ZIA and ZPA to state-issued mobile devices, deploying to small groups of users at a time.
“Providing a consistent user experience is key to user adoption. We recently rolled out ZPA to one of our managers who often works from his phone. He was able to log in and access internal resources as if he were onsite. Now, he can easily access what he needs from his phone or tablet. With Zscaler, we've seen consistency across users, devices, and operating systems. It's the same smooth user experience regardless of device or location,” explained Thiems.
Integrations build a robust defense-in-depth strategy
The CISO and his team have always taken a “defense in depth” approach to security by leveraging key integrations. To ensure SaaS data is protected, the Zero Trust Exchange integrates with Microsoft 365, Salesforce, Citrix ShareFile, Microsoft Azure AD, and other cloud applications. Zscaler’s integrated inline data loss prevention (DLP) capabilities include protection for data at rest and in motion, encrypted traffic inspection, and advanced threat protection.
“We’ve prioritized these integrations to make sure that Zscaler is inspecting those files at rest and that nothing is accidentally shared with unauthorized users,” said Thiems.
The Zscaler-CrowdStrike integration enables bidirectional threat intelligence and output logs that the security team can query. The CrowdStrike Falcon platform calculates a Zero Trust Assessment (ZTA) score for every device it manages and shares it with Zscaler. Based on that score and other contextual factors, Zscaler enforces application access policies, granting or denying access, or providing intermediate, read-only access via browser isolation. Zscaler and CrowdStrike work together to provide cross-platform insights, improve visibility into indicators of compromise (IOCs), prevent lateral movement of threats, and speed up response and remediation.
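As an added illustration (not code from the page, Zscaler, or CrowdStrike), the two access models contrasted in this case study, the legacy VPN gate from the CISO's quote above and the per-request decision fed by a device posture score described in this paragraph, written as a small Python policy function; the 0-100 score scale, the thresholds, the entitlement table and the device ids are all assumptions:

```python
# Added example: a toy policy engine contrasting the VPN-style decision
# ("once you're in, you can access any resource") with a zero trust decision
# that weighs user authorization, device identity and an EDR-reported posture
# score on every request. Score scale (0-100) and thresholds are assumptions.
from dataclasses import dataclass

POSTURE_ALLOW = 70    # assumed: full access at or above this posture score
POSTURE_ISOLATE = 40  # assumed: read-only browser isolation from here up to ALLOW


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    device_id: str
    posture_score: int  # assumed 0-100, higher is healthier


# Constructed sample data standing in for the identity provider and EDR inventory.
AUTHENTICATED = {"alice", "bob"}
ENTITLEMENTS = {"alice": {"voter-registry", "audit-portal"}, "bob": {"audit-portal"}}
MANAGED_DEVICES = {"LT-0001", "LT-0002"}


def vpn_decision(req: Request) -> str:
    """Legacy model: authentication is the only gate; any app is reachable after it."""
    return "allow" if req.user in AUTHENTICATED else "deny"


def zero_trust_decision(req: Request) -> str:
    """Per-request model: the user must be entitled to this app, the device must be
    managed (so a posture signal exists), and posture selects full access,
    isolated read-only access, or denial."""
    if req.user not in AUTHENTICATED:
        return "deny"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return "deny"  # authenticated but not authorized for this application
    if req.device_id not in MANAGED_DEVICES:
        return "deny"  # unmanaged device: no trustworthy posture score to evaluate
    if req.posture_score >= POSTURE_ALLOW:
        return "allow"
    if req.posture_score >= POSTURE_ISOLATE:
        return "isolate"  # degraded posture: read-only access via browser isolation
    return "deny"
```

The point of the contrast is the second function's extra gates: the same authenticated user that the VPN model admits everywhere is denied an app they are not entitled to, and a managed device with weak posture is downgraded rather than trusted outright.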
The agency has also integrated Zscaler with the Splunk security information and event management (SIEM) system. Zscaler log data is streamed into Splunk, providing enriched telemetry and insights into application and web usage, access activity, and the overall IT environment. Splunk then provides robust analytics with risk-based alerting (RBA) and user and entity behavior analytics (UEBA) to identify abnormal patterns and anomalies for easy threat detection. This accelerates triage, investigation, and response.
“Given our mission to manage and oversee elections, we regard our environment as critical infrastructure and are focused on integrating our solutions to create a collaborative ecosystem. We feed the data from these solutions to Splunk for further analysis. The additional data from Zscaler enables automated threat response, making us more efficient and proactive,” said Thiems.
Zero trust results in quantifiable benefits
Since deploying the Zero Trust Exchange, Oregon SOS is reducing its business risk by inspecting 92% of encrypted traffic. The security team has set up policies from the Zscaler management console that grant or deny application access based on the user, device, and data. They have prevented 7M policy violations per quarter.
Thiems also gained deeper insights into traffic by analyzing logs. The volume of transactions processed with Zscaler reached 100M in just three months, and the scale of data is providing rich information. “The reporting from traffic analysis is above and beyond what we could do before,” Thiems said.
Additionally, latency has been markedly reduced for 99.7% of internet transactions.
Freeing up resources for mission-critical initiatives
Rapid implementation, and the ability to convert the Zscaler proof-of-value (PoV) environment to production in a matter of weeks, have not only freed up time and resources but also allowed the security team to devote more attention to the agency’s mission to protect the public interest, while helping to elevate the state government’s security posture and its adherence to the CIA triad.
Maintaining secure and honest elections is a top priority for the Oregon SOS. As Thiems pointed out, safeguarding elections and ensuring public data integrity and availability under tight budget constraints requires creativity and resourcefulness.
“Our Zscaler implementation was done in half the time of other solutions, enabling our team to focus on critical projects and ensuring that we’re effective guardians of the state’s finances and data,” he said. “Most public sector organizations face the same challenge of having to do more with less. We’re always working to be the best possible stewards of taxpayer dollars, and Zscaler helps us get the most out of our investments.”