Oklahoma CISO says pandemic accelerated zero-trust implementation
With more than half of the Oklahoma state government’s 30,000-person workforce still performing their duties remotely a year into the COVID-19 pandemic, statewide Chief Information Security Officer Matt Singleton said Tuesday the health crisis encouraged his team to drastically accelerate its implementation of new cybersecurity measures like zero-trust identity management.
Over the past 18 months — and particularly since March 2020 — Singleton said his division within the state Office of Management and Enterprise Services has completed 38 “significant” initiatives, including new cloud proxy servers, a new VPN and replacements of endpoint detection, antivirus and network intrusion systems.
Zero-trust security — a model in which security measures are implemented at every level of a network and all endpoints are considered potentially malicious — was a natural evolution for Oklahoma’s state government before the pandemic hit, Singleton said, but the onslaught of near-universal remote work only underscored its importance.
“We had 30,000 employees with state assets designed to be behind a castle wall,” he said. “We don’t have a castle wall anymore. We used to use these things on secure networks, now on commercial networks sitting next to a personal device.”
Changes
Singleton, who was named Oklahoma’s CISO in 2019, also said that, like many states, Oklahoma struggled in the pandemic’s early days to figure out if state employees — most of whom did not have work-issued laptops — should use their personal devices or bring home agency equipment to telecommute. OMES settled on a combination, while waiting for bulk laptop orders to be filled. Still, he said, that only precipitated the need for greater network security.
With the adoption of the zero-trust model, the biggest differences Oklahoma state workers now see when logging in are “a lot more multi-factor authentication” and logos for the new security software Singleton’s office acquired, he said. The new proxy servers and VPN were provided by Zscaler, a cloud-security vendor that’s also worked with other state governments, like Alaska’s, while the antivirus services come from CrowdStrike, Singleton said.
The new security stack is also designed to be more orchestrated, he said.
“The cool thing is that as part of a zero-trust ecosystem, they integrate with each other,” Singleton said. “We see something on our endpoint platform, that’s smart enough to notify our threat detection platform.”
Long term
But there are still longer-term software integration issues at play, he said, some of them lingering from the IT consolidation process Oklahoma went through beginning in 2012.
“We’ve got to untangle the hairball,” he said. “When you’re trying to allow state workers to have remote access, you really have to understand how all those things talk to each other. Because the consolidation was not complete, we had to do a lot of discovery and design on the fly.”
And Singleton said he expects that even when the pandemic finally fades, many state employees will continue working remotely, from major population centers like Oklahoma City and Tulsa to remote corners of the Oklahoma Panhandle. His own team, he said, is still 98% remote today. That only reinforces the impact zero-trust security and user training can have, he said.
“We’ve got a dispersed workforce now,” he said. “That’s a pretty big attack surface, and we’re really pushing hard on security and awareness training.”
But with the zero-trust approach being implemented, Singleton also said he’s starting to turn his attention to other areas, including third- and fourth-party risk management, as well as supply-chain management, an issue laid bare by the recent compromises of SolarWinds network monitoring software and the Microsoft Exchange Server application.
There were no indications of compromise in Oklahoma’s use of SolarWinds, Singleton said, “but we’re using it as an opportunity to pivot.”