Security-as-a-Service Transformation for State and Local Government

Traditionally, each State agency built out its own network and designed its own security architecture. Each one of these IT and security silos in a State agency, lead to continued duplication of effort and ever increasing costs for the overall design. As a result of these inefficiencies, State and Local government agencies established consolidated Enterprise Architecture Frameworks with the goal of a unified way in which agencies would modernize their information technology networks. An enterprise framework helped ensure that agencies and mission partners could share information securely while reducing wasted manpower and continued infrastructure expenditures.

Moving from a network-centric to resource-centric framework

Most legacy enterprise designs are network centric, meaning that the focus is on securing the network itself with the assumption that once the network is secured, resources and users will be protected as well. This belief has been experientially proven wrong and there are many examples of exploitations that have occurred because too much trust was placed on the secured network. What State and Local Governments need now is a modern approach that adopts the zero trust architecture as it is being defined by NIST. All data sources and computing services are considered resources access to resources is determined by dynamic policy including the observable state of client identity, application, and the requesting asset and may include other behavioral attributes. The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture.

Zscaler Internet Access

Zscaler Internet Access (ZIA) is a secure internet and cloud service provider (CSP) gateway delivered as a service. Think of it as a secure on-ramp to the internet and CSP — all you do is make Zscaler your gateway to the CSP. For on-premise installations, simply set up a router tunnel (GRE or IPsec) to the closest ZIA Public Service Edge. For mobile employees, you can forward traffic via our lightweight Zscaler Client Connector or PAC file

The main function of the IAP and CAP within the SSA is to provide a comprehensive and robust security stack to protect the DISN from the internet and CSP, respectively. ZIA has a proven track record of providing this a comprehensive and robust security stack to protect its customers worldwide, from the internet and the CSP. ZIA sits between your users and the internet or CSP, inspecting every byte of traffic inline across multiple security techniques, even within SSL.

Zero trust access is based on key tenets

Application/service access no longer requires access to the network or use of VPN inside-out connections ensure apps and services are invisible to unauthorized users. App segmentation, not network segmentation, connects users to a specific app or service and limits lateral movement Secure network communication is achieved via end-to-end encrypted TLS tunnels ZPA provides a simple, secure, and effective way to access internal services. Access is based on policies created by the IT admin within the ZPA Admin Portal and hosted within the Zscaler cloud. On each user device, a piece of software called Client Connector is installed. Client Connector ensures the user’s device posture and extends a secure microtunnel out to the Zscaler cloud when a user attempts to access an internal service.

Both services integrate with an agency’s existing identity providers via an industry standardsbased SAML 2.0 connection and also have the ability to stream transaction logging information to the agencie’s SIEM architecture. This means that Zscaler will integrate with the agencie’s existing cybersecurity platform and big data initiatives. Both ZIA and ZPA can be extended on-premises allowing for highly efficient traffic engineering. ZIA provides cloud-based protection at the perimeter, and ZPA provides a zero trust architecture to protect connections within the office.

Stronger through partnerships

Zscaler provides a robust and mature security-as-a-service platform but leverages tight integration with industry partners to ensure that the service can be easily deployed and integrated for a bestof-breed overall solution. Zscaler performs some basic device posture checking as part of the ZPA service and takes that capability further through integration with endpoint detection and response (EDR) companies, such as CrowdStrike, Carbon Black, and SentinelOne. By integrating with leading industry partners, Zscaler ensures that the EDR capability is active on the endpoint before connecting a user to any resources. ZIA and CrowdStrike also share threat intelligence between their clouds, meaning a threat signature detected by Zscaler anywhere around the world can be detected on an endpoint subscribed to the CrowdStrike Falcon service. Zscaler also integrates with a variety of SIEM vendors, such as Splunk, Elastic, ArcSight, and others to make it easy for those solutions to ingest our real-time streaming data.