The City of Boston Moves Securely to the Cloud

Modern infrastructure demands modern security

Like cities across the country, Boston’s IT team has worked to reduce its data center footprint and shift its infrastructure, applications, and data to the cloud.

Leading the effort is Greg McCarthy, the City of Boston’s Chief Information Security Officer. “Our goal is to provide responsive, modern citizen services,” he said. “We have taken steps to modernize our infrastructure and shift to a ‘cloud first’ mindset—when and where it makes sense. Today we manage fewer on-premise servers, we can scale to meet new compute demand more quickly, and we’ve reduced costs and energy consumption.”

The team made progress, but as the city relied more and more on web-based applications and infrastructure, new challenges followed—including an inefficient and unreliable internet security solution. It is now increasingly important to ensure employees can safely access web-based applications and data.

Reducing risk with zero trust

The city needed secure, scalable, cost-effective cloud access for its 5,500 users to improve workflow efficiency and reduce user frustration.

“As we considered options, we wanted to shift to a cloud security platform and take a zero trust approach,” said McCarthy. Zero trust models are built around the idea that an organization should not inherently trust any user or network.

The City of Boston issued an RFP to support the continued shift from an on-premises infrastructure to cloud, and, after evaluation, selected Zscaler Internet Access (ZIA), a cloud security platform that includes a secure internet and web gateway solution.

“ZIA gives us a security stack as a service from the cloud—so we are not managing additional hardware,” explained McCarthy. “We are connecting through our firewall, proxying our traffic. This means we can connect authorized users directly to externally managed applications (our SaaS applications, internet destinations) without placing them on the network.”

As a result of deploying ZIA, the security team has reduced the opportunity for malware and other threats to get onto the internal network or move laterally across it. ZIA also provides visibility into user activity and is helping to keep Boston’s cyber team aware of all applications running in the environment.

The Boston team also rolled out a new identity management solution and deployed a new access portal, working with SailPoint, Bing, and Radiant Logic, and will continue to evolve cyber defenses to meet employee and mission needs.

Reliable web filtering + blocked security threats = efficient teams

The security team has made significant strides thanks to the updated infrastructure, and can keep up with rapidly growing web traffic.

In the first quarter of 2019, the total bandwidth consumption grew 47% over the same period in 2018. In the first quarter of 2019 alone, the Zscaler cloud security platform blocked 1.2 million security threats and prevented 33.1 million web access policy violations, keeping the city’s applications and data safe.

More consistent filtering has resulted in a significant decrease in IT trouble tickets. Previously, the help desk managed 10–15 tickets per week related to website misclassification; tickets have been reduced to one or two per month.

Advice: collaborate early

McCarthy suggests that cyber teams carefully consider requirements and goals before exploring potential web security solutions. “Know what you want—having clear business requirements is important.”

He also recommends including cross-functional teams in decisions and planning early in the process. “Include the networking team from the very beginning,” said McCarthy. “Ultimately, you are now routing traffic a different way, so it is important they are involved early, as well as the security team.”

Collaboration is also important as the organization defines the in-depth threat protection needed. “From a policy perspective, you need to have HR, legal, and labor relations teams in the room to help define what you are blocking and the policies you are applying,” recommended McCarthy. “The security team will consider the security operations perspective, which will be different from HR or legal perspectives.”

“Like every city and government agency, we need to provide access to web-based shared services and the open internet,” said McCarthy. “And we need to support users working from multiple devices and many locations including remote locations. Our zero trust approach and ZIA have helped us improve security and reduce user frustration. Ultimately, that’s what it’s all about—delivering secure, modern citizen services to the City of Boston.”