Background
A large and diverse state, Colorado faces more than 8.4 million cyberthreats per day, many of which are highly customized and targeted to circumvent traditional defenses. A mix of legacy network firewalls and virtual private networks (VPNs) deployed across various state departments and agencies became too costly and time-consuming to keep up with a constantly evolving threat landscape.
Colorado chose the Palo Alto Networks® Next-Generation Security Platform to transform its security infrastructure, gaining greater visibility and control over network traffic with intelligent and automated prevention against known and unknown cyberthreats. This comprehensive security solution is a core component of the state’s Secure Colorado initiative, which aims to safeguard network assets while enabling employees unencumbered access to information, so agencies can provide efficient, effective services to Coloradans.
DEFENDING AGAINST TARGETED CYBERATTACKS
Like most states in the U.S., Colorado runs a wide range of departments and agencies to serve its 5.3 million residents. Everything from education and human services, to agriculture and transportation, to public health and natural resources is supported by state agencies. As such, the state shoulders a great responsibility to protect private information that’s been entrusted to these agencies, whether by organizations or individuals.
In the digital age, protecting information shared across myriad computer networks and systems is a constantly evolving challenge. New, more sophisticated and persistent threats emerge almost every day — from ransomware and botnets to malicious port scans and distributed denial-of-service attacks. The state of Colorado is subjected to more than 8.4 million such threats on a daily basis. In many cases, the attacks are highly customized and targeted to circumvent traditional defenses.
Colorado has taken extraordinary steps to secure its network and the information assets under the state’s care. One major step is Secure Colorado, a strategic three-year data protection initiative through the Governor’s Office of Information Technology (OIT). Suma Nallapati, Colorado’s Chief Information Officer, states, “Our vision for Secure Colorado is to drive best-in-class security measures across every aspect of state operations. This includes choosing the right security technology, adopting industry best practices, and applying the most prudent security policies. Ultimately, we’re striving for elegant solutions that safeguard our network assets while enabling information access to support the state’s mission of providing efficient, effective and elegant services to Coloradans.”
ONE PLATFORM FOR MULTIPLE SECURITY NEEDS
Previously, Colorado had a variety of legacy network firewalls and virtual private networks (VPNs) deployed across various departments and agencies. However, this model was becoming time-consuming and costly to manage.
With more and more computer systems accessing the Internet, and a growing population of mobile users, the state also wanted better visibility into network traffic to identify the number and types of threats. Obtaining this kind of information from the legacy firewalls required exporting data from each device and painstakingly running that data through a set of custom tools.
Recognizing the need for a new approach to network security, the state conducted extensive evaluations and testing of the leading security offerings. After reviewing a long checklist of requirements spanning cost, reporting capabilities, and industry reputation, the state of Colorado chose the security platform from Palo Alto Networks.
David McCurdy, OIT’s Chief Technology Officer, comments, “We wanted an integrated approach to security, which provides an amazing portfolio of intrusion prevention, data filtering, VPN, policy control, and other core capabilities all in one platform. We’re finding a new level of security in this platform and it is taking us to a whole new level, not only securing our network but also providing users with safe, reliable access to the information they need.”
The Palo Alto Networks Next-Generation Security Platform consists of a Next-Generation Firewall, Threat Intelligence Cloud, and Advanced Endpoint Protection. It delivers application, user, and content visibility and control, as well as protection against known and unknown cyberthreats. The Threat Intelligence Cloud provides central intelligence capabilities, and automates the delivery of preventative measures against cyberattacks.
Colorado’s OIT deployed Palo Alto Networks PA-7050 next-generation firewalls in two state data centers with failover to ensure continuous availability in case one of the sites suffers an outage. The PA-7050s are positioned at the entry point of the state network, thereby securing all departments and agencies from a single vantage point.
OIT also augmented the PA-7050s with Palo Alto Networks security subscriptions. For example, Threat Prevention protects the network from advanced threats by scanning content within allowed traffic for threats, including exploits, viruses, and botnets. URL Filtering complements App-ID™, already built into the firewalls, to provide enhanced visibility and control of all application and Web activity. And WildFire® automatically detects unknown malware and stops these advanced attacks before the network is compromised, without requiring manual human intervention.
With this level of comprehensive protection, attacks on the state’s network are stopped cold before they ever have a chance to inflict damage. In fact, when previously unknown threats are identified anywhere in the world, Palo Alto Networks creates new protections that are distributed globally to all its WildFire subscribers. For Colorado, that means its PA-7050s are automatically updated to proactively guard against emerging threats.
“Our security solution goes far beyond just a couple of big iron boxes,” says McCurdy. “We’re connected to an entire ecosystem that autonomously watches over the global threat landscape to keep us protected.”
Because the state is able to replace multiple network and security products with a single natively integrated platform, McCurdy estimates this could ultimately save the state millions in product upgrades and replacement costs – and countless hours of management overhead.
Fewer Steps to Stronger Security
Another essential component of the state’s complete, new next-generation security solution is the Palo Alto Networks Panorama™ management appliance. With Panorama, OIT can view all firewall traffic, manage device configurations, push security policies out across the entire network, and generate detailed reports, all from one central location. This saves numerous manual steps and valuable time when updating or producing.
For example, OIT recently installed a small solution connected with the PA-7050 to secure network access for one of the state’s remote agencies. In the past, controlling this device and updating it with patches would require a staff person to drive out to the agency and manually apply the updates. With Palo Alto Networks, remote devices are automatically updated when OIT updates the PA-7050.
McCurdy notes, “When you’re getting into hundreds and thousands of devices, the more manual steps you take out of configuring and updating, the more secure your network is going to be.”
Night-and-Day Visibility Improvement
One of the most important aspects of ensuring network security is having advanced visibility and control. Colorado has the best in the business.
“We wanted visibility and control,” McCurdy observes. “We can see exactly what’s on our network, classify the good traffic from the bad, and eliminate everything that’s not authorized. It’s making a revolutionary difference in our ability to prevent cyberthreats.”
This same level of control will become increasingly important as more and more mobile devices come onto the network. This is also where performance of the PA-7050s makes a huge difference. Network security is always a balancing act between preventing malicious intrusion and ensuring unencumbered authorized access. Mobile users have especially high expectations when it comes to performance.
“The Palo Alto Networks platform is built from the ground up to not just enforce security, but also do it as fast and efficiently as possible,” says McCurdy. “That’s important for us to be able to deliver the performance our users expect. We’ve seen a 20–40% efficiency improvement with this platform, which enables better flow in terms of how much traffic we can securely move through the network.”
Security Posture Stands Up to Growing Threats
The combination of security automation, simplified management, and real-time reporting translates into significant time and financial savings for the State. The biggest factor is fewer staff hours required to track down information and manually manage remote devices.
“Managing our security infrastructure is so much cleaner and easier,” McCurdy remarks. “The amount of time we get back is extremely valuable because it allows our staff to focus on strategic projects and decision-making, instead of driving around configuring and updating devices.”
McCurdy estimates that OIT will shift hundreds of hours per year from traditional repetitive tasks to proactive security response and threat analysis.
While the battle between external threats and internal defense mechanisms is seemingly never-ending, the state of Colorado is now well-armed to deal with threats today and into the future. What’s more, the benefits and value Colorado realizes from the Palo Alto Networks Security Platform are only expected to increase as OIT rolls out additional platform capabilities and codifies security best practices across all departments and agencies.
Nallapati concludes, “We’re changing our security posture to reflect the realities of today’s cyber threats. We now have the tools to implement best-in-class next-generation security measures, with many capabilities we didn’t have before. This is a major step forward in meeting the objectives of Secure Colorado and allowing us to confidently assure citizens that information on our network is properly protected.”