Lolland Municipality tightens the security reins with Zero Trust implementations
Lolland Municipality needed a security architecture to suit their strategy of working with data more flexibly and in a more mobile way.
In collaboration with Globeteam, Lolland Municipality implemented elements from the Zero Trust security paradigm.
The IT department has been provided with several tools to manage the user organisation’s access to data and systems. The users are less likely to compromise the organisation’s information security.
As part of a larger digitisation journey, Lolland Municipality is increasing their focus on information security. The aim is to make it easier for the municipality to manage security across an increasingly hybrid workplace. They also want to make it more difficult for users to make errors, no matter where they are, who they are, which unit they are using, or what they want access to.
Digitisation plays a larger role in Lolland than in other municipalities. At the very top level, their strategy is to be a digitally visionary municipality.
“For us, of course, digitisation is about learning to deliver the services that are expected by citizens. But it is also about creating more opportunities for the citizens to, for example, be more self-sufficient via self-service solutions. We have to be able to save resources, and they have to have the experience that the quality of public services is constantly improving.
If we want to use more data and more technology then we must have security under control,” says Ditte Ploug, Head of Sector at Lolland Municipality.
In need of a more flexible security concept
In order to support these digital visions and the corresponding security challenges, Lolland Municipality chose to work with several components of the Zero Trust security paradigm.
Simply put, Zero Trust is about not automatically trusting a user who is trying to access data or a system. On the contrary, you expect a security breach, and, thus, you only let users and units in who can be validated.
“The trend surrounding the hybrid workplace has pierced the old perimeter approach, where we built a castle with a moat around it. Today, our users have to be able to access data anytime and anywhere. We need security principles that fit that type of flexibility and for that Zero Trust is suitable,” says Thomas Rysgaard, Team Leader at Lolland Municipality’s Digitisation Unit.
Sparring partners and hardcore technicians
Lolland Municipality has chosen to work closely with Globeteam, not only on the implementation of the Zero Trust architecture, but also on overall IT visions for the municipality.
Globeteam has helped us with sparring, advice, licence review, workshops and implementation. They helped us with running an adoption track explaining the opportunities of Microsoft 365 to the organisation through workshops and e-learning. However, Globeteam were also equipped to step into the control room with hard core technical skills to make the solutions work."
Construction of and compliance with rules
Rysgaard explains that Globeteam, among other things, has helped build a security foundation around
Azure AD Multi-Factor Authentication (MFA) and established Conditional Access policies. In plain English, this means that in the future Lolland Municipality should be able to better keep track of who tries to gain access to what from which devices and under which circumstances (time and place, among other things). In other words, the municipality will have a tighter-knit net to catch suspicious and inappropriate user behaviour.
“For example, if anyone tries to log on a private service like Facebook with their corporate email address, we can make them aware that that is a bad idea. The systems can react proactively if there is sensitive personal information in an email, chat or in documents, so users can be made aware that they are about to send this information out into the world. That is the balance we need to maintain; not chaining the users in terms of security but influencing them in the direction of good data processing”, says Thomas Rysgaard.
Secure use of mobiles and apps
Yet another example of strengthened security within Lolland Municipality is that they will also keep a closer eye on employee mobile devices. Not in the sense that employees are prevented from using their private devices for work, because we know they do that. We just control what they will be allowed to do.
“We put in an MFA process which means that if they, for example, want to read their emails on a private device, they have to multi-factor validate themselves to be able to do so.
Private apps are allowed to be installed on the device along with Office apps. But they cannot, for example, copy something from Outlook and insert it into a private app that we do not control.
There might be certain users who for various reasons need to violate the limitations that we set. But in that case, we will ask them to justify their need to violate the security policy, and then we will log that reason,” says Thomas Rysgaard. He finishes by saying:
“We are also of the opinion that we should not be a security hammer hitting users over the head all the time. No good can come from that. We have to be the one informing the employees when they are doing something wrong.”
More about Zero Trust:
Can I help?
Do you want to hear more about how Globeteam can help you with a similar solution, please feel free to contact me at +45 3074 7474 or pls@globeteam.com