Local Government Case Study
How Northern Rockies Regional Municipality Transitioned to a Zero-Trust Enabled Work From Anywhere Environment with Agilicus AnyX
Executive Summary
CONTACT US
COVID-19 caused a sudden disruption in the IT workflow of Northern Rockies Regional Municipality. “People suddenly transitioned from always working in an office to connecting remotely, trying to get their home PC, or a work PC transported to a different location. Our threats just exposed ourselves. We had fairly tight control of applications and communications methods, now we are opening up RDP and putting up a paved highway into our network. We have machines we have never seen before connecting into our network. This was a scary time for an IT leader.” – Robert Blain.
Once the dust had settled, and it became clear the world was not returning to pre-2020, Northern Rockies took a step back to re-assess the future of “Remote Work”, recognizing that it was not going to be as simple as “Work from Home” or “Work from Office” anymore.
Northern Rockies stopped to assess their needs: identity & authentication, multi-factor, remote access, external users, on the go access, and legacy applications. After partnering with Agilicus, they had a holistic solution, in both the time budget, and monetary budget they could afford.
Key Achievements
Implemented Single Sign-On Identity and Authentication for Northern Rockies staff, as well as third-party support staff
Provided SCADA remote access with Multi-Factor Authentication for operators of Northern Rockies water plant.
Improved efficiency in Copier to Cloud storage (box.com) connectivity while improving security posture
Enabled Northern Rockies to work from anywhere, on any device, increasing team satisfaction and productivity
“Agilicus is the tool I wish I had in my toolbox from the start.”
– Robert Blain, Manager of Technological Services, Northern Rockies Regional Municipality.
Customer Profile
The Northern Rockies Regional Municipality, nestled in the northeastern expanse of British Columbia, Canada, is characterized by its vast and remote landscape comprising 10% of the provincial land mass and a population of approximately 5,000.
The municipality provides essential services to its residents. These services encompass a wide range, including the crucial provision of water and wastewater treatment, ensuring the health and safety of the community. The maintenance of roads as well as the provision of fire protection and emergency response services are also key priorities, supporting accessibility and security within the region.
In addition to these core services, the Northern Rockies Regional Municipality also provides other administrative and support services to its constituents including land use planning, building permit issuance, bylaw enforcement, and community development initiatives.
Challenges
Stepping back to reconsider and rethink after the sudden surge of pragmatic decisions made at the start of Covid- 19, Northern Rockies realized they had several key challenges to switch from “make it work” to “make it right” on the next phase. Reverting to pre-2020 became apparent as a non-option, meaning anyone can work from anywhere is the new norm.
Some specific challenges that came out of this realization include:
Controlling Risk
Usability & Efficiency
Network Limitations
Equipment Limitations
Ensuring Compliance
Point Solution Cost
“We had fairly tight control of applications and communications methods, now we are opening up RDP and putting up a paved highway into our network.”
Controlling Risk: Being geographically remote means nothing for cybersecurity risks – everybody is just a ping away on the Internet. When Northern Rockies transitioned from all on-site to Work From Home during Covid-19, their risk profile instantly went from low to high instantaneously. Skillsets, budgeting, and staffing did not move at the same speed. They remained a small municipality with stretched budgets. Applications formerly only on-premise with known people using them locally suddenly had a much broader attack surface possible.
Municipalities were investing in insurance as a means of reducing the financial exposure, but changes in the insurance landscape were catching up. In order to be insurable, you had to control the risks.
Key challenges in controlling the risk included items that Northern Rockies did not yet have in place:
Strong identity & authentication of staff, vendors, and contractors
Multi-factor authentication
Tighter access controls than a VPN could achieve to reduce blast radius
Usability/Efficiency: Expanding the envelope of IT support into staff homes and personal devices was not sustainable. The resources were inherently on-site, on premise. And some of those resources were not going to change any time soon (tax, payroll). Northern Rockies needed a means for task-workers to use the resources they needed, from the location they were at, in a way that the IT team could manage and support. The solution needed to be something that was simple and familiar to these workers, and not require major changes to workflow or retraining.
Networking Limitations: In the summer of 2024 Northern Rockies experienced unprecedented wildfires. These fires impaired the communications infrastructure. Key critical infrastructure, including the water treatment plant needed ongoing maintenance, but it was unfair to ask staff to go and live there during a period of evacuations.
Northern Rockies acquired a satellite internet system to solve the telecommunication infrastructure, but found that it could not work with VPN technologies since it did not have a public IP nor the ability for inbound connectivity.
Legacy Applications and Equipment Limitations: Like many municipalities, workflows around email and shares had grown entrenched. Smart devices including printers and copiers were often left out of the cloud services due to lack of consistent identity and authentication. This created needless toil for the staff using them. In the case of Northern Rockies, there was a new copier that could not integrate with their Box.com cloud service, forcing staff to swivel-chair data.
A key budgeting tool also proved difficult to use. It could work via Remote Desktop, but then each user needed a remote desktop machine to log into. Theoretically it could work remotely, but its use of a share hindered this. The application proved too slow to use natively over a VPN due to network latency.
Compliance: Northern Rockies had found during their risk evaluation that multi-factor authentication was going to be required, and had specific applications that didn’t natively participate in any form of modern identity or authentication. CISA (Critical Infrastructure Security Agency) shows that implementing multi-factor authentication makes you 99% less likely to be hacked.
The idea of selecting, implementing, training, operating a multi-factor authentication for all first and third party users for all applications was seen as too expensive in both time and money for the limited resources of the company.
Point Solution Cost: Existing point solutions included web-based HMI access for their SCADA environment were proving difficult to maintain and expand. The overall implementation and operation cost of the various point solutions was hard to manage at the pre-Covid scale, and expanding that strategy to all applications and users was outside the scope and budget available.
“The difference in cost of an identity provider versus the cost of the entire Agilicus platform was $1. I can’t find a VPN for $1. We needed that identification of the user, we paid for that, and the rest was a freebie, that’s how I sold it to my executives. And it wasn’t a smoke show, it was things we would use.”
Solution Evaluation
Northern Rockies evaluated different methods:
VPN per user with local application install
- Overlapping IP Addresses
- Software/Client required on device
- Firewall/Network configurations needed
VPN per user with remote desktop
- Does not support Multi-Factor Authentication
- All-or-nothing access to local applications
- Shared password to access RDP
Remote Desktop Gateway
- All-or-nothing access to entire network
- Exposes the network to lateral traversal
- Perimeter based security (Castle & Moat)
Full cloud & SaaS migration
- Long-Term deployment to get live
- Complete retraining and new workflows
- Does not meet budget / time constraints
Each came back to some of the same challenges:
Lacking consistent identity and authentication
Licensing/managing software on remote machines
Dual infrastructure of remote machines with location remote desktop machines
Applications like SCADA physically tied to infrastructure
Inconsistent abilities between staff and vendors/contractors
Inability to work with specific network challenges such as satellite
During this evaluation, Northern Rockies attended a webinar delivered by Agilicus, explaining the mantra of “Any User, Any Application, Any Device, Any Network”, delivered via a Zero Trust Network Architecture.
Evaluating the Agilicus AnyX platform, Northern Rockies found it ticked the key checkboxes:
Consistent identity and authentication for all first and third-party users using existing Identity Providers
Stitched the copier to box.com via SAML, consistent identity and authentication included a device
Identity Aware Proxy allowed simple, quick hook up to existing applications without rework
Operated with the various network technologies including satellite access
No software to install for end users, no specific hardware required
Provided multi-factor for all users, without new hardware, without changing or reworking legacy applications
“How are we going to do multi-factor. Who’s going to manage our identities. … Its not just MFA, it’s not just VPN. We looked at the economies and Agilicus was the same cost as one of the sub-pieces, but it did all of it. And it became, woah, something we couldn’t afford to not do.”
Agilicus AnyX Evaluation & Implementation
“This implementation didn’t take days/weeks to engineer, it took hours. The implementation probably took 15 minutes max. There was not a whole lot of learning, the uptake was very quick.”
Northern Rockies was able to fully implement Agilicus AnyX during the evaluation phase without financial risk, without new hardware, without changing any existing systems.
Agilicus AnyX is pre-integrated to Microsoft and Google identity providers, meaning it works with any user with a Microsoft account (Office 365, Entra, Outlook.com), or a Google account (Workspace, gmail), without any config. Regardless of company. This meant their staff and contractors could be enabled with no work, no-integrating existing applications.
Northern Rockies deployed the Agilicus Connector initially on a Docker container, and then on a Windows 10 virtual machine, as well as a Windows 7 physical machine in the water treatment plant, covering each segment of their network. The self-updating and self-maintaining nature of the connector made it fire-and-forget: once installed there is no configuration or maintenance needed. Once the Agilicus Connector was deployed, Northern Rockies enabled a Desktop to get to the SCADA server, a web interface (thin client) to get to the SCADA HMI, a share + web application for the budgeting tool, and a web application for the GIS.
Users now could open a web page, which would show a launch pad of applications, from any browser, on any device. Multi-factor was kept in the web domain for a simple seamless single sign-on experience no different than email.
End users instantly had access through only a web browser. No software to install or manage on their machines.
The blast radius was kept to the specific needs of each user – no lateral traversal or ransomware worries like in a VPN case.
With no VPN, there was no change in routing for each user, meaning their experience of accessing local devices was unchanged.
Results and Benefits
Specific outcomes included:
- Single Sign-On authentication for all users, regardless of role or company
- Simple revocation of rights, integrated with HR systems
- Multi-factor authentication to the SCADA plant, the key business systems
- Removal of VPN technologies, saving cost, saving risk
- Reduced cyber security risks by fine-grained authorization, full audit trail
- Remote access now usable, viable for SCADA operators of water plant
- Increased operational efficiencies
From a financial perspective, the project saved Northern Rockies money immediately. This savings came in several key areas:
1
Integrated multi-factor authentication meant no new stand-alone vendor
2
Integrated secure remote access meant no standalone VPN vendor
3
Reduced staff cost of managing external devices due to all-in-browser
4
Reduced license cost of duplicate licenses on external devices
5
Direct access for vendors and contractors without requiring site visits
In addition to the specific usage outcomes and financial benefits, another benefit was a significant reduction in risk due to the improved security posture:
- Fine-grained audit on all actions of all users (authentication, access)
- Reduced blast radius due to no VPN: a given user can only access a given application with their role, no need to worry about a bad USB key or a phishing email walking sideways
- Consolidate third-party IT risk into browser rather than OS + installed software
- Compliance with insurance requirements, industry best practices through multi-factor, zero trust.
In addition to the risk reduction, a significant benefit was obtained due to end user efficiency and satisfaction increases.
Single web-based launch pad for all applications
Single Sign On for all applications (no new identities or passwords)
No VPN start or fail
No VPN to interfere with video conferencing
Any device: tablet in the truck, PC at home, phone on the go
Conclusion
Efficiency and satisfaction went up, cost and risk went down.
Northern Rockies is now well positioned for the next 15 years of IT modernization. They have a strong identity and authentication system for all users. They have secure, seamless SCADA remote access for their critical infrastructure, unhindered by the complexities of satellite internet. They have increased their efficiency in key business workflows from paper to cloud. And, most importantly, their team can work from anywhere, on any device, on any network, increasing satisfaction and productivity.
Northern Rockies successfully transitioned from “all on site” to the chaos of COVID-19, to a modern zero trust enabled work from anywhere environment through the power of Agilicus AnyX.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7
info@partner.com, +1 555 555-5555
1 Main Street, Townsville, ON, Canada. POST-CODE