Digitally Enabling Workers with Secure Access to Web Applications through Zero Trust
One of Canada’s smartest cities is using the Agilicus AnyX platform to digitally enable mobile workers with secure access to web applications through a Zero Trust framework. Our customer provisioned a series of web applications to digitise analog processes, achieve compliance requirements, and deliver secure access for its diverse workforce, but faced a number of security and deployment challenges.
Read the case study and learn how Agilicus AnyX has been used to onboard over 1000 users and deliver frictionless secure access to custom web applications without the need for a VPN, new usernames, passwords, or active directory licences.
Enabling the Modern Workforce with Secure Access to Web Applications through Zero Trust
Situated outside of the Greater Toronto Area, our customer is recognised as one of Canada’s smartest cities and is home to many leading technology companies and universities. With a shared mandate of workplace health and safety, leadership, compliance, and fiscal responsibility, our customer is dedicated to ensuring service excellence for its citizens and employees. Our customer’s IT organisation provides technology support to the team of elected officials, staff, and volunteers to help achieve these mandates and deliver municipal services.
In order to deliver on these mandates, our customer commissioned several productivity and compliance applications from a third party, but faced considerable challenges in securely deploying them to the workforce.
Application deployment challenges
- Firewall could not handle inbound traffic as reverse proxy for multiple sites/apps
- Needed to keep app data in existing on-site system
- Wanted to get the apps into the hands of users without new logins to the existing system, new passwords, or active directory licences
- Users needed to be able to access the applications from anywhere, without a VPN
Leveraging Web Applications to Digitally Enable Mobile Workers and Improve Productivity
Our customer commissioned three business applications from a third party to improve productivity and help meet compliance requirements by digitally enabling end-user employees, contractors, and other personnel who are mobile and have no fixed workspace or location. These applications were critical for the organisation to digitise analog processes, streamline record keeping, manage costs, empower mobile users, improve productivity, and achieve various compliance requirements such as hours of service for commercial vehicle operators.
In order to achieve this objective, the IT organisation at our customer had to overcome several key implementation roadblocks and end-user challenges:
- The existing firewall was not capable of handling inbound traffic as a reverse proxy for multiple sites and applications.
- Requirement to keep data and application hosting on-site at the town hall.
- There could be no new passwords, usernames, or active directory licences involved in the application deployment to avoid costs and weak credentials.
- Nomadic, mobile, and deskless workforces without a fixed location where work is conducted needed to be able to connect without a company issued device or a VPN.
Many staff at the city are part of a mobile workforce that does not require a company issued device or they do not have tasks that require regular access to computers. However, the ability to leverage technology and productivity applications would significantly streamline the administrative duties that they must comply with.
Commercial Vehicle Operators
These users are off-premise and mobile. They do not have or require corporate issued devices to perform their duties and some may work as part-time contractors for the city. All commercial vehicle operators must log their driving hours for compliance with the Ministry of Transportation of Ontario. Our customer developed an application that would modernise this record keeping and better ensure compliance without burdening the end user operator.
Seasonal workers such as the lifeguards, park workers, and city maintenance personnel for our customer are required to complete online safety training. This compliance requirement is in place to help create a safe environment for staff and citizens. It is impractical to issue corporate devices or active directory licences to seasonal workers.
Volunteers and Extended Teams
The workforce for our customer comprises part-time employees, contractors, and volunteers in addition to the full-time staff. Technology solutions ensure that organisation resources can be digitised, preserve the privacy of city personnel, and help the volunteers and extended team members be more effective in their roles. The volunteers and extended team members do not require active directory licences or company issued devices to support the city.
Taking a digital first approach was only natural for our customer, but getting their users onboarded to the various productivity web applications was met with several implementation and cybersecurity roadblocks.
Stakeholders from the IT and Business Applications teams would be involved in the deployment process, each with their own unique requirements. In working with the IT organisation at the city there were several unique needs that were quickly identified, which had to date prevented the organisation from adopting web applications for productivity:
- “We think to keep our data we must host it. But, that means our firewall needs to handle multiple unique systems behind it by host name, which is a type of reverse proxy. It doesn’t handle that, our team doesn’t know how to make that happen, so we are blocked.”
- “We don’t want/won’t allow new usernames or passwords, they get written down.”
- “We must hold our data.”
While the applications created by the third party were built to spec and capable of driving new efficiency and productivity for the city, there were a number of implementation roadblocks that had to be overcome before they could be deployed to the end users.
Like all municipalities, our customer must adhere to the Municipal Freedom of Information and Protection of Privacy Act and retain data to meet regulatory obligations. As a result, the city has chosen to be the custodian of its own data which also aligns with the internal backup strategy, need for data integrity, and self management of enterprise applications.
People are maintaining an incredible number of usernames and passwords. Having end-users manage yet another set of access credentials was viewed as both a burden and a cyber risk. The use of weak and shared credentials would leave private applications open to brute force and credential stuffing attacks. Likewise, enforcing strict password policies would lead to weak passwords being used, or to credentials being written down or stored insecurely.
The ability to manage user access and privileges was important to the IT team. Unfortunately adding licences to the active directory would be both expensive and impractical due to the transitory nature of some of the users (e.g., seasonal workers, volunteers, etc.). Considering a significant portion of the end-users would be seasonal, volunteer, or in the field, it also didn’t make sense to issue licences that came with business applications such as document editors. However, the team still needed the ability to add or remove users and manage their access privileges without adding new active directory licences.
Digital Workforce Enablement through a Zero Trust Network Architecture
Technology plays a pivotal role in the strategy and execution of municipal services at the city. The ability to extend secure access to remote and mobile workforces would only benefit the city in its mission to deliver service excellence for the citizens while fostering a safe work environment.
The Agilicus AnyX platform offers a Zero Trust Network Access solution that quickly and easily allowed our customer to onboard users, retain custody of their data, and deliver end to end security, all without the need for new usernames, passwords, or active directory licences.
By using the Agilicus AnyX platform, our customer would be able to scale adoption of its business and productivity applications, getting them into the hands of their remote and mobile end users.
What is Agilicus AnyX
AnyX removes the complexity of extending secure access to web applications for authorised employees and non-employees. The platform puts organisations in full control with role-based access controls and granular auditing logs.
Users can easily self-onboard as the platform federates identity and enables single sign-on. Organisations can maintain their native active directory and the preferred identity providers of their partner organisations.
The AnyX platform ensures any user can securely connect to any application, resource, or desktop from any device while bolstering defences with a modern approach to cybersecurity.
No VPN – No Hardware – No Client
To ensure our customer could be the custodian of its data and be in control of their own fate, Agilicus introduced a hybrid cloud architecture through a three-tier approach to hosting the applications.
The web application runs in the web browser, while a database is hosted on site at our customer and serves as the ultimate data repository. A web server sits in the middle and acts as an API (application programming interface), connecting the end user’s application with the hosted database.
These connections are each secured by Agilicus’ unique, identity-aware web application firewall. One sits between the end user and the web server. Another sits between the web server and the database backend, ensuring the city could self-host the databases. In this hybrid model where the backend data stays on premise, a workload firewall that uses mutual TLS and SPIFFE ensures only the specified application can access only the specified resources in the database.
The AnyX platform easily federates identity so that organisations like our customer can quickly onboard users and link an electronic identity with a given user’s privileges to specific applications and resources. Our customer was able to extend secure, convenient access via single sign-on to its users without having to add active directory licences by enabling social login.
That means, when a seasonal worker, part-time hire, or volunteer joins the organisation, they simply have to provide a Gmail or other such ID to be given access. Every user that needed to onboard was able to do so without requiring a single new password or username. This is an integral function of the Agilicus AnyX platform where by design no user names or passwords are stored.
In addition to Agilicus being able to federate identity, the AnyX platform provides administrators with the capability to enforce multi-factor authentication for any resource or application. Our customer’s users could easily be required to authenticate through a second factor to prove their identity and gain access to their business and productivity applications.
By leveraging a user’s electronic identity to provide access, our customer is able to benefit from role-based access controls and fine-grained authorisation capabilities. The result is simplified user management, where administrators can easily add or remove end-users from any application, instantly.
Role Based Access Controls
Role-based access controls allow administrators to grant privileges to users so that they may access information and resources they need for their jobs while preventing them from accessing unrelated resources that they do not have permissions for.
Simplified User Management
Users can be added or removed from any application instantly (seasonal workers, part-time employees, contractors, or other job actions).
The city quickly scaled the adoption of web applications onboarding over 1000 users without requiring new usernames, passwords, or active directory licences.
The zero trust framework through Agilicus AnyX was so effective the IT organisation soon delivered secure access to 10 web applications across city workers.
$100K Savings Per Year
Our customer was able to find considerable cost savings of at least $100 per user, per year by not having to purchase additional active directory licences or adopt another identity provider.
Digitising Analog Processes
Additionally, shifting analog record keeping to digital better equipped city team members for meeting compliance requirements.
Some use cases included phone lists and directories, which when delivered via web application through AnyX enhanced individual personal privacy and data security without limiting accessibility to authorised staff and volunteers.
Our customer was able to quickly scale adoption of web applications across the city and onboard over 1000 mobile users and enable secure access to the respective business and productivity applications. That has allowed the city to accomplish compliance requirements, streamline administrative tasks, and drive productivity by leveraging technology and web applications. Most significant was the ability to achieve those objectives without compromising on cybersecurity standards and without having to purchase and issue new active directory licences.
The value of getting these mobile workforces online quickly became apparent with demonstrable business impact. The various teams at the city were suddenly able to shift from analog and in person methods of performing specific job functions to entirely digital, 24/7 accessible resources that would be available on any device. After the adoption of the initial run of applications and due to the scalable nature of the Agilicus AnyX platform, our customer quickly went from three productivity applications to 10.
Agilicus AnyX allowed the IT team to introduce web applications across departments with use cases varying from administrative services (payroll, HR, training, inventory management, directories and phone lists) to more tactile use cases such as fire services and bylaw enforcement. In fact, the Agilicus AnyX platform became a marquee solution for the Bylaw Department within the city and allowed this organisation to retire legacy handheld devices in favour of modern smart devices. This significantly reduced the cost of delivering bylaw services for the city while adding increased flexibility for the bylaw officers.