Business Case
#GR-56592 Enhance Cybersecurity for Cloud Core Business Systems (Next Generation Enterprise Resource Planning solution)
Enterprise-wide initiative
Confidential
Background
Today's organizations need a security model that adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they are located. The Department of Technology Solutions aligns the City's information technology infrastructure and systems to the business needs of the City's departments. The City's on-premises ERP solution is an essential tool for managing the City's financial and operational functions.
Currently, City employees have secure access to the on-premises ERP applications via the Global Protect VPN. However, Global Protect VPN does not provide adequate secure access to the cloud-based next-generation Enterprise Resource Planning (ERP) applications. In addition, the City's new cybersecurity insurance requires Multi-Factor Authentication (MFA) for access to systems holding sensitive data.
Technology Solutions is leading the transition from the on-premises ERP system to a cloud-based ERP system. To access next-generation ERP applications effectively and securely from anywhere, City ERP users will need to move from the current on-premises Global Protect VPN model to a cloud-based Zero Trust Network Access (ZTNA) framework.
Current Business Problem
Current on-premises ERP users need a comprehensive cloud-based security approach that verifies the trustworthiness of every user, device and application, from any location, before granting access to the City's cloud-based next-generation ERP resources.
• City employees must connect, and reconnect every 24 hours, to securely access on-premises City network resources; this is not a viable secure option for the cloud-based next-generation ERP because Global Protect does not provide secure access to cloud-hosted applications.
• Global Protect VPN lacks the controls needed to manage the security of the next-generation ERP application in the cloud.
• Global Protect VPN does not provide continuous trust verification (including Multi-Factor Authentication) or security inspection for cloud-based applications on mobile devices.
Current Pain Points
• The cyber security insurance requirement that key employees use MFA is not met.
• Global Protect VPN technology does not address the problem of implicitly trusting cloud network connections: it does not treat every connection, including those inside the network, as potentially compromised and in need of continuous verification.
• Global Protect VPN technology is not designed for cloud-based security.
• Hosting sensitive data in the cloud requires security that protects against unauthorized access. The City's current security posture does not provide this level of protection.
Desired Business Value
City of Durham's Strategic Plan Goal: Innovative & High Performing Organization
Initiative: Develop and implement a continuous improvement model that includes evaluation and process improvement to analyze and improve City services
The strategic goal of the Zero Trust Network Access (ZTNA) framework is to provide a more secure and reliable way to access the City's cloud-based ERP resources. This approach verifies the identity of users and continuously monitors activity and access requests to ensure that they are authorized and do not pose a security risk during the session.
Future State Benefits
• City employees will receive single sign-on (SSO) capabilities.
• City employees, based on position, will receive Multi-Factor Authentication.
• Security enhancements will match the cyber security insurance requirements.
• The ZTNA framework will reduce risk by treating every user connection as potentially compromised, helping to mitigate insider threats and data breaches.
• With the ZTNA framework, the City's next-generation ERP users can work securely from anywhere in the world (if approved) while accessing City cloud-based network resources, increasing their productivity.
• The ZTNA framework will help the City remain compliant by providing a comprehensive cloud-based approach to data protection and access control.
Future State Benefits cont.
• The ZTNA framework strengthens the City's security posture against advanced cloud-based threats, including ransomware and phishing, by verifying the trustworthiness of every connection and user to the cloud-based ERP.
• The ZTNA framework enhances the security of the City of Durham's cloud-based ERP by verifying the identity of its users.
• The ZTNA framework will protect the privacy of the City's next-generation ERP users by implementing strong authentication and encryption and by controlling access to sensitive data in the cloud.
• The ZTNA framework will improve security by helping to prevent cloud-based cyber-attacks, verifying the identity of all users, and continuously monitoring network activity.
Analysis of leading ZTNA platforms
Comparative Analysis
Features compared for Microsoft and Palo Alto:
• Enterprise Application agreement
• Continuous trust verification
• Continuous security inspection
• Protects all data
• Secures all applications
• Firewall in-use
• Can be upgraded and reprogrammed
• Detect and respond to anomalies in real time
• Every access request is fully authenticated, authorized, and encrypted before granting access
• Least-privileged access
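As an added illustration, not taken from this business case or from either vendor's product, the following Python sketch contrasts the current 24-hour VPN session model with the per-request evaluation the feature list above describes (encrypted, authenticated, authorized, least-privilege, continuously re-verified). The roles, ERP modules, MFA re-verification window and risk signal are assumptions chosen for the example, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed least-privilege map: constructed roles and ERP modules, not the City's real ones.
ROLE_MODULES = {
    "payroll_clerk": {"payroll"},
    "finance_manager": {"payroll", "general_ledger"},
}
SENSITIVE_MODULES = {"payroll"}  # sensitive data: MFA required (insurance requirement)
MFA_MAX_AGE_S = 3600             # assumed window before MFA must be re-verified
VPN_SESSION_S = 24 * 3600        # current model: reconnect every 24 hours


@dataclass
class AccessRequest:
    user: str
    role: str
    module: str
    encrypted: bool              # request arrives over an encrypted channel
    device_compliant: bool       # device posture as reported by endpoint management
    mfa_age_s: Optional[int]     # seconds since the last MFA; None means never
    session_age_s: int           # seconds since the user first connected
    risk_signal: bool = False    # anomaly flagged by monitoring during the session


def vpn_decision(req: AccessRequest) -> str:
    """Legacy model: one check at connect time, then implicit trust for 24 hours."""
    if req.session_age_s > VPN_SESSION_S:
        return "reconnect"
    return "allow"  # anything inside the tunnel is trusted, whatever it asks for


def ztna_decision(req: AccessRequest) -> Tuple[str, str]:
    """Zero-trust model: every request is re-checked; returns (verdict, reason)."""
    if not req.encrypted:
        return "deny", "request not encrypted"
    allowed = ROLE_MODULES.get(req.role)
    if allowed is None:
        return "deny", "unknown role"
    if req.module not in allowed:
        return "deny", "least privilege: role not granted this module"
    if not req.device_compliant:
        return "deny", "device not compliant"
    if req.module in SENSITIVE_MODULES and (
        req.mfa_age_s is None or req.mfa_age_s > MFA_MAX_AGE_S
    ):
        return "step_up", "MFA missing or stale"
    if req.risk_signal:
        return "deny", "session revoked on anomaly"
    return "allow", "verified"


def compare(requests: List[AccessRequest]) -> List[Tuple[str, str, str]]:
    """Return (user, VPN verdict, ZTNA verdict) for each request."""
    return [(r.user, vpn_decision(r), ztna_decision(r)[0]) for r in requests]


# Constructed sample requests, all within a live 24-hour VPN session.
SAMPLE = [
    AccessRequest("alice", "payroll_clerk", "payroll", True, True, 600, 3600),       # all checks pass
    AccessRequest("bob", "payroll_clerk", "general_ledger", True, True, 600, 3600),  # module outside role
    AccessRequest("carol", "finance_manager", "payroll", True, False, 600, 7200),    # non-compliant device
    AccessRequest("dave", "finance_manager", "payroll", True, True, 7200, 7200),     # MFA older than window
    AccessRequest("erin", "finance_manager", "general_ledger", True, True, 600, 3600, risk_signal=True),
]

if __name__ == "__main__":
    for user, vpn, ztna in compare(SAMPLE):
        print(f"{user:6} vpn={vpn:9} ztna={ztna}")
```

Running the block shows the point of the comparison: the VPN model answers "allow" for all five requests because each sits inside a valid 24-hour session, while the per-request model denies the out-of-role module, the non-compliant device and the flagged session, and forces an MFA step-up for stale authentication on a sensitive module.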
Comparative Analysis
• Microsoft and Palo Alto offer similar features and capabilities.
• The City of Durham has a multi-year Enterprise Application agreement with Microsoft that already includes ZTNA features.
• Palo Alto requires additional, expensive annual licensing fees to access its zero trust capabilities.
• Both Palo Alto and Microsoft ZTNA require an upfront one-time cost, but Microsoft ZTNA professional services cost one-tenth of Palo Alto's.
Recommended Solution
Recommended Solution: Microsoft ZTNA
Description
• Microsoft's Zero Trust Network Access (ZTNA) is a security framework that helps mitigate the risk of cyber-attacks by treating every user, device and connection as untrusted until it has been verified.
• Organizations with mature cybersecurity programs have implemented ZTNA to keep pace with the evolving threat landscape and regulatory compliance requirements.
Pros
• Improved security: the ZTNA framework helps prevent unauthorized access.
• Provides both MFA and single sign-on.
• Protects access to sensitive data in the cloud.
• Meets the insurance requirement.
Cons
• Implementation requires external professional services.
Why Microsoft's ZTNA security framework?
1. The Microsoft ZTNA framework integrates with the City's other Microsoft security tools and systems.
2. The City of Durham is already a licensed Microsoft customer.
3. User experience: the Microsoft Zero Trust framework provides a seamless experience for users by enabling secure access to resources from anywhere, at any time, and from any device, at no additional licensing cost under the existing agreement.
4. The Microsoft ZTNA framework enhances productivity while maintaining security.
5. Simplified management: the Microsoft Zero Trust framework allows centralized security policy management, which simplifies creating and enforcing security policies across multiple devices and platforms. This reduces the administrative burden on IT staff and improves efficiency.
6. With the Microsoft Zero Trust framework, the City's Cyber Security team gains a clearer view of who is working in the cloud, which resources they are accessing on-premises and in the cloud, and when those resources were accessed. This helps the team detect anomalies and respond quickly to security threats.
Recommended Solution - Project Financial Estimate
COST ESTIMATES
Labor $ (Hours) - Internal TS Department: 166 hours implementation, 80 hours/year post-implementation run (KTLO)
• Business Analysis: 50 hours implementation, 0 hours/year run
• Cybersecurity Analysis: 26 hours implementation, 40 hours/year run
• Project Management: 50 hours implementation, 0 hours/year run
• Cloud/On-Prem Data Center Services: 40 hours implementation, 40 hours/year run
Professional Services (external, one-time): $138,059
• Engineering: 475 hours, $111,264
• Project Management: 118.75 hours, $26,794
External Labor: $0 implementation, $0 run
Non-Labor $
• Software: $0 implementation, $0 run
• Hardware: $0 implementation, $0 run
FUNDING
• Departmental Funding Amount: $18,200
• Funding Requested (Y/N): Y
• Internal Labor New FTE – Year 1 Costs: $0
• Project One Time Costs (External): $138,059
• Project Run Costs: $0
• *Total Project Funding Cost: $138,059
• Funding within TS budget: $18,200
• Additional funds requested for project: $119,859
* Total Project Funding Requested Year 1 includes New FTE Labor, External Labor and Non-Labor
Risk Identification
Description of Risk / Risk Impact (High/Medium/Low) / Mitigated (Y/N) / Contingency (Y/N)
• Poor Execution: Low / N / N
• Vendor performance: Low / N / N
• Cyber Security: Low / N / N
• Project team turnover: Low / N / N
Mitigation Risk (Costs): N/A
Contingency Risk (Costs): N/A
Our ask...
We are asking the IT Governance Steering Committee to approve the business case for deploying the Microsoft ZTNA framework, in order to enhance the City's overall cybersecurity posture and to prevent unauthorized users from accessing or changing configurations within the City of Durham's cloud and on-premises platforms.