North Dakota: IT operations faring well in the coronavirus pandemic

If it’s any indication as to how well North Dakota is faring under the coronavirus pandemic, it was just reported this week that the state is under serious consideration for hosting National Hockey League postseason games in Grand Forks. Obviously, such a decision would be clearly premature at this time, and there still are significant challenges ahead related to the pandemic in the Peace Garden State, and across the country.

However, this attitude and public confidence about the state’s condition in the era of the pandemic is could be attributable to the apparent resiliency and smoothness of the state government’s continuity of operations plan (COOP) and implementation.

North Dakota state Chief Security Officer Kevin Ford

In our recent discussion with North Dakota Chief Technology Officer Duane Schell and Chief Security Officer Kevin Ford, the portrait they sketch out on the state’s readiness is pretty impressive.

“Obviously things have been busy here, helping all the organizations that are in response mode, providing them with the data, providing them with technology, like most organizations we have shifted rapidly to a telework scenario, enabling almost 7,000 state employees that typically come to an office every day into a telework scenario. It was a big undertaking for us,” said Schell.

As other states have quickly recognized, the supply change presented significant challenges for North Dakota in terms of provisioning state employees for the telework environment. As part of the state’s pandemic or disaster recovery planning protocols there was a VPN infrastructure already in place.

“But obviously, pushing this kind of volume through it on a sustained basis was very new to us,” Schell said.

Pack up your employee desktops and take them home

He admitted that from a device perspective, many state agencies and government entities that his office supports already had laptops; however, many others had only their desktops in the office. “As I think everybody knows, supply chains have been backed up for a little while. So, we took the stance of whatever device you have is the device you’re going to go with. So we helped lots of employees pack up their desktop devices, move them home, and set them up,” said Schell.

He explained that to compliment the hardware side and to facilitate the transition they created numerous training videos, training curricula and other support methodologies.

While reaction and response to a hundred-year pandemic cycle across the country is revealing, government IT officials still have the mundane blocking and tackling issues to address on a day to day basis. Perhaps most troublesome and challenging are the ever increasing compliance mandates emerging from the federal government but also often from well-intentioned state government legislators as well.

According to Ford, this applies to North Dakota and then some. “North Dakota is pretty unique. We like to say we are one of the heaviest regulated organizations in the world,” Schell said. They have the usual suspects: HIPAA, IRS, Criminal Justice Information Services and so forth. “But in addition, as far as I know, we’re the only state that actually also runs its own bank. So we have a number of [Federal Deposit Insurance Corporation] regulations in place as well.”

North Dakota state Chief Technology Officer Duane Schell

I opined that this must facilitate North Dakota cannabis-related businesses access to financial services so challenging to other states, but that’s a topic for a future column.

Ford believes the largest struggle is just constantly balancing the various requirements of each of these regulations, building crosswalks so that each regulation aligns to the other so they can have an overall view of what has to be done to comply, by whom and by when.

“One of the biggest solutions to me or one of the things I’ve been advocating for a long time, would be to really standardize any federal regulation around one framework, potentially that’s in a cybersecurity framework, or the [National Institute of Standards and Technology] risk management framework, or something along those lines,” he said. Standardization is the key.

Another pressing challenge for state government is the identity and access management (IAM) issue. It’s most critical in normal times for secure access, but absolutely indispensable in our new telework environment. North Dakota is one of the more consolidated or centralized states in terms of its IT operations.

“At the core of IAM, North Dakota now has a single domain, single forest around our active directory domain,” Schell said. Consequently, the challenges that people have faced over the years with different identity stores is not nearly as significant now.

In addition the state has a separate inside facing active directory that’s more than a decade old for citizens and external parties for authentication.

“So I’m not just suggest we’ve got it all figured out. We definitely don’t and there’s a lot of work we want to do there, and we are in the middle of a project evolving that as well,” Schell said.

Some states relaxing MFA while ND doubles down

Ford added that one of the most interesting things he’s learned about the impact of the coronavirus on IAM in discussions with his colleagues in other states has been their move to actually relax multi-factor authentication (MFA) and access control. North Dakota in fact chose just the opposite.

“One of the things we chose to do here in North Dakota, particularly because we are so centralized, is we actually doubled down and made MFA mandatory for more or less the entire workforce as they moved home,” Ford said.

And the rollout has been a lot less dramatic than was anticipated. While he said that moving the workforce home and enabling MFA at the same time is probably not advisable in larger, distributed networks, for North Dakota, given its size and centralization, it was actually very easy.

Ford also elaborated further on identity proofing and the initiative involving modernization of the directory for citizens and other outside stakeholders.

“North Dakota, as Dwayne said, is building a directory so that citizens can have a citizen based login. And, and we are tying identity proofing to different levels of access to that login,” he said.

Zero trust critical cybersecurity component

In addition, zero trust is a critical component in North Dakota’s cybersecurity strategy as Schell explained.

“I think we were one of the early adopters in that practice. As we looked at our data center, which is where we started, but nowadays, it extends into various cloud type services,” he said. The state was able to adopt zero trust in a very fine grain, micro segmentation model across all of the applications in their data center.

Speaking of applications, many states again as a result of the pandemic and resulting job losses have faced a deluge of citizens trying to access online unemployment claims systems. These in most cases legacy systems 30-40 years old have had to be periodically shut down, even issuing cuing systems whereby system access is limited to days of the week based upon the first letter of last name. Fortunately North Dakota has so far encountered no serious disruption. Schell admitted that claims were coming in fast and furious; however Job Service North Dakota, which runs the program, has done a great job.

“They’re scaling up their staff, and our business partners that are supporting these technologies along with our own team have done a really nice job, making sure it continues to perform and meet the needs of the citizens of North Dakota,” Schell said.

I remarked that as a result of my discussions with dozens of state and local IT leadership around the country the last month, I believe that through their expertise, experience and hard work the role of the chief information officer and CISO have never been more critically tested, and valued. Employing a Churchillian phrase, perhaps their finest hour. It certainly applies to our friends in Bismarck.