Simplifying the IT experience for Illinois state employees and residents
With nearly 13 million residents, the State of Illinois represents a microcosm of the United States. It includes Chicago, the third-largest city in the country, along with many smaller industrial cities and rural, agricultural communities.
To serve this distinct constituency, the state organizes an equally diverse set of agencies, boards, and commissions. Before 2018, most took charge of their own IT needs, but that year the state legislature created the Department of Innovation & Technology by statute, branding it with the no-nonsense acronym, DoIT.
“Prior to DoIT, each agency ran their own siloed operations, created and built their own applications, and ran their own infrastructure,” says Jennifer Ricker, CIO for the State of Illinois and acting secretary of DoIT. “As a result, we had thousands of applications on pretty much every platform and technology stack you can think of. When residents interacted with them online, they had to remember a different login and password for almost every one.”
Ricker’s vision for DoIT is to deliver best-in-class, enterprise-level services and innovation to the state agencies of Illinois so they are positioned to efficiently serve the residents of the state. By unifying and consolidating decades of legacy applications and infrastructure, DoIT is working with internal partners to create a simple, seamless experience. “Residents should have one place to go and interact with the state, and it should be as easy as possible,” she says.
Countering an increasingly targeted and aggressive threat landscape
While user experience is a top priority, Ricker and her team are also charged with protecting residents’ personal information, state intellectual property, and taxpayer dollars in a world where government entities face increasingly targeted threats.
“The threat landscape changed in the past year, year and a half,” says Ricker. “We see a lot more public ransomware instances and we’re dealing with sophisticated threat actors. They’re professional, they’re good at what they do, and they constantly refine their methods.”
Demands on government agencies increased in the pandemic as well, and staff has been asked to respond quickly and creatively to meet those challenges. Decades of legacy technology, however, created obstacles both to innovation and to securing the state’s IT systems against evolving threats.
“Some of those systems have been maintained well, while others haven’t been given a second thought for many years,” says Adam Ford, CISO for the State of Illinois. “Not only are we dealing with a more robust set of cybercriminals but we’re dealing with the whole gamut of technologies. By eliminating legacy solutions and centralizing services, we’re able to apply common controls and run the state like an enterprise-class cybersecurity operation.”
A Zero Trust approach, with identity at the center
DoIT modernization initiatives all work toward simplifying employee and resident interactions with the state while reducing the attack surface. With those goals in mind, the team has adopted a Zero Trust strategy, in line with President Joe Biden’s executive order addressing cybersecurity on May 12, 2021.
“It’s important that we not only help residents protect themselves when they’re interacting with the state, but also that we make sure state employees and partners who are working on our behalf also implement advanced authentication, leveraging multi-factor authentication and intelligence feeds to grant data access only to those who should have access,” says Ford.
“A fundamental tenet of implementing Zero Trust is knowing not just your assets and your data, but your users,” he says. “It’s impossible to secure a modern environment without taking on identity and access management and becoming proficient with it.”
A flexible solution offering standardization, scale, and interoperability
The team opted to search for a cloud-based identity provider rather than developing an in-house solution. “Ultimately, we found that going with Okta as-a-service solution freed us up from the day-to-day management of infrastructure and environment so we could focus on providing secure and reliable services to the residents of the state,” says Ford.
Okta brings standardization, scale, and interoperability to DoIT’s modernization initiative. “Flexibility is key,” he says. “We need to integrate with a variety of systems many different ways, and we can’t just turn off a major government program while we figure out how to implement identity securely in front of legacy programs.”
As hybrid IT has become the new reality for state governments, Okta also gives Illinois the flexibility and extensibility to provide seamless access to new cloud-based tools and applications, while also leveraging existing on-prem investments under a single identity. By directly integrating with all of the existing on-prem Active Directories administered by the various state agencies, Okta greatly expedited the time it would take for DoIT to consolidate secure access to centrally managed applications. Through the use of Okta’s prebuilt AD connector, state employees can use their existing AD credentials for SSO access, all while partnering agencies retain operational control over their user identities.
“The nice thing about Okta is that it integrates or works with both cloud-based applications and on-prem solutions,” says Ricker. “Whether the application is on-prem or in the cloud, it makes no difference.”
Starting small to build trust in the solution
The team initially focused on modernizing digital interactions for two groups: residents accessing services externally, and state employees and partners accessing internal resources. Preliminary plans included a full workforce rollout followed by projects to enhance resident experience.
When the Covid-19 pandemic hit, plans changed. DoIT responded with a small, targeted project to reorganize IT operations and deploy Okta Workforce solutions to state employees. With the help of Okta Professional Services, the team deployed Okta Single Sign-On, Okta Universal Directory, Okta Adaptive Multi-Factor Authentication, and Okta Lifecycle Management in less than two weeks. “We currently have about 17,000 internal users, and we expect that to go up as we add more applications,” says Ricker.
This initial project not only secured access to critical applications and tools so state employees could serve Illinoisans remotely—it also helped the relatively new DoIT build trust with other state agencies. As the pandemic continued to spread, the team leveraged that trust and capitalized on their initial success to quickly meet additional challenges.
Amid growing public health concerns, the team pivoted to implement Okta’s Customer Identity products.
DoIT again started small, collaborating with Salesforce to build a contact tracing solution early in the pandemic that targeted 3,500 local health department staff members. “We leveraged Okta to get secure user logins for contact tracers throughout the state,” says Ford. “We wanted MFA and threat feeds from the outset since this information might be interesting to criminal actors in nation-states.”
Because of the existing integration between Okta and Salesforce, the team was able to stand up the solution in just a few weeks. “The pace at which government was able to adapt securely was a pleasure to witness,” says Ford.
Next, DoIT moved to streamline and secure Illinois’ unemployment insurance (UI) system. Federal response to the pandemic brought an explosion of UI claims. “With Okta powering authentication and authorization, we were able to quickly apply the ILogin solution to the unemployment insurance system and significantly reduce fraudulent distributions,” he says. “Residents could use multi-factor authentication, self-service their logins, and have confidence their data is secure when they interact with us.”
A vaccine verification system came next. “The application we've rolled out allows the public to access their up-to-date vaccine information and card,” says Ricker. From planning to full deployment, the DoIT team launched the application in less than three months. The Okta-supported application comfortably processed 78,500 new users in the first month and over 642,000 users after five short months, all with zero downtime.
“Applying Okta to these two critical applications helped us highlight to the administration exactly why the solution was so critical,” she says. “the value proposition was clear, we now have the momentum to use Okta across the other applications we support.”
Secure access to more services, with less friction
Okta sits at the heart of the State of Illinois’ resident experience efforts that will ultimately centralize all resident services under a single login. DoIT branded those two initial public-facing efforts “ILogin.” The team expects the project to help residents take advantage of more state services with less friction, while also keeping sensitive personal data secure.
In the intense threat landscape that states face today, balancing the user experience with security is “almost a unicorn,” says Ricker. “IT modernization is both key to the resident experience and key to security,” she says. “Those two things are top of mind for us, and that’s why Okta is so fabulous: It hits both of those marks.”
The UI and vaccine verification applications have added about over 1 million Illinois residents to ILogin so far, and that success proves DoIT’s user-centric strategy is working.
“Unifying the identity experience helps us better serve residents on the first help desk call,” says Ford. “In addition, we’re able to push forward self-service capabilities so they can reset passwords or manage their MFA themselves. Most are familiar with the process—they do the same thing when they login to their bank, or medical billing, or their credit card.”
A dedicated team. A long-term relationship.
The State of Illinois is still early in its Okta implementation. “We’ve had lots of initial success,” says Ricker. “We needed to run into the fire and get things in place right away. Now, we’re stepping back to make a long-term plan.” The team has already issued a directive requiring Okta integration as a standard for new applications, and they’re developing a plan to retrofit other existing applications.
“We’re building out an experience where Illinoisans can use one identity to access a variety of systems,” says Ford. “As we bring more systems online and integrated with Okta, government services become more accessible, more useful, and more secure.”
“I see Okta as a long-term solution,” says Ricker. “As we set this solution in motion, it becomes an easily repeatable process with lots of room to grow. My vision is that residents don’t have to think about where to go when they need state services. They just know ILogin.”
About the Illinois Department of Innovation & Technology (DoIT)
DoIT's mission is to empower residents, businesses, and visitors in the State of Illinois through high-value, customer-centric technology. The DoIT team delivers best-in-class innovation to client agencies, fostering collaboration and empowering employees to provide better services across the state.