The Idaho Department of Health and Welfare needed to implement a secure, federated single sign-on capability for internal systems and Microsoft Office 365. The agency chose F5 access policy and security solutions to simplify identity and access management. The result is a more flexible IT environment with strong security and fewer systems to maintain.
The mission of the Idaho Department of Health and Welfare (DHW) is to promote and protect the health and safety of Idahoans. The agency designs programs and services to help people live healthy and productive lives and to strengthen individuals, families, and communities. Like many government agencies, DHW faces tight budget constraints and limited resources even when people need its services most, so maximizing IT savings and efficiency is an ongoing job.
As part of this effort, for more than 13 years DHW has used F5 BIG-IP Local Traffic Manager (LTM) as a comprehensive solution for intelligent traffic management. In June 2015, the agency began implementing initiatives to further improve its IT efficiency. These included consolidating appliances and replacing them with blade chassis, strengthening security, and adopting Microsoft Office 365 cloud-based services.
By switching from its on-premises Microsoft server software—particularly Microsoft Exchange Server and SharePoint Server—to the Office 365 cloud, DHW will free up internal IT labor, management, and support resources. (Note that the agency is currently running Exchange Server in a hybrid configuration while the migration proceeds.)
However, to make the most of its Office 365 deployment, DHW wanted a seamless, federated single sign-on (SSO) solution. The solution would also have to be flexible enough to cost-effectively handle security and other enhancements, along with SaaS applications that the agency might add in the future.
DHW addressed its business requirements with four F5 VIPRION 2400 chassis. Each chassis supports up to four 2250 blades. The agency selected VIPRION for its scalability, flexibility, and support for easy appliance consolidation. DHW also chose F5 BIG-IP Application Security Manager (ASM) to replace Barracuda Web Application Firewall technology.
The agency considered several options for federation, including Microsoft Active Directory Federation Services. They decided to use F5 BIG-IP Access Policy Manager (APM) for authentication, federation, and identity integration with Office 365. The F5 solution enables them to maintain and strengthen the security posture of the agency with multifactor authentication for various user groups and business partners. “Supporting multifactor authentication is now easier than ever,” explains Corey Van Allen, Server Integration Lead at the Idaho Department of Health and Welfare. “I can now enable multifactor authentication in a few minutes.”
DHW evaluated the benefits of F5’s Good, Better, Best optimized volume licensing bundles. They had deployed F5 BIG-IP DNS (formerly BIG-IP GTM) to handle traffic management across two DHW data centers, and opted for the Best licensing model to add key security features and capabilities. Best licensing proved the most efficient way to adopt advanced DNS and security modules that could be readily customized for the agency’s specific needs.
With its comprehensive F5 solution, the Idaho Department of Health and Welfare gains the authentication and SSO capabilities it needs to make a seamless, federated connection to Microsoft Office 365. Security is stronger, even for older applications, and the solution components are highly reliable and well supported.
DHW is significantly increasing efficiency while raising the effectiveness of its network operations. The agency is able to reduce the number of physical devices and consolidate functionality into F5 appliances for traffic management, web application firewalls, VPN solutions, and access and authentication solutions. Its new deployment simplifies support and saves space.
The consolidation is a work in progress; so far, the agency has replaced 10 BIG-IP LTM devices with a pair of VIPRION chassis in each data center.
Van Allen notes that BIG-IP ASM, which is replacing Barracuda, makes finding web app firewall (WAF) problems easier. “In the past, if Barracuda blocked an application’s actions, the available methods to track down the reason were very coarse—all or nothing, allow or don’t allow,” he explains. “The methods for BIG-IP ASM are more like a fine scalpel that we can use to dissect the problem and make subtle tweaks. It’s just incredible compared to what we were dealing with before.”
One reason this is so important is that some existing applications were not designed with modern security threats in mind, or those applications came from different vendors that take different approaches to security. “Some of our older applications are porous, in terms of security,” says Van Allen. But it’s not feasible to rewrite applications to match the enterprise-class security capabilities available from the Office 365 cloud. Instead, he says, “We use BIG-IP ASM to protect them without crippling them.”
He adds, “I’ve completely embraced F5 as a security brand that I can trust. By choosing F5, DHW is tightening up security throughout the organization. My colleagues are buying into it too, the more they learn about it.” He says that increasing numbers of DHW employees are familiar with F5 technology and can learn how to use F5 products quickly. The result is a larger pool of talent to look at and solve security issues. And when training is necessary, Van Allen says, “The F5 instructors are really engaging. We bounce ideas off them and get great responses.”
A priority for DHW is a demonstrably secure hardware and software environment, in compliance with Idaho Technology Authority policies. The agency’s F5 solution provides comprehensive support for the critical security controls defined by the Center for Internet Security (CIS), which are at the core of the NIST SP 800-53r4 security framework recommendations for federal information systems.
Alvino Artalejo, Information Technology Bureau Chief for DHW, sees his F5 platform as key to meeting his department’s rigorous compliance requirements. “The F5 BIG-IP VIPRION deployment has enabled us to leverage the BIG-IP platform to meet security compliance of many of the CIS Top 20 Critical Security Controls. The alignment of the F5 Networks BIG-IP with the CIS Top 20 Critical Security Controls makes this platform a key component in our infrastructure for meeting security compliance.”
Van Allen found it quick and easy to get BIG-IP APM, F5’s access and security solution, up and running the first time in a test environment. “I set up a BIG-IP APM authentication solution within a few hours, versus days for a multi-server ADFS approach,” he says. He adds that the ADFS option, with its many Windows servers, would have consumed a lot of labor hours for both setup and day-to-day server maintenance.
DHW also sees SSO as a way to promote employee productivity and reduce the password management burden on IT. “We have SSO available for Office 365 now, which will make a world of difference for our employees in terms of more convenience and less frustration,” says Van Allen. And that’s just the beginning. The agency will eventually support SSO for accessing external applications beyond Office 365. “Employees won’t have the nightmare of signing in to separate systems with different credentials and manually synchronizing data among them.”
Continues Van Allen, “We’re in our infancy as to what we plan to do with BIG-IP APM. When we can implement a technology like this so easily, it’s very encouraging. BIG-IP APM is an amazing product.”
Regarding the reliability of the F5 products Van Allen has used over the last seven years, he says, “I think I’ve called F5 for support for three issues. One was hardware—I had a power supply go out. The second was a minor problem with a version upgrade. And the third was a bug we found in our VIPRIONs, which we readily solved.”
He explains that he and his colleagues rarely have to call because they can figure out problems on their own or consult the documentation on F5 DevCentral. On those rare occasions when they do call, says Van Allen, “The support staff is knowledgeable, fast, and efficient. It’s been a great experience.”
Van Allen concludes, “I’ve dealt with many vendors through the years, but F5 stands at the top, in terms of both people and technology. I’m ecstatic about working with this technology as we complete the move to Office 365.”