Betting on identity-first security pays off for City of Las Vegas

Gary Flood Profile picture for user gflood June 19, 2023
The City of Las Vegas’ use of Veza and Least Privilege means move to hybrid is proving safe

An image of the city of last vegas at night from the sky
(Image by David Mark from Pixabay)

The official leading IT at City of Las Vegas, Nevada says its transformation from a centralized, legacy infrastructure to hybrid multi-cloud is improving delivery and interoperability.

But the upgrade has also created potential new security risks, as data is now shared and stored across multiple systems and applications. 

So, to deliver this level of change, a new approach for employee access to organizational data has had to be introduced.

The good news is that doing so means the team is much better able to map identity to appropriate data access.

And by using a solution that does this across both SaaS apps and on-prem systems is improving overall access security, meaning the City is able to better meet its compliance requirements, and reduces its overall risk from data leaks or ransomware.

Las Vegas is Nevada's largest city and economic center, and so the City needs to provide public services for 650,000 residents and 42 million annual conference, leisure, and entertainment visitors.

We spoke with Mike Sherwood, Chief Innovation and Technology Officer at the city government of Las Vegas. He says:

Vegas is a great place to live and work, and though the pandemic kind of slowed things down a little bit for us, we’re coming back strong; there are a lot of great new entertainment venues coming online, and the need for people to work those is going to be there.

But great places always have challenges.

That centered on a need for the City’s systems to be both highly available and cost effective to run, but that was getting more and more challenging by keeping things on-prem, he says. 

A decision was therefore made to build in more cloud solutions to be able to provide services to the community in a faster way - but, he adds:

As we did that, we started realizing that we had a lot of people working on our systems, from developers to many different verticals in the organization.

Sherwood contrasts the situation of physical services, where it was a lot easier to control data access, and multi-cloud which is more difficult to manage.

This necessitated going to the market to find a secure way of protecting data, as it started getting exposed and shared to multiple new business systems.

This discovery process eventually led to a conversation with “identity-first security” specialist Veza, which markets an authorization platform that maps user identity to the data they have access to.

A new need: controlled application access

On the use of Veza, Sherwood explains:

There was no easy way for us to manage thousands of permissions across different systems for employees, contractors, interns, and consultants. Cloud can be very secure, but we’ve all seen developers create an environment so that it exposes data and information, and regardless of whether that’s test data or live data, who has access to it and what they can do with it is all important.  

The Las Vegas brand is about trust, and we had to provide systems that were both operational but also were going to be secure and safe to use. Therefore, managing our identities internally would be extremely important for us if we were to hybrid.

At the heart of Sherwood’s new way of handling identity management across this hybrid infrastructure is the concept of Least Permissions.

This concept—also known as ‘Least Privilege’—has emerged as one of the best tactics for preventing hackers or bad actors (either external or internal) compromising an organization, by mis-using privileged user account access to information.

To protect against such abuses, Least Permissions in the Las Vegas context, Sherwood says, means everyone should only ever get the specific access they need to perform a job - no more, no less. 

He adds,

Excessive permissions gives you more vulnerability to cyber criminals getting access to data they shouldn’t as they can get into your organization and move laterally, which is when data breaches happen.

Maintaining continuous compliance with regulations

Sherwood says there have been a number of clear wins from the move to a ‘Least Privilege’ approach to data access, which started to emerge soon after the software’s introduction three years back.

These include giving all his security, audit, and infrastructure teams one platform to manage access permissions. 

It also gives the City an easy way to assign least-permissive roles for all identities (human and machine) across identity providers, cloud providers, and data systems.

As this includes a wide range of software systems like Okta identity and access management, SharePoint, and the City’s Azure and AWS clouds, that’s very useful, he states.

It also means it’s easier to maintain continuous compliance with regulations like the Federal Government’s CISA cybersecurity standard and HIPAA patient data protection via context-specific access controls.

Sherwood says:

We’re a busy place, people are trying to get things done and move on to the next item. We are supporting that, but in the background we’re always checking to make sure that your User ID doesn't have access to data and information that it doesn't need. That’s also extremely important from a compliance point of view.

Possibly most importantly, since the software’s introduction Sherwood says he’s seen “zero issues” with people not having inappropriate access, and so “doing something they weren't supposed to be doing.”

He also estimates an overall efficiency increase of “probably 50%”, as prior to the systems’ introduction all identity was handled by the IT Team by hand.

Sherwood also likes the software’s ease of use. He says:

Sometimes you install these platforms, and the cost of the platform pales in comparison to the amount of training and uptime. I’m glad to say this has been very low cost to implement but also very low cost for training; it’s very intuitive, so I'm able to quickly deploy this as staff changes over and new users really have a quick and easy time getting familiar with the operation.

Summing up his experience, for Sherwood moving to identify-first security and Least Privilege access as default means, Sherwood adds: 

For probably one of the first times the City is close to industry best practice level because of our really solid handle on identities right across the organization.

A grey colored placeholder image