North Carolina’s Pitt County School district needed to centralize and manage secure, identity-aware access control for 25,000 K-12 students and 3,300 employees across dozens of locations. In adopting Pomerium, the school district achieved:
- Centralized auditing capabilities to their unified logging system
- Enforced two-factor authentication
- A better remote access solution
Best of all, Pomerium works with their existing legacy infrastructure, meaning no dramatic shifts on their end.
With Pomerium, I can grant a Gmail account access to a remote server without the user knowing the password.
Cory Rankin, LAN Engineer at Pitt County
Pitt County School District’s Challenges
Like all complex multi-location organizations, Pitt County School district faced many recurring access control headaches:
- They needed to update their security system, but feared making adjustments on legacy applications.
- They needed to limit their exposure to the threat of ransomware.
- They needed to layer uniform access control over critical legacy applications.
- They needed to limit attack surface area and lateral movement in the case of a breach.
- They needed a centralized access management solution for overseeing multiple locations.
- They needed a remote access solution that didn’t frustrate their end-users.
Faced with the above problems, Pitt County Schools district set out to look for an access management solution that would address their needs and maintain compliance with the Center for Internet Security (CIS) controls. Sensitive information about K-12 students was at stake and Pitt County Schools could not risk ransomware bankrupting the county.
Progressing to a Solution
With ransomware events increasing in frequency, Pitt County Schools began testing many potential solutions and found them all wanting. For example, Google’s Identity-Aware Proxy could not work with Pitt County Schools’ existing application stack and would have required extensive changes on their infrastructure to make it function.
After trying multiple solutions, Pitt County chose Pomerium to enforce centralized access management and multi-factor authentication. Pomerium helped them reduce user friction by avoiding the VPN’s security and network issues that frustrated their users. This enables Pitt County to minimize necessary maintenance man-hours and costs while modernizing their entire school district’s infrastructure against the evolving threat landscape.
Legacy Infrastructure Support
Pitt County Schools needed to layer security without making substantial changes to their legacy infrastructure, which contributed to their decision to use Pomerium. Pomerium supports any infrastructure or deployment environment, from containers and clouds to on-premises, bare-metal, and virtual machines, making it easy to implement on top of applications that need to be protected.
Centralized Access Management
The district was drawn to Pomerium’s ability to provide centralized access, which enabled auditing capabilities and helped fulfill compliance mandates around CIS Controls.
The efficiency of [hierarchical authorization capabilities] in the console is dramatic. My goal would be to host everything behind Pomerium so that as soon as I drop someone out of a group, they can’t get to places they no longer have access to.
Remote Access Solution
The district’s engineers already knew the problem: VPNs were a horrible user experience. Users forgot to disconnect and were using the school’s network for non-work-related business. The security system ran on single-factor authentication and worked via all-or-nothing access, exposing them to the risk of lateral movement. Pomerium’s context-aware access helped the district move from a perimeter-based VPN security model to a zero trust-based model.
The user experience is not great for VPN. It’s confusing to know which traffic is going where if you’re doing split tunnel and then people forget to disconnect. You’re opening employees up to doing something on our property that they didn’t mean to.
Pitt County School district is looking to eventually put all applications behind Pomerium as their unified access control system, with strong confidence that their users and infrastructure are protected from bad actors.
After implementing Pomerium, Cory Rankin notes that their technicians need a quarter to half as many text exchanges to troubleshoot access issues as before, and most of those issues can be solved remotely, reflecting the needs of modern times. This means that additional security has been implemented without disrupting normal school processes, and troubleshooting access issues is more efficient with Pomerium than it was before.
Finally, the users themselves are happy when the tech environment works as expected.
My favorite part is where users are like: “Oh, it just works?” And it’s crazy. It didn’t work like that before. So that’s awesome.