State of Oklahoma OMES

Oklahoma Office of Management and Enterprise Services partners with Cloudflare to streamline state infrastructure, mitigate DDoS attacks, secure legacy systems, cut costs, and provide world-class security to 180 state agencies

Overseeing everything from state finances and human resources to property, real estate management, and construction services, the Office of Management and Enterprise Services (OMES), is the backbone of the State of Oklahoma. Spearheading a “whole-of-state” approach to essential services, OMES strives to increase efficiency, reduce financial and administrative overheads, and eliminate the duplication of effort, making it easier for the state’s agencies and affiliates to focus on their core missions. As a part of its mandate, OMES also provides expert guidance and drives continuous improvement to support its agency stakeholders.

Challenge: Efficiently securing, transforming, and unifying disparate systems under threat

At the heart of OMES, the Information Services (IS) division oversees the vast infrastructure and technology that secures and connects nearly 180 state agencies, boards, and commissions to over four million Oklahomans. Michael Toland, State Chief Information Security Officer (CISO), explains the complexity of IS’s ongoing efforts and the challenges involved in gathering everything under the OMES umbrella:

“It has been more than a decade-long process,” says Toland. “Historically, each state organization had its own infrastructure, creating a hodgepodge of on-premises cloud and hybrid systems running on mainframes, Windows and Linux servers, and even some Macintosh workstations. That has left us in a situation where we have old systems trying to interact with our modern architectures.”

Understanding that a reactive, piecemeal approach to security, problem-solving, and infrastructure modernization was not a viable strategy for long-term progress, OMES wanted a strategic partner to help it proactively achieve the following goals:

• Secure all state agency web properties against emerging online threats
• Integrate seamlessly with existing tools and legacy systems
• Reduce administrative and financial overheads with centrally-maintained, state wide solutions

“A core goal of our whole-of-state approach is to ensure that every department has access to the best resources, best security, and the best software, putting our weakest link on par with our strongest and securing and making the state stronger overall,” Toland explains.

Before it could address its transformation goals, the State of Oklahoma had a more pressing problem — DDoS attacks affecting both its own and other public web services.

“There were six or seven attacks directed against .gov domains that lasted as long as 24 hours,” says Justin Baustert, OMES Oklahoma Cyber Command Defense Engineering Manager. “They didn't only target Oklahoma — other states and even other governments were affected.”

After identifying the incidents as NXDOMAIN flood attacks — automated assaults that overwhelm servers with requests for non-existent or invalid domain records — IS sought an immediate solution.

Solution: A Cloudflare partnership for whole-of-state application security, DNS management, and DDoS protection

To achieve higher levels of visibility into its security tooling, OMES chose to partner with Cloudflare directly. Its goal was to leverage Cloudflare’s knowledge and technical expertise firsthand while implementing the full range of Cloudflare application security and performance solutions, especially enterprise-grade DNS Management, against recurring attacks.

With Cloudflare DNS management — administered from either the Cloudflare interface or customer toolsets via the Cloudflare API — OMES was able to easily absorb the incoming DDoS attacks, strengthening the chain of trust with features like built-in, one-click DNSSEC.

“We wanted to manage DNS with our own tools and push our changes to Cloudflare,” says Christopher Little, Former OMES Linux and DNS Team Lead. “From a technical perspective, having the ability to use the tools we already had while leveraging the power of DDoS mitigation from a single vendor made Cloudflare our only option.”

OMES set up and configured Cloudflare DNS Management in four hours. It then mitigated the NXDOMAIN attacks and secured the State of Oklahoma’s websites over the next two days. Automated rulesets, machine learning, behavioral analysis, and threat fingerprinting native to Cloudflare Web Application Firewall (WAF), and Bot Management Protection provided additional security for layers 1 to 7 of the State of Oklahoma’s public infrastructure.

“We deployed Cloudflare over the weekend, moving everything from our primary, on-premises DNS so that Cloudflare could neutralize any further attacks on the global network before they hit our servers,” says Toland. “Deflecting the attacks that knocked down the state's public-facing infrastructure is a great success story for us — our appliances could never handle the volume Cloudflare can.”

A secure Cloudflare foundation for legacy applications and public services

Since countering the DDoS attacks, the State of Oklahoma has expanded Cloudflare’s role in its transformation and consolidation efforts. Leveraging Cloudflare’s single control interface and unlimited scalability, OMES is streamlining the way it manages and secures its public-facing and legacy systems, especially for the state’s smaller, less-resourced organizations.

“We use it primarily to protect our legacy applications, but Cloudflare DNS is the foundation of all our communications,” says Baustert. “If our DNS isn't working, neither is anything else.”

Local security improvements with national implications

According to Toland, the security benefits of folding OMES’ partnership with Cloudflare into Oklahoma's statewide transformation objectives have ramifications well beyond the state’s borders. Improving security locally contributes to an enhanced security posture across the entire US, especially as other states embrace Cyber Readiness Initiatives and promote the whole-of-state IT and cybersecurity ethos.

“In government, our systems are all interconnected — we are all integrated and we all share data,” says Toland. “If an agency or municipality with a weaker security posture experiences a breach, that vulnerability could creep across the entire country. Security is much simpler when everybody has the same tooling. With the services and expertise of Cloudflare universally available, we can identify, contain, and minimize the damage before it happens.”

Providing widespread access to Cloudflare solutions and services

Partnering with Cloudflare enables OMES to efficiently and cost-effectively secure around 180 state agencies and services — helping streamline operations for 32,000 employees and benefitting millions of users.

“With Cloudflare, we have been able to build out our capabilities while reducing our costs,” says Little. “By wrapping Cloudflare solutions into our service portfolio, we can distribute our expenses more effectively, improving the quality of service for every state agency irrespective of its size or budget.”

Having the expertise of Cloudflare engineers, security, and support teams on call also reduces the expense of maintaining redundant resources and helps bridge gaps in localized institutional knowledge.

A future of continuous improvement

Embracing the challenges of consolidation — despite the scope of its responsibilities and the size of the State of Oklahoma’s infrastructure — OMES continues to make widespread improvements to their web security and performance initiatives. Cloudflare is a central part of that transformation strategy.

“As part of our growth, we will continue our strategic planning and alliances with partners like Cloudflare who can guide and assist us, showing us how to extract full value from the services it offers,” says Toland. “To us, success means leveraging every Cloudflare feature available.”