Estonian Railways

Estonian Railways modernizes how it connects and secures critical IT infrastructure using Cloudflare

Since 1870, state-owned Estonian Railways has been responsible for the high-quality and safe operations of the country’s railway. Today, they manage more than 1,200 km of railroad tracks, including 61 rail stations — three of which are border stations (two at the Russian border, and one at the Latvian border).

As the owner of the country’s railway infrastructure, Estonian Railways also acts as a partner in solving cross-border issues, setting transit standards, and fostering Estonia’s passenger and cargo transport business.

Challenge: Reduce IT complexity and accelerate secure access and hybrid work

As a 155-year-old critical infrastructure provider, Estonian Railways has accrued numerous technologies – many of which (such as legacy VPNs) are increasingly cumbersome to maintain. However, with the COVID pandemic and once-isolated Operational Technology (OT) systems becoming more Internet-connected, they recognized the need to modernize their IT systems and reduce complexity.

Estonian Railways has also seen heightened cyber risks arising from the region’s geopolitical conflicts. As their chief information officer, Tonu Tammer describes, “The threat landscape is evolving. As a critical infrastructure provider, we are under constant attack not just from cyber criminals, but also hacktivists and state-sponsored actors.”

To support the organization’s mission to become the region’s most digitally advanced railway infrastructure — while also defending against cyber risks — Estonian Railways sought to:

• Modernize security for their users, apps, and networks by shifting to a Zero Trust model
• Simplify IT management and free up time by consolidating security vendors
• Improve their security posture by increasing visibility into cloud app usage

To address these goals, Estonian Railways turned to Cloudflare’s connectivity cloud for secure any-to-any connectivity.

Accelerating transformation with Zero Trust for secure access

When Tammer joined Estonian Railways, he recognized that the mix of legacy technologies would be challenging for his lean team to manage long-term. “We have a lot of legacy IT, which is very typical when it comes to OT and supervisory control and data acquisition (SCADA) systems. For example, one contract has lasted over 50 years,” he notes. Amidst this backdrop, the company’s growing hybrid workforce (which includes remote employees and third-party contractors and partners) also increases risk.

Estonian Railways decided to reduce their overreliance on outdated perimeter-based network security and shift toward Zero Trust for secure application access, instead.

After a public procurement process, Estonian Railways chose to consolidate with Cloudflare’s Security Service Edge (SSE) platform, namely: Zero Trust Network Access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and remote browser isolation (RBI). Cloudflare collaborated with the local software partner, Mosaic OÜ, on the delivery.

In their first phase of deployment, Estonian Railways has made early progress on key Zero Trust access initiatives, including:

• Enforcing multi-factor authentication (MFA) for critical applications
• Managing and enforcing device posture checks
• Providing secure access to internal and public-facing web applications

“We can’t give everyone VPN access to consume whatever they want. It can’t be one key to open every door. Each user should only be able to access what they strictly need,” emphasizes Tammer. “With Cloudflare, we have better control and visibility over who, what, and how applications are accessed.”

As Estonian Railways migrates workloads to the cloud, network segmentation helps maintain business continuity. “We’ve used VPNs to connect a lot of different on-premises services, but they are like cardboard when it comes to security,” says Tammer. “Cloudflare allows us to build concrete walls around legacy apps while we migrate to a Zero Trust architecture.”

Furthermore, they have combined Cloudflare and Microsoft Entra and Intune capabilities to authenticate endpoint user device traffic, and enforce consistent device posture policies. Tammer says, “Combining Cloudflare and Microsoft is the simplest solution we have found that delivers all the possibilities of Zero Trust – without all the complexities. I’ve been pleasantly surprised with how seamlessly it all just works.”

Mitigating data loss and SaaS vulnerabilities

Cloudflare’s CASB service has given Estonian Railways a greater understanding of their SaaS security posture by identifying potential data leaks and misconfigurations with easy API integrations.

For instance, before Cloudflare, Tammer says, “Let’s say there were sensitive SharePoint files that should have been restricted to a small group of users, but were actually being widely shared internally. CASB suddenly exposes if that’s happening. We can take faster action to prevent unauthorized activity and minimize data loss.”

Cloudflare’s CASB API integrations for monitoring critical platforms like Microsoft, Atlassian, and ServiceNow also saves time. “Cloudflare’s connectivity cloud helps us put different clouds together in ways that we couldn’t do ourselves,” describes Tammer. “We could try to build the integrations ourselves, but it isn’t my job to twist different things together to perform basic functions,” describes Tammer. “Cloudflare lets me focus more on my actual job — making sure the overall system works and delivers value.”

Cloudflare’s overall ease of use also extends to its single-pane-of-glass management. Tammer says, “Unlike other cloud services that can overcomplicate things in their dashboard, Cloudflare has the right knobs when I’ve needed them. It’s comprehensive — not cumbersome.”

Accelerating and protecting web applications

Estonian Railways has further reduced complexity by consolidating key web application services onto Cloudflare. As Tammer notes, “Business needs are changing, and the way we do work is changing. It’s difficult to minimize all of our organization’s risks if we keep using so many vendors. Cloudflare has helped us reduce the amount of solutions and reduce technical complexity.”

Instead of multiple point solutions to connect to the Internet, the organization now uses Cloudflare’s content delivery network (CDN), web application firewall (WAF), DDoS protection, and real-time smart routing.

“Defense must be layered, like an onion. The hope is that, if one layer fails, you always have the next, and the next, and so on,” Tammer adds. “Cloudflare helps align all those layers so that the bad things won’t derail our organization.”

Tammer has been particularly impressed by the scale of Cloudflare’s network when it comes to protecting against DDoS and other web attacks, reducing latency, and serving content closer to Estonian Railways’ customers.

“With Cloudflare, most, if not all, of the traffic from our users actually gets processed in Estonia. We don’t need to backhaul traffic to some other data center, so round-trip times for network traffic are smaller,” Tammer explains. “The responsiveness of Cloudflare’s network is on a different level.”

What’s next: Evolving to a SASE architecture

To continue building upon their initial Zero Trust success for high-priority use cases, Estonian Railways ultimately plans to evolve to a secure access service edge (SASE) architecture. Compared to traditional network security, SASE offers several benefits such as reduced risk, more operational agility, stronger data policy enforcement, and improved hybrid work experiences.

In describing the journey to SASE, Tammer says Estonian Railways is creating “a harmonized approach for our end users to connect to our services, irrespective of where they’re located.”

He adds, “We need to separate the network paths that employees and partners use to connect to work applications from their personal Internet usage. Because if they’re connecting to our infrastructure, it needs to have all the necessary network encryption, security, and performance.”

“Transitioning legacy architecture isn’t easy,” Tammer concludes. “Each business use case is very nuanced, and it’s not one-size-fits-all. However, Cloudflare provides the toolbox we need to modernize our approach.”