The New Jersey Judiciary Court System was able to successfully complete what its chief information officer, Jack McCarthy, said was “six months of work in six days” – migrating its operations to a secure remote workforce model after the courts shut down due to the COVID-19 pandemic last spring.
The reason the court system was able to transition so efficiently was because of efforts to introduce security controls and technologies that actually long preceded the paradigm-shifting pandemic. Such efforts involved encryption, two-factor authentication, secure network access and cloud-based networking.
For many companies, “if security was done during the pandemic, it was probably too late,” explained McCarthy’s colleague Sajed Naseem, CISO of New Jersey Courts.
Even with life slowly returning to normal, the state’s court system is now reimagining how it will leverage its streamlined architecture and secure workforce protections to conduct remote business moving forward, according to McCarthy and Naseem, speaking at a Monday session at the 2021 RSA conference.
The migration was no easy task: New Jersey Courts employ roughly 13,000 people in about 700 sites across the state’s municipalities and counties. The system also supports approximately 100,000 attorneys and 40,000 police officers. Prior to the pandemic, most employees worked on desktops, with only about 2,500 iPads and laptops distributed – and all data and electronic documents (from 150 different web applications) would feed into one egress point at a data center in Trenton’s central Administrative Office of the Courts.
Pre-pandemic, only 100-or-so employees would work from home at a time, largely on the weekends. And while the court system's VPN could ostensibly accommodate a safe of 2,500 staffers, McCarthy said its true capacity may actually have been as little as 500.
McCarthy was on the golf course last March when he received a call from Jersey's chief justice saying the courts would be shut down due to the pandemic. This immediately kicked off a sweeping business continuity and work-from-home initiative that emphasized user and data security.
This initiative had several key goals, the first of which was to improve efficiencies. The security and IT staff accomplished this by cutting out redundancies. The philosophy: “Let's do what we could to rewrite systems, migrate them over to more modern platforms and allow our staff to continue working,” said McCarthy.
Fortunately, the court system had previously commenced a migration to the cloud, which “allowed us to keep our developers up and running,” explained McCarthy. “They didn't have to come back to the data center through a VPN; they could connect directly to either AWS or whatever… they were using to do their work.”
Secondly, to keep the electronic court system operations up and running, the IT team in a matter of three days built a website for front-end payments and doc submissions, though the back-end work would at least in the interim have to be conducted manually.
“It was crude, but it was based on a lot of the policies and platforms that we [had] already put into our electronic court system, and what it was basically meant to do was fill gaps,” said McCarthy. “Fast forward to now: it no longer fills gaps; it's actually going to probably become our primary software… because it was built in such a modern way [that] it doesn't have a lot of the complexity and a lot of the baggage that some of our own systems had.”
To move employees home virtually overnight, the court system sent employees home with their PCs, essentially treating the desktop as if they were laptops. The reason this option was safe and secure: several years earlier, the IT and security teams completed an initiative to encrypt every device in the judiciary system. “So we knew that PC walking out of the building was already encrypted,” said McCarthy. “We knew when it connected back to us, we'd be protecting the transmission from the person's house back to us.”
Still, the court system would also have to significantly increase its capacity. Therefore, McCarthy’s and Nassem’s teams implemented a new VDI, upgrading from about 100 concurrent sessions to roughly 1,500 concurrent sessions. The court system also bolstered its VPN capacity to handle about 7,500 concurrent sessions.
The servers were overworked, but it bought a week’s worth of time to migrate some of the court system’s VPN capacity to AWS via a PEGA business process management platform connection. The courts now can leverage this additional cloud-based capacity as needed in the future.
While modernization of the network posed several new security risks related to identity and access, these issues were largely tempered by various controls that McCarthy and Naseem had introduced over the years. This includes two-factor authentication, which had already been used internally by the court staff, but was expanded to other applications currently used by various governmental partners including police and attorneys.
Also prior to the pandemic, the IT and security teams had been working on a secure network access initiative that was over time expanded to incorporate several key concepts, including institute a zero-trust policy, blocking risky ports to prevent off the exploitation of prominent security vulnerabilities, updating remote desktops with patches and anti-virus, and blocking rogue devices that attempt to connect to the system.
Another issue was how to run the courts remotely. The state judiciary system had already been running virtual courts on the weekends conducting about 40 sessions per week. But using Zoom as its new platform, the court system was able to increase that to 400 sessions per week.
Today, more than a year after the pandemic shutdown, the courts hold “a few hundred thousand remote court events,” said McCarthy, including some civil trials, but not criminal ones.
McCarthy expects that the courts system will continue to evolve how it conducts business under the new secure IT setup, ultimately saving a lot of citizens from having to trudge to a physical court location to settle minor cases such as small claims or landlord-tenant disputes. “Those days are gone and we're not going to be doing that in the future.”