But before all this, Harris had to help lay the project's groundwork in 2006 by convincing then-state CIO Teri Takai and other officials that network changes would benefit the state.

"We had to convince our Office of Enterprise Security that what we were building would be secure and meet their standards," Harris said, "and we took a lot of time with them to make sure that they understood."

The MDIT decided on the Cisco Unified Wireless Network so users could have a single vendor solution that could meet scalability, operational and security needs. The new network offers high-speed connectivity over a wider area, and is easier to run and keep track of because it's centrally managed on compatible equipment, unlike the former heterogeneous environment. According to Linn, Michigan has a long-term contract with AT and T, which supplies the state with Cisco technology. Having one solution for so many functions makes operations smoother, in her opinion.

"Michigan is very Cisco-centric, if you will. We look to them first," she said, adding that she did consider other solutions before choosing Cisco for the wireless LAN project. "I was looking at Nortel and the other solutions out there, and Cisco was the overwhelming winner. They met all of our requirements with security, and ease of deployment and integration with our other tool sets."

Lockdowns and Upgrades

Linn is confident that Version 2's security is superior to Version 1's. One reason is because Version 2 has more physical security layers in place when nonstate personnel connect.

"When someone comes into a state building," she said, "they have to pass a security guard, and they get visitors' passes and things like that." Once in the building, they must take extra steps to connect their mobile equipment. "With our wireless network, they must have a physical device that is owned by the state to connect onto our secure network, so a guest will not come in and connect wirelessly using their own laptop."

Guests are restricted on how much bandwidth they can consume so they don't impede network operations and their Internet access is tracked by a security appliance. All Web transactions are logged through security servers. This way, administrators can view Web usage patterns, and audit user history and other data to help them protect the network and make policy decisions.

Employees must provide authentication protocols to access Michigan's network, but that method was irritating with Version 1. State workers carried small devices called fobs, which are keychain-sized gadgets with tiny screens that display a random number every 90 seconds. The fobs were synced to the network, so when a state employee wanted to access the network from a computer, he or she had 90 seconds to enter the number shown on the fob.

The MDIT discontinued with this method in Version 2, opting for less cumbersome authentication that requires passwords in a radius and an active directory system. Radius environments may ask users to provide unique identifying information like a network address, phone number or data about the physical access point or location from which the user is attempting to access the network.

Harris and Linn are pleased with the MDIT's current network, and so are others in the department. The state nominated the wireless LAN project for consideration in the 2009 National Association of State Chief Information Officers Recognition Awards and won in the Information Security and Privacy category.

But as technology and threats change, security also must change. The MDIT will keep this in mind as it modifies the wireless network.

"As more devices are integrated to what is assumed to be a ubiquitous Wi-Fi environment," Harris said, "we have to be able to secure these other devices that may or may not have a person attached to them."

Hilton Collins, Staff Writer Hilton Collins  | 

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.