Minnesota IT Services (MNIT) — Security Gap Analysis

Why MNIT Needs a Cloud Enterprise Browser

64% of systems are now cloud-hosted. The browser is the new perimeter — and MNIT's security stack has a publicly identified gap there.

58% of 2025 incidents involved compromised credentials
64% of on-prem systems migrated to cloud
$2.8M avg cost of a public sector data breach
2 MN school districts hit by ransomware in 60 days

Breaking — Minnesota Ransomware Pattern (April–May 2026)

Spring Lake Park Schools (April 2026) and Delano Public Schools (May 20, 2026) were both hit by ransomware within 60 days, causing school closures and FBI engagement. K-12 leads all entity types in the 2025 Cybersecurity Incident Report with 81 reported incidents. Both districts fall under MNIT's Whole-of-State program mandate.

MNIT's Own Analysis Identifies Browser-Layer Blind Spots

MNIT's public security stack documentation — cross-referenced against the 2025 Cybersecurity Incident Report, the 2023–2027 Strategic Plan, and Q1 2026 Quarterly Report — reveals three converging gaps that a cloud enterprise browser directly addresses.

● Confirmed Gap

Secure Web Gateway (SWG)

No dedicated SWG service is confirmed in MNIT's Whole-of-State stack or executive branch service catalog. With 64% of systems now cloud-hosted, web traffic is the primary attack surface — and it has no dedicated inspection layer.

● Confirmed Gap

Browser Isolation / Remote Browser Isolation (RBI)

No browser isolation capability is listed in any MNIT public document, service catalog, or Whole-of-State program description. The 2025 Cybersecurity Incident Report (CIR) cites web-delivered threats as a primary attack vector — with no browser-layer control in place.

● Status Unknown

Zero Trust Network Access (ZTNA)

Zero Trust is mandated in MNIT's 2023–2027 Strategic Plan as "Always Verify" — but no single ZTNA product is confirmed deployed. The gap between policy mandate and implementation is where breaches happen.

● Status Unknown

Cloud Access Security Broker (CASB)

With 228 production cloud migrations completed in Q1 2026 alone, cloud data governance is critical. CASB status is not publicly disclosed — creating potential blind spots for data exfiltration via cloud-hosted applications.

● Partial Coverage

Data Loss Prevention (DLP)

Data Protection Services are active for the executive branch, but scope isn't fully disclosed and doesn't extend to Whole-of-State partner entities — including the K-12 districts now experiencing active ransomware.

● Largest Stated Gap

Real-Time Incident Response

MNIT's own 2025 Cybersecurity Incident Report explicitly identifies real-time incident response support as "the largest current gap" for under-resourced entities. Prevention at the browser layer reduces the need for reactive response.

The Attack Patterns Point Directly to the Browser

MNIT's first annual report under Minnesota's Cybersecurity Incident Reporting Law (Minn. Stat. 16E.36) covered 269 in-scope incidents from December 2024 through November 2025. The distribution reveals a consistent pattern: credential theft, social engineering, and web-delivered malware — all occurring in the browser.

156 / 269 incidents involved compromised credentials or passwords — 58% of all incidents
222M MDR security events detected in the same period — showing the scale of active threats
107K+ threats with potential government impact identified
$300M estimated value of breaches prevented — showing what's at stake per incident

Incident Types — Browser-Addressable Highlighted

Compromised account / password: 95 incidents
Social engineering / phishing: 11 incidents
Potential data exposure: 20 incidents
Malware (general): 6 incidents

AI-Enhanced Threats Are Accelerating These Numbers

MNIT's own 2025 CIR report explicitly calls out adversarial AI use to improve the speed, scale, and realism of social engineering attacks. Compromised credential incidents rose 32% nationally in H1 2025 (Microsoft). Traditional perimeter defenses have no visibility into AI-generated phishing pages rendered in real time inside the browser.

The Browser Is Now the Primary Work Environment

64% of on-premises systems migrated to cloud as of Q1 2026
Target: 80% by end of Q2 2026 (June 30 deadline)
228 production migrations completed in Q1 2026 alone — more than half of all 2025 migrations

  • Every system migrated to the cloud becomes a browser-accessed application. MNIT's aggressive migration timeline means the browser is now the primary interface for state employees, not a legacy network client.
  • Traditional perimeter security (firewalls, on-prem proxies) loses visibility the moment workloads move to Microsoft Azure, Microsoft 365, or other cloud platforms. MNIT's OLA cloud audit confirmed a strong foundation — but web gateway and browser isolation are not part of that stack.
  • LoginMN (SSO/IAM) protects identity at login — but offers no protection against browser-delivered credential harvesting, session hijacking, or malicious content rendered after authentication.
  • Whole-of-State partners — 375 entities, 87 counties, 3,300+ eligible entities — are accessing cloud services through unmanaged or lightly managed browsers with no unified security policy.
  • MNIT's TVMU resolved 1,716,362 vulnerabilities in Q1 2026. Many of those originate in browser-exploitable software. A cloud browser eliminates the browser as an attack surface entirely.

How a Cloud Enterprise Browser Closes MNIT's Gaps

A cloud enterprise browser moves web execution off the endpoint and into an isolated, policy-enforced cloud environment — neutralizing the browser as an attack surface while enabling Zero Trust access to cloud applications.

Eliminates Credential Theft at the Source

Browser isolation prevents credential harvesting by rendering suspicious pages in a remote container — phishing pages load but keystrokes never reach the real site. Directly addresses MNIT's top incident type (95 compromised account incidents, 58% of all incidents).

Source: 2025 CIR Report — Incident Types Table

Zero Trust Enforcement at Every Web Session

Cloud enterprise browsers apply Zero Trust policy continuously — authenticating, authorizing, and validating every web session in real time. This is MNIT's stated "Always Verify" mandate from the 2023–2027 Strategic Plan, implemented at the access layer.

Source: MNIT Strategic Plan 2023–2027 — Objective 6

SWG + RBI in a Single Cloud-Native Service

Replaces the need for a separate SWG appliance and RBI infrastructure. Both confirmed gap categories in MNIT's stack are addressed by one platform — reducing procurement complexity for the Whole-of-State program.

Source: MNIT Security Stack Gap Analysis

Extends Protection to All 3,300+ Whole-of-State Entities

Cloud delivery means no agent installation, no endpoint requirement. K-12 districts (81 incidents — the highest-volume category) and under-resourced counties can be protected with a browser-based policy — no infrastructure needed.

Source: 2025 CIR Report — Entity Type Table; Delano & Spring Lake Park ransomware events

AI-Aware Threat Prevention

Cloud enterprise browsers can inspect and sanitize AI-generated phishing pages and social engineering content in real time — including zero-hour threats that signature-based DNS filtering (MDBR) cannot detect. MNIT's CIR report explicitly flags adversarial AI as an escalating threat.

Source: 2025 CIR Report — Key Trend Data

DLP for the Cloud Era

Browser-level DLP controls prevent data exfiltration through web-based channels — copy/paste, form submission, file upload — regardless of which cloud application the user is in. Extends MNIT's existing Data Protection Services to cloud-hosted workflows.

Source: MNIT Security Stack — DLP: Partial status

Built on MNIT's Own Zero Trust Mandate

MNIT has codified Zero Trust as a named strategic security framework. A cloud enterprise browser is not a new concept to introduce — it is the implementation layer that makes the existing mandate real at the browser.

"Always Verify (Zero Trust) security framework that authenticates, authorizes, and continuously validates users before granting or maintaining access to applications and data."
— MNIT 2025 Annual Report & 2023–2027 Strategic Plan
"Collective, continued investment in people, processes, and technology will advance our cybersecurity maturity and help Minnesota prepare for and defend against emerging threats, including AI-enabled attacks."
— CISO John Israel, Letter to Legislature, January 2026
  • Authenticate: Cloud enterprise browsers enforce identity verification at every session — not just at login. Integrates with LoginMN (Entra ID / Microsoft MFA) already deployed by MNIT.
  • Authorize: Application-level access policies are enforced in the browser — users see only what they're permitted to access, even within broad cloud platforms like Microsoft 365.
  • Continuously validate: Unlike a VPN or network perimeter that grants persistent access, every web session is inspected and validated in real time — session-level Zero Trust, not just login-time trust.
  • GovRAMP/FedRAMP alignment: MNIT is actively pursuing GovRAMP. Cloud enterprise browser platforms with FedRAMP High authorization align with MNIT's compliance trajectory and simplify the GovRAMP path for Whole-of-State partner services.
  • CJIS & HIPAA coverage: Browser isolation ensures that sensitive criminal justice and healthcare data accessed through web applications never touches an endpoint that could be compromised — a key compliance requirement for law enforcement and health agency partners.

The Browser Gap Is Documented. The Funding Is Active. The Window Is Closing.

MNIT's own reports name the gaps. Two Minnesota districts just experienced ransomware. Cloud migration is at 64% with a June 30 deadline. The alignment between MNIT's strategic priorities and a cloud enterprise browser is direct — and quantifiable.