Matt Ramberg is Vice President of Information Security at Sanmina, a sprawling electronics manufacturer with nearly 60 locations in 20 countries on six continents and approximately 35,000 employees around the world.
Like most companies, Sanmina, a big name in contract manufacturing, is adapting to a new IT environment. The 42-year-old Fortune 500 company with fiscal 2021 revenue of more than $6.76 billion was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.
With manufacturing facilities around the world, it also sees its technological needs stretching to the limit.
7,500 employees are working remotely and this number continues to grow in the wake of the COVID-19 pandemic.
When Ramberg thinks of security in this sense, the first thing he thinks about is the company’s data. In particular, he wants to ensure that the company knows exactly where this data is located.
“We’re most focused on intellectual property,” he told The Register during an interview here at cybersecurity provider Zscaler’s Zenith Live 2022 conference in Las Vegas. “You get that intellectual property, particularly in manufacturing – and we touch a range of industries, automotive and communications and defense and aerospace – and the biggest concern we have … is preventing data loss. DLP is a very difficult area. It’s data [that is the focus] specifically because of the influx of cloud-based solutions.”
Sanmina employees have long used Google Workspace – formerly Google G Suite – a collection of cloud-based business applications and collaboration tools.
“But now you have this roaming workforce, this mobile workforce,” Ramberg said. “There’s Box, there’s Dropbox, there’s 8,000 file-sharing sites and you can work out until you’re blue in the face, but there are concerns that someone — and I don’t mean even from a malicious perspective — is putting them [data] in Dropbox because they have an account there and want to keep it safe. They just published our IP.”
Even Sanmina customers use different file-sharing tools, which creates another data overload problem that companies must adapt to. He doesn’t necessarily call it a concern – he believes Sanmina has it under control – but in such a highly distributed enterprise environment, knowing where the data is remains his top priority.
With so much data, the move to the cloud and a highly mobile work environment, there are many threats to consider, from ransomware to phishing, along with data sovereignty issues and a growing list of regulations surrounding data and privacy, from the European Union’s GDPR to the California Consumer Privacy Act (CCPA). In addition, the various Sanmina factories around the world need to communicate with each other, regardless of which country they are in and how that country handles data and cyber threats.
In the face of all this, Sanmina became an early adopter – and now a vocal supporter – of the growing movement towards zero trust frameworks. Given the venue, it’s not surprising that the company relies heavily on Zscaler technology for its Zero Trust technologies, but for Ramberg, Zero Trust fits right in with its increasingly decentralized business.
“We really got into it,” he says. “In the beginning it was a buzzword. ‘Here’s the latest and greatest.’ We really looked at that and it made sense. If there are five servers and I literally only have access to one – only have credentials for one – why would I even want to see the other four? It just made perfect sense. The fact that it’s like that, lateral movement is eliminated. If I’m set up to just talk to this one server and not be able to laterally move anywhere, that sounds pretty nice, the whole zero trust thing.”
With so many applications and so much data being created and accessed outside of the central corporate data center, the traditional castle-and-moat security architectures, built around firewalls designed to keep threats out, are becoming obsolete. They work well when users, applications, and data are inside the firewall, but that’s often not the case anymore.
Zero trust frameworks assume that no user, device, or application on the network can be trusted. Instead, they rely on identity, behavior, authentication, and security policies to inspect and validate everything on the network and determine issues such as access and permissions. Most cybersecurity vendors are expanding their Zero Trust capabilities, and Zscaler has built its entire strategy around this idea since launching its first product in 2008.
About eight years ago, Sanmina adopted Zscaler Internet Access (ZIA), a collection of cloud services that uses artificial intelligence (AI) techniques to inspect all Internet traffic, including SSL decryption, to protect against ransomware and other threats. In 2017, Sanmina adopted Zscaler Private Access (ZPA) to replace the VPNs it used for its mobile workers. ZPA gives users access only to the data and applications for which they have credentials, not to the network itself, reducing the chance for cybercriminals to gain access to the network and move laterally through the organization.
“We looked at them and said, ‘VPNs stink. They just stink,’” says Ramberg.
Along with the list of VPN security concerns, there were also limitations on the number of connections they could manage, slowing down network performance and requiring users to constantly re-authenticate to use them. Sanmina had 13 VPN appliances around the world that needed to be managed, upgraded, patched and replaced with more hardware at the end of their life.
ZPA “provides the same tunnel, but doesn’t put anyone on the network. This was one of our biggest concerns with VPNs,” he said, adding that attackers could often obtain credentials for a server. With ZPA: “If you don’t have credentials for this server, you shouldn’t even be able to see it. If I don’t issue a key to this door, why am I even allowing you to see this door?”
Sanmina also uses ZPA to manage what vendors and partners have access to, he said.
Since then, the company has added other Zscaler services, including SSL inspection and cloud browser isolation, and is reviewing new capabilities the provider is adding, including an Internet of Things (IoT) and operational technology (OT) service that was announced at the event this week, which Sanmina will use for communication within its production facilities.
Ramberg says he understands that Zero Trust is somewhat similar to what virtualization and cloud were when they were new — vaguely defined terms that vendors put on many of their products. However, as Sanmina adopted the cloud, it became clear that the company’s attack surface was expanding and it needed to adapt its security features to counteract this.
The first step was to put full disk encryption on laptops, but that was a stopgap measure. The move to a Zero Trust architecture addresses security needs as Sanmina’s people and data become more distributed.
“We had to adapt, but we liked the whole idea,” said Ramberg. “We jumped in with both feet and didn’t look back. We really embraced it.” ®
https://www.theregister.com/2022/06/23/sanmina-zero-trust-zscaler/ Contract electronics provider Sanmina buys into Zero Trust • The Register