How Sandvik managed the shift to a Zero Trust framework

How Sandvik managed the shift to a Zero Trust framework

Sebastian Kemi, Chief Information Security Officer at Sandvik, discusses how the organisation has shifted to a Zero Trust-based security infrastructure as a way to combine new technologies with its business strategy of constant innovation. We hear how it worked with Zscaler to deliver on this.

Sandvik is a global engineering company that provides equipment and tooling systems to a range of industries including mining, construction and industrial heating. Founded in 1862, the company holds around 6,000 active patents and is a world leader in manufacturing and machining, mining and rock, rock processing and materials technology.

In 2020, Sandvik transitioned from a traditional Virtual Private Network (VPN) to a Zero Trust work-from-anywhere model to provide employees with flexible and secure access. Sandvik’s long-term goal was to overhaul its existing VPN technology, as connecting and securing remote workers was becoming a significant challenge. That vision generated a change momentum within the business over a period of months, but activity had to accelerate rapidly when the COVID-19 pandemic forced a sudden switch to remote working.

More than a technology change

The drive for transformational change originated from multiple places within the business, with the end-user experience meeting technological reasons to make the shift. “People had got used to consuming cloud services wherever they were through their smartphones,” said Sebastian Kemi, Chief Information Security Officer at Sandvik. “Then they’d come back to enterprise IT, with on-premise solutions for mail and such like, and it was too cumbersome.”

Kemi put together a team that comprised members from across the business, representing the various stakeholders. Employee access must be secure, as well as flexible. Sandvik recognised the importance of this business driver and as such, the transformation initiative sat with the security team within network IT.

Defining business outcomes

The team started with the programme’s objectives. Kemi stresses the importance of clear business drivers in transformation programmes. “Rather than talk about a product, or technology shift, we talked about the business goals: where do we want to go? What steps do we need to take to get there? You need to remove the product conversation from this stage; otherwise, it becomes tech people finding a good solution and trying to enforce it, with nobody really understanding why,” said Kemi. 

He pointed out that earlier application migrations to the cloud had caused internal frustration, with some people wanting to move back to the legacy solution. “I think that was because we concentrated on the technology change,” he said. “When we started talking about the long-term goal, the perception change trickled down really fast. People need to see what the benefits are.”

Selling the long-term strategy

The team then set about engaging senior leadership and management, ensuring they understood the strategy and were behind it. These leaders would get questions from their team members and would need to give out the same message. Alongside this engagement activity, the team prepared the proposal for what the programme would deliver, why and how the change would be managed.

This preparation stood Sandvik in good stead to make a change when the pandemic situation demanded it. In less than five days, 20,000 Sandvik employees around the world were migrated over to the Zscaler Zero Trust Exchange platform. Zscaler Private Access, a building block of the platform, was tested over the weekend with 30 users and subsequently rolled out to equip employees working from home. It was a wholesale change to Sandvik’s network approach, implemented at speed, but employees quickly realised that they could still get access and do their work and the change was well received.

“There was a lot of trust to take that decision on the Friday,” said Kemi. “We could have increased capacity, but we turned the company inside out from a network perspective and it just worked.”

The transformation enabled Sandvik’s global lines of business to keep running smoothly, despite the challenges of the pandemic. Longer-term, it equips Sandvik with a convenient, flexible and scalable solution that secures remote access, while minimising attack surfaces and access barriers.

Continuous evolution

Naturally, the programme did not conclude once the new solution had gone live. Included among the team’s many activities was the dismantling of the legacy infrastructure, to contribute to the initiative’s cost efficiency. Without a clear line of sight to retiring legacy solutions, Sebastian explains, the company will incur ongoing costs supporting a diminishing population of users yet to migrate. 

As a large organisation, committed to enhancing customer productivity, profitability and sustainability, Sandvik evolves with the times to maintain its competitiveness. Change is a constant for all organisations and with that comes continuous learning and improvement. Kemi gives three pieces of advice for major change programme managers embarking on similar transformation initiatives.

“Firstly, sell the long-term goal. You need to talk about what you want to accomplish, rather than IT. Secondly, establish a team made up of the right people, from across the company and lastly, instead of a large preparation programme, make the change and fix the small problems you will have. Even if you plan for 12 or 18 months, you will still run into problems. Be flexible enough that you can adapt when you need to.”

Sebastian Kemi, Chief Information Security Officer at Sandvik, discusses the project in more detail and outlines the benefits of working with Zscaler.

What were the driving factors behind the decision to partner with Zscaler – what was it about its offering that appealed to you?

As an organisation, innovation and productivity have been a central focus for Sandvik for over 160 years. Within my role, I focus on supporting digitalisation for the business. I recognised it was instrumental to modernise the legacy network infrastructure. Deploying the cloud-based Zscaler Zero Trust Exchange was part of this journey as it gave us the tools we needed to go directly and securely to the Internet without the administrative burden of managing hardware. We were able to achieve the desired flexibility and agility we were looking for to enable the transformation of our architecture as the foundation of a cloud-first approach.

What did you hope to achieve when commencing the project and have you delivered on this?

We started the relationship with Zscaler eight years ago and since then it has been a constant journey in support of our digitisation strategy. Our mission has been to carry out a complete network redesign to provide secure access on an application level rather than a network one. Globally we had a complex IT structure, where traffic had to be backhauled from branch offices to regional data centres and then sent through an additional security layer. The security hardware added to this complexity not only through constant life cycle management, but also to our performance issues.

We were looking for a solution that supported our digital shift and provided the desired flexibility, availability and confidentiality. The switch to a cloud-based security service met our demand for security and enabled the network redesign to local Internet breakouts at the same time. The use of Zscaler Internet Access and Zscaler Private Access has changed the operational model of the whole IT department as we are now able to monitor all data streams in a single consolidated view, which has reduced the administrative burden enormously.

What business benefits have you seen since migrating over to the Zscaler Zero Trust Exchange platform and how resilient is your security posture today?

When you are in charge of bringing a transformation strategy to life you continuously have to sell your vision to the business stakeholders and align technology with the business strategy. In the case of Zscaler’s Zero Trust, it was easy to convince the C-level as the platform provided the answer to many business cases. Mergers and acquisitions is one example of such a business case where Zscaler helped to unlock additional potential. Integrating the networks of two organisations is a very specialised and time-consuming process and really not the ideal situation from a security perspective as we are looking for more loosely connected scenarios. As a serial acquirer, Sandvik has now matured the process of delivering full connectivity to the applications of a bought organisation within a few hours by deploying Zscaler Private Access.

How connected and secure are your remote workers since the rollout and how does this allow for seamless operations across the business?

When the pandemic started we were actually able to move our 42,000 global employees to Zscaler Private Access over a single weekend, which showcases the agility of a cloud-based model. Today, we don’t need to have the users on the network anymore. We are able to grant access on an application level, based on business policies.

The same strategy that is applied to user access can also be applied to IoT and OT environments and this is a tremendous shift in how we can secure the core of the company. Our mining equipment and machinery, such as our autonomously driven mining trucks, will become more and more data-driven. We are in the process of changing the way we operate our OT-infrastructure as well – with Zscaler enabling us to secure those workloads from the machines and other connected devices.

How important is Zero Trust for secure business performance?

As an engineering company with operations in 160 countries, managing users and devices remotely can sometimes be challenging. With a Zero Trust-based security infrastructure we have found a way to combine new technologies with our business strategy of constant innovation. New approaches allow us to stay ahead of the game and with Zscaler we can unlock new potential and therefore we are constantly evaluating new opportunities for our business.

Browse our latest issue

Intelligent CISO

View Magazine Archive