Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.
Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.
With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.
7,500 employees work remotely and, in the wake of the COVID-19 pandemic, that number keeps growing.
With this in mind, when Ramberg thinks about security, what first comes to mind is the company’s data. In particular, he wants to make sure the company knows exactly where that data is.
“Where we focus the most is IP,” he told The Register during an interview here at cybersecurity vendor Zscaler’s Zenith Live 2022 conference in Las Vegas. “You get that intellectual property, especially in manufacturing – and we touch a number of industries, automobile and communications and defense and aerospace – and the biggest concern we have … is that of data loss prevention. DLP is a very difficult area. It’s data [that is the focus] expressively because of the influx of cloud-based solutions.”
Sanmina employees have long used Google Workspace – formerly Google G Suite – a collection of cloud-based business applications and collaboration tools.
“But now you’ve got this roaming workforce, this mobile workforce,” Ramberg said. “There’s Box, there’s Dropbox, there are 8,000 file-sharing sites and you can do training until you’re blue in the face, but there’s concern that somebody – and I don’t even mean from a malicious standpoint – they’ll put [data] in Dropbox because they have an account there and they want to keep it safe. You just released our IP.”
Even Sanmina customers use varying file sharing tools, creating another data sprawl issue company has to adapt to. He doesn’t necessarily call it a worry – he believes Sanmina has it under control – but in such a highly distributed corporate environment, making sure they know here the data is is his largest focus.
With so much data, the shift to the cloud, and a highly mobile work environment, there are many avenues of threats to consider – everything from ransomware to phishing – issues of data sovereignty and a growing list of regulations around data and privacy, from the European Union’s GDPR and the California Consumer Privacy Act (CCPA). In addition, the various Sanmina plants around the world have to talk to each other regardless of what country they’re located in and how that country manages data and cyberthreats.
Given all that, Sanmina became an early adopter – and now a vocal advocate – of the growing movement toward zero-trust frameworks. Given the venue, it’s not surprising that the company relies heavily on Zscaler technology for its zero-trust technologies, but for Ramberg, zero trust is the right fit for his increasingly decentralized company.
“We really embraced it,” he says. “Early on, it was a buzzword. ‘Here’s the latest and greatest thing.’ We really looked at it and it made sense. If there are five servers and I literally only have access to one – have credentials only to one – why should I even see the other four? It just made complete sense. The fact that is it eliminated lateral movement. When I’m set up to only talk to that one server and can’t laterally move anywhere, this sounds pretty nice, this whole zero-trust thing.”
With so much data and so many applications being created and accessed outside the central corporate datacenter, the traditional security architectures of firewalls and castles-and-moats, designed to keep threats out, are increasingly outdated. They work well if the user, applications and data are inside the firewall, but that’s often no longer the case.
Zero-trust frameworks assume that no user, device, or application on the network can be trusted. Instead, they rely on identity, behavior, authentication, and security policies to verify and validate everything on the network and to determine such issues as access and privileges. Most cybersecurity vendors are building out their zero-trust capabilities and Zscaler has based its entire strategy on the idea since its first product rolled out in 2008.
About eight years ago, Sanmina adopted the Zscaler Internet Access (ZIA), a collection of cloud services that use artificial intelligence (AI) techniques to inspect all internet traffic – including SSL decryption – to protect against ransomware and other threats. In 2017, the company brought in Zscaler Private Access (ZPA) to replace the VPNs it was using for its mobile workers. ZPA gives users access only to the data and applications they have credentials for rather than access to the network, reducing the chance for cybercriminals to gain access to the network and move laterally through the company.
“We looked at them and said, ‘VPNs stink. They just stink,'” Ramberg says.
Along with the list of VPN security concerns, there were also limitations on the number of connections they could manage, which slowed network performance and users had to constantly reauthenticate to use them. Sanmina had 13 VPN appliances around the world that had had to be managed, updated and patched and, when they hit end-of-life, had to be replaced with more hardware.
ZPA “is providing the same tunnel, but not putting anyone on the network. That was one of our biggest concerns with VPNs. When you give someone VPN access, what can they get to?” he said, adding that attackers can often get credentials for a server. With ZPA, “if you don’t have credentials for that server, you shouldn’t even be able to see it. If I’m not going to issue a key to that door, why am I even going to allow you to see that door?”
Sanmina also uses ZPA to manage what vendors and partners have access to, he said.
Since then, the company has added other Zscaler services, including SLL Inspection and Cloud Browser Isolation, and is looking at new capabilities the vendor is adding, including a service for Internet of Things (IoT) and operational technology (OT) announced at the event this week, which Sanmina will use for communications within its manufacturing plants.
Ramberg says he understands that zero trust in some ways is similar to what virtualization and cloud were when they were new – vaguely defined terms that vendors were putting on a lot of their products. However, as Sanmina was adopting the cloud, it became apparent that the company’s attack surface was expanding and it needed to adapt its security capabilities to address that.
The first step was to put full disk encryption into laptops, but that was a stop-gap measure. The move to a zero-trust architecture is addressing the security needs as Sanmina’s workforce and data become more distributed.
“We had to adjust, but liked the whole idea of it,” Ramberg said. “We jumped in with both feet and haven’t looked back. We really embraced it.” ®