In manufacturing, limiting costs, satisfying special requests from production units, and protecting IP are key issues. From basic light bulbs to specialized LEDs, OSRAM has been the world’s foremost maker of light products for one hundred years. As the company grew, so did its number of offices and locations, and the network that connects them all together.
As it evolved alongside the company, OSRAM’s network became highly decentralized, efficiencies declined and IT struggled to maintain the level of security and responsiveness it desired. That’s when a chance encounter led OSRAM’s IT team to test the next-generation firewall from Palo Alto Networks. Learn why OSRAM was so impressed with Palo Alto Networks that it quickly reconfigured its network to standardize security on it.
Spotlighting IT Issues
OSRAM knows the light business. It should, arguably it’s been the top light manufacturer in the world for over 100 years. A massive, global manufacturer with 20,000 users at over 100 sites in 50 countries, OSRAM must diligently protect its Intellectual Property (IP) and be extremely efficient operationally. This means keeping IT costs down and limiting the time and money it devotes to addressing security concerns.
Most of OSRAM’s traffic is internal, but it provides extranet services for three websites that host catalogs, and supports customer applications and connections with business partners through VPN tunnels. Each branch office connects to the company’s datacenters via MLPS and a local Internet access point. “Our network was highly decentralized with different rules for access at sites,” says Steffen Siguda, Corporate InfoSec Officer and Data Protection Officer, OSRAM. “This wasn’t extremely efficient nor as secure as we wanted, and it frustrated traveling staff when they tried to connect.”
Network Puts IT in the Dark
OSRAM’s decentralized network was cumbersome to maintain, costly, and made it difficult for IT to respond quickly to the needs of the business. “We must keep IT costs down while being highly responsive,” says Siguda. “In manufacturing, we use a lot of customized applications and get lots of requests for tweaks to policies to accommodate production. Our network is very heterogeneous and has to support a variety of needs. For example, a special banking app may want to talk to other apps, or a service support app a supplier is using to service on-site equipment needs to talk to another app or system.”
The huge, decentralized network at OSRAM, with thousands of users distributed across many sites, hindered IT’s ability to support the business quickly and efficiently, and to track changes. “In a highly decentralized IT landscape, it was always a challenge to learn things like which VPN router or IT device had been changed,” says Siguda. Fulfilling business requests was time-consuming and inefficient. “It took a half a day of work to accommodate changes because we had to do global configuration changes manually for 78 proxy servers. At one point we had over 1,000 lines of configuration in our previous firewall solution.”
OSRAM’s decentralized network, IT management burdens, and lack of network visibility detracted from security. “We had no global view or monitoring of security,” says Siguda. “If something went wrong in India, China, or Brazil, it was impossible to search the log of every proxy server to identify the problem. We couldn’t get a consolidated view to address a threat or infection. We needed visibility and a global view of devices to improve security and make uniform changes, and better protect our IP and business.”
A Light Bulb Goes On
Siguda and his colleagues weren’t actively looking for a solution to their problems, but a solution found them anyhow. “My boss asked us to meet a friend to hear about a so-called ‘next-generation’ firewall,” says Siguda. “We weren’t that interested, but we met him anyway and he gave us a demo firewall from Palo Alto Networks. He told us to install it in virtual wire behind our existing Cisco firewall, and then he’d come back in two weeks.”
The enterprise security platform from Palo Alto Networks consists of a Next-generation Firewall, Threat Intelligence Cloud, and Advanced Endpoint Security. The firewall delivers application, user, and content visibility and control, as well as protection against network-based cyber threats integrated within the firewall through a purpose-built hardware and software architecture. The Threat Intelligence Cloud provides central intelligence capabilities, as well as automation of the delivery of preventative measures against cyber attacks.
Siguda and his team spent two hours setting up the Palo Alto Networks PA-2050 next-generation firewall. “We let it run for two weeks and it gave us a great overview of our apps, systems, and users,” says Islam Masoud, Security Operations Manager for OSRAM. “Plus, our 1,000 lines of configurations instantly went down to just 75 rules.”
Siguda was equally surprised. “The filtering capabilities let us see exactly what we’re doing in the network, where to allow VPN protocols, and more—so many things were answered in seconds, and we could easily help someone with an app issue in minutes,” he says. “We were totally surprised by the capabilities of a modern security system like Palo Alto Networks. We fell in love with the PA-2050 and told our boss’ friend he didn’t need to take it back, and immediately ordered a second one. It fit so well we didn’t look at any other options.”
Flipping the Switch
Within weeks, OSRAM replaced the legacy firewalls at its main datacenter that protect its primary Internet connection. “The migration to Palo Alto Networks was so smooth it didn’t interrupt our daily work at all,” says Masoud. Next, OSRAM swapped out its three main firewalls, then decided to replace all 78 of its proxy servers with 56 Palo Alto Networks PA-200 next-generation firewalls. “We calculated that replacing the 78 proxy servers with the PA-200s would be really cost-effective,” says Siguda. OSRAM also purchased and deployed six PA-5020, two PA-2050, two PA-3020, and five PA-500 next-generation Palo Alto Networks firewalls.
OSRAM added Panorama from Palo Alto Networks to efficiently and centrally manage all of its firewalls and policies. Panorama, running as a VMware virtual machine, provides centralized management and logging capabilities for OSRAM to easily manage all security platforms from one location and interface, and quickly deploy uniform polices to all devices. It also added a subscription to GlobalProtect™, which extends OSRAM’s secure application enablement policies to all users—including mobile—
regardless of location or device used for access.
The deployment of Palo Alto Networks was uneventful. “It was extremely easy and all done in two to three hours,” says Siguda. “We took out the box, set up an IP, hit a button, clicked and told the person at each local site around the world to remove the cables and proxy servers. No local tweaks were required because the configuration is done globally, and distributed through Panorama. We just clicked and synchronized everything.” OSRAM is using all the features of the Palo Alto Networks firewalls, including URL filtering (PAN-DB), WildFire, Threat Prevention including IPS, and as a VPN gateway for employees to access the network.
Results Light Up
Due to standardizing security on Palo Alto Networks, OSRAM has reaped a variety of benefits. These include better efficiencies and lower IT management costs, increased security, and the ability to satisfy requests for exceptions to rules faster. “With Palo Alto Networks, we deliver better service, more securely, faster, and more accurately, and do so using fewer resources,” says Siguda.
IT at OSRAM is now far more responsive. “It used to take half a day to accommodate changes,” says Masoud. “Now, users can request access to things on their own and get an instant, automatic reply based on our rules, instead of us having to look at each one and decide.” Adds Siguda: “We’ve reduced the need for exceptions by a factor of 10 because configuration is now app-based, so generic settings cover access to a banking site trying to use SSL to a different port, for example. The time we spend managing Internet access issues has dropped 50%.”
OSRAM appreciates Palo Alto Networks unique, comprehensive approach to security. “The difference between app- versus port-based firewall security is dramatic,” says Masoud. “Cisco is totally port-based and difficult to manage, especially on non-standard communication requests. The app awareness of Palo Alto Networks allows us to shrink our rule sets considerably, and gives us information we can read and use. Previously, we couldn’t make anything out of our logs. Now it’s so easy: we just click, look, and understand. It’s like going from zero to 100 kilometers per hour in seconds.”
Other efficiencies and better service include access for remote users. “We want a quality, global, uniform experience for all our users,” says Siguda. “Everyone should follow the same rules and enjoy the same access, whether they’re at other sites or traveling. Now they do.” Adds Masoud: “Users tell us they have faster online access, which improves productivity.”
Removing the Fog
The granular network visibility of Palo Alto Networks firewalls, and their extensive reporting capabilities, have elevated security. “Our previous proxy servers had poor visibility, so it took forever to find the source of a botnet or some other infection,” says Masoud. “Now, we can identify and monitor stuff globally at all our sites that we just couldn’t see before, such as the top apps in use, the top threats, usage patterns, and more, all in one quick view.”
“Troubleshooting speeds have increased significantly. You click, find the source of a problem, correct, update your policies, and you’re done. With other tools like sniffers, analyzers and others, it took 4-5 hours, with Palo Alto Networks it takes seconds. Our monitoring and troubleshooting speed has improved by over 50%,” says Siguda.
OSRAM is saving in ways it didn’t even envision when it installed Palo Alto Networks. “By quickly catching things like typos in DNS and SNMP servers and traffic connections, we’ve eliminated a ton of unneeded traffic that we didn’t even know was there,” says Siguda. “Palo Alto Networks has reduced the noise in our logs by 95%. It’s removed the fog so we can clearly see what’s really going on in our network.”
Panorama is also shedding light into traffic and network activity, and enhancing security. “We can view global traffic and activities and change and issue rules right away,” says Masoud. “If there’s a malware attempt, in one click I can address the target IP and distribute the security solution to everyone all over the world. This wasn’t easy in the past with a decentralized network; by the time we got to the malware it would be all over the place. With Panorama, we can apply rules and fixes to every device in seconds.”
Palo Alto Networks GlobalProtect is also delivering results. “GlobalProtect secures and facilitates access for all company devices,” says Siguda. “We use it with distributed gateways and like that a roaming user doesn’t need to do anything to connect. Before, they had to choose a regional VPN access point. The process was slow and the connection usually wasn’t optimal. GlobalProtect gives end users better service and ensures our rules are applied. In the past, we had to ask users to follow the rules and hope they would. In IT, either you can enforce something or forget about it happening.”
OSRAM plans to look deeper into the capabilities of WildFire from Palo Alto Networks. WildFire provides integrated protection from advanced malware and threats by proactively identifying and blocking unknown threats commonly used in modern cyber attacks.
It Does Cut Vegetables Too
In addition to countless hours saved from standardizing security on Palo Alto Networks, streamlining tasks, and automating policy deployments and updates, OSRAM is saving $100,000 per year in hardware and software license costs by replacing its 78 proxy servers with the PA-200s. “This figure doesn’t include the additional savings from reduced maintenance and support, which we believe would save about another $100,000 total over five years,” says Siguda.
Siguda and Masoud appreciate their improved ability to support the business. “We can meet requests within minutes, instead of hours or days,” says Masoud. “We like that if people need something they know the security guys will get it to them quickly. Upper management has noted this.” Adds Siguda: “There’s no way to put a dollar figure on having something state-of-the-art that can support new and upcoming business cases like streaming media, voice access, or accessing external training providers. Requests like these used to be a constant hassle, but are now just a click away for users.”
OSRAM also finds it difficult to put a figure on the enhanced security it receives from Palo Alto Networks. “Before we were blind to some things, but now we’ve raised overall security without expending more resources,” says Siguda. “I tell my peers in IT that Palo Alto Networks is ‘simplicity within complexity.’ I think their firewall could even cut vegetables, meaning, you can more or less do anything with a packet. You can slice and dice it, and then look at Palo Alto Networks GUI and even a non-technical person can understand what’s going on. It’s a sophisticated, but simple to use firewall, that makes IT guys happy and your company safe.”
This customer story is available in German.