
$6b mega contract electronics vendor Sanmina jumps into zero trust

Company was an early adopter of Google Cloud, which led to a search for a new security architecture


Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.

Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.

With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.

7,500 employees work remotely and, in the wake of the COVID-19 pandemic, that number keeps growing.

With this in mind, when Ramberg thinks about security, what first comes to mind is the company's data. In particular, he wants to make sure the company knows exactly where that data is.

"Where we focus the most is IP," he told The Register during an interview here at cybersecurity vendor Zscaler's Zenith Live 2022 conference in Las Vegas. "You get that intellectual property, especially in manufacturing – and we touch a number of industries, automobile and communications and defense and aerospace – and the biggest concern we have … is that of data loss prevention. DLP is a very difficult area. It's data [that is the focus] expressively because of the influx of cloud-based solutions."

Sanmina employees have long used Google Workspace – formerly Google G Suite – a collection of cloud-based business applications and collaboration tools.

"But now you've got this roaming workforce, this mobile workforce," Ramberg said. "There's Box, there's Dropbox, there are 8,000 file-sharing sites and you can do training until you're blue in the face, but there's concern that somebody – and I don't even mean from a malicious standpoint – they'll put [data] in Dropbox because they have an account there and they want to keep it safe. You just released our IP."

Even Sanmina customers use varying file sharing tools, creating another data sprawl issue the company has to adapt to. He doesn't necessarily call it a worry – he believes Sanmina has it under control – but in such a highly distributed corporate environment, making sure they know where the data is is his largest focus.

With so much data, the shift to the cloud, and a highly mobile work environment, there are many avenues of threats to consider – everything from ransomware to phishing – as well as issues of data sovereignty and a growing list of regulations around data and privacy, from the European Union's GDPR to the California Consumer Privacy Act (CCPA). In addition, the various Sanmina plants around the world have to talk to each other regardless of what country they're located in and how that country manages data and cyberthreats.

Given all that, Sanmina became an early adopter – and now a vocal advocate – of the growing movement toward zero-trust frameworks. Given the venue, it's not surprising that the company relies heavily on Zscaler technology for its zero-trust technologies, but for Ramberg, zero trust is the right fit for his increasingly decentralized company.

"We really embraced it," he says. "Early on, it was a buzzword. 'Here's the latest and greatest thing.' We really looked at it and it made sense. If there are five servers and I literally only have access to one – have credentials only to one – why should I even see the other four? It just made complete sense. The fact that is it eliminated lateral movement. When I'm set up to only talk to that one server and can't laterally move anywhere, this sounds pretty nice, this whole zero-trust thing."

With so much data and so many applications being created and accessed outside the central corporate datacenter, the traditional security architectures of firewalls and castles-and-moats, designed to keep threats out, are increasingly outdated. They work well if the user, applications and data are inside the firewall, but that's often no longer the case.

Zero-trust frameworks assume that no user, device, or application on the network can be trusted. Instead, they rely on identity, behavior, authentication, and security policies to verify and validate everything on the network and to determine such issues as access and privileges. Most cybersecurity vendors are building out their zero-trust capabilities and Zscaler has based its entire strategy on the idea since its first product rolled out in 2008.

About eight years ago, Sanmina adopted Zscaler Internet Access (ZIA), a collection of cloud services that use artificial intelligence (AI) techniques to inspect all internet traffic – including SSL decryption – to protect against ransomware and other threats. In 2017, the company brought in Zscaler Private Access (ZPA) to replace the VPNs it was using for its mobile workers. ZPA gives users access only to the data and applications they have credentials for rather than access to the network, reducing the chance for cybercriminals to gain access to the network and move laterally through the company.

 "We looked at them and said, 'VPNs stink. They just stink,'" Ramberg says.

Along with the list of VPN security concerns, there were also limitations on the number of connections they could manage, which slowed network performance, and users had to constantly reauthenticate to use them. Sanmina had 13 VPN appliances around the world that had to be managed, updated and patched and, when they hit end-of-life, had to be replaced with more hardware.

ZPA "is providing the same tunnel, but not putting anyone on the network. That was one of our biggest concerns with VPNs. When you give someone VPN access, what can they get to?" he said, adding that attackers can often get credentials for a server. With ZPA, "if you don't have credentials for that server, you shouldn't even be able to see it. If I'm not going to issue a key to that door, why am I even going to allow you to see that door?"

Sanmina also uses ZPA to manage what vendors and partners have access to, he said.

Since then, the company has added other Zscaler services, including SSL Inspection and Cloud Browser Isolation, and is looking at new capabilities the vendor is adding, including a service for Internet of Things (IoT) and operational technology (OT) announced at the event this week, which Sanmina will use for communications within its manufacturing plants.

Ramberg says he understands that zero trust in some ways is similar to what virtualization and cloud were when they were new – vaguely defined terms that vendors were putting on a lot of their products. However, as Sanmina was adopting the cloud, it became apparent that the company's attack surface was expanding and it needed to adapt its security capabilities to address that.

The first step was to put full disk encryption into laptops, but that was a stop-gap measure. The move to a zero-trust architecture is addressing the security needs as Sanmina's workforce and data become more distributed.

"We had to adjust, but liked the whole idea of it," Ramberg said. "We jumped in with both feet and haven't looked back. We really embraced it." ®

