Many CISOs understand at an intellectual level that in today’s perimeter-less world a data centric security architecture makes perfect sense, but they haven’t moved forward. Why? One possibility is that they’re working under the assumption that it will require too many layers and take too long. If you fall into this category, then I submit the story of John Graham, CISO of Jabil, a Fortune 100 contract manufacturer who built the Jabil data centric security architecture:
- With just three key technologies
- All delivered through security as a service
- In less than six months
First, a little background. When John Graham joined Jabil one of the first things he did was bring in consultants to do a security assessment. A key finding was that because of the company’s rapid growth they had “a one size fits all, low level perimeter-based security model.” Based on John’s collaboration with the business unit leaders, he determined that what they needed was a tiered approach that would provide the business units with the ability to choose the level of control based on the BU’s customers’ security expectations and requirements. In essence, they needed a baseline level of security that met the overall company policies, but also higher security levels and controls for the business units that needed it. For example, all the business units needed to protect information such as Jabil’s pricing information, tool sets, molds, and employee data, but some business units also needed to protect highly sensitive customer CAD drawings and product details.
As Mike Ring, Senior IT Manager, Threat and Solution Architect on the Jabil security team said, “we needed to move fast, but we couldn’t consume and support that much change with the current team and we were headcount challenged, so we shifted from an in-house approach to a vendor management approach.” In short, they came to the conclusion that all components of the security architecture had to be available as a subscription or managed service.
The Jabil security team built their data-centric security architecture with three key building blocks:
- Data Loss Prevention
- Secure Web Gateways
- Single Sign On
Data Loss Prevention (DLP). DLP was the key building block that provided the visibility and controls needed to protect all their sensitive data. Key requirements here were the ability to monitor and control structured and unstructured data such as CAD files, contextual awareness to understand the way employees were using and moving sensitive data, and language support in APAC.
Secure Web Gateways (SWGs). SWGs were a key building block to monitor internet traffic to protect against the introduction of malware and enforce company internet policy compliance. Key requirements here were a wide range of protocols supported, network sandboxing and cloud-based service.
Single Sign-on (SSO). SSO was the third key building block to execute the identity policy across users, devices and applications. Key requirements here were support for SAML and cloud applications.
As they deployed this architecture, Jabil did three smart yet unconventional things that helped ensure the program’s success:
- Branded the architecture as a company program. John Graham branded the whole architecture as the “Employee Access EcoSystem” with its own logo and a consistent communication plan to get employees on board and help them understand how everyone would benefit.
- Resurrected a failed project through simplification. Almost a year before John arrived, Jabil had started a sophisticated Identity and Access Management project that still hadn’t been deployed. John’s team realized that what they really needed was just the SSO component, so they stripped the project down to just SSO and got it deployed in weeks.
- Used a “bottoms up” approach to data protection policy. Instead of getting caught up in trying to build consensus on the data protection policies with the Business Unit (BU) leaders, John’s team deployed the DLP agents on the endpoints, collected the data and then took the information to the business unit leaders. Initial egress reporting on the data leakage from USBs, for example, enabled Jabil’s security team to have more collaborative conversations with the BU leaders. It opened the BU leaders’ eyes to the risks and enabled the security team to develop and continually modify the policies with the BU leaders’ support.
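To make the tiered model and the “bottoms up” reporting concrete, here is an added example (not Jabil’s code or any DLP product’s schema) that aggregates constructed endpoint DLP events into the kind of per-BU, per-channel egress report the security team could take into the BU conversations. It assumes a baseline set of data classes every BU protects, an elevated set that BUs handling customer CAD opt into, and hypothetical BU names and event field names.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Data classes every BU protects (the baseline), plus the elevated set that
# BUs handling sensitive customer CAD opt into. Class labels are assumptions.
BASELINE_CLASSES = {"pricing", "tooling", "employee-data"}
ELEVATED_CLASSES = BASELINE_CLASSES | {"customer-cad", "customer-product"}

# Which tier each BU chose. Hypothetical BU names.
BU_TIER = {"Automotive": "elevated", "Packaging": "baseline"}

# Constructed endpoint DLP events. Field names are an assumption, not a
# product schema. "channel" is the egress path the agent observed.
SAMPLE_EVENTS = [
    {"user": "u1", "bu": "Automotive", "channel": "usb",   "classification": "customer-cad",  "bytes": 5_000_000},
    {"user": "u2", "bu": "Automotive", "channel": "usb",   "classification": "customer-cad",  "bytes": 3_000_000},
    {"user": "u3", "bu": "Automotive", "channel": "email", "classification": "pricing",       "bytes": 20_000},
    {"user": "u4", "bu": "Automotive", "channel": "web",   "classification": "public",        "bytes": 800_000},
    {"user": "u5", "bu": "Packaging",  "channel": "usb",   "classification": "customer-cad",  "bytes": 2_000_000},
    {"user": "u6", "bu": "Packaging",  "channel": "usb",   "classification": "employee-data", "bytes": 50_000},
    {"user": "u7", "bu": "Packaging",  "channel": "web",   "classification": "tooling",       "bytes": 150_000},
]


@dataclass
class ChannelStats:
    events: int = 0
    bytes: int = 0
    policy_hits: int = 0  # events whose class is protected under the BU's tier
    users: set = field(default_factory=set)


def protected_classes(bu):
    """Classes in scope for a BU, depending on the tier it chose."""
    return ELEVATED_CLASSES if BU_TIER.get(bu) == "elevated" else BASELINE_CLASSES


def build_egress_report(events):
    """Aggregate agent events per BU and egress channel (monitor-only view)."""
    report = defaultdict(lambda: defaultdict(ChannelStats))
    for e in events:
        s = report[e["bu"]][e["channel"]]
        s.events += 1
        s.bytes += e["bytes"]
        s.users.add(e["user"])
        if e["classification"] in protected_classes(e["bu"]):
            s.policy_hits += 1
    return {bu: dict(chans) for bu, chans in report.items()}


def rank_channels(report):
    """(bu, channel, hits, bytes) rows, worst first: the talking points for a BU meeting."""
    rows = [(bu, ch, s.policy_hits, s.bytes)
            for bu, chans in report.items()
            for ch, s in chans.items() if s.policy_hits]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0], r[1]))


def uncovered_sensitive_events(events):
    """Events that the elevated tier would flag but the BU's current tier does not:
    the evidence for proposing that a BU move up a tier."""
    return [e for e in events
            if e["classification"] in ELEVATED_CLASSES
            and e["classification"] not in protected_classes(e["bu"])]


if __name__ == "__main__":
    rep = build_egress_report(SAMPLE_EVENTS)
    for bu, ch, hits, nbytes in rank_channels(rep):
        print(f"{bu:<12}{ch:<8}hits={hits} bytes={nbytes}")
    for e in uncovered_sensitive_events(SAMPLE_EVENTS):
        print("not covered by current tier:", e["bu"], e["channel"], e["classification"])
```

The report deliberately counts rather than blocks: the point of the approach described above is to collect evidence first and let the numbers drive the policy discussion, so the only decision encoded here is which classes a BU's chosen tier puts in scope. Hits are ranked by count and then by volume, which puts the USB channel at the top for the constructed data, and `uncovered_sensitive_events` surfaces the case the tiering exists for: a baseline BU moving customer CAD that its current policy does not watch.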
According to Graham, “our Employee Access Ecosystem is a large step forward in 'easing' the access challenges for each employee, while adding needed controls across Jabil and customer data.” And in fact, Jabil was recognized with the 2015 Tech Exec Networks (T.E.N.) Information Security Executive (ISE) Southeast Project of the Year Award. For more details on the deployment Mike Ring of Jabil did a webinar with us that you can view here. Or you can visit the Jabil Blog to learn more.