A Fortune 100 bank faced compliance violations for its inadequate ability to prove separation of development and production environments. Potential penalties included heavy fines and cessation of its ability to trade on the Nikkei exchange. The bank’s business, credibility, and reputation were at stake. They failed an audit after executing millions of dollars worth of trades and were under pressure to deliver by a specific timeline. The risk of repeated audit failure was everyone’s problem, but the bank didn’t have a clear solution. Network-based solutions meant reconfiguring a major portion of the network and involved a heavy burden of infrastructure upgrades and re-IPing. The significant fiscal and operational expenses of this approach were untenable – as was the service outage to the business.

One of the largest and fastest-growing players in the Software as a Service (SaaS) industry needed to deploy two new data centers in two countries to support customer and geographic growth plans. They were facing rapid growth and increasing east/west data center traffic. They needed a solution that would protect customer data and scale into the future – a requirement that would be hard to meet with network segmentation and expensive with high-capacity data center firewalls in every rack. They were also looking for a way to more cost effectively segment while maintaining their agile software development culture. From the drawing board to deployment, the company needed to roll out and secure the new data centers in less than six months with live customer data while meeting stringent internal and regional security and compliance requirements.

Baillie Gifford, a global asset management firm, was seeking a solution that would provide granular assurance of client data protection on an ongoing basis. The firm wanted to deliver a higher level of scrutiny than traditional segmentation methods could provide. However, re-architecting its network infrastructure was not an option due to the potential risks and costs involved. The firm was also considering leveraging cloud for efficiencies and to avoid vendor lock-in, but was concerned about governing the environments consistently.

A Global 250 bank was struggling with mandatory SWIFT compliance due to the complexity and time-consuming nature of building granular and consistent micro-segmentation policies using their standard firewall-based approach. The bank was also facing challenges such as security product overload, a rapidly changing threat landscape, scarcity of qualified security personnel, and the need to move into a hybrid cloud in a secure manner. The bank needed a more flexible and less complicated solution that could address their critical security, compliance, and data protection requirements without compromising the need to move at the speed of their global business spanning multiple continents and time zones.

A Fortune 1000 enterprise SaaS provider sought to secure a new greenfield data center without restricting application traffic for its automated compute environment. The stakes and costs for a new data center were high. Complex automation was critical to this SaaS provider’s current and future plans, including public cloud. In automated environments, DevOps cannot accept any solution that breaks automation or slows down their work, which is essential to keeping billions of dollars of revenue flowing. Customer SLAs (spelled out in contracts) cannot be violated without financial penalty. This created tension between automation and contractual obligations. Security architects needed to transform an operationally unsustainable system – one that required supporting five different segmentation solutions including firewalls, Calico, VMware NSX, and switches. Every time the organization adopted a new technology, they adopted a new segmentation solution, which made them have to build their own backend to synchronize all of the different solutions. This created security sprawl.

A leading eCommerce retailer was facing a challenge in achieving PCI compliance for its payment infrastructure. The company's network was flat, and penetration testing revealed vulnerabilities that could expose its payment infrastructure to malicious activity if perimeter defenses were breached. The company needed to quickly segment their Cardholder Data Environment (CDE) from the rest of their applications to avoid critical findings during the PCI audit. The challenge was to isolate systems processing credit card data and mitigate lateral movement attacks in a heterogeneous hardware platform environment.

A Fortune 100 healthcare service sold a part of their business and associated infrastructure to a foreign entity. Both businesses needed to realize the synergies immediately. However, without an understanding of how the company’s own applications were interconnected, their teams were unsure of what part of their IT infrastructure the new acquirer potentially touched and risked breaking business-critical applications by arbitrarily cutting communications. The company’s attempts to identify application dependencies using the network provided limited visibility, preventing them from confidently segmenting the acquired assets.

Ixom, a leading industrial chemical manufacturer based in Melbourne, faced multiple IT challenges securing legacy applications that require unsupported platforms for continued operations, as well as the desire to network harden critical IT infrastructure to decrease the risk from vulnerabilities. With a portfolio of global businesses across geographies, cloud infrastructure was critical to gaining efficiencies. Yet governing cloud environments posed its own security challenges. A transition from Multi-Protocol Label Switching (MPLS) routing to a Software Defined Wide Area Network (SD-WAN) allowed Ixom’s core IT team to decouple controls from the network for more agility and effectiveness. Adopting a Zero Trust security approach, they sought a whitelisting solution to limit exposure by preventing unauthorized access to any system. But manual methods proved untenable, both to architect and maintain.

One of the world’s largest multinational banks sought to transform new and re-platformed application deployments when it became clear that its legacy infrastructure was perpetuating security debt. The organization’s go-forward strategy meant all new applications and new versions of older applications would launch ringfenced, with segmentation baked in at deployment. However, technology options decreased as software-defined networking failed to live up to its promises and did not solve the organization’s long-term heterogeneity problems (containers and public cloud). New applications were launching, but still without segmentation – compounding the problem the bank aimed to resolve. As the issue persisted with a new data center, which had been justified based on improved security, the pressure for segmentation grew because enhanced security was one of the justifications of the new data center. Open banking standards required the bank to rapidly create new applications in order to maintain its competitiveness. The organization had built a fully automated self-service portal for developers that could not be used because automated segmentation was not in place. The bank needed a highly automated solution that supported digital transformation. Now under pressure from the application teams, the security, cloud, and containers teams were strongly aligned to deliver a solution that met the needs of the business.

One of the largest banks in the world sought to rapidly modernize aging IT systems that run the bank’s critical infrastructure. The bank’s board of directors consequently approved a $1B data center revitalization, creating an opportunity for blank-slate security transformation in a greenfield data center deployment. As a result of the board’s approval, the CIO decided to re-platform and migrate 5,000 applications with 33,000 workloads. An aging infrastructure running on older operating systems posed systemic risk to the bank’s ongoing operations. In addition, there was a lack of staff who understood how those applications actually worked. Simply migrating the status quo to a new environment created unnecessarily high IT risks in cybersecurity, resiliency, and obsolescence, posing a threat to the business with board-level scrutiny.

The IT team for one of the country’s largest medical groups was initially overwhelmed by the scope of its network segmentation project in terms of time, expense, and ongoing maintenance. The team had to refocus on its core objectives: segmenting applications and segmenting people from servers and environments. The team was concerned about the 5% of attacks that could potentially infiltrate their network and remain undetected for a long time, learning about their environment. They needed a solution that could limit access from day one and prevent a desktop from pinging a server.

The talent agency was facing increasing costs and systems from acquisitions, along with a central data center that was already out of space. The agency adopted a hybrid cloud strategy, with a key success factor being a multi-cloud model to avoid vendor lock-in with one large incumbent. However, maintaining several different and incompatible security solutions for each cloud and the data center wasn’t operationally viable. The agency had to seamlessly support high-profile clients; outages and downtime – planned or unplanned – were unacceptable. The board-level decision for multi-cloud adoption required deployment, but the final solution had to be effective enough to defuse objections among a multiplicity of motivated stakeholders.