When one of the world’s largest companies maps out a future-ready security plan, it needs a scalable, flexible solution to fit its complex environment. Multinational conglomerate Siemens is a perfect example. Even as it contended with the complexity of multiple non-standard systems typical of a company that continually acquires other entities, it aspired to an elevated security posture built on Zero Trust principles. It found what it needed with Microsoft Security solutions.
“We chose the best-of-suite approach with the Microsoft 365 E5 solution, and now we have an overview of our environment that helps us to react in real time and defend against attacks proactively.”
Thomas Mueller-Lynch, Service Owner Lead for Digital Identity, Siemens
An engineering company at its heart, Munich-based Siemens runs on innovation, applying its inventiveness to industries as diverse as digital enterprise solutions, transportation, building-security equipment, and much more. Security underpins that innovation, protecting the vital research and development information critical to Siemens’s ongoing success. A footprint that extends to offices in 200 countries around the world—and an evolving global landscape of compliance and security regulations—complicates cybersecurity.
When Siemens pivoted from a steadfast on-premises strategy to a cloud-first approach, it turned to Microsoft Security solutions as the base for its Zero Trust posture. Guided by a multidisciplinary internal team, it implemented a range of security solutions in Microsoft 365, like Azure AD with Conditional Access as a policy engine, Microsoft Information Protection, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and much more, creating the blueprint for ongoing, dynamic security enhancements.
Reimagining cybersecurity for a future-ready cloud migration strategy
Peter Stoll, Cybersecurity Officer and Program Lead for Zero Trust at Siemens IT Worldwide, has managed cybersecurity at Siemens for 20 years and is closely attuned to the challenges of the work he loves. “The sheer size of Siemens challenges us as to how we provide the best possible security,” he explains. “We like to make sure we get the benefits of emerging technologies, so change is a constant. At the same time, malicious actors target large companies. That’s why we emphasize cybersecurity.”
To best coordinate the encompassing nature of a full-on cybersecurity program, Siemens formed its Cybersecurity organization, a cross-functional, multidisciplinary unit—a community, in Stoll’s words. “Cybersecurity is a driver of digitalization, cloud adoption, and much more. It requires a joint effort across the organization, including business, IT, and operational perspectives.” He partners with Thomas Mueller-Lynch, Service Owner Lead for Digital Identity at Siemens, merging their respective organizational perspectives. “Identity is one of the cornerstones of our cybersecurity for the future,” Mueller-Lynch asserts. “And because cybersecurity drives digitalization throughout the organization, we need a joint approach.” Mueller-Lynch was eager to push forward with the Cybersecurity community. “This was an opportunity to create an impact at Siemens,” he says. “We planned a complete rollout of the security capabilities included in Microsoft 365 to enhance information security.”
This journey began in 2014, with Siemens consolidating its on-premises Active Directory instances in preparation for cloud migration. The company started with Microsoft 365 E3 for Exchange email and the full suite of productivity apps. In 2019, Siemens began its Enhanced Microsoft Security Program, progressing to Microsoft 365 E5 to realize the advanced security capabilities in that solution.
Extending the same sense of community, in 2018 Siemens developed its Charter of Trust, an alliance of prominent global companies that work together to advance cybersecurity not just in their own organizations, but in concert with policy makers and security authorities with the aim of improving cybersecurity on a global scale. In today’s connected world, cybersecurity starts within each company, but it doesn’t end there. Siemens leads by example and its Zero Trust initiative was the next stop on its cybersecurity journey, as well as a way to model cybersecurity.
Setting the stage for Zero Trust
Siemens aspired to a Zero Trust strategy, enabling real-time response from a dynamic security architecture. That meant a change in vendor strategy. As recently as 2016, Siemens focused on the best-of-breed approach. “We initially wanted to adopt the ultimate niche solution for every problem,” recalls Mueller-Lynch. “But that can give rise to an overwhelming number of solutions that deliver outstanding functionality for their respective métiers. Bringing that data together to understand the big picture is super complex. So, we chose the best-of-suite approach with the Microsoft 365 E5 solution, and now we have an overview of our environment that helps us to react in real time and defend against attacks proactively.” At the same time, Siemens retains much of the best-of-breed advantage, since several of the Microsoft security solutions it uses have been named leaders in their respective areas by Gartner and other reviewers.
Siemens started its Zero Trust strategy by securing three areas: identities (including access by external parties), data, and endpoints. For these it turned to Azure AD, Microsoft Endpoint Manager, Microsoft Defender for Identity, and Microsoft Information Protection.
The team began by managing user identities in Azure AD synchronized with its on-premises Active Directory, with Microsoft Defender for Identity monitoring the on-premises directory and its domain controllers for attacks against those identities; Siemens analysts use the insights it provides to reduce the attack surface. Conditional Access policies act as the policy engine: each sign-in is evaluated against who the user is, what device the request comes from, and which data or application it targets before access is granted, so the policies govern not only user identities but data and devices, too. The Enhanced Microsoft Security Program also introduced Privileged Identity Management, the Azure AD service that replaces standing administrative rights with just-in-time, time-bound role activation. Siemens uses it to govern privileged access to resources across Microsoft 365 and extends it to the administration of devices it manages with Microsoft Intune (part of Microsoft Endpoint Manager), of Azure, and even of non-Microsoft software as a service (SaaS) apps, a key capability for a large company using multiple software and cloud providers. “We paved the way to Zero Trust with Microsoft technology to help protect data,” explains Mueller-Lynch. “Going forward, we’ll connect more and more third-party applications to Azure AD so that we can apply the security structure we’ve built with Microsoft technologies.”
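To make the "Conditional Access as a policy engine" idea concrete, here is an added example of a policy of the kind described above, created through the Microsoft Graph PowerShell SDK. It is illustrative code written for this page, not Siemens's policy or Microsoft's published configuration; the policy name, the break-glass group ID and the decision to start in report-only mode are assumptions. It requires a user at least a Conditional Access Administrator and an app that is granted the Policy.ReadWrite.ConditionalAccess permission.

```powershell
# Added example: a Conditional Access policy requiring MFA AND a compliant device
# for every cloud app. Not Siemens's configuration; names and IDs are assumed.
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.ConditionalAccess is the scope needed to create policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumed placeholder: object ID of an emergency-access (break-glass) group.
# Always exclude such accounts so a misconfigured policy cannot lock every
# administrator out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "ZT-01 Require MFA and compliant device for all cloud apps"
    # Report-only: sign-in logs record what the policy WOULD have done, without
    # blocking anyone. Switch to "enabled" only after reviewing that impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Apply to browsers, modern clients and legacy protocols alike.
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "AND": the user must satisfy both controls; "OR" would accept either.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```

Two points a practitioner should take from the block: the device signal (`compliantDevice`) only works for devices that Intune actually manages and evaluates, which is why endpoint management and identity are rolled out together in the story above; and the `state` value is the difference between a Zero Trust policy that protects the estate and one that produces a helpdesk incident, so every new policy should pass through report-only mode before enforcement.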
One of the technologies key to establishing Zero Trust, Microsoft Information Protection is Siemens’s primary data classification tool. The company uses it to uncover, classify, and help protect sensitive data, then expands that view with Microsoft Defender for Cloud Apps to control data travel and manage access to Siemens resources and applications. It is also beginning to roll out Microsoft Defender for Endpoint to locate configuration issues and vulnerabilities in real time, and to monitor and block threats to endpoints.
The company consolidates the siloed business systems of its past by shifting functionality to Microsoft 365 apps, making it possible for compliance teams to consider Microsoft 365 Advanced eDiscovery capabilities.
Finally, the company governs external access on two fronts. Collaboration with outside parties runs through guest access in Microsoft Teams, enabled through Azure AD External Identities. Access by Microsoft itself is controlled with Customer Lockbox for Microsoft Azure, a capability that asks customers like Siemens for explicit approval before Microsoft engineers can access customer data during the rare support operations that require it, and that provides extensive reporting on access requests and whether each was granted or denied. Defender for Endpoint also gives Siemens a single security umbrella across its estate of endpoints, used to detect and respond to threats to devices. For highly confidential data on employees' own devices, Siemens adds mobile application management without enrollment (MAM-WE) in Microsoft Intune, which protects company data inside managed apps without taking control of the personal device. The goal is protection wherever Siemens data resides: application users anywhere, IoT devices on the factory floor, employee devices, and the data itself.
Leading with security
Licensing simplification gives Siemens a coordinated set of security solutions from one vendor, but there is no ambiguity about which benefit Mueller-Lynch and Stoll value most. “It’s true that we’ve had internal discussions about Zero Trust as a cost-saving project, but we are very clear that it is much more than that,” insists Mueller-Lynch. “Of course, we’re happy with any cost savings we realize, but security is the driver.” Stoll agrees. “We don’t put a price on security,” he says. “And a detailed security strategy is the first step toward Zero Trust. We use the Microsoft ecosystem as our blueprint for security planning.” That’s borne out by the company’s continuing efforts to advance the Charter of Trust, now grown to 17 members across the European Union and Asia.
Siemens trusts the Microsoft approach to security. “As a cybersecurity guy, I understand that Microsoft is intent on security, and it works with us to co-develop solutions,” says Stoll. “Microsoft uses great security-oriented technologies and a strong architecture.” Again, he and Mueller-Lynch are on the proverbial same page. “There aren’t too many vendors on the planet that can create a solution capable of providing consolidated insights into large, complex environments like ours,” adds Mueller-Lynch. “That’s why we chose Microsoft.”