ACME Manufacturing Transforms Security and Efficiency with Agilicus AnyX
ACME Manufacturing is a large, distributed, vertically integrated manufacturer with multiple multi-national divisions and contract manufacturers.
ACME’s key business support system is SAP, which is operated by the parent company. Each division and contract manufacturer requires real-time access to SAP to manage inventory and work orders.
Learn how ACME transformed from an expensive, risky mesh of VPNs spanning multiple companies to a more Zero Trust environment for all users, increasing security, increasing efficiency, and lowering risk, without modifying key business support systems.
Introduction
ACME Manufacturing is a large, distributed, vertically integrated manufacturer with multiple multi-national divisions and contract manufacturers. Their corporate structure is such that there is a parent holding company, and then a set of individual corporations under that, each with its own local management and decisions.
ACME’s key business support system is SAP, operated by the parent company. Each division and contract manufacturer requires real-time access to SAP to manage inventory and work orders. Prior to implementing Agilicus AnyX, ACME achieved this objective with a set of VPN connections, one from each company back to the headquarters data centre. With this VPN setup, ACME faced significant challenges in managing secure access to their shared SAP ERP system. Their existing VPN-based solution was complex, prone to security risks, and hindered operational efficiency.
Weighing heavily on ACME’s board of directors is the recent Clorox cyber attack, which produced 6 weeks of downtime, as well as a recent requirement from a key customer that ACME must hold E&O cyber security insurance.
As a publicly traded entity, ACME is in addition required to comply with the new SEC Regulation S-K Item 106 and Form 8-K disclosure rules on cyber security practices and risk management.
ACME’s objective was to increase security, increase operational efficiency, delegate decisions downwards, but do so in an incremental way without risky changes to their core business system.
Agilicus AnyX provided a transformative secure connectivity solution, addressing ACME’s security concerns, streamlining user access, and enabling seamless integration with diverse systems and workflows, without requiring changes to business workflow or key business support systems.
Objectives And Constraints
Spurred by warnings from CISA, new requirements from the SEC, and high-profile cyber security manufacturing outages such as Clorox, the ACME board of directors and management set out a set of key objectives, and a set of constraints.
Increase Security, Decrease Risk In Manufacturing Environment
The primary objective, above all else, was a dramatic increase in security within the manufacturing environment. Coupled with this was a requirement to lower risk in a way that could be effectively conveyed in the SEC reporting requirements.
Specifically highlighted as a risk was the fully-interconnected mesh of the VPN between all related companies.
Increase Efficiency
ACME felt that their business had some inherent inefficiencies driven by their security architecture. In particular, ACME sought to decrease inefficiencies related to complex connectivity, and to decrease inefficiencies related to shared accounts and account provisioning.
Increase Usage of Modern IT, Cloud Concepts
ACME has a parallel objective, driven by Industry 4.0 initiatives, to increasingly use modern IT and cloud concepts: to leverage big data, and to leverage elastic storage and compute.
Decrease Risk of Cascade Failures Within Business Divisions
ACME specifically highlighted the risk that a cyber security failure, or even simple human error, could traverse from one division to all.
Short Implementation Timeframe
ACME has had bad experiences with ‘transformative’ projects that are long in duration, finding that scope creep and execution risks compound, often failing entirely.
Following modern, agile methodologies, and spurred in no small part by influential business books such as the Phoenix Project, ACME has an objective to go from trial to live within one quarter, to maximise the value of their investment, and minimise the time-risk equation.
Minimise Change, Disruption
ACME wants to keep the scope constrained to only the new technologies acquired, and to avoid either IT changes to existing systems (and the associated risks), or, process changes to their broadly distributed team.
Challenges
Over time ACME has grown, both organically and by acquisition, to be a large company. This growth, and many conflicting historical decisions, create a set of challenges in their environment. Some of these key challenges include:
Complex VPN Infrastructure
ACME today provides VPN-based connectivity from each contract manufacturer, division, and support staff member to SAP, their key business support system.
Managing and maintaining this VPN is a full-time job, requiring security updates to each VPN appliance in each location, rotation of certificates and passwords, as well as periodic debugging when one site, or one external consultant, makes a local configuration change and breaks the inter-connectivity.
In addition, since the VPN is a layer-3 technology, there is a challenge of negotiating overlapping IP addresses with each location. Each 3rd party is reluctant to install and run the VPN solution that ACME has chosen, seeing it as both a licensing compliance issue, as well as a risk to their own business.
Identity Management Issues
Each division of ACME has its own local user base and IT decisions. Some divisions use Google Workspace, some use Microsoft Entra, some use Microsoft Active Directory. ACME’s contract manufacturers and IT support companies also have local decisions. This complex setup makes it challenging for ACME to provide modern single-sign-on to shared resources like SAP. It also makes a universal multi-factor roll out and audit compliance more difficult.
A set of external IT support staff and SAP consultants also pose a challenge, particularly around revoking access. It requires diligence to know when one of those players has a staffing change, and to do the individual work to remove access. Audits have shown periodic lapses in this policy.
Compliance Requirements
As a public company, ACME has a set of compliance requirements to the SEC, to its shareholders, to its customers.
One area of compliance that recently came to light was a requirement in a key customer contract to hold errors and omissions cyber security insurance, which in turn requires ACME to demonstrate multi-factor authentication to key systems, including SAP.
The new SEC Regulation S-K Item 106 requires disclosure of internal controls, risk management and risk governance, which in turn is challenging for a multi-jurisdictional entity like ACME, as each division has its own audit trail and user set.
Operational Inefficiencies
The factory operations make use of Zebra industrial label printers, as well as traditional paper printers for work orders and shipping manifests. These in turn must work with the machines which have access to SAP, meaning they are both on the remote network and the local network. This challenge has meant that ACME has had to forgo being able to print from the embedded Android tablets that are part of the factory floor stations, moving this to fixed locations nearby. This creates an operational efficiency issue.
Managing a second, centralised set of user accounts, shadowing the accounts in each division or partner into the central VPN system, requires a full-time staff member. Adding to the risk, it is common at the end-of-month audit to find HR changes which have not been reported, and thus accounts that are still provisioned. In addition, as divisional leaders hire people or look to work with individual vendors for support purposes, they are slowed down by the requirement to contact central IT to provision the user.
Cybersecurity Risks
In 2023 Clorox disclosed to the SEC a cyber attack which took down their production for 6 weeks. This was one of the first disclosures under the new SEC cyber security risk management rules. This incident, and the resulting SEC Regulation S-K Item 106 has caused ACME’s board of directors to focus heavily on risk and risk management. The star-mesh of SAP is the top risk identified, given its universal usage by multiple companies both first and third party, as well as high impact of an outage. In particular, the VPN mesh with its always-on, no audit, total access is a key item for risk management.
Lack of Standardised Identity System
Some divisions use Google Workspace, while others use Microsoft Office 365. Some contract manufacturers use on-site Microsoft Active Directory. This heterogeneous set of systems, while strong from a security risk standpoint, is challenging to implement multi-factor authentication on, and challenging to enforce consistent conditional access policies on, such as Geo-IP firewalls.
These, and other challenges, caused ACME to commence searching for a way to reduce the VPN risk while avoiding a wholesale IT re-architecture or change.
Agilicus AnyX Implementation
After evaluating options including orchestrated VPN solutions and complex identity cross-federation, ACME chose and implemented Agilicus AnyX.
Key Achievements of the Implementation:
- Single-Sign-On authentication for all users, regardless of role or company
- Simple revocation of rights, integrated with HR systems
- Multi-factor authentication to the factory floor
- Removal of VPN technologies, saving cost, saving risk
- Reduced cyber security risks by fine-grained authorisation, full audit trail
- Reduced risk of cascade failures by removal of unneeded inter-connectivity, unneeded access and permissions
- Increased operational efficiencies
Implementation Overview
Key to the success of the project was the ability to deploy incrementally, and the ability to do so without any configuration changes to the key SAP system supporting the company.
ACME started by deploying an Agilicus connector co-located with their standby SAP system, and testing with their parent company IT staff. Agilicus AnyX, pre-integrated to Microsoft Entra via a multi-tenant Azure Application Registration proved to take nearly zero effort: no software on the clients, only a requirement to list the users and their permissions.
Implementation Details
Moving from this pilot phase, ACME moved into a rapid deployment phase, enabling one division at a time. Agilicus AnyX worked in parallel with the existing VPN, meaning there was no cut-over, and no changes were needed other than enabling the individual users. This incremental, agile roll out was continued to the SAP contractors managing the system, and to the various joint ventures and contract manufacturers.
Each division had made local choices regarding Google Workspace, Microsoft Office 365, and even on-premise Microsoft Active Directory. Each of these became a sign-in option for the users, on a single unified authentication page.
No integration was required: Agilicus AnyX is pre-integrated to Microsoft Entra via a multi-tenant application registration, and is pre-integrated to Google. ACME merely had to select these as options. For the on-premise Microsoft Active Directory divisions, the Agilicus Connector handles the on-premise component, rendering it into an end-to-end encrypted modern OpenID Connect interface as a peer to Entra and Google. Each user merely selects their identity provider, and then signs in with their native credentials in a single-sign-on fashion. This is much stronger for phishing protection, as users see a consistent sign-in experience, with theming, logo, etc.
Once the roll out was underway, ACME then addressed multi-factor authentication. The factory floor locations had no Internet access, so ACME chose to use passkey and USB-based multi-factor. The passkey proved particularly strong, and particularly easy to use. The end-user saw a ‘push’ based notification on their phone. The passkey also uses Bluetooth low energy (BLE) to ensure the phone is nearby, meaning it is resistant to multi-factor attacks such as multi-factor fatigue (where the user clicks yes to all prompts regardless).
Bringing single-sign-on, central identity, with multi-factor this deep into the operational technology, without exposing the manufacturing network to either inbound or outbound network connectivity is a huge improvement in security without sacrificing usability.
The key use case for ACME was seamless interoperability with SAP across all constituents: each division, each contract manufacturer, SAP consultants. This is required to have consistent just-in-time manufacturing and inventory in this vertically-integrated organisation.
To enable this, ACME used the Agilicus launcher, seamlessly wrapping the SAP client for the users of the desktop client, and, the Agilicus Identity-Aware Proxy for the SAP web client. This allowed users to continue to use, without change in workflow, the tool they were used to. The Agilicus launcher opens a browser initially to perform the sign-in, and then continues as normal. No VPN. No networking changes. No desktop changes. No changes in the start-menu icon or workflow.
With the main roll out and multi-factor well underway, ACME then chose to address the work-order and Zebra label printers. These were added to the Agilicus Launcher as a set of local IP/ports, and thus any user with SAP open could print, even without direct connectivity to the printer network. Despite the client having no direct network connectivity to the IT network or to the printer, the printer still shows up as a native device, but only while SAP is open and signed in. No user interaction is required.
This allowed work to move back to the production stations that had formerly been centralised, allowing the Android tablets to once again be part of the SAP workflow (via the SAP web interface).
During the implementation, ACME noted how simple the user management was. No longer was there a strict requirement to disable users in the corporate system when there was an HR change in the division. Additionally, ACME was able to delegate user management to the division HR teams, allowing new hires to be more efficient. The ACME divisions in turn used this ability to provision vendors and integrators for support purposes, enabling narrow, on demand connectivity as needed, reducing mean-time-to-repair.
During the implementation, ACME found several additional unmet needs. A key one, the executive management team in the parent holding company desired access to real-time production dashboards from each division. This had never been possible due to the balkanised identity and access systems. With Agilicus AnyX, this became simple: each executive could directly access, with no VPN, real-time data from each division.
Overall the users were very happy. Single-sign-on with their existing corporate account meant no new password to remember/set/rotate.
For the entire duration of the roll out, there were no changes to any existing business system. SAP worked as-is, users saw it as-is, and security improved. No outages. The entire project was completed in less than 2 weeks.
Benefits and Results
Upon completion, ACME reflected on the benefits and results they had achieved.
ACME had achieved cyber security insurance coverage. By demonstrating multi-factor authentication for the key business system of SAP, they met the requirements for internal compliance and external customers as well as the insurance coverage.
ACME was able to demonstrate to their board of directors their improved risk governance and compliance, freeing up valuable management time to work on other projects.
ACME had mitigated their extreme ransomware risk. By eliminating the fully-connected VPN mesh, they minimised the impact of potential attacks. The blast radius would now at worst be a single division, rather than one contractor being able to inject malware to the entire family.
ACME increased efficiency by empowering division management. Enabling self-service user access management led to less inter-office paperwork and an increase in morale.
ACME was able to reduce their corporate team size by one full-time equivalent (FTE) staff dedicated to VPN user administration, and reduced VPN infrastructure costs by over $500,000 per year due to a combination of support and maintenance payments, VPN licenses, and reduced capital amortisation of the VPN appliance replacements.
ACME enhanced plant floor efficiency. They streamlined printing of work orders and labels directly from manufacturing stations, reducing internal manufacturing overhead and handling costs.
An earlier unmet need, and an unexpected benefit of deploying Agilicus AnyX was enabling real-time data access to corporate executives. These executives gained real-time visibility into inventory and production dashboards that formerly required requesting information manually from the divisions.
ACME improved vendor and contractor access. With Agilicus AnyX, ACME division management can now provision and enable secure, granular access to operational technology networks without needing to interact with corporate IT. Those vendors can in turn use their corporate credentials, and the Agilicus AnyX multi-factor, maintaining compliance and audit.
ACME eliminated the need for shadow accounts for external SAP consultants, reducing their Microsoft Entra costs as well as simplifying their workflow.
Conclusions
ACME Manufacturing’s successful implementation of Agilicus AnyX resulted in significant improvements in security, efficiency, and operational agility. By replacing their complex VPN infrastructure with Agilicus AnyX’s seamless, secure, and user-friendly solution, ACME achieved cost savings, improved compliance, and empowered their workforce.
ACME achieved all of their objectives, within their budget time and risk constraints. Notably:
- Increased Security. Individual users now use single-sign-on corporate credentials, with multi-factor authentication, rather than always-on shared VPNs.
- Increased Efficiency. Printing from the factory floor, no VPNs on desktops. Reduction in team size previously dedicated to managing VPN and shadow-user identities.
- Increased Usage of Modern IT, Cloud Concepts. Divisions are now increasing adoption of Office 365 and Google Workspace, and being able to share sign-in, credentials, and audit trails is simplifying this, and simplifying sharing data in external cloud big data environments.
- Decrease Risk of Cascade Failures Within Business Divisions. Removal and decommissioning of the VPN means that a successful spear phishing attempt in one division, or even simple human error does not become a global issue.
- Short implementation time. ACME was live with the first users within days, and the first divisions within weeks.
- Minimise Change, Disruption. No changes were needed in SAP — no configuration changes, no software changes, no changes on servers, no changes on desktops. Users see the deployment as transparent (with the exception of the simpler sign in experience).
The transformative impact of Agilicus AnyX demonstrates the power of identity-aware access management in modernising and securing complex manufacturing environments without requiring complex architectural changes to the underlying systems.
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7