NEC Corporation is a multinational IT and electronics company that provides IT and network solutions—including cloud computing, AI, IoT, and telecommunications hardware and software—to enterprises, service providers, and government agencies. NEC is also Japan’s biggest vendor of personal computers.
Provides secure web access any time, anywhere, with unified policy enforcement worldwide
Guarantees better performance for users (e.g., reducing download times by 60–70%)
Reduces the need to constantly invest in managing increased traffic
Automatically improves connectivity for critical business apps, such as Microsoft 365
Handles traffic with infinite scale and ultra-low latency
The decisive factor in adopting Zscaler was that it enables secure web access from anywhere, at any time. We were also able to provide a unified security policy across domestic and overseas locations.
NEC Group is a global “social solution business” that co-creates with customers and society to promote safety, security, efficiency, and fairness. While aiming to support an efficient, sophisticated society in which we can live harmoniously, NEC Group is also accelerating efforts in work style innovation and digital transformation, shifting the entire IT environment to the cloud as well as promoting a multi-device operation to foster collaboration and productivity in the digital space.
The main idea was to migrate network infrastructure, including the internet gateway (web proxy/sandbox). “A secure cloud environment is essential to realizing a work style not constrained by time or place,” said Takeo Tagami, General Manager of the Management Information Systems Division at NEC.
Revisiting the situation at the time, Tagami said: “When considering an environment where employees access the internet from both inside and outside the company, encryption of web traffic makes it difficult to detect various cyberattacks and malware downloads.”
When the company’s internet communication was inspected, Tagami said, “About 90% of web traffic was already SSL. No matter how much you monitor web traffic using conventional security solutions, if you can’t see the SSL communication, it means that the content being communicated is hidden. Also, we found out that approximately 80% of malware communication was using SSL, which is often used for cyberattacks. So at that time, security solutions that did not support SSL visualization could not detect malware.”
“When upgrading the internet gateway, we focused on answering the question: ‘What do we want to achieve?’ One thing was to ease internet traffic by significantly shifting the IT environment from on-premises to the cloud. That is to say, application performance will not be interrupted by security regulations and will be able to facilitate and maintain a user-friendly state that does not result in diminished responsiveness even when the traffic drastically increases.”
“Another thing was to enable analysis necessary to inspect web access for the purpose of strengthening security, and rapidly respond when cyberattacks occur. These two factors are the cornerstones for achieving both comfort and security. None of these could be achieved with traditional security solutions until now,” said Mr. Tagami.
“In addition, the focus was placed on extending this value to overseas locations around the world in an effort to achieve the same security policy and countermeasure level. We did not consider deploying security solutions in Japan first and then later deploying to overseas locations, but planned to deploy on a global scale from the beginning, targeting a security solution that can adopt a globally unified environment.”
[With the Zscaler Zero Trust Exchange,] we can deploy the same secure environment designed at the head office in Japan to overseas locations.
In July 2017, the company decided to introduce the Zscaler Zero Trust Exchange as its secure web gateway (SWG). Zscaler Cloud Security provides secure web access any time, anywhere, with unified security policy enforcement both in Japan and overseas. These elements of global performance and security played crucial roles in the decision-making process.
“In a nutshell, the ability to enable SLA for improved response performance, which is essential to realizing comfort and being able to use the same tenant with the same settings at the nearest service data center from the global internet environment, was key to achieving both comfort and security as we expand globally,” said Natsuo Tanaka, Manager of the Management Information Systems Division.
“The conventional approach was either to consolidate internet access in Japan (to have the web access environment built and operated in Japan while enabling access from overseas locations), or to set up a web access environment in overseas locations in accordance with the policies established in Japan. However, the aggregation of internet traffic results in performance degradation, which nullifies comfort. In addition, individual operations at overseas locations have created variations in security response levels (the number of cases in these locations is lower than the number of cases in Japan).
“To realize our security concept, we used the globally distributed DC of Zscaler to enable secured responses in a distributed manner, and centralize security management. The company deployed the Zscaler Zero Trust Exchange in October 2017. By utilizing our know-how as a system integrator for many years, we built a system which entailed setting up a cloud environment, building communication equipment that facilitates connectivity from the company's network, with the help of the Zscaler security solution as well as internal support.
“When creating the migration scenario, we leveraged Zscaler’s various functions and know-how. Also, when upgrading the environment for 100,000 users, it was necessary to minimize the task of end users as much as possible. We achieved this by combining our accumulated power: a network solution and the Zscaler solution. Although the adoption of the Zscaler solution was venturing onto new grounds for us, it has provided us with enormous support.
“Through a proof of concept and user acceptance test, we created a viable migration scenario. And for the last three months, we spent some time on user acceptance testing and went live in April 2018.
“The final switch was not for each location or organization, but for all domestic locations—we switched user traffic for approximately 100,000 employees simultaneously. In doing so, we reduced employees' PC settings significantly, and contrived ways to silently install certificates for SSL visualization. Also in the unlikely event of trouble, we can switch back to each destination and each connection without bothering employees and minimize the impact on our business.”
After launching Zscaler Zero Trust Exchange in April 2018, there were some challenges due to the scale of migration. Continued measures were necessary after the transition. However, many users indicated that they didn’t notice the web proxy had been changed. This was good feedback for the members of the transition team, who had tough days before and after switching.
“The challenges faced during transition were a cause for concern, but we eventually moved into a stable period characterized by smooth internet connection and improved speed, most importantly during peak periods, which were prone to slow internet connectivity and slower speed. It was nice to know that the users noticed this improvement and appreciated the efforts we put in.
“Also, there was the benefit of SSL visualization. By enhancing comfort while maintaining security, such as releasing technical SNS sites for research and developers and releasing YouTube for viewing business videos, which were previously restricted, many users’ perception of the IT initiative adopted by the information system department changed. We appreciate that we were able to realize this concept by selecting Zscaler and contributed in offering our users more value.”
Web access response has improved to the level where it can be proven quantitatively. This has improved productivity in the company at large.
“NEC has 110,000 employees in Japan alone, and with the existing on-premises solutions, it has always been a game of cat and mouse to handle the increasing traffic. Although we had initially improved our response level, it deteriorated significantly after several years. This triggered user complaints about the network. After switching, the download time was reduced by 60-70%—Zscaler Zero Trust Exchange guarantees improved response performance to users. Therefore, reducing the need to constantly invest in managing increased traffic is a huge benefit for NEC.
“Although web traffic doubled after a year and a half, we’re still maintaining favorable conditions. This goes to show Zscaler’s great value with respect to ease of use, which guarantees increased performance without the need for additional investment. Also, in the past, some content was invisible due to SSL communication, and we could not control/monitor in detail. For this reason, the only option was to block all useful sites and give full access to some users who desperately needed to perform their jobs, but at risk.
“With the Zscaler Zero Trust Exchange, it is possible to flexibly respond to incidents, such as allowing only authorized users to log in and browse, but prohibiting random file upload. Also, depending on the cloud service, it’s possible to allocate different domains and URLs to each company, and we can select to allow full access to the company’s URL, allow access to the competitor’s URL when relevant departments request authorization, or prohibit the upload of free account URL that may be exploited by shadow IT or malware.
“In addition, since the contents of the web access log can be checked in detail using SSL visualization, we have changed the rules for reliable IaaS from ‘regulating because we don’t know what they’re doing’ to ‘no pre-regulation based on monitoring.’ By visualizing SSL communication, we switched from the inconvenient state of prioritizing regulations on the risk side to a policy of using it freely, exercising control flexibility and secure status monitoring.
“The SSL visualization technology offered by the Zscaler Zero Trust Exchange has gone a long way to improve employee comfort and security.”
Following its domestic expansion, NEC began full-scale implementation of the Zscaler Zero Trust Exchange in overseas locations in April 2019. As of December 2019, the number of overseas users reached 6,000, and the company aimed to deploy to 15,000 users by the end of 2020.
“Until now, the policy for internet security management at overseas locations was developed in Japan, but the actual operation was left to the locals. As a result, the level of response was unassessable, and monitoring was challenging. There were some locations where we found it difficult to determine whether or not any security incident occurred, limiting our coverage of individual locations.
“However, the Zscaler Zero Trust Exchange does not require local equipment installation, and it allows us to directly see the communication status/malware detection status at all deployed overseas locations. It’s easy to see which country’s network is dangerous or secure.
“According to the company’s internal rules, reporting is necessary when a security incident occurs. But this is only possible when we can detect and understand the cyberattack itself. If we cannot detect it, we cannot confirm its presence, which means we are unable to respond or establish a report.
“Moreover, advanced analysis technology and know-how are required to detect increasingly sophisticated cyberattacks. By visualizing the local situation and globally expanding the sophisticated analysis system originally operated at the head office, we’ve been able to speed up risk detection and local alerts. Also, malicious communication can be promptly cut off centrally.
“If you want to deploy this kind of security infrastructure to overseas locations using on-premises solutions, you have to replicate the exact same solution at the headquarters in Japan in each overseas location. Aside from large-scale locations, it will be unrealistic to execute this in locations with very few employees.
“By simply connecting from existing local communication equipment or installing an application, Zscaler can provide a secure environment across all overseas locations similar to the environment designed at the headquarters in Japan. When looking at infrastructure deployment and maintenance, this is a very efficient option.”
In the future, the network will change significantly. To drive a cloud-first strategy and multi-device usage, NEC Group is shifting its structure from the conventional on-premises data center-centric solution to a cloud-centric solution. The shift will mainly be to IaaS and PaaS, and some will remain on-premises.
System-to-system communication that was previously executed at the data center, including the system that moved to SaaS and the company’s cloud environment, will be distributed on a different basis in the future.
“At the end of 2019, about 100,000 employees moved to Microsoft 365, and Zscaler’s control function for Microsoft 365 automatically improved connectivity. It was a very large traffic transition, but there were no performance problems.”
In addition to SaaS, the use of cloud platforms such as IaaS and PaaS will be accelerated in the future.
“We believe that NEC Group employees will be able to use secure internet services from multiple devices wherever they need it, instead of using internet services on the intranet.”
In doing so, easy internet access should not be compromised, even for security’s sake. Compatibility is a prerequisite. The Zscaler Zero Trust Exchange is responsible for monitoring internet access on a per-network and per-user basis, managing it by policy, and dynamically determining which cloud service will be used by which user.
Standard business tools such as email schedulers; video conferencing; collaboration tools like SNS and Microsoft 365; or core systems like Salesforce, accounting, SCM, sales management, and more will shift to SaaS. Corporate IT needs to consider the migration of individual systems specialized for developing their environment and business. The shift will mainly be to IaaS and PaaS, and some will remain on-premises.
Zscaler CASB will monitor and manage cloud-to-cloud communications in the future, adding more value to the solution.
NEC Group has three pillars:
“To achieve these, internet connection will be the core function of the corporate network. By introducing the Zscaler Zero Trust Exchange, which manages our network boundary with the cloud, it does not only serve as a tunnel to facilitate migration to the cloud, but we have also positioned it as the core infrastructure for cloud utilization.”