Securing application access for employees and contractors with a great user experience for seamless work from anywhere
The oldest pharmaceutical company in the world, Tokyo-based Takeda Pharmaceutical Company has more than 60 office and research locations in 110 countries around the world. From its Cambridge, Massachusetts offices, Takeda’s IT team manages systems for its global workforce.
Replaces VPNs with secure remote access from anywhere worldwide
Reaps significant cost savings from retiring network hardware
Simplifies security administration
Improves user experience for both end users and operations
Provides policy-based, secure remote access from anywhere
Displaces VPNs and slashes NGFWs from 320 to fewer than 20
Accelerates the company’s zero trust journey
Now IT can instead provide “an app-by-app type of approach to give folks what they need, and not have to over-provision access. … With the Zscaler Zero Trust Exchange, we’re much more flexible with what we can provide.”
“When we acquired Shire PLC, we doubled the size of the company,” said Mike Towers, Takeda Pharmaceutical Company’s Chief Digital Trust Officer. Tasked with merging the security infrastructure of the two entities, Towers found himself having to integrate an incongruous patchwork of network hardware technologies and protect an even more widely dispersed user base.
The merger led to the creation of a corporate initiative to enable employees to work from anywhere. Towers prioritized four objectives: secure remote access, VPN replacement, better user experience, and a focus on control, regardless of whether a system is on premises or in the cloud.
Fortunately, Takeda had already invested in the Zscaler Zero Trust Exchange and begun rolling out its Zscaler Internet Access (ZIA) service, initially to secure employee internet egress via the cloud and provide employees with a better, more consistent user experience no matter their location or device. But ZIA proved particularly valuable when Towers and his team were confronted with integrating what he called a “quite disjointed” network architecture.
“[The combined company] had about 320 firewalls in local sites, regional sites, core sites, and so on,” recalled Towers. “It was a very, very traditional, on-premises, network appliance-based architecture designed to protect the perimeter.”
Towers knew that this legacy castle-and-moat security infrastructure was already inadequate to provide the desired level of protection against cyberthreats, so the merger just accelerated Takeda’s migration to the cloud. “We were ready to move toward a zero trust type of model,” continued Towers. “We wanted to do that as quickly as possible, so we standardized on ZIA. By doing so, we displaced our next-gen firewalls.”
Implementing a zero trust approach with ZIA and the Zero Trust Exchange gave Takeda greater flexibility in enabling secure employee connectivity via local internet breakouts. “For our tens of thousands of employees spanning over 100 countries, we can apply the same security policies and provide a consistent experience—regardless of whether they are on premises or off,” Towers explained. “Because of that flexibility, Zscaler allows us to improve both user experience and security.”
In an industry built on research, Takeda Pharmaceutical Company relies heavily on internal development, and that requires extensive use of proprietary technologies, applications, and intellectual property. In the past, that dependence on machines that must stay on premises, together with regulatory pressures, had prevented Takeda’s migration to the cloud.
Yet, looking to a cloud future, Towers envisioned a model of remote access for historically on-premises applications. “We wanted to provide secure access to those applications without granting access to the full network,” he said.
Consequently, Towers and his team turned to the Zero Trust Exchange and its Zscaler Private Access (ZPA) service, which provides fast, direct, secure access to private apps and services. The initial ZPA rollout proceeded cautiously, with deployment prioritized by both application and user. Towers also noted that Tokyo-headquartered Takeda — the oldest pharmaceutical firm in the world — is “values-driven,” and shifting to a cloud solution was a bit of a cultural change for the company.
We were ready to move toward a zero trust model. We wanted to do that as quickly as possible, so we standardized on ZIA. By doing so, we displaced our next-gen firewalls.
Deploying ZPA meant that Takeda could accomplish one of the initiative’s key objectives: replacing VPN hardware. “Remote access historically has meant remote network access,” said Towers. “We no longer think that way. … access should be more about the applications and services folks need.”
Besides providing more secure remote access, Takeda wanted to improve the user experience. “ZPA allows us to have the application accessed without somebody having to ever think about whether they must click some other window or some other emulation engine to get to it,” continued Towers. “We want to support that capability as quickly and with as little friction as possible.”
As Towers and his team were progressing with a measured ZPA rollout at Takeda, the coronavirus outbreak hit. Like many multinational companies, Takeda saw its first operational impacts in China, where Towers notes branch offices were still using “legacy VPN infrastructure” on “dated network architectures that made application access and performance quite slow.” The solution? A “quick pivot to ZPA,” led by Towers and team.
But as the urgent need for employee remote access grew, Towers had to figure out how he and his colleagues around the world could sustain business continuity given such “unprecedented” challenges. “We’ve never had a situation where we have so many people working from home,” he says. “You practice for widespread work-from-home quite regularly, but no one practices with everyone doing it at the same time when all their children and families are home.” Access was one thing; managing crowded bandwidth was quite another: “Every worker [at home] is competing with Netflix and Xbox from the kids at the same time, so performance optimization for internet access is something that we’ve had to focus on.”
Towers and team looked at how Takeda users work with internal applications. They shifted Takeda’s “control and provisioning approach” so users would be concerned with which applications they needed to get their work done, and not so much with where those applications might reside. “We don’t want to think that way anymore,” Towers explained. Now IT can instead provide “an app-by-app type of approach to give folks what they need, and not have to over-provision access.”
By leveraging the Zero Trust Exchange and its ZIA and ZPA services, Takeda has achieved what Towers calls “significant cost savings.” Retiring firewall hardware—from more than 320 appliances to a target of just a dozen—and VPN hardware eliminates a lot of future spending on upgrades and maintenance alone. As employees have shifted to local internet breakouts, Towers has also been able to do away with costly networks. “Ninety-eight percent of what [users are] going to is on the internet anyway,” he said. “We can get rid of a lot of expensive WAN links.”
In addition, after struggling with “a lot of niche point solutions,” Towers is now leveraging Cloud Access Security Broker (CASB) capabilities within the Zero Trust Exchange. “Zscaler can help us do more with CASB controls, be smarter with the data, and make better security decisions based on data,” explained Towers. “And because it’s in the cloud, and we’re already sending our traffic through it, we know that it will scale [and] be operationally stable.”
In the past two years, Towers and his IT team have had to adjust (much more adroitly than they could have imagined) to operational obstacles placed in their path. But though Takeda’s secure cloud transformation may be progressing at a faster-than-expected pace within the company, Towers remains optimistic.
“With the Zscaler Zero Trust Exchange, we’re much more flexible with what we can provide and since we’re running all our traffic through it, we know it can scale,” concluded Towers. “This is a good time to be a security professional because you don’t have to worry about trying to balance user experience and security anymore. You can do both!”