Scandinavian Tobacco Group Secures Its Growing Global Operations on the Zero Trust Exchange

Scandinavian Tobacco Group A/S has been making and selling premium tobacco products for more than 250 years. Today, the company represents a portfolio of 200 leading tobacco-related brands, with particular focus on hand-rolled and machine-rolled cigars. 

The company has a vision to become the undisputed and sustainable global leader in cigars, but a legacy network infrastructure wasn’t flexible or scalable enough to adequately support global operations or further expansion. Scandinavian Tobacco Group began a path toward digital transformation, consolidating its network onto private cloud data centers and away from on-premises. Taking steps to modernize its infrastructure also inspired the company to modernize its security with a zero trust architecture.

“In the world of security these days, zero trust isn’t just an ideal option, it’s the only option,” said Erik van Goethem, Lead Solution Architect - IT Infrastructure, Security Strategy & Innovation at Scandinavian Tobacco Group. “We knew that a zero trust security approach was the best way to protect our dynamic and growing  global workforce.”

According to van Goethem, the company’s legacy infrastructure was a “self-built, almost SD-WAN based on side-to-side VPN tunnels attempting to provide both connectivity and security.” This DIY-infrastructure was never going to be a comprehensive solution for a company actively expanding global operations. 

Eventually, Scandinavian Tobacco Group made the full switch to SD-WAN for connectivity, keeping legacy VPN appliances and firewalls in place for security. This still wasn’t an ideal solution for such a geographically dispersed user group. With fixed capacities, traditional VPNs and firewalls struggle to handle high volumes of traffic, are plagued with latency and performance issues, and increase the attack surface. They also lack cloud integration, making them less effective as the company adopts a more cloud-forward approach.

“We had become increasingly disappointed with the stability and functionality issues caused by our VPNs and firewalls,” shared van Goethem. “As our workforce became more mobile and more geographically diverse, those legacy appliances could not keep pace. We needed a next-generation alternative.”

The company wanted a cloud native, comprehensive zero trust platform that could simplify its security architecture, strengthen security posture, and improve the user experience for its workforce. Easy integration with the company’s SD-WAN would be an important consideration. Seamless integration with Microsoft would also be helpful since the company would be using a wide range of Microsoft cloud solutions (Microsoft Azure, Microsoft 365, Microsoft Entra ID, Azure Sentinel, and Microsoft Defender for Endpoint). A zero trust partner with broad geographical coverage to support global operations across four continents was critical.

Scandinavian Tobacco Group chose the Zscaler Zero Trust Exchange as the foundation for its new zero trust security architecture.

“I was not familiar with Zscaler when we started researching zero trust options,” confessed van Goethem. “When I first learned of the Zscaler platform I initially described it as an infinitely scalable, big firewall in the cloud that is always close to the user. That sounded fantastic.”

Though initially interested in deploying the Zscaler platform with only outbound connectivity and security in mind, van Goethem learned that the Zero Trust Exchange could also secure inbound traffic to private applications and resources, as well as provide greater visibility around user experience, overall security posture, and risk assessment.

With a more holistic approach to zero trust easily in reach, van Goethem ultimately decided on Zscaler for Users. Tailored with user access in mind, Zscaler for Users is designed to secure user connections to the internet and corporate resources (both external and internal) regardless of a user’s location. This configuration enabled Scandinavian Tobacco Group to access the broad range of security capabilities available through Zscaler while maintaining focus on user-centric security in a distributed cloud environment.

“Once I had a deeper understanding of the Zscaler platform, I realized it was so much more than a big firewall in the cloud,” recalled van Goethem. “The Zero Trust Exchange would provide our global workforce with secure, fast, and reliable access to resources across any location, and help us achieve a stronger security posture.”

Approximately 10,000 Scandinavian Tobacco Group employees are working in 18 countries. A collection of physical and virtual legacy firewalls—van Goethem estimates around 65 individual appliances—made it challenging to safely and reliably connect such a geographically diverse workforce to the internet and public SaaS applications. 

Physical firewalls are location-bound, so latency becomes an issue for remote users. Virtual firewalls still require manual updates and maintenance just like physical firewalls. Managing multiple firewalls in tandem eventually leads to inconsistent security policies, not to mention that firewalls, in general, typically provide limited security functions and struggle to inspect all internet traffic.

“With an increasingly mobile user group spread across the globe, the threat landscape was evolving,” explained van Goethem. “It started to feel like our legacy firewalls were never in the right places, and making any needed adjustments was always a challenging process.”

Zscaler Internet Access (ZIA) brokers fast, direct connections to the internet and SaaS applications from anywhere. Zscaler delivers security inspection and policy enforcement as close to the end user as possible (from more than 160 edge locations worldwide), eliminating the need to backhaul internet traffic to central data centers for access and security.

The Zscaler platform also includes functionality for cloud firewall protection, URL filtering, TLS/SSL inspection, and advanced threat protection. Important security measures that would previously require multiple point products are now managed as part of the comprehensive Zero Trust Exchange.

Scandinavian Tobacco Group installed Zscaler Client Connector on all managed devices to enable even greater security controls for connectivity. Client Connector automatically determines if a user is trying to access the web, a SaaS application, or an internal private application, and then routes traffic to its destination via the Zero Trust Exchange. Having Client Connector installed early in the Zscaler deployment will also make it easier to implement and manage additional Zscaler services as the company’s zero trust architecture evolves.

“Zscaler allows us to operate with greater flexibility. No matter where a user is working, they can safely and seamlessly connect to the internet,” said van Goethem. “Not having to manually configure and update multiple firewall appliances makes it easier for us to establish and enforce more consistent access policies.”

Operations at Scandinavian Tobacco Group are managed worldwide across 12 production sites in Central America, Europe, and Asia, 18 sales offices in North America and Europe, and corporate headquarters in Denmark. The company’s global footprint continues to grow through strategic acquisitions. The result is a steady increase in already demanding access needs for private applications and internal data.

Legacy VPN appliances are not suitable to meet these needs. Traditional VPNs struggle to handle growing usage demands across multiple global locations and are ineffective at supporting remote work or third-party access. VPNs typically provide broad network access and make it challenging to implement least-privileged access controls across a globally dispersed workforce. They are also regularly subject to vulnerabilities: a problem for a device that typically relies on internet reachability in order to function.

Scandinavian Tobacco Group replaced its legacy VPN appliances with Zscaler Private Access (ZPA). ZPA eliminates the need for VPNs by directly connecting users only to the private applications they are authorized to access, rather than connecting users to the network as a whole. The company’s private applications and data, hosted between Microsoft Azure and on-premises data centers, are hidden behind the Zero Trust Exchange, making them invisible to threat actors and minimizing the attack surface. User identity and device posture verifications are enforced before inbound connections are established. Microsegmented application access prevents lateral threat movement.

While there is a need for safe remote work capabilities as the company evolves its hybrid workforce, supporting secure on-premises work across physical locations is equally important. “We maintain local data centers in our factories because the internet is not always reliable in those geographic locations,” explained van Goethem. “It didn’t make much sense to route traffic from our file server in a Dominican Republic factory to somewhere else, likely in the US, and then back again. We wanted to keep traffic local to reduce latency, but we didn’t want to compromise security posture. The company deployed a Zscaler Private Service Edge (PSE) at 12 Scandinavian Tobacco Group locations to provide consistent experiences for both remote and on-premises users. A Zscaler PSE essentially extends the capabilities of the ZPA service to the on-premises environment, optimizing performance, security, and compliance for local traffic. 

“Zscaler allows our users to access essential private resources from anywhere with consistency and transparency,” said van Goethem. “It doesn’t matter if a user is in the office, at a factory, or a remote location. On the Zero Trust Exchange, every user across any location is protected by the same rigorous zero trust access policies.”

With outbound and inbound user traffic secured through the Zero Trust Exchange, van Goethem wants to fully leverage all the features offered with the Zscaler for Users configuration.

Deploying Zscaler Digital Experience (ZDX) helps van Goethem further optimize the user experience across the company’s various locations. ZDX provides end-to-end visibility from user to application for easier monitoring across devices, networks, and applications. With AI-powered root cause analysis for all performance challenges, it takes less time for the Scandinavian Tobacco Group service desk to identify and resolve problems. In fact, user issues are often resolved before they can noticeably impact workflow. As a result, van Goethem estimates that support requests have dropped by 50% since the Zscaler deployment.

“Zscaler makes troubleshooting so much easier,” explained van Goethem. “We no longer need to check all kinds of switches, firewall logs, or VPN logs because there is literally one place to look. We have comprehensive visibility into user activity and application performance on the Zscaler platform.”

Scandinavian Tobacco Group frequently works with external partners, suppliers, and consultants. Adding Zscaler Privileged Remote Access to its Zscaler configuration allows the company to enable secure access to private applications and data for third-party users without the need to install agents on individual devices. This secure, clientless access eliminates the friction associated with traditional VPNs and improves productivity for a distributed workforce that includes external partners.

With increased demand for remote and third-party access to private applications, van Goethem wants to take proactive measures to increase visibility into threats inside the network for Scandinavian Tobacco Group. Zscaler Deception enhances threat detection by adding deception-based active defense to the company’s zero trust architecture. Deception detects compromised users and lateral threat movement to provide valuable threat intelligence when malicious actors attempt to access infrastructure. These advanced threat insights enhance protection for users and applications as well as strengthen security posture. 

“Even with zero trust protection in place, there is still an element of user error to contend with,” said van Goethem. “Sometimes, a user will still click on something they shouldn’t and a single workstation will get nuked. But with Zscaler, it stops there—any lateral spread is completely gone.”

Because maintaining holistic zero trust security is a dynamic process, not a one-time upgrade, van Goethem is already considering next steps for Scandinavian Tobacco Group. He plans to deploy additional Zscaler solutions in the coming months to ensure all facets of the company’s global operations are protected under a unified zero trust architecture.

Zscaler Zero Trust SD-WAN will function alongside the company’s existing SD-WAN infrastructure to facilitate secure connectivity between more than 30 global Scandinavian Tobacco Group branches, campuses, and factories. Zscaler Cloud Connector will extend zero trust protection to every cloud environment and data center the company works within to ensure consistent security policies for cloud workloads and applications. This combination of Zscaler solutions will further reduce the complexity of the organization’s security architecture and add another powerful layer of protection across a global network.

Deploying Zscaler Risk360™ can expand risk awareness at Scandinavian Tobacco Group. This comprehensive quantification and visualization framework will provide a holistic, data-driven assessment of the company’s top risk drivers, giving van Goethem even greater capacity to protect the company against data loss. A diverse range of additional reporting capabilities will help him better communicate about cyber risk and data loss prevention mitigations with the company’s leadership and board.

Zscaler Cloud Browser Isolation will offer further protection against web-based threats by creating a secure barrier between user devices and web content. By controlling actions like copy-paste, printing, and file downloads, Cloud Browser Isolation protects against data leakage on both managed and unmanaged devices. Users will have a near-native browsing experience without noticeable differences, while the company maintains zero trust security protocols.

“With our legacy security architecture, implementing new solutions was always stressful for the IT team and our users because even the smallest change could have such an intrusive effect on daily workflows,” reflected van Goethem. “The Zscaler platform makes it possible to continually evolve our zero trust security protocols without tangibly affecting the user experience.”

Mergers and acquisitions (M&A) is a core strategy supporting the company’s goal of becoming the undisputed global leader in cigars. Strategic M&A is not just a means to strengthen market position and expand global reach for Scandinavian Tobacco Group, though. It’s also a way for the company to protect the history, heritage, and craft of producing premium cigars, preserving the art for future generations of consumers.

Scandinavian Tobacco Group actively works to acquire strong, niche brands and companies that demonstrate outstanding craftsmanship in the world of tobacco products. In just four years, the company has completed seven successful acquisitions, adding brands like Royal Agio Cigars, Alec Bradley Cigars, La Perla Habana, and Mac Baren Tobacco Company.

As Scandinavian Tobacco Group continues to grow its global brand portfolio, Zscaler will simplify and expedite the process of integrating newly acquired brands into the company’s zero trust security infrastructure.

Before deploying the Zero Trust Exchange, van Goethem had to manage multiple tasks for each and every new brand acquisition, including steps like establishing connectivity, setting up controlled firewalls, defining IP addresses, determining domain routing, and installing site-to-site VPN appliances. According to van Goethem, initial onboarding for additional users at a newly acquired brand could take at least two weeks, and in some cases a month or longer. Not only did this onboarding process require higher one-time IT costs and effort; it could also increase the attack surface. 

On the Zscaler platform, initial onboarding for additional users at a new brand is as simple as adding Zscaler Client Connector to the user device, creating a user profile, and granting the user access to the ZPA solution—steps van Goethem and his team can complete in just one day. Onboarding new users is roughly 93% faster with Zscaler, and that speed doesn’t require any compromise to the company’s overall security posture. New users are protected by the same zero trust access and security controls as established users from day one, so the attack surface remains stable and shielded.

“The Zscaler platform will undoubtedly make future M&A efforts at Scandinavian Tobacco Group easier,” said van Goethem. “The scalability of the Zero Trust Exchange gives us the flexibility to expand the global brand portfolio, efficiently and with agility, while also maintaining our secure edge.”

Scandinavian Tobacco Group has leveraged the Zscaler platform to streamline its security infrastructure. The company has retired 65 firewalls and decommissioned six client VPN boxes, instead creating a zero trust security architecture built upon the comprehensive, singular Zero Trust Exchange.

Despite a streamlined security stack, the company has realized a stronger security posture. In a recent quarter, Zscaler processed more than 1 billion transactions and nearly 90 TB of traffic for Scandinavian Tobacco Group, preventing 16 million policy violations and blocking more than 260,000 security threats. Of the traffic processed, 93% was encrypted. Legacy solutions would have struggled to detect and inspect that encrypted traffic, but Zscaler detected and blocked more than 123,000 encrypted threats.

Before discovering the Zscaler solution, the company had been considering a switch to zero trust for a few years, but there were lingering concerns about how to implement such a robust security approach in a seamless way. “We knew that zero trust was the best way forward, but the concern was always how to implement zero trust security in a way that didn’t disrupt the daily experience for our workforce,” shared van Goethem. “Those concerns kept us stuck in a legacy security infrastructure until we found the Zscaler platform.”

Zscaler technology gave Scandinavian Tobacco Group the confidence to push past those concerns and finally embrace zero trust. “Zscaler gave us every resource we needed to build a modern, holistic zero trust security architecture that is easy to manage and effective at protecting our users,” concluded van Goethem. “Zero trust security at Scandinavian Tobacco Group, powered by the Zero Trust Exchange, doesn’t make things complicated—it makes things possible.”