Background and challenge
Our client is a prominent producer of carbon fiber reinforcements and resin systems, and the world leader in honeycomb manufacturing for the commercial aerospace industry. With over 20 plants across the world, employing nearly 5000 people, the client maintains its own global WAN to support its local and centralised IT functions that are essential to deliver hundreds of products offered in multiple markets across the globe.
The client has an ongoing strategy towards innovative IT across its manufacturing and go-to-market activities. To protect its IT infrastructure, the client had successfully maintained around 40 firewalls within an integrated content security platform from Check Point that had performed well for many years.
However, the client started experiencing performance degradation with these platforms with each newly released software update that required increased system requirements. This resulted in the firewalls not being capable of running some of the advanced features such as IPS along with inconsistencies within its management platform. Due to these challenges, the client’s IT team began exploring options to upgrade the legacy security platform deployed across 20 sites.
The client brought in ANSecurity, a long term and highly trusted partner, as a consultant on the project to provide independent guidance and implementation expertise. After discussions with Check Point, it was felt that upgrading the proprietary Check Point appliances – that were also due to reach End-of-life (EOL) within a few years – was prohibitively expensive for only limited benefit.
As a longer-term strategic goal, it was also decided that its firewall and related cyber security controls would be better deployed on non-proprietary hardware appliances – and where applicable, as fully virtualised appliances offering better value with more flexibility.
Solution and process
With this decision made, the client decided to explore alternative vendors to Check Point. The client approached ANSecurity, as a certified partner of the three vendors it was considering namely: Check Point, Palo Alto Networks and Fortinet – for guidance.
To kick-off the project, ANSecurity conducted a Platform Suitability Assessment (PSA). This independent process has been developed by ANSecurity over several years to capture and understand the “high level” business case for any deployment of security controls and technologies. The methodology combines business need analysis and industry best practice and is aligned against a deep technical understanding of the client environment. These are then tracked against each vendors technological solutions, integration capabilities, pricing, deployment options – and longer-term product roadmap.
The Platform Suitability Assessment created a detailed report to help the client make the final decision that helped it select a virtualised and highly available next-gen firewall solution from Palo Alto Networks. This was combined with its cloud-based Wildfire services which utilises static analysis, machine learning, sandbox environment, and ingestion of threat intelligence from global sources to guard against known and previously unknown zero-day threats.
Based on the PSA, the transition offered a comparable set of features and performance to the equivalent Check Point migration path but with a 42% cost saving – along with a rapid time to implement. The PSA also formed the basis for the second phase of the project – a Check Point Environmental Assessment (CPEA) that allowed ANSecurity technical teams to create a high-level scope of work, design, and build of materials (BoM) for the project.
At this point, the client was impacted by the global pandemic and was dealing with several internal pressures such as health and safety requirements, remote working and impact to its supply chain. As a result, ANSecurity were tasked with delivering the major migration project at sites across 9 countries spread across 3 continents within a 4-month period.
This stage included the design, implementation, testing with knowledge transfer for the entire project as well as ongoing professional services. As part of this task, ANSecurity needed to capture and migrate the complex rules, processes and polices from across the legacy Check Point security infrastructure and map these against the new Palo Alto environment. The team used existing migration tools and built its own configuration migration scripts plus extensive manual transposition stages to ensure that it could replicate the processes at each site – with as little downtime as possible – but with the highest levels of reliability.
Over the 4-month process, ANSecurity transitioned 20 sites from the legacy Check Point hardware to the new Palo Alto platforms. This also included the deployment of ancillary technologies such as Minemeld and user ID agents, plus extensive system documentation and testing elements.
During the project, downtime per site was reduced to an average of just 38 minutes as the teams swapped between the parallel running systems – and then tested each deployment against a broad security assurance model.
The migration was completed globally for the client within the 4 month target and ANSecurity provided a ‘Go-Live’ support package that included training workshops for in-house IT stakeholders as part of the ongoing knowledge transfer inherent within the overall project plan. This was supported by ad-hoc troubleshooting with the client’s network and security team over a 4-week period to iron out any inconsistencies before final sign off.
Results and benefits
The successful migration has delivered a more secure environment, removed performance issues and delivered a scalable platform that aligns with the client’s desire to move to a more hardware-independent security posture. The cost saving versus the originally scoped move to newer Check Point platforms was calculated as 42% – including all professional services and training elements – and the customer describes the project as “…an absolute triumph.”
“ANSecurity not only found a solution to the current problem that we as a business had, but they then built an implementation plan which gave us the luxury of a period of stable running. We felt that as a joint team, we learned a lot along the way, and really enjoyed working together. Top marks,” says a senior member of the clients IT team.
Although impacted by a global pandemic, the project highlights the value of a vendor agnostic approach that an independent security specialist such as ANSecurity can offer through practices such as a Platform Suitability Assessment and vendor-specific Environmental Assessments.
By maintaining certification and deep technical plus implementation knowledge of key endpoint security vendors, ANSecurity was able to provide impartial guidance backed up by an actionable plan to deliver the transition in line with the client expectations.