Cloud Journey at Siemens: Cyber security pioneers on the trail of the “next big thing”

"In the past, the cloud was deemed to be insecure, but today this is exactly where security development is taking place," says Thomas Müller-Lynch from Siemens. In this report, our colleague Dr. Andreas Künsken, who is supporting Siemens with its various projects together with Dr. Jan Ciupka, explains how he embarked on an early path to the cloud with his team and the consultants from Comma Soft, and also what further developments Siemens is aiming for as a cyber security pioneer.

300,000 employees at 125 locations in 43 countries all sharing the common goal of transforming the everyday. It is under this objective that Siemens is developing the very latest technologies to accelerate digital transformation, reinvent companies and entire industries, and make them more sustainable. Its portfolio spans everything from resource-efficient factories and resilient supply chains to smart buildings and power grids, low-emission trains and cutting-edge healthcare. The globally networked collaboration that takes place among Siemens employees requires digital tools and processes – something that poses unique challenges for such a complex company: “Today, ever more apps and processes run in the cloud or through software as a service (SaaS). This presents us with different security and infrastructure issues than those we faced ten years ago, when everything was still running on on-premises software,” recalls Thomas Müller-Lynch, who, as Global Director Digital Identities for IT, is helping to shape the cloud and cyber security transformation at Siemens. “The cloud used to be considered insecure, but today it is precisely there that security development is taking place”, he adds. “The situation has undergone a 180-degree shift. This is something we need to respond to as part of our security and cloud strategy.”

Key facts about Siemens

Project phases with Comma Soft

  • 2013 Migration of Legacy AD
  • 2017 Microsoft 365 global rollout
  • 2019 Enhancement Azure AD & Microsoft 365 Security
  • 2020 Cyber security in line with the Zero Trust principle

Access management

  • 590,000 internal & external users worldwide
  • 360,000 groups
  • > 2,500 applications
  • > 800,000 devices
  • 190 million login events per day

NextGen AD: Kick start towards the cloud

A glance back into the past clearly reveals that “reaction” was not really on the agenda. As early as 2013, Siemens recognized long before many other companies that a redesign of the then on-premises Active Directory was necessary. “We had 250 locations worldwide for our AD at that time. Hardware, maintenance, upgrades: all of these things were necessary for each of them. The infrastructure was so complex that it lacked the scalability, performance, reliability and access security we needed for our day-to-day work at Siemens. By consolidating and transitioning to our NextGen AD, we were able to solve this,” says Thomas Müller-Lynch, outlining the catalyst for the transformation. Today, there are only 50 on-premises software locations, with further reductions planned. “When we initiated the project, the goal was very clear to us, but the path itself was not. A project of this scale and magnitude had simply never been implemented by anyone at the time – it was totally uncharted territory. This meant that we needed support from very specialized experts with extensive expertise on cloud, identity management and cyber-security. This was the beginning of the partnership with Comma Soft,” says Thomas Müller-Lynch.

Comma Soft supported Siemens in the design and concept of the complete architecture of Active Directory and Azure AD and is still very much part of the team when it comes to ongoing optimization. That the decision taken back then to migrate AD made perfect sense is repeatedly evident today, confirms Philipp Bergmann, Senior Key Expert for IT Security & Senior Global Identity Architect at Siemens: “Even if the cloud is advantageous from an IT security perspective, in the end it is always the business that decides whether specialist applications run in the cloud or on on-premises software. We have created the prerequisites for both. The location where an app is hosted should not make any difference to the user. The authentication process should be fast and simple, and security must be guaranteed simultaneously. I always feel with Comma Soft, compared to other partners, that we can speak about our goals at eye level and are understood immediately.”

Next step: Modern Workplace

After the identity & access management was mapped, the ground was clear for the global rollout of Office 365 and the “Enhanced Microsoft Security” project. This made the Modern Workplace a reality for Siemens employees well before the pandemic-induced switch to digital, location-independent working. “It was relatively early on that we bid farewell to the intranet as the central and sole factor determining access to an application or information. Instead, we can gain access from anywhere and with any company device – whether in the office or when working mobile from home – if certain criteria are met,” says Philipp Bergmann. These criteria include, for example, location, device, authentication strength, and previous access attempts, which allow conclusions to be drawn regarding identity. However, this also means that the identity of employees may be checked more regularly than in the past when they change devices and locations. This verification usually happens in the background, so that users do not even notice it in the majority of cases. From a security point of view, this makes sense, but for users it means a change that needs to be understood. This is not a major problem, however, according to Philipp Bergmann at Siemens: “Our internal communication is excellent and engenders acceptance among the workforce when changes like this occur.”
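The access criteria named above (location, device, authentication strength, previous access attempts) are the inputs of a conditional-access decision. The following is an added illustration, not code from Siemens, Comma Soft or Microsoft: a small policy engine that turns those signals into allow, step-up (demand a stronger factor) or block, and records the reasons so the decision can be audited. The `Policy` thresholds, the `SignIn` fields and the sample attempts are all constructed for this example; real tenants express these rules in their identity provider's conditional-access configuration rather than in application code.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after a stronger authentication factor is presented
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    """One access attempt as a conditional-access engine sees it (constructed fields)."""
    user: str
    app: str
    country: str            # where the request originates
    device_managed: bool    # device enrolled in, and compliant with, company management
    auth_strength: int      # 1 = password only, 2 = MFA, 3 = phishing-resistant MFA
    recent_failures: int    # failed attempts by this user in the recent window


@dataclass(frozen=True)
class Policy:
    """Hypothetical per-application policy; thresholds are illustrative, not Siemens' values."""
    min_auth_strength: int = 1
    require_managed_device: bool = False
    max_recent_failures: int = 3
    known_countries: frozenset = frozenset()


@dataclass
class Result:
    decision: Decision
    reasons: list = field(default_factory=list)   # audit trail for the security team


def evaluate(policy: Policy, attempt: SignIn) -> Result:
    """Combine the risk signals into a single decision for this attempt."""
    reasons = []

    # Hard stops first: a lockout condition or a non-compliant device on an app that
    # demands one is never compensated by a stronger factor, so these block outright.
    if attempt.recent_failures > policy.max_recent_failures:
        reasons.append(f"{attempt.recent_failures} recent failures exceed {policy.max_recent_failures}")
        return Result(Decision.BLOCK, reasons)
    if policy.require_managed_device and not attempt.device_managed:
        reasons.append("policy requires a managed device")
        return Result(Decision.BLOCK, reasons)

    # Risk signals raise the authentication strength required for this attempt:
    # an unfamiliar location or an unmanaged device means at least MFA.
    required = policy.min_auth_strength
    if attempt.country not in policy.known_countries:
        required = max(required, 2)
        reasons.append(f"unfamiliar location {attempt.country}: MFA required")
    if not attempt.device_managed:
        required = max(required, 2)
        reasons.append("unmanaged device: MFA required")

    if attempt.auth_strength < required:
        reasons.append(f"auth strength {attempt.auth_strength} below required {required}")
        return Result(Decision.STEP_UP, reasons)
    reasons.append("all conditions satisfied")
    return Result(Decision.ALLOW, reasons)


# Constructed sample: a permissive policy for mail and a strict one for an HR application.
MAIL_POLICY = Policy(known_countries=frozenset({"DE", "US"}))
HR_POLICY = Policy(min_auth_strength=3, require_managed_device=True,
                   known_countries=frozenset({"DE"}))
POLICIES = {"mail": MAIL_POLICY, "hr": HR_POLICY}

SAMPLE_ATTEMPTS = [
    SignIn("alice", "mail", "DE", True, 1, 0),   # office, managed laptop, password only
    SignIn("alice", "mail", "BR", True, 1, 0),   # same user, unfamiliar country
    SignIn("alice", "mail", "DE", False, 1, 0),  # unmanaged device from a known country
    SignIn("bob", "mail", "DE", True, 2, 5),     # too many recent failures
    SignIn("bob", "hr", "DE", True, 2, 0),       # HR app wants phishing-resistant MFA
    SignIn("bob", "hr", "DE", True, 3, 0),       # satisfies the strict policy
]


def run_sample() -> list:
    """Evaluate every constructed attempt and return (user, app, decision) triples."""
    return [(a.user, a.app, evaluate(POLICIES[a.app], a).decision.value) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        result = evaluate(POLICIES[attempt.app], attempt)
        print(f"{attempt.user:>6} -> {attempt.app:<4} {result.decision.value:<8} {'; '.join(result.reasons)}")
```

Two points match what the article describes: the background re-check on a change of device or location appears as a step-up rather than a block, so the user only notices when a stronger factor is actually demanded, and the reasons list is what makes the silent decisions reviewable afterwards.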


Next Level: Zero Trust

With its implementation of the “Enhanced Microsoft Security” project, Siemens once again proved to be ahead of its time: As a result, the groundwork was laid for cyber security based on the Zero Trust principle. All access attempts are checked, including those between applications. This elevates security to the next level, but also requires further optimization when it comes to the speed of the check and usability. For Thomas Müller-Lynch, it is obvious why Comma Soft is also supporting the group in this endeavor: “The Microsoft expertise and the wealth of knowledge that we need for our projects is generally hard to find among consultants to the same extent. On top of that, we also require new knowledge about new technologies and concepts that have seldom been implemented before, or at least not on the same scale. This is challenging, not everyone can do it.” It is with this support that Siemens now intends to continue the cloud and security journey: The plan is to move even more applications to the cloud, optimize performance and deploy Zero Trust in operational technology (OT). “We’re always looking for the ‘next big thing’. This is how we are getting closer and closer to our goal of cyber security,” agree Thomas Müller-Lynch and Philipp Bergmann.

Would you like to learn more about how Siemens and other companies are tackling the issues of cloud and cyber security, or would you like support in implementing them yourself? Please feel free to contact Dr. Andreas Künsken or Dr. Jan Ciupka and their colleagues: you can get in touch with them here.