Siemens Empowers Its Global Workforce and Factories with Zero Trust Transformation

Letting go of legacy security to enable greater business flexibility

Originally founded in 1847 as a small electrical engineering workshop, Siemens AG is now widely recognized as one of the world’s most innovative companies—creating technology for automation and digitalization in critical economic areas including industry, infrastructure, mobility, and healthcare. 

Though the company prides itself on a rich heritage, its leaders understand that not all legacies are worth holding onto. “We had a legacy perimeter security architecture that could not protect the company in a future-proof way,” shared Hanna Hennig, Chief Information Officer at Siemens AG. “Embracing zero trust architecture addresses modern cybersecurity challenges in a more holistic and dynamic way, while also enabling greater business flexibility.”

A more responsive approach to security with the Zscaler Zero Trust Exchange

Global operations at Siemens span more than 190 countries, encompassing hundreds of business locations and 300,000+ people operating within a highly mobile business environment. Recent publicly announced mergers and acquisitions (M&A) also mean the business environment is always changing. 

A legacy proxy infrastructure, stacked with traditional firewalls and VPN appliances, could not support cloud-first operations at the evolving scale Siemens needed. “Our legacy security solutions were limited by hardware and did not offer adequate protection against today’s sophisticated cyberthreats,” said Hennig. 

Siemens wanted a cloud native zero trust solution that could simplify its security architecture, mitigate risk more effectively, and better protect users, applications, and data across globally distributed locations. The company chose the comprehensive Zscaler Zero Trust Exchange platform to achieve these goals.

“Zscaler delivers the flexibility and scalability we need to facilitate our digital transformation from hardware-driven to software-led,” shared Hennig. “The Zscaler platform is the foundation for our zero trust concept.”

A phased deployment of the Zero Trust Exchange reduced the company’s reliance on legacy hardware, enabled work-from-anywhere flexibility for employees, secured faster M&A onboarding processes, and strengthened overall security posture.

Phase 1: Zscaler direct-to-internet connectivity turns the whole world into a secure remote workplace for a distributed, digital workforce

A collection of physical firewalls and proxy appliances spread across hundreds of locations made it challenging to safely and reliably connect users to the internet and public SaaS applications. Additionally, managing firewall rules for so many physical appliances and users resulted in heavy administrative overhead for the IT team.

Over 10 months, Siemens deployed Zscaler Internet Access (ZIA) to provide users with secure connectivity from any corporate facility or remote location. ZIA brokers direct access to the internet and public SaaS applications without backhauling to central data centers, ensuring zero trust policy enforcement for all outbound traffic. 

With the globally distributed Zscaler platform (160+ edge locations worldwide), Siemens can enforce advanced security policies including threat protection, malware scanning, URL filtering, and threat intelligence at the edge, closest to where users are connecting. This eliminates the need to backhaul traffic through MPLS networks or central data centers and makes managing outbound traffic for remote users more efficient and secure.

Zscaler powers local internet breakouts at 120 Siemens factories around the world, as well as the company’s other locations. This eliminates the need to backhaul traffic, ensuring faster internet access and better performing public SaaS applications for users working on-site at these locations.

“The Zscaler platform is ideal for securing our expanding digital workforce,” said Hennig. “Designed to handle global, high-volume traffic, Zscaler delivers fast, reliable, and secure connectivity wherever our users are working.”

Phase 2: Zero trust network access secures thousands of critical private applications and shrinks the attack surface

Siemens relies on more than 40,000 private applications that underpin almost every aspect of daily operations, and access demands for these resources are intense. At the same time, as the company provides essential technologies to major global industries on a massive scale, the risk of cyberattacks is unrelenting. 

A system of distributed VPN appliances was not suitable to meet the company’s needs. Traditional VPNs use public IP addresses to facilitate network connections, resulting in an inherently wider attack surface. Additionally, VPNs struggle to handle growing access demands and do not support least-privileged access control policies, increasing the likelihood of threats moving laterally across the organization’s network.

Siemens deployed Zscaler Private Access (ZPA) as a better alternative to VPNs. The company’s private applications and data, hosted between an on-premises data center, AWS, and Microsoft Azure, are hidden behind the Zero Trust Exchange and no longer accessible via public IP addresses. This makes these sensitive resources invisible to bad actors. ZPA then prevents lateral threat movement by directly connecting individual users to only the private applications they are authorized to access, eliminating access to the network as a whole. This direct user-to-app connectivity ensures the Siemens workforce can easily access the corporate resources they need securely. 

With identity verifications, device posture verifications, and microsegmented application access, Siemens is creating “client zones” across its many corporate locations. This approach allows Hennig to tightly segment private application access based on a variety of granular, dynamic policies, further minimizing the threat of lateral movement. 

It took only two weeks for Siemens to fully transition all global users to ZPA. In the following years, Hennig and her team implemented segmented client zones at around 100 Siemens locations (with more to be added in the near future).

“With Zscaler, I can verify every single interaction with our most critical private resources and data,” said Hennig. “Siemens users can connect to the private applications they need, whenever and wherever they choose to work, and I have greater confidence that those connections do not put our network at risk.”

Phase 3: Enhanced experience monitoring helps resolve user issues everywhere

For Hennig and her IT team at Siemens, chasing down user-experience complaints was a constant battle against data silos and monitoring blind spots. The real challenge wasn't just fixing problems, but finding them. This reality was transformed by Zscaler Digital Experience (ZDX) and its AI-powered root cause analysis. Today, when a user has an issue, Hennig's team can bypass the manual investigation. With a single click, the ZDX AI engine pinpoints the problem, giving them the insight needed to resolve issues with surgical precision and speed. This has fundamentally shifted their focus from reactive firefighting to proactively optimizing the digital experience for everyone at Siemens.

Built-in Zscaler reports presented on a single-pane-of-glass dashboard offer deeper insights into user behavior and security posture in real time, enabling Hennig to better assess risks and optimize zero trust implementation at Siemens.

“Zscaler experience monitoring capabilities enable us to provide the best user experience in the least intrusive way,” said Hennig. “On the Zscaler platform, Siemens employees can work without interruption between corporate and remote locations because we can mitigate user issues and security risks more effectively.” 

Additionally, Siemens has 30,000 employees in mainland China. Strict regulations and unanticipated changes in policies can degrade user experiences for these employees. To deliver a reliable and better user experience while accessing international websites and SaaS applications, Hennig and her IT team implemented Zscaler China Premium Access.

China Premium Access provides exceptional internet connectivity with comprehensive security in a uniquely challenging environment. By using in-country Zscaler data centers connected to top-tier Chinese internet service providers, Siemens reduces latency and improves the consistency of internet and public SaaS connectivity for employees. This allows users in China to have a comparable digital experience to their colleagues working elsewhere around the globe—all while ensuring the same, airtight, zero trust architecture.

Next Up: Exploring Zscaler solutions to improve security resilience

“Achieving holistic zero trust is an evolving journey, not a fixed destination,” shared Hennig. Looking to continue that journey, Siemens is now considering which Zscaler solutions to deploy next. “There are so many Zscaler solutions that align with our future ambitions,” Hennig added.

Zscaler Zero Trust Cloud extends zero trust protection from every device to every cloud environment and data center to ensure consistent security policies for cloud workloads and applications. Zscaler Zero Trust Branch enables café-like branch connectivity, allowing devices and apps running in the cloud, data centers, or other company locations to communicate directly with each other through the Zero Trust Exchange. This combination of Zscaler solutions would further reduce the complexity of the organization’s security architecture and add another powerful layer of protection across global operations.

Zscaler Resilience is an integrated suite of disaster recovery and business continuity features that ensure uninterrupted application access during any type of network disruption, or even catastrophic outages. Rapid disaster response and unfailing access to essential applications will be critical for maintaining global operations at Siemens if unexpected events occur.

Zscaler streamlines security infrastructure, reduces security costs, and improves operational efficiency

Leveraging Zscaler technology, Siemens has streamlined its security infrastructure—significantly reducing reliance on legacy point products in favor of a modern, zero trust architecture built on a unified, cloud native platform.

Siemens has retired 100% of its legacy firewalls across internet-only locations. At other, non-internet-only locations, Siemens has reduced the number of legacy solutions in use. With fewer security point products to maintain across all global locations, the company has reduced its technology spend by 70%.

The Zscaler platform has also improved operational efficiency and reduced administrative overhead at Siemens. Global security policy changes or updates can be facilitated in a matter of days when it would have taken months using the company’s previous suite of disjointed legacy point products—not to mention all of the automation that Zscaler provides. As such, Siemens can effectively support its workforce with a notably lean IT staff-to-user ratio. Common ratios for large enterprises range between 1:100 and 1:500—Hennig has estimated the ratio at Siemens is 1:25,000 (one full-time IT employee per every 25,000 end users).

Even with a streamlined security architecture and lean support staff ratio, the company has achieved a more robust security posture. In a recent three-month period, Zscaler processed 123 billion transactions and more than 20,000 TB of traffic for Siemens, preventing 5.7 billion policy violations and blocking 8.7 million security threats. 

“Improving our security architecture on the Zscaler platform has resulted in a more secure, more efficient, and more responsive IT environment at Siemens,” confirmed Hennig.

Transforming M&A approach from day one on the Zscaler platform

Zscaler technology is also helping Siemens maintain its M&A rhythm and achieve business outcomes with greater agility. Siemens relies on M&A activity to accelerate innovation, using a strategy that tries to balance portfolio optimization with targeted acquisitions. In the last three years alone, Siemens has completed around 10 major targeted acquisitions.

Before deploying the Zscaler platform, security onboarding for a newly acquired company would have taken at least 18 months. With Zscaler, new acquisition onboarding is approximately 30% faster, now taking only around 12 months to fully complete. While the finer details are being sorted, newly acquired end users can safely access business critical applications and data from day one, thanks to the highly segmented, identity-based access policies managed on the Zscaler platform.

“Divestitures and targeted acquisitions are being completed in record time for Siemens because managing access control policies on the Zscaler platform is a fast, straightforward process,” explained Hennig.

A zero trust partner to drive digital transformation

Reflecting on the zero trust transformation at Siemens, Hennig believes she didn’t simply deploy a security solution with the Zscaler platform—she aligned Siemens with a long-term, zero trust partner that can support both current and future needs.

“Zscaler is a strategic enabler, and the Zscaler platform has allowed us to transform risk into opportunity as we drive our zero trust journey,” concluded Hennig. “Our partnership with Zscaler keeps us leading-edge as we deploy technology to secure the whole enterprise.”