AkzoNobel Expands Zero Trust for Complete Digital Transformation

Innovating for the future requires a change in mindset

For more than two centuries, AkzoNobel has been supplying durable, high-performance paint and coatings for consumer and industrial use. The company’s mission is to preserve the best of what it has to offer today while paving the way for the future through innovative solutions and technology. To keep pace with change, the company has been continually evolving its operational processes and maturing its security architecture. 

As cloud adoption and remote work surged, AkzoNobel's WAN infrastructure became congested, burdened by its legacy hub-and-spoke model, which funneled all traffic through regional gateways in EMEA, the Americas, and APAC. To enable a seamless hybrid transformation, AkzoNobel deployed Zscaler Internet Access (ZIA) in 2014—securing user access, boosting network performance, and simplifying administration.

When CIO Kurt De Ruwe joined AkzoNobel, the company was in the midst of an even larger-scale cultural and technological transformation. It was shifting away from its legacy network architecture and perimeter-based security model and embracing a new paradigm: leveraging the internet as the corporate network.

“We found that we needed to further mature our environment and resources to stay ahead of increasingly sophisticated threats and support our growing cloud-first architecture and remote work,” De Ruwe said.

CISO Raffaele Maresca reinforced this new direction: “The way we worked changed, so we needed to change our security architecture to support that. We were searching for a partner that would help up-level the company’s security, lead the way with an innovative vision, and enable us to think strategically about our future,” Maresca said.

Expanding the use of zero trust to achieve proactive security

De Ruwe and Maresca decided to reengage with Zscaler to learn more about how its evolving zero trust platform could help them retire their reactive approach to security in favor of a proactive one. 

After in-depth discussions and whiteboard sessions with Zscaler, AkzoNobel discovered that the Zscaler Zero Trust Exchange provided a comprehensive solution that would:

• Reduce the costs and operational strain of managing hardware by moving to an always-on security solution delivered as a service via a cloud native zero trust platform
• Stop threats inline and reduce the attack surface 
• Anticipate threats rather than respond to them reactively
• Mitigate user experience issues more quickly with broader visibility into devices, applications, and the network

AkzoNobel took the first step on its full-scale zero trust expansion journey by securing users’ day-to-day workflow. “Zscaler’s zero trust platform provides employees with least-privileged, seamless access directly to the internet and corporate resources, wherever they are, and enables a holistic view of risk for IT operations,” De Ruwe said.

Phase 1: Early adoption of secure internet and SaaS access paves the way for ongoing modernization

More than 10 years ago, when AkzoNobel was in the early stages of migrating to a cloud-first architecture, the “zero trust” concept emerged as a viable solution. At the time, the manufacturing company was backhauling traffic from branches around the world to regional data centers. Meanwhile, employees began accessing more SaaS applications—including Microsoft 365 and SAP—for their daily work and noticed a slowdown in productivity. Private bandwidth couldn’t keep up, and the company started to look at alternative security and access models. 

Security leaders envisioned leaner branch sites, a consistent user experience, and always-on protection without reliance on expensive security appliances. When they learned how cloud native Zscaler Internet Access (ZIA) connects users directly to the internet and applies consistent security policies company-wide, they saw a path toward achieving a café-style, internet-first model. 

In 2014, AkzoNobel rolled out ZIA and later Zscaler Zero Trust Firewall to secure direct access to SaaS and the public internet for its 30,000 employees. Today, users rarely connect to the corporate network, and even at the headquarters, many prefer using the guest Wi-Fi for access.

“We started with ZIA to improve the user experience and protect users from malicious activity. That decision led us down a path of security innovation that saved both operational and resource costs and prepared us for a full network transformation,” said De Ruwe. 

Phase 2: Secure access to private applications accelerates retail store innovation and business agility

The next phase of AkzoNobel’s security evolution centered around replacing vulnerable VPNs with Zscaler Private Access (ZPA) to provide employees across all global locations with secure, direct access to private applications—without the need to extend access to the corporate network. 

ZPA had already been deployed selectively to meet a few specific business requirements. It was an easy way to segment groups of laptops without having to physically change the network set up. All the activities could also be managed remotely.

Now, ZPA seamlessly connects users everywhere to applications with context-aware policies, minimizes the attack surface, and prevents lateral movement of threats on the network.

“VPNs and firewalls can be reached from the internet, which makes them potential entry points for attackers. ZPA helps us simplify and secure users’ access to corporate resources from everywhere by connecting users directly to private applications without giving access to the internal network,” said Maresca. “When it comes to remote access, Zscaler has reduced our attack surface significantly.”

Leveraging Zscaler Client Connector, a lightweight agent that was already on user endpoints because of the prior ZIA deployment, the team rolled out ZPA to 20,000 remote employees with just a few keystrokes.

Phase 3: Boost user productivity with AI-powered root-cause analysis

Before Zscaler Digital Experience (ZDX) was publicly available, AkzoNobel had prerelease access at the time, allowing its team to test its features and usability and offer constructive, real-world feedback to Zscaler. 

ZDX provided the AkzoNobel IT team with comprehensive end-to-end visibility across user devices, networks, SaaS, clouds, and internal applications, empowering them to optimize digital experiences. By proactively identifying issues and uncovering root causes all the way down to the Wi-Fi access point, the IT team ensures consistent user experiences regardless of location or device.

“Having access to this wealth of information on areas for improvement has enabled us to enhance connectivity and boost user productivity,” said De Ruwe. “Before, it could take up to two weeks to get a root cause, why the user experience for a certain application in a certain location was poor. Now, I can see it in real time.”

Phase 4: Actionable data from risk management tools helps boost risk posture

Zscaler’s comprehensive risk management framework gives AkzoNobel the ability to measure risk at every level of IT infrastructure and provide precise, actionable information to reduce vulnerabilities.

“The visualization tools available with Zscaler Risk360 and external attack surface management (EASM) are the best ways to understand and properly manage security risk. Now, our IT leaders take necessary steps with guided workflows, and our supervisory board receives a complete picture of what we’re doing to protect the organization in a few concise slides,” said De Ruwe.

Risk360 quantifies cyber risk posture by ingesting more than 100 factors, along with EASM data, within a customer’s cybersecurity environment, data from external sources, and threat research data from Zscaler. The results are presented in visual dashboards and board-ready slides with actionable information. 

Zscaler ITDR (identity threat detection and response) also helps minimize risk by continuously monitoring identity misconfigurations and risky permissions.

“The key risk indicators that Zscaler provides have been essential to improving our risk posture. It's taking us many steps forward in our cybersecurity maturity,” said Maresca.

Up Next: OT network segmentation and AI to safeguard against modern threats

AkzoNobel continues to implement innovative security technology to protect its resources and prepare for the future. Next on its roadmap is evaluating extension of security to operational technology (OT) at its 140+ factories with Zscaler Zero Trust Device Segmentation. The company evaluates to deploy the AI-powered Zscaler Breach Predictor, which analyzes data from multiple sources and provides insights to help the team anticipate and preempt potential breaches. 

“With Zero Trust Device Segmentation and Breach Predictor, we would move from a reactive security stance to a proactive one in the factory environment,” noted Maresca.

Zero Trust Device Segmentation uses an agentless proxy-based architecture that isolates each device and controls network access based on identity and context, creating a secure “network of one.” This eliminates the risk of east-west lateral threat movement on OT networks as well as the complexity of traditional firewall-based segmentation. 

Breach Predictor uses AI-powered breach probability scoring and policy recommendations based on data collected from multiple security products. This preemptively identifies and eliminates likely attack paths to reduce overall risk. 

AkzoNobel also plans to evaluate the rollout of Zscaler China Premium Access to provide faster, more consistent, and more reliable access to international websites, SaaS applications, and the domestic internet to its employees in China. 

Building a comprehensive security ecosystem through integration

Zscaler integrations with AkzoNobel’s Microsoft solutions unify and streamline security management and create a more effective multilayered defense. Integration with Microsoft Defender for Endpoint broadens visibility, including into unsanctioned cloud application usage, resulting in automated blocking and remediation. 

For its security information and event management (SIEM), the company uses Azure Sentinel. Ingestion of Zscaler log data into Azure Sentinel provides greater threat visibility and enables more accurate investigations into potential attacks by adding detailed user and device context. 

“One of the compelling aspects of Zscaler that led us to expand our implementation is its API-based integrations. They have made it easy for us to advance our digital transformation by creating a truly cohesive and coordinated security infrastructure,” remarked De Ruwe.

Zero trust enhances security posture while cutting costs

De Ruwe and Maresca can attest to both measurable security benefits that resulted from their Zscaler implementation. 

“We have all the evidence we need to say with certainty that Zscaler has reduced our business risk. In one quarter, there were more than 400 million policy violations prevented and more than 1 million security threats blocked—452,535 of which were hidden in encrypted traffic,” related De Ruwe.

In terms of AkzoNobel’s bottom line, decommissioning VPNs, firewalls, thin clients, and remote access solutions while streamlining IT for new stores has substantially reduced technology costs. The removal of traditional VPNs and firewalls contributes to this, next to eliminating a lot of headaches and stress.

Zscaler has also reduced potential financial loss by improving the company’s security posture and reducing technology overhead.

Reducing security risk and time-to-value for M&A integration

One of the biggest positive impacts of adopting Zscaler is the new operational process for mergers, acquisitions, and divestitures (M&A/D). AkzoNobel averages three mergers and acquisitions annually. Before Zscaler, it took anywhere from six to 18 months to onboard acquired companies.

Today, the team leverages Zscaler to integrate a new company in substantially less time. M&A is accelerated because Zscaler provides direct-to-app connectivity that forgoes the need for laborious, time-consuming, and costly network integration. Accelerated time to integration results in accelerated time to value.

“Zscaler is a game-changer for M&A/D integration. It used to take a lot of time to have secure connectivity in place. Now, it’s just a matter of weeks,” pointed out De Ruwe.

Zero trust sets the stage for future security improvements

Thanks to Zscaler’s zero trust architecture, AkzoNobel is well on its way to future-proofing its IT infrastructure and laying the groundwork for its OT factory of the future. As visionary cybersecurity leaders, De Ruwe and Maresca derive great insights from regular interactions with Zscaler CEO Jay Chaudhry. These opportunities give them visibility into Zscaler’s innovations and food for thought for future buildouts. 

“When it comes to future-proofing an organization, there are a few basic security principles that we should always apply—and zero trust is one of them. Luckily, we have Zscaler, which brings together the elements we need for full digital transformation: context-based access control, segmentation, ongoing risk assessment, and continuous monitoring,” explained Maresca. “The Zscaler Zero Trust Exchange platform gives us an opportunity to look to the future and do it right.” 

De Ruwe underscores the value of Zscaler’s dedication to innovation: “I’ve been working with Zscaler for more than 10 years and have seen firsthand leadership’s commitment to innovation. This demonstrates the maturity of Zscaler’s technology and its accelerated pace of developing new products. It’s truly incredible.”