How I drove secure digital transformation at NOV

Apr 18, 2023
As the CIO of NOV, my job is to ensure that IT infrastructure and security enable our business to power the people who power the world. By this, I mean our 27,000 employees across 60 countries working with thousands of partners, suppliers, and customers. They all require secure, reliable technology anytime, anywhere, on almost any device–the same reliability we expect when accessing electricity and water. Over the last several years, I led a secure digital transformation that made NOV more agile and adaptable to challenges.

A transformation to cloud and zero trust

Like many enterprises, we had a legacy IT environment with data centers, hundreds of branch offices, factories, and OT systems, connected via a hub-and-spoke network. We used a castle-and-moat security model with ever-expanding layers of security appliances to address each new threat vector. We relied on multiple VPN technologies for remote access. It was expensive and not flexible enough to support our increasingly mobile and dynamic business. 

I needed to reduce costs, improve security, and make life easier for our users and IT administrators. I needed our systems to work all the time, aka gain resiliency. It had to be a win across all these goals, so we set two main priorities.

First, be “cloud smart” and take advantage of where it can help. I had heard way too many horror stories of “cloud first” mass migrations causing extreme cost overruns and business-crippling outages. We had to be smart and determine where the cloud could add value and drive out cost. Our approach had to be evergreen, not replacing one legacy tech debt with new tech debt.

Second, transform our networks and security thinking. Focus on the internet first. Our global MPLS network was excessively expensive, and our old security appliances needed a multimillion-dollar upgrade. Most of our internet traffic was encrypted, which we could not see. The bad guys hid in that traffic, compromising our users and moving laterally to access high-value targets. Next, move toward zero trust. We wanted to follow the maxim “never trust, always verify,” which we later learned was a zero trust architecture. This meant enforcing access policies based on multiple contexts–user's role, location, device posture, and the applications they can access.

As we say in Texas, “We might need a new horse.” Sometimes your old horse can’t adapt, and you need a new one. You love and find comfort in the old steed, but it can’t take you where you need to go next. Our existing technology vendors and channel partners proposed we buy more of what they were already selling us. “Don’t change,” they said. “Double down with what got you into this predicament.” Maybe they could help us win with a couple of goals, but not all. We would need to explore new horizons.

Our phased transformation journey

A successful digital transformation is a journey that doesn’t happen all at once. Progress came in increments, with each experience influencing successive phases:

Phase 1 – A collaboration solution

During phase one, we adopted Microsoft Office 365. Collaboration and sharing of large datasets were painful, and we had outgrown our email system. We began rapidly migrating hundreds of terabytes of emails, files, SharePoint data, etc. This delivered immediate productivity value and business flexibility, even with our legacy network and security appliances still in place.

Phase 2 – Secure access to the internet and SaaS from anywhere 

Phase two had three steps. First, we enabled secure access to the internet and SaaS applications through the Zscaler Zero Trust Exchange. This was deployed on our existing legacy MPLS Global Network in 60 days for the entire company while phase one was executing. It immediately gave us resiliency and increased our security posture.

Eliminating hardware by moving to zero trust can save significant costs while reducing data traffic on overburdened corporate data centers.

The next step of phase two was to eliminate our MPLS networks and provide local internet breakouts. This resulted in millions of dollars in savings, faster connections, and direct access to SaaS applications such as Office 365 by eliminating traffic through a centralized hub.

Improving performance by eliminating MPLS and using local breakouts can bring costs down by 4x while delivering a 10-20x faster user experience.

The final step involved turning on TLS inspection capabilities to detect and block threats hidden in encrypted traffic. This significantly improved our risk posture.

Given the high percentage of encrypted traffic, enabling TLS inspection reveals hidden threats, and allows for them to be blocked. 
Moving to zero trust significantly reduced the number of computer wipes and reimages required due to a reduction in malware infections.

Phase 3 – VPN replacement with zero trust security

In phase three, we replaced multiple remote access VPN solutions and provided fast and secure zero trust network access (ZTNA) to private apps using Zscaler Private Access. This allowed NOV employees and our third-party contractors access to 7,500 NOV applications in multiple data centers and public cloud regions directly over the internet. We did this a few years before the COVID-19 lockdown, so we were fully prepared to support our users' need to work from home without interruption.

Users are able to securely access apps over the internet from anywhere through ZTA.
Cloud transformation enabled WFH, with Zscaler rolled out for secure access to internet/SaaS and private apps.

Phase 4 – Move private apps to the cloud and consolidate data centers 

Phase four required two steps. First, we moved our critical customer-facing applications into AWS. Then we moved our many regional data centers, which lacked the scale needed to operate efficiently, to Azure.

Phase 5 – Zero trust connectivity for offices 

This upcoming phase of our transformation will be the most exciting. Its genesis arose from a question collectively asked by all of our users working remotely from home. If we all can work fine remotely in a zero trust manner, why can’t we do that at our facilities? Do we even need the network? How can we provide ZTNA to devices without identity such as printers, barcode scanner guns, time clocks, IoT, and OT systems? Legacy networks are a security risk due to a lack of identity, and we are going to replace them with zero trust access! With zero trust connectivity, our offices will become like an internet café, and we will no longer extend our corporate network to every office. This step is critical for eliminating lateral threat movement.

The final phase of zero trust secures work from anywhere connectivity, on any device, and brings the café computing experience to offices. 

Many of these phases are complete, and some are ongoing due to contractual commitments. Phase five is just getting started. The journey hasn’t always been a straight line, but I can proudly say that we are overachieving our goals.

Here are some of the lessons I learned from our transformation journey:

  • Moving from legacy networks and security to zero trust is an architectural change. As it requires cultural and mindset changes, we identified forward-thinking leaders early on in our journey who helped us drive this initiative. 
  • Choose an integrated platform that secures not only users but also workloads and IoT/OT systems. 
  • Select a partner who has a highly reliable security cloud. Zscaler’s more than 10 years of operational experience in managing the largest security cloud has delivered us high-performance service without disrupting our business. 
  • Don’t boil the ocean–just get started. Look for quick, small wins that are easily achieved to drive organizational acceptance of this journey.

Our secure digital transformation has made NOV’s business a lot more agile. It has saved millions of dollars, improved user productivity, and reduced our cyber risk.
