Transcript
My job is to make sure our IT infrastructure and security enable our business as we power the people who power the world. Our transformation journey was driven by a recession in our industry caused by excess production of our main commodity, which is oil. With our revenues plummeting and our tech stack at end of life, we needed to find a way to reduce cost, improve productivity, and protect against the ever-evolving threats we faced. We were the classic, normal hub-and-spoke network with a castle-in-moat security model. Taking that same legacy architecture and trying to use it with our growing cloud utilization was holding us back from achieving our business objectives. We needed a radical new approach, and we needed it fast. That's why we partnered with Zscaler and adopted their Zero Trust Exchange platform. During our journey, we learned our goal of Never Trust, but Always Verify is actually something called Zero Trust. We have eliminated our user VPNs and have decided now that firewalls need to go, because you can't implement Zero Trust by poking holes and building tunnels everywhere. You have to eliminate your attack surface and eliminate lateral movement. Like most organizations, we were heavily reliant on VPNs and firewalls for our employees and locations to have a pathway to the resources, such as files, applications, and web servers they needed to get to to do their work. Problem was, our firewalls and VPNs were exposing public IP addresses on the internet. They were discoverable by design and created an attack surface that has kind of ended up as an unattended consequence. VPNs and firewalls expose their IP address publicly and act like a homing beacon for the bad guys that says, here I am, come attack me. While it enabled our employees and customers to find NOV resources, it was just as easy for the bad actors to do the same. Zero-day vulnerabilities, like we all saw with Heartbleed or Log4j, could impact us at any time. If an attacker finds you and then exploits a vulnerability in an unpatched device exposed on the internet, then they're in. And today, imagine how much easier this is with Gen AI. I often use the analogy that a firewall acts like a door to a house. Once it's open, the traffic flows. Once in the house, attackers can move unimpeded to any room and steal or inflict damage at will. Firewalls and VPNs can't help us anymore. They have literally become our attack surface. It's not only employees in our offices, or remotely connecting, or even our consultants or contractors that we have to think about. This risk is constantly expanding. Think about all the IoT equipment, such as time clocks, cameras, access control systems, and even more scattered all across our enterprise. Or the CNC machines and sensors at our manufacturing facilities. And this is to say nothing about all of our NOV equipment on oil and gas rigs across the planet, where our customers need data streamed to them in real time, many of which are only accessible via satellite. We live in a world where every device, every location needs to be connected at all times. That means more public IPs, more attack surface. And a pile on even more. Every time we acquire a company or enter into a joint venture with a partner, there's a real need to share data across systems from different companies, integrations, migrations, and on and on. It all leads to a growing attack surface because the number of exposed public IPs just grows. So we thought, what if we didn't need to expose IP addresses on the public internet? How would that work? Wouldn't it be better if these bad guys couldn't even find us in the first place? The Zero Trust approach to the attack surfaces eliminate it. No public IPs mean the bad actors don't have anything to attack. Zscaler Zero Trust Exchange is a security proxy that operates like a switchboard on steroids. It delivers policy-based conditional access. It will check identity, context, and posture before stitching together connections between entities, between users and applications, or admins to OT systems, or even branch sites to data centers. The only thing exposed is the Zscaler proxy. I don't have to expose any of my public IP addresses. As we implement, it's like we put on a cloaking device and our operations simply went dark, invisible from the internet. It is a journey, but we need to start now. Yes, it is probably impossible to eliminate every public IP address. For example, my company can never eliminate the public IP address for our external website. Everyone needs to be able to get to that. But challenge your teams. Going down from 100 to 5 IP addresses will substantially reduce your attack surface and your risk of breach. We need partners with new thinking, not doubling down on what got us into this problem. You also can't boil the ocean all at once, and we need partners that can work together on a phased transformation journey that realizes there will still be some legacy that needs to be supported. We partnered with Zscaler and adopted their Zero Trust Exchange platform to eliminate a bunch of legacy point products, which helps us drastically reduce costs and complexity, and it also improves our user experience. And of course, just like with our legacy vendors, resilience and uptime is critical. The reality is if Zscaler doesn't work, NOV doesn't work. Their resilient, comprehensive Zero Trust platform has been pivotal in helping make NOV business a lot more agile. It saved us millions of dollars, improved our user productivity, and drastically improved our security posture.