CAME Group operates in 118 countries through 480 branches and licensed dealers. Thanks to its Bpt and Urbaco brands, it is a key global player in the home automation, urban planning, and high-security sectors, for which it offers integrated solutions for regulating and monitoring people flows and access points. CAME Group does 70 percent of its business globally. It is extremely proud of its Italian heritage, and employs 1,200 staff with sales around 215 million euros in 2013.
Too Many Different Networks & Devices
With 15 offices in Italy, and over 50 more in 40 other countries, CAME Group’s network has a lot of ground to cover - and to protect. CAME typically acquires five to six other companies every year, which adds more network users and locations, and often requires integrating and securing a network that uses disparate technologies.
CAME’s 2,000 users rely on ERP and CRM applications, email, and business intelligence and business object type software. All services are provisioned by the company’s three big datacenters in Italy. As the companies under CAME Group grew into worldwide leaders, and new offices opened and companies were acquired, issues arose. “Our network was heterogeneous and we couldn’t securely deploy services to all of our branches in a centralized way, nor efficiently manage IT,” says Massimiliano Tesser, Group CIO, CAME Group. “Web services, trade, and e-commerce around the world were managed and secured by 50 Cisco ASA 5540 and other firewalls, and about 50 proxy devices and servers. Each device had different capabilities; for example, some had Active Directory integration and some didn’t.”
User Frustration & Costs
The lack of a standard network technology created problems including manageability, costs, application access and control, network latency, and security. “Every device or server at each office was configured by a different IT partner or employee without common guidelines,” says Tesser. “Without centralized management, it was impossible to have the same settings and usage policies at all branches.”
The lack of uniform application usage and control policies frustrated users and burdened IT staff. “Rules didn’t follow users when they traveled,” says Cristiano Bedin, CAME Group ICT Manager. “If a user went from Italy to Russia, they had to manually set or disable proxy settings, use a different username, and call a different extension number. Everyone had to adapt to the location they traveled to.”
The inefficiency of CAME’s heterogeneous network absorbed resources. “It cost US $50,000 per branch per year to pay for IT consultants to manage and configure devices,” says Tesser. “We had to engage lots of people just to change proxy server configurations and handle network-related tasks.”
With so many different network devices, all managed by various IT consultants and staff, ensuring a high level of security proved problematic. “The firewalls and other devices couldn’t identify and stop certain threats or applications that posed risks, or that we didn’t want using bandwidth,” says Tesser. “In our industry, engineering designs and other email attachments are common. Our incumbent systems weren’t finding some threats in attachments. We were also unable to identify and control Skype usage, which can contain viruses and risks the potential loss of intellectual property because users can exchange company files through it without detection.”
CAME’s inability to identify, control, and manage applications and traffic affected bandwidth availability, which led to network latency issues. “Our branches connected via VPN or MPLS, but during high traffic times we experienced connectivity QoS issues,” says Tesser. “Application availability declined during peak traffic times, and background noise and dropped calls—especially for our call center business—were problems.”
There Must Be a Better Way
Management at CAME recognized that its decentralized network was impacting business performance. “They authorized our team to centralize network management, increase security, collect and report network information better, and to standardize application access and security policies across all locations worldwide,” says Tesser.
CAME Group’s longtime trusted technology partner, NGS Srl, was summoned. In addition to reviewing solutions from Cisco and Fortinet, NGS Srl suggested Palo Alto Networks. The next-generation security platform from Palo Alto Networks natively brings together all key network security functions, including a next-generation firewall, URL filtering, IDS/IPS, and advanced threat protection. These functions are purposely built into the platform from the ground up, and natively share important information across the respective disciplines, to ensure better security than legacy firewalls, UTMs, or point threat detection products. At throughput speeds of up to 120 Gbps, Palo Alto Networks can safely enable the use of all applications, maintain complete visibility and control, and protect businesses from the most basic to sophisticated cyberattacks—both known and unknown.
Finding the Right Solution
Tesser and his team reviewed the options and selected Palo Alto Networks. “We could clearly see that Palo Alto Networks can dig into applications and control and authorize them, and how we could easily apply a new standard of control and security to all locations,” says Tesser. “It would also let us decide who to block and who to enable access to Skype and other applications to optimize bandwidth and increase security.”
The CAME IT team appreciated the benefits of the network visibility afforded by Palo Alto Networks. “We saw we could stop unauthorized packets from entering the network, and get real-time information on attempted intrusions, even those that the Cisco devices were unable to identify.”
Another big draw for CAME was Panorama, Palo Alto Networks software that provides centralized management and logging capabilities to easily manage all security platforms and web policies from one location. “We recognized that Panorama would enable us to create, configure, and spread the same security policies out to branches all over the world with just one solution.”
Seamless Deployment at Offices Worldwide
CAME purchased and installed two Palo Alto Networks PA-3020 next-generation security platforms in high availability. Employing Zero Trust principles, a Palo Alto Networks security platform is positioned in front of each zone, and acts as the primary datacenter firewall.
In the branch offices, CAME deployed 40 PA-200 security platforms in Virtual Wire with redundant and secure VPN connections established for remote users. Each CAME office now has its own Internet connection through a Palo Alto Networks security device. Every Palo Alto Networks security platform CAME deployed has URL Filtering
and IPS to protect the network from known threats. WildFire™ provides integrated protection from advanced malware and threats by proactively identifying and blocking unknown threats commonly used in modern cyberattacks. The deployment includes Panorama running on an M-100 management appliance to centrally manage device configuration and policy deployment for all of the Palo Alto Networks devices.
“We appreciate that Palo Alto Networks enabled us to implement in Virtual Wire,” says Tesser. “It meant the introduction of the security platforms were totally transparent to the network, which was very important to us.”
Security & Access For All
Tesser and his team delivered everything CAME management requested, including standardized IT, centralized network management and control, uniform user access policies, enhanced security, better application reliability, and improved service to end-users.
Centralized management provides one the biggest benefits Palo Alto Networks has delivered for CAME. All of the traffic flowing through each security platform is logged to Panorama, which allows CAME to perform traffic analysis, quickly investigate and respond to security incidents, and collect audit information from a single, centralized location. “We centrally manage all application and security policies, including threat prevention—and distribute those services to all sites and ensure their quality—from our datacenters,” says Tesser. “This has made us far more efficient and easier to integrate new branches. One of the things I like most about Palo Alto Networks is its ability to adapt to the heterogeneous networks of the companies we acquire. With Panorama, we can configure, manage, and distribute policies to our Palo Alto Networks devices and rarely have to check with our new office.”
Another huge improvement that Panorama delivers is the creation of uniform policies, which provides consistency for all users, regardless of location or device type. “The ability of Palo Alto Networks security platforms to recognize users and apply policies wherever they go—even on mobile devices—is wonderful,” says Tesser. “Rules are valid and consistent at any branch or location, and users are automatically authenticated by the network with their same logins.” Time is no longer wasted helping traveling staff with access issues. “Calls about access issues have dropped to zero,” says Tesser. “Managers tell us, ‘I can see everything just like I’m at my branch office!’ After years of frustration, this is incredible to them.”
Billboard Worthy Results
Increased network visibility and control has solved issues related to security and bandwidth availability. “Now we can block Skype and control any other network activities,” says Tesser. “We also like having the flexibility to establish access rights for specific sides of our network; one for secure access for consultants, and another for guest user or public access.”
The threat detection and reporting capabilities of Palo Alto Networks are also delivering results. “We can easily report to our board what is being eliminated and controlled on the network,” says Tesser. “We even put up an electronic billboard behind our receptionist that shows our board and executives everything we are detecting and stopping every day with Palo Alto Networks.”
WildFire plays a key role in CAME’s improved network security. “WildFire is very important,” says Tesser. “When it finds something corrupted or a potential threat, it’s quickly identified and all our systems are instantly protected. Our past security system inspected email attachments that passed through our centralized email exchange server. In many cases, threats were invisible to it and entered our networks. WildFire solves this problem and gives us the same level of real-time inspection of traffic passing from the public to private network. Once we saw WildFire’s effectiveness we expanded it to all devices and branches.”
Bandwidth and network latency are no longer concerns. “We prioritize traffic packets to ensure the responsiveness of core applications, and eliminated background noise, dropped calls, and application availability problems,” says Bedin.
Perhaps as important as any benefit CAME has realized is the ease with which it can configure and deploy Palo Alto Networks. “The technology is excellent, but it’s just as important to have a partner that can deliver the provisioning, especially for a big company with many offices worldwide,” says Tesser. “Palo Alto Networks technology is configured the right way and integrates seamlessly with all our services. Previously, we couldn’t deploy all ERP and CRM services to all of our branches; now we can in a secure, centralized, and efficient way.”
Savings in the Millions
By consolidating its IT infrastructure on Palo Alto Networks security platforms, CAME has been able to remove devices from its network, and expensive consultants from its payroll. “We replaced a total of more than 100 firewalls and proxy devices with just 42 Palo Alto Networks security devices,” says Tesser. “Over three years, this saves us US $50,000 per branch office, or about US $2.5 million, previously spent on technicians, consultants, maintenance, training IT staff, configuring, and managing a heterogeneous network.”
CAME is reinvesting its savings into other business performance projects and services. “The time and money we are saving is significant, and evident to our board,” says Tesser. “We’ve redirected IT people to work on other enterprise projects, such as the successful distribution of an internal CRM app to all branches. Prior to Palo Alto Networks, we had three to four people, and at least one person in each branch, dedicated to managing the CRM.”
CAME Group is elated with its decision to install Palo Alto Networks next-generation security platforms. “Palo Alto Networks has changed our IT team’s perspective on security issues,” says Tesser. “All of our security problems were solved well beyond what we could have imagined or expected. CIO colleagues with different companies in Australia and London, both with global operations, were using Cisco, but are now migrating to Palo Alto Networks based on my experience.”
This Case Study available in: Italian.