How we Secured Schmitz Cargobull’s Global IT Operations with Microsoft Entra Private Access.

The challenge

In 2021, we onboarded Schmitz Cargobull (SCB) into our Security Operations Center and began monitoring and resolving incidents around the clock. However, their recent acquisition of the Spanish company Atlantis Global System (AGS) presented a new IT security challenge: How to ensure the same level of cyber security across the two companies and between two different countries.

“In contrast to SCB’s cloud-first strategy, our systems at AGS were still entirely focused on on-premises solutions, which had already given us challenges in areas such as new work and home offices even before the acquisition.”

Juan David Perez (Software Engineer at AGS)

As a first step, the AGS developers were migrated to the SCB tenant and provided with new hardware for this purpose. This presented SCB and our IT security experts at water with the following task: To avoid having to work with two sets of equipment, the new hardware had to provide secure access to AGS’s legacy on-premises server environment, while at the same time creating the framework for a modern, up-to-date IT landscape at AGS which is secure and doesn’t risk any data exfiltration of the Schmitz Cargobull environment.

The solution

To securely bridge the gap between SCB’s cloud-first strategy and AGS’s on-premises environment, our IT security specialists turned to Microsoft Entra Private Access. This state-of-the-art identity and network access solution made it possible to connect the two different IT landscapes without compromising security or performance.

https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access

“For such cross-border projects, good preparation is essential for success. water has done a great job here, putting a lot of emphasis on empowering employees to work with the new solution without any problems.”

Michael Schöller (Head of IT and Infrastructure at SCB)

Prior to the implementation, clear access guidelines were defined, and it was determined who is authorized to access certain systems and servers. Finally, Microsoft Entra Private Access was implemented within one day. For this, two of our IT security experts were on site to work with their Spanish counterparts to ensure a smooth implementation.

The benefit

By deploying Microsoft Entra Private Access, SCB gained complete visibility into who is accessing its servers at any given time. In addition, our solution goes far beyond the capabilities of the VPN solution previously used by AGS. With Microsoft Entra Private Access, SCB can determine, at a very granular level, which individuals are allowed to access which servers and can also leverage Conditional Access to define the conditions that must be met for that access – for example, the presence of a FIDO2 key or adherence to the device compliance policy. The result: Improved phishing security and secure, monitored communication channels for all systems involved.

“A big advantage of this solution is that developers don’t have to access the IT infrastructure with their personal devices in the event of a server failure or cyber incident. Instead, the Spanish employees now have much easier and more secure server access – and can even work safely from their home offices without the need for a VPN.”

Sebastian Langer (IT Security Engineer at SCB)

As a result, AGS was able to phase out its VPN solution that was in place prior to the acquisition – although Microsoft Entra Private Access also provides the flexibility to continue using a VPN client. Following the rollout of the new identity and network access solution and the successful onboarding of employees, AGS now has an IT security solution at hand that meets today’s standards, addresses the needs of digitalization, and enables secure access to the legacy on-premises servers until the full migration of all systems is complete.