A high-tech company in the automotive industry would like to expand its activities to a new market, in which the regulations are very strict and where a local vendor is required to host and operate the software solution on behalf of the company. This is done to ensure only approved vendors process data and that no data leaves the country. However, it also gives a 3rd party (the local, hosting vendor) complete access to all the components of the company’s software, which includes highly sensitive intellectual property assets.
The company’s main challenges were:
Since the solution runs in an environment which is out of the company’s control, the following risks exist and require mitigation:
To fully protect the high-tech company’s intellectual property and data, ARMO’s Zero-Trust security plane was deployed on top of the company’s solution, and was therefore installed with the solution in the 3rd party environment. Since ARMO automatically protects workloads at runtime and data at-rest, in-transit and in-use, all the company IP was sent to the 3rd party environment encrypted – and is only available for the workloads provided by the company. This eliminates the possibility of any other party accessing it. It means that no one, including the hosting vendor, would be able to retrieve the data or obtain the company’s intellectual property (for example by reverse-engineering the code). In addition to this, all the traffic between the workloads is encrypted using mutual TLS, making sure no malicious node is able to communicate with the protected workloads.
Finally, the data that the workloads read/write to the local disk is encrypted. So even if someone steals the data, it’s useless – as only approved workloads can encrypt/decrypt the data.
1. The company attached ARMO’s micro-agent to its workloads, ensuring that only workloads that it approved can work in the cluster. ARMO’s agent protects the workloads, thus:
a. Eliminating the possibility of adding an untrusted node to the workload
b. Ensuring that no one can change the code or the workload, or add files processes to the workload
2. ARMO encryption keys were used to automatically encrypt Python scripts, configuration and data that is considered intellectual property before shipping it to the 3rd party environment, ensuring that:
a. Only trusted workloads can decrypt and run the Python scripts and access the sensitive data
b. The output of the script, algorithms output artifacts, is encrypted and protected at rest, in transit and in-use
c. The only workloads that can read the encrypted data and continue the processing are the trusted and authorized workloads
d. Keys are kept in the workload memory in a protected way that is virtually unbreakable
3. A Zero Trust micro-segmentation network policy was used to allow only trusted workloads to communicate with each other, and only over encrypted TLS tunnels. This ensures that even if someone was able to break the chain of trust and insert a malicious workload, they will not be able to create damage beyond the policy that was defined.
Using this strategy, the company was able to expand its business while keeping data and intellectual property intact. It can develop code safely on its premises, and confidently ship it to the new market without worrying that someone will steal its intellectual property or access its data.