Making Supply Chain Security as Trusty as a Pair of Levi's 501s
Levi Strauss' move to an SAP managed services approach reduced the visibility and control the clothing company had over supply chain security. Here's how it solved that problem.
When it comes to designing and selling jeans, few companies can beat Levi Strauss, which has sold more than 3.5 billion pairs since it started business in the 1850s. The company single-handedly built a better denim product by strengthening areas that experienced a lot of stress, such as the pockets. As the company dove into its next project of digital transformation, its leaders discovered that it would need to strengthen its model again—this time in the area of supply chain security.
Levi Strauss makes it a point to keep on top of technology trends, and over time, had built a solid infrastructure, supply chain and cybersecurity program. To remain current, the company’s tech leaders decided about six years ago to undergo a significant digital transformation that would move most of its applications and infrastructure to the public cloud. The move proved to be beneficial in many ways, from reducing costs to improving efficiency. It was especially fortuitous that it occurred before the COVID-19 pandemic because it allowed Levi Strauss to more easily pivot to a stronger e-commerce focus.
A big part of the transformation was moving away from its onsite SAP enterprise resource planning (ERP) system to SAP HANA running in the public cloud, managed by SAP for Levi Strauss. The company relies on SAP for everything from finances to inventory. By moving to a managed services model for ERP in the cloud, Levi Strauss expected to improve day-to-day management and have more control over costs.
While the benefits of the managed services approach were undeniable, this switch also reduced the visibility and control that Levi Strauss itself had over the security of its business applications and data.
“When our ERP system was on-site, we had full visibility and the ability to monitor and manage from a security perspective,” said Steve Zalewski, the company’s deputy chief information security officer. “But we still have the responsibility to protect the company against all avenues of attack. I can’t identify certain attack types without information that [SAP] has around infrastructure controls or logs. It created a standoff between my need to protect the company and their business responsibilities and SLAs [service-level agreements] and maturity to pick up that shared responsibility.”
The situation wasn’t a deal-breaker, but it did cause Zalewski and his team to think carefully about how to regain visibility and control. Discussions around shared responsibility, a potential impact on SLA requirements and the need for trust became major themes.
Visibility Above All Else
For Levi Strauss' security team, continued visibility was the most important requirement. With the new managed services model, that visibility was partially obstructed. If the infrastructure or application were attacked, Zalewski’s team wouldn’t initially know about it because that part of the infrastructure is under SAP’s purview. Depending on how the attack progressed, the Levi Strauss team may eventually identify it, but it may be too late. If the attack moved laterally, for example, it could compromise a business account or business data before it was identified and mitigated.
The first step in determining the best way to handle the situation was turning inward. Zalewski’s team needed to understand exactly what security information company officials needed access to from each provider and function to fully protect company resources. Once the team ironed that out, the next step was bringing in a third party that both Levi Strauss and SAP could fully trust.
The team settled on Onapsis, a platform that provides monitoring tools that can bridge environments. The idea was that the Onapsis tools would be installed inside of SAP’s IT infrastructure, enabling the Levi Strauss security team to monitor all activity and receive pertinent data. This setup would allow Zalewski’s team to holistically monitor all resources from a cybersecurity perspective—the infrastructure and application managed by SAP and the business application data and business access controlled by Levi Strauss.
The integration, which took about two years and finally went live in early 2021, required installing Onapsis tools on the infrastructure that SAP manages. That meant that Levi Strauss had to trust that the tools wouldn’t impact operational availability, and that the tools had the ability to capture the information Zalewski’s team needed and export it to Levi Strauss’ Security Operations Center (SOC) and data lake, which are housed in a different public cloud.
“Part of the negotiation from Day One was getting both sides to understand that the new relationship had to be forged from a cybersecurity perspective and that if we couldn’t, it was putting me in a position where I couldn’t accomplish my primary goal, which is to protect the company,” Zalewski explained.
In addition to keeping the company’s SAP installation secure, the monitoring solution has also caught other issues. Because it gave the company a view of all of its infrastructure—production and non-production environments, QA, test and preproduction—it could easily flag whenever a configuration file changed. As a result, it quickly caught environments that developers had accidentally misconfigured, which Zalewski said would normally have taken months to root out.
Now that everything is working smoothly, the security team plans to extend the functionality to its different cloud environments. The idea is to improve management of its growing supply chain and multiple, separate clouds.
“This digital transformation is pushing the industry further and further into highly distributed and complicated supply chains where less of the supply chain is within your control to manage, yet you still need to be able to monitor and address it,” Zalewski said. “That’s the challenge: how to mature our risk management capabilities with a shared trust or 'trust but verify' model so we can provide appropriate insurance policies to the company and key business processes.”