Customer profile
Just as we guard the honest production of our lager, we also guard our data. Cybersecurity is an important topic and priority for us.
Baseline and project objectives
At the beginning of everything there was an analysis. With the arrival of a new IT director, there was a need to map the state of IT security in the organization. After several consultations, our specialists convinced the customer of the quality of our services and received a request for an analysis of the current state of cybersecurity.
In this analysis, we use the necessary security methodologies, collect data, conduct interviews on the applications and processes used and, based on the data obtained, assess the maturity of the organization in this area. We take into account the technological view, but also the strategic view, i.e. whether there is a risk analysis and whether there are response plans in place, and we evaluate the personnel background. For Budvar, we went through the procedures by which more than 600 employees work, evaluated what 1 day of downtime means, how many millions of CZK it costs the company and which part is most affected. The result was a set of recommendations and a timeline of steps to gradually improve security.
On the basis of the agreement on long-term cooperation and the scope of prepaid consulting days, it was possible to explain the advantages and disadvantages of possible proposed solutions, to carry out a Proof of Concept for some areas and to define more precisely the partial requirements and separate projects. Budvar then handles these sub-projects in the form of a request for proposals within the framework of public tenders.
Benefits
- Cybersecurity analysis services and PoC projects as a way to find a reliable solution
- Unified centralized management of enterprise network operations with custom intelligence that moves internal IT from element management to comprehensive predictive maintenance and development of the network as a whole
- A solution open to third-party integrations improves the economics of the entire project and multiplies the utility of the whole in building a comprehensive security organization
- Space to grow the organization with much needed consolidation and unification of LAN and WAN
Solution
As one of the first implementation projects, a solution was designed to increase the organization's cybersecurity through segmentation of the corporate network and, subsequently, micro-segmentation, so that the level of communication rights within the corporate network can be set for each device or user. Of the two proposed paths, a centralized solution with a global policy server was chosen. It enables micro-segmentation of network access in the full sense of the word, central management of policies and of the entire solution lifecycle, both at headquarters and at other sites, and integration with the organization's firewalls and MDM systems. It is an all-in-one solution that offers health checking of accessing devices, self-management of BYOD devices by their users and guest access management, all with appropriate integration links to other security systems, using HPE Aruba ClearPass technology.
The proposed solution using HPE Aruba technology stands and falls with dynamic segmentation technology, which, using tunnels, exports the traffic of any device to the HPE Aruba Gateway. This centralizes all user data and allows us to perform security operations on it, filter traffic, and determine quality of service by seeing into the context of the application and user. The advantage is that each user has their own tunnel that is built according to a defined role and that can be individually audited. With these technologies, the customer's expectations of increasing the security of the organization can be met.
One of the needs was to grant a device access to the network based on its current state/health. This means that the device meets all the defined compliance conditions and active protection from threat introduction is provided, which was addressed by the HPE Aruba ClearPass OnGuard module. Visitor/guest access requirements were also addressed, keeping the process as simple as possible while still registering their identity and verifying that they are inside the premises, not behind a wall somewhere. Multi-level guest impersonation is provided by the HPE Aruba ClearPass Guest module.
The foundation of the solution is built on the HPE Aruba 7200 series gateways, which also feature an SD-WAN license. The entire solution is managed in a unified way by HPE Aruba Central, which allows all traffic to be monitored and managed using the power of the cloud and machine learning. The huge advantage is that this system provides a single view of the management of the entire operation, and no additional tools are required.
The project included high requirements for integration with other elements of the organization's communications infrastructure ecosystem, with existing corporate firewall technology, with enterprise MDM systems in use for device management, etc. The entire solution is ready for future integration with the IoT world and the use of sensors in production or logistics.
Used technologies
- Analysis of the state of cybersecurity
- PoC projects and pre-implementation analysis
- HPE Aruba 7200 Mobility Gateway / Controllers
- HPE Aruba ClearPass (OnGuard, OnBoard, Guest)
- HPE Aruba Central