Cisco asegura las posibilidades protegiendo de forma holística las identidades humanas y no humanas

Resumen

Cisco utiliza la plataforma de Seguridad de la Identidad de CyberArk para proporcionar el acceso con privilegios dinámico y con un solo clic que el personal necesita para prestar y desarrollar servicios a los usuarios, así como para agilizar y proteger los procesos de DevOps con una estrategia de gestión de secretos dinámica.

Perfil de la empresa

Cisco es una corporación multinacional estadounidense de tecnología de comunicaciones digitales con sede en San José, California. Opera en 180 países de todo el mundo prestando servicios que se basan en seis pilares estratégicos: redes seguras y ágiles; trabajo híbrido; experiencias de aplicación optimizadas; seguridad integral; Internet para el futuro; y capacidades al límite.

Empleados: 100.000

Desafíos

Imagine la responsabilidad de proteger a los clientes, el personal, los activos y las operaciones empresariales de uno de los negocios de TI más importantes del mundo. Es responsabilidad de Santosh Prusty, responsable sénior del equipo de Seguridad Empresarial en Cisco, y el desafío es significativo. Cisco tiene 100.000 empleados, cientos de empresas asociadas en todo el mundo y más de mil aplicaciones que dan soporte a la empresa y a sus clientes.

«Hace unos años, analizamos las carencias que teníamos en la gestión de acceso e identidades con privilegios», afirmó Prusty. «Teníamos una solución puntual, pero no había una visión de gobernanza corporativa de quién estaba haciendo qué ni ninguna capacidad de supervisión. Así que estábamos buscando un producto para cubrir estas carencias y satisfacer nuestras futuras necesidades de Seguridad de la Identidad».

Durante más de 50 años, Cisco ha sido la piedra angular de la mayoría de las redes tecnológicas e infraestructuras de TI empresariales en todo el mundo. Pero el panorama de amenazas para Cisco y muchas otras organizaciones está cambiando, no solo en las amenazas tradicionales del malware y el ransomware, sino también en los ataques a la cadena de suministro y la creciente importancia de la seguridad de la identidad.

«En los últimos diez años, los cambios en la digitalización, la automatización de las infraestructuras y la inteligencia artificial han modificado la forma en que analizamos todo el panorama de amenazas», afirmó Prusty. «Si utilizamos nuestra propia infraestructura, nos sentimos seguros porque está dentro de nuestro propio perímetro. Pero con las empresas dispersas, el personal remoto y el aumento del trabajo desde casa, aumenta drásticamente la conexión con nuestra red desde el exterior, así que ¿cómo nos aseguramos de que nuestras identidades no se vean comprometidas?»

Prusty mencionó lo que muestran continuamente los principales informes del panorama de las amenazas, el 74% de todas las filtraciones incluyen el factor humano, con personas involucradas ya sea por error, uso indebido de privilegios, uso de credenciales robadas o ingeniería social. «Nuestra identidad solía centrarse principalmente en nuestro nombre de usuario y contraseña», compartió Prusty. «Ahora la identidad incluye múltiples tipos de credenciales, nuestros permisos, nuestros ordenadores portátiles o cualquier otro dispositivo que utilicemos para trabajar. La superficie de ataque es enorme. Y no se trata solo de personas; hay identidades no humanas que todas las organizaciones necesitan proteger, controlar y gestionar».

Cisco ha organizado la Seguridad de la Identidad en tres pilares principales: identidad interna, externa y con privilegios. Pero había una brecha en la supervisión de las sesiones de los usuarios con privilegios. No existía una visión centralizada de los informes de auditoría ni de quién estaba haciendo qué. Cisco es una gran organización global con una gran variedad de productos, servicios y socios. Necesitaba obtener una mejor visión vertical de su acceso con privilegios e identidad para aumentar la gobernanza y el control.

Solutions

Cisco decided to use CyberArk because it is the proven and recognized leader in identity security and privileged access management (PAM). The company needed a solution that could combine human and non-human privileged access control and identity into a unified platform, so that they can centrally audit and secure who has access to what.

The Cisco implementation of the CyberArk Identity Security Platform comprises CyberArk Privileged Access Manager and CyberArk Secrets Manager, Self-Hosted (formerly CyberArk Conjur Enterprise) with plans to deploy next-generation CyberArk Secrets Hub and CyberArk Dynamic Privileged Access products in the near future. Cisco leverages CyberArk’s vast integration capabilities to integrate with Cisco’s own multi-factor authentication (MFA) solution, Duo and integrates with other applications such as SailPoint and Saviynt to automate identity governance processes and simplify onboarding of users and secrets used by applications within the entire DevOps pipeline. CyberArk Secrets Manager is hosted in AWS and is used across the enterprise-wide hybrid and multi-cloud infrastructure to manage and govern secrets management. It gives DevOps engineers a simple process to replace hard-coded credentials with APIs retrieving the secrets applications need to perform their workloads across their entire CI/CD (continuous integration and continuous delivery) pipeline.

“We are very proud about what we have achieved with our program. The CyberArk Identity Security Platform helps us secure and manage human and non-human identities in a unified solution. We secure 50,000 human privileged identities, isolate and monitor more than 25,000 sessions per month, and produce more than a thousand hours of recorded sessions per day. From a secrets management perspective, we vault and rotate tens of thousands of credentials used by applications and manage more than 40 million API secrets calls a month.”
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco

Cisco is one of the largest consumers of cloud infrastructure, including AWS, Azure and GCP, in addition to hosting an impressive on-premises environment, making them a truly hybrid and multi-cloud company. As such, they needed an identity security solution that can holistically secure human and non-human access across various cloud platforms and even on-prem.

The next step will focus on two use cases and capabilities of the CyberArk Identity Security Platform:
CyberArk Secrets Hub will enable operational efficiencies and accelerate DevOps pipelines by enabling developers to use native AWS and Azure secrets management services that they are familiarized with, while the security team centrally manages and audits their applications’ credentials in CyberArk. Looking ahead, Cisco will also use CyberArk Secrets Manager to build cloud portable applications, provision cloud instances and enable users to manage and store their API key secrets, application and database credentials. CyberArk Dynamic Privileged Access (DPA) will help reduce the operational footprint and risk associated with standing access by creating ephemeral, time-bound access on the target Virtual Machine or server with attribute-based access control (ABAC) policies. Security teams will initiate isolated connections with just-in-time (JIT) access for administrators using their preferred RDP and SSH clients and leveraging risk-aware adaptive multi-factor authentication (MFA). All without the need for agents or VPNs to broker secured, isolated and monitored sessions.

Results

For Cisco, CyberArk delivers three core values:

1. Improve business operations by enabling one click to provision end-user secrets management.
2. Enhance security governance by monitoring and governing user access.
3. Removes hard-coded credentials across the entire DevOps pipeline and provides operational efficiencies to developers by giving developers an easy way to leverage API calls to retrieve secrets, freeing them to focus on value-add activities.

“Now, by having everything consolidated into one identity security platform, we are effective from a management and operational perspective for privileged access,” divulged Prusty. “We’ve been able to provide our admins and developers with a secure and flexible way to connect to their assets. This resulted in 50,000 privileged accounts protected with CyberArk and the platform handled 40 million API secrets calls per month to Conjur [now known as Secrets Manager], which is a requirement for us. We’ve also implemented multiple automations and integrations to streamline user and application onboarding. Onboarding used to take weeks. Now we can do it seamlessly and automatically in a few minutes.”

One of the other benefits of CyberArk is visibility and monitoring. “With CyberArk, every session is recorded and stored,” continued Prusty. “We can go back to review what has happened, who logged on, in which region, when and for how long. This gives us real insight for analysis and auditing.”

Cisco has established a strategic partner with CyberArk. The CyberArk Blueprint and CyberArk Success Plans have helped both parties set a roadmap to continuously achieve measurable risk reduction and enable operational efficiencies for Cisco and to work together to execute it. “Over the last three years, CyberArk has been great for Cisco,” acknowledged Prusty. “Now we are planning to evolve our CyberArk Identity Security Platform to leverage some of the new and advanced solutions that CyberArk is developing. We can bring a product like CyberArk Dynamic Privileged Access to Cisco and dramatically reduce the attack surface by providing just-in-time access, rather than standing access, for thousands of admin users.”

«Using CyberArk Secrets Hub will allow us to meet developers where they are. Developers will use the cloud providers native secrets management tool while we centrally manage and audit their secrets in CyberArk».
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco

One pressing challenge for Cisco is vendor management. “Cisco works with hundreds of supply chain partners around the world,” said Prusty. “These partners are core to Cisco’s business, so we want to ensure they are successful. But we have to consider how to simplify the management and governance of supply chain partners and give them the access they need efficiently. Associated with that is simplifying how our tech support and vendor teams work with our partners to enable seamless transactions. These are challenges where we are consulting with CyberArk to help solve them.”

“CyberArk has some significant initiatives and solution developments going on like CyberArk Secure Web Browser, leveraging AI across the entire platform, enhancing cloud security and password-less access, and it is great to be part of that journey,” concluded Prusty. “We are working on a password-less strategy and I’m happy to see that CyberArk is ahead and thinking through it and we are proud to partner with them to manage and govern some of our specific use cases.”

Key benefits

• Consolidates privileged access and identity security onto one platform
• Handles enterprise scale with 40 million API secrets calls per month with Secrets Manager
• 50,000 privileged access accounts protected
• 25,000+ isolated and monitored sessions per month
• 1,000+ hours of recorded sessions per day
• Enables fast, security one-click access to business systems
• Provides security roadmap for future challenges and improvements