
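Cisco works to holistically secure human and non-human identities to preserve the opportunity to realize what is possible
By centrally securing and auditing privileged access for human users and applications, the leading networking provider strengthens security and improves operational efficiency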
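Summary
Cisco uses the CyberArk Identity Security Platform to give employees the dynamic, one-click privileged access they need to deliver and develop services for customers, and to accelerate and secure DevOps pipelines through a dynamic secrets management strategy.
Company profile
Cisco is a multinational digital communications technology company headquartered in San Jose, California, USA. It operates in 180 countries worldwide and delivers services according to six strategic pillars: secure, agile networks; hybrid work; optimized application experiences; end-to-end security; internet for the future; and capabilities at the edge.
Employees: 100,000
Challenges
Imagine how daunting the responsibility is of keeping secure the customers, employees, assets and business operations of one of the world's best-known IT companies. That responsibility rests with Santosh Prusty, Senior Leader, Enterprise Security Team at Cisco, and it is undoubtedly a major challenge. Cisco has 100,000 employees worldwide, hundreds of partner companies, and more than a thousand applications supporting the company's business and Cisco's customers.
“A few years ago, we identified gaps in privileged identity and access management,” explained Prusty. “We had a point solution, but it lacked a governance view of who was doing what, and there was no monitoring capability. So we wanted to find a product that would close those gaps while also meeting our future identity security needs.”
For more than 50 years, Cisco has been the backbone of most of the world's technology networks and business IT infrastructure. But the threat landscape facing Cisco and many other organizations keeps changing: beyond the traditional threats from malware and ransomware, there are supply chain attacks and the growing importance of identity security.
“Over the past decade, changes in digitalization, infrastructure automation and artificial intelligence have also changed how we view the entire threat landscape,” said Prusty. “If we use our own infrastructure, we feel safe because we are within our own perimeter. But with enterprises becoming distributed, employees adopting remote work and working from home on the rise, all of these factors greatly increase the opportunities to connect to our corporate network from outside, so how do we ensure our identities are not compromised?”
Prusty cited data that major threat landscape reports consistently show: 74% of breaches involve the human element, with employees implicated through error, privilege misuse, use of stolen credentials or social engineering. “Our identity used to be centered mainly on our username and password,” shared Prusty. “Today, identity includes multiple types of credentials, our entitlements, our laptops, or any other device we use for work. The attack surface is especially large. There are not only human identities; there are also non-human identities that every organization needs to protect, control and manage.”
Cisco divides identity security into three pillars: internal, external and privileged identities. But there was a gap in privileged user session monitoring. There was no unified view of audit reporting or of who was doing what. As a very large global organization with many different products, services and partners, Cisco needed a better top-down view of its privileged access and identity estate in order to strengthen governance and control.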
Solutions
Cisco decided to use CyberArk because it is the proven and recognized leader in identity security and privileged access management (PAM). The company needed a solution that could combine human and non-human privileged access control and identity into a unified platform, so that it could centrally audit and secure who has access to what.
The Cisco implementation of the CyberArk Identity Security Platform comprises CyberArk Privileged Access Manager and CyberArk Secrets Manager, Self-Hosted (formerly CyberArk Conjur Enterprise), with plans to deploy the next-generation CyberArk Secrets Hub and CyberArk Dynamic Privileged Access products in the near future. Cisco leverages CyberArk’s vast integration capabilities to integrate with Cisco’s own multi-factor authentication (MFA) solution, Duo, and with other applications such as SailPoint and Saviynt, to automate identity governance processes and simplify onboarding of users and of secrets used by applications within the entire DevOps pipeline. CyberArk Secrets Manager is hosted in AWS and is used across the enterprise-wide hybrid and multi-cloud infrastructure to manage and govern secrets. It gives DevOps engineers a simple process to replace hard-coded credentials with API calls that retrieve the secrets applications need to perform their workloads across the entire CI/CD (continuous integration and continuous delivery) pipeline.
“We are very proud about what we have achieved with our program. The CyberArk Identity Security Platform helps us secure and manage human and non-human identities in a unified solution. We secure 50,000 human privileged identities, isolate and monitor more than 25,000 sessions per month, and produce more than a thousand hours of recorded sessions per day. From a secrets management perspective, we vault and rotate tens of thousands of credentials used by applications and manage more than 40 million API secrets calls a month.”
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco
Cisco is one of the largest consumers of cloud infrastructure, including AWS, Azure and GCP, in addition to hosting an impressive on-premises environment, making them a truly hybrid and multi-cloud company. As such, they needed an identity security solution that can holistically secure human and non-human access across various cloud platforms and even on-prem.
The next step will focus on two use cases and capabilities of the CyberArk Identity Security Platform:
- CyberArk Secrets Hub will enable operational efficiencies and accelerate DevOps pipelines by letting developers use the native AWS and Azure secrets management services they are familiar with, while the security team centrally manages and audits their applications’ credentials in CyberArk. Looking ahead, Cisco will also use CyberArk Secrets Manager to build cloud portable applications, provision cloud instances and enable users to manage and store their API key secrets, application and database credentials.
- CyberArk Dynamic Privileged Access (DPA) will help reduce the operational footprint and risk associated with standing access by creating ephemeral, time-bound access on the target Virtual Machine or server with attribute-based access control (ABAC) policies. Security teams will initiate isolated connections with just-in-time (JIT) access for administrators using their preferred RDP and SSH clients and leveraging risk-aware adaptive multi-factor authentication (MFA), all without the need for agents or VPNs to broker secured, isolated and monitored sessions.
Results
For Cisco, CyberArk delivers three core values:
- Improve business operations by enabling one click to provision end-user secrets management.
- Enhance security governance by monitoring and governing user access.
- Remove hard-coded credentials across the entire DevOps pipeline and provide operational efficiencies by giving developers an easy way to leverage API calls to retrieve secrets, freeing them to focus on value-add activities.
“Now, by having everything consolidated into one identity security platform, we are effective from a management and operational perspective for privileged access,” divulged Prusty. “We’ve been able to provide our admins and developers with a secure and flexible way to connect to their assets. This resulted in 50,000 privileged accounts protected with CyberArk and the platform handled 40 million API secrets calls per month to Conjur [now known as Secrets Manager], which is a requirement for us. We’ve also implemented multiple automations and integrations to streamline user and application onboarding. Onboarding used to take weeks. Now we can do it seamlessly and automatically in a few minutes.”
One of the other benefits of CyberArk is visibility and monitoring. “With CyberArk, every session is recorded and stored,” continued Prusty. “We can go back to review what has happened, who logged on, in which region, when and for how long. This gives us real insight for analysis and auditing.”
Cisco has established a strategic partnership with CyberArk. The CyberArk Blueprint and CyberArk Success Plans have helped both parties set a roadmap for continuous, measurable risk reduction and operational efficiencies at Cisco, and work together to execute it. “Over the last three years, CyberArk has been great for Cisco,” acknowledged Prusty. “Now we are planning to evolve our CyberArk Identity Security Platform to leverage some of the new and advanced solutions that CyberArk is developing. We can bring a product like CyberArk Dynamic Privileged Access to Cisco and dramatically reduce the attack surface by providing just-in-time access, rather than standing access, for thousands of admin users.”
“Using CyberArk Secrets Hub will allow us to meet developers where they are. Developers will use the cloud providers’ native secrets management tool while we centrally manage and audit their secrets in CyberArk.”
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco
One pressing challenge for Cisco is vendor management. “Cisco works with hundreds of supply chain partners around the world,” said Prusty. “These partners are core to Cisco’s business, so we want to ensure they are successful. But we have to consider how to simplify the management and governance of supply chain partners and give them the access they need efficiently. Associated with that is simplifying how our tech support and vendor teams work with our partners to enable seamless transactions. These are challenges where we are consulting with CyberArk to help solve them.”
“CyberArk has some significant initiatives and solution developments going on like CyberArk Secure Web Browser, leveraging AI across the entire platform, enhancing cloud security and password-less access, and it is great to be part of that journey,” concluded Prusty. “We are working on a password-less strategy and I’m happy to see that CyberArk is ahead and thinking through it and we are proud to partner with them to manage and govern some of our specific use cases.”
Key benefits
- Consolidates privileged access and identity security onto one platform
- Handles enterprise scale with 40 million API secrets calls per month with Secrets Manager
- 50,000 privileged access accounts protected
- 25,000+ isolated and monitored sessions per month
- 1,000+ hours of recorded sessions per day
- Enables fast, secure one-click access to business systems
- Provides security roadmap for future challenges and improvements