
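Cisco Secures the Bridge to Possible by Holistically Protecting Human and Non-Human Identities
Leading networking provider strengthens security and achieves operational efficiencies by centrally securing and auditing privileged access for human users and applications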
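Summary
Cisco uses the CyberArk Identity Security Platform to give employees the dynamic, one-click privileged access they need to deliver and develop services for customers, and to accelerate and secure DevOps pipelines with a dynamic secrets management strategy.
Company profile
Cisco is a multinational digital communications technology company headquartered in San Jose, California, USA. It operates in 180 countries worldwide and delivers services under six strategic pillars: secure, agile networks; hybrid work; optimized application experiences; end-to-end security; internet for the future; and capabilities at the edge.
Employees: 100,000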
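Challenges
Imagine the responsibility of securing the customers, employees, assets and business operations of one of the world’s best-known IT companies. That responsibility falls to Santosh Prusty, Senior Leader on Cisco’s Enterprise Security Team, and the challenge is enormous. Cisco has 100,000 employees worldwide, hundreds of partner businesses and more than a thousand applications supporting the enterprise and Cisco’s customers.
“A few years ago, we looked at our gaps in privileged identity and access management,” explained Prusty. “We had a point solution, but no governance view of who was doing what, and no monitoring capability. So we were looking for a product to fill those gaps and meet our future identity security needs.”
For more than 50 years, Cisco has been the cornerstone of most of the world’s technology networks and business IT infrastructure. But the threat landscape facing Cisco and many other organizations is changing: it includes not only the traditional threats of malware and ransomware, but also supply chain attacks and the growing importance of identity security.
“Over the past decade, changes in digitization, infrastructure automation and artificial intelligence have changed how we look at the entire threat landscape,” said Prusty. “If we used our own infrastructure, we felt secure because it was within our own perimeter. But with distributed enterprises, remote employees and the rise in working from home, all of which greatly increase connections from outside into our network, how do we make sure our identities are not compromised?”
Prusty cited what major threat landscape reports have shown repeatedly: 74% of breaches involve the human element, with people involved through error, privilege misuse, use of stolen credentials or social engineering. “Our identity used to be centered mainly on our username and password,” shared Prusty. “Now identity includes multiple types of credentials, our permissions, our laptops or any other device we use for work. The attack surface is large. It’s not just people; every organization has non-human identities that need to be protected, controlled and managed.”
Cisco divides identity security into three pillars: internal, external and privileged identities. But there was a gap in monitoring privileged user session access. There were no audit reports and no centralized view of who was doing what. Cisco is a large global organization with many different products, services and partners. It needed better top-down visibility into its privileged access and identity estate to strengthen governance and control.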
Solutions
Cisco decided to use CyberArk because it is the proven and recognized leader in identity security and privileged access management (PAM). The company needed a solution that could combine human and non-human privileged access control and identity into a unified platform, so that they can centrally audit and secure who has access to what.
The Cisco implementation of the CyberArk Identity Security Platform comprises CyberArk Privileged Access Manager and CyberArk Secrets Manager, Self-Hosted (formerly CyberArk Conjur Enterprise), with plans to deploy the next-generation CyberArk Secrets Hub and CyberArk Dynamic Privileged Access products in the near future. Cisco leverages CyberArk’s vast integration capabilities to integrate with its own multi-factor authentication (MFA) solution, Duo, and with other applications such as SailPoint and Saviynt to automate identity governance processes and simplify onboarding of users and of the secrets used by applications within the entire DevOps pipeline. CyberArk Secrets Manager is hosted in AWS and is used across the enterprise-wide hybrid and multi-cloud infrastructure to manage and govern secrets. It gives DevOps engineers a simple process to replace hard-coded credentials with API calls that retrieve the secrets applications need to perform their workloads across the entire CI/CD (continuous integration and continuous delivery) pipeline.
“We are very proud about what we have achieved with our program. The CyberArk Identity Security Platform helps us secure and manage human and non-human identities in a unified solution. We secure 50,000 human privileged identities, isolate and monitor more than 25,000 sessions per month, and produce more than a thousand hours of recorded sessions per day. From a secrets management perspective, we vault and rotate tens of thousands of credentials used by applications and manage more than 40 million API secrets calls a month.”
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco
Cisco is one of the largest consumers of cloud infrastructure, including AWS, Azure and GCP, in addition to hosting an impressive on-premises environment, making them a truly hybrid and multi-cloud company. As such, they needed an identity security solution that can holistically secure human and non-human access across various cloud platforms and even on-prem.
The next step will focus on two use cases and capabilities of the CyberArk Identity Security Platform:
- CyberArk Secrets Hub will enable operational efficiencies and accelerate DevOps pipelines by enabling developers to use the native AWS and Azure secrets management services that they are familiar with, while the security team centrally manages and audits their applications’ credentials in CyberArk. Looking ahead, Cisco will also use CyberArk Secrets Manager to build cloud portable applications, provision cloud instances and enable users to manage and store their API key secrets, application and database credentials.
- CyberArk Dynamic Privileged Access (DPA) will help reduce the operational footprint and risk associated with standing access by creating ephemeral, time-bound access on the target virtual machine or server with attribute-based access control (ABAC) policies. Security teams will initiate isolated connections with just-in-time (JIT) access for administrators using their preferred RDP and SSH clients and leveraging risk-aware adaptive multi-factor authentication (MFA), all without the need for agents or VPNs to broker secured, isolated and monitored sessions.
Results
For Cisco, CyberArk delivers three core values:
- Improve business operations by enabling one click to provision end-user secrets management.
- Enhance security governance by monitoring and governing user access.
- Remove hard-coded credentials across the entire DevOps pipeline and provide operational efficiencies to developers by giving them an easy way to leverage API calls to retrieve secrets, freeing them to focus on value-add activities.
“Now, by having everything consolidated into one identity security platform, we are effective from a management and operational perspective for privileged access,” divulged Prusty. “We’ve been able to provide our admins and developers with a secure and flexible way to connect to their assets. This resulted in 50,000 privileged accounts protected with CyberArk and the platform handled 40 million API secrets calls per month to Conjur [now known as Secrets Manager], which is a requirement for us. We’ve also implemented multiple automations and integrations to streamline user and application onboarding. Onboarding used to take weeks. Now we can do it seamlessly and automatically in a few minutes.”
One of the other benefits of CyberArk is visibility and monitoring. “With CyberArk, every session is recorded and stored,” continued Prusty. “We can go back to review what has happened, who logged on, in which region, when and for how long. This gives us real insight for analysis and auditing.”
Cisco has established a strategic partnership with CyberArk. The CyberArk Blueprint and CyberArk Success Plans have helped both parties set a roadmap for continuous, measurable risk reduction and operational efficiencies for Cisco, and work together to execute it. “Over the last three years, CyberArk has been great for Cisco,” acknowledged Prusty. “Now we are planning to evolve our CyberArk Identity Security Platform to leverage some of the new and advanced solutions that CyberArk is developing. We can bring a product like CyberArk Dynamic Privileged Access to Cisco and dramatically reduce the attack surface by providing just-in-time access, rather than standing access, for thousands of admin users.”
“Using CyberArk Secrets Hub will allow us to meet developers where they are. Developers will use the cloud providers’ native secrets management tool while we centrally manage and audit their secrets in CyberArk.”
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco
One pressing challenge for Cisco is vendor management. “Cisco works with hundreds of supply chain partners around the world,” said Prusty. “These partners are core to Cisco’s business, so we want to ensure they are successful. But we have to consider how to simplify the management and governance of supply chain partners and give them the access they need efficiently. Associated with that is simplifying how our tech support and vendor teams work with our partners to enable seamless transactions. These are challenges where we are consulting with CyberArk to help solve them.”
“CyberArk has some significant initiatives and solution developments going on like CyberArk Secure Web Browser, leveraging AI across the entire platform, enhancing cloud security and password-less access, and it is great to be part of that journey,” concluded Prusty. “We are working on a password-less strategy and I’m happy to see that CyberArk is ahead and thinking through it and we are proud to partner with them to manage and govern some of our specific use cases.”
Key benefits
- Consolidates privileged access and identity security onto one platform
- Handles enterprise scale with 40 million API secrets calls per month with Secrets Manager
- 50,000 privileged access accounts protected
- 25,000+ isolated and monitored sessions per month
- 1,000+ hours of recorded sessions per day
- Enables fast, secure one-click access to business systems
- Provides security roadmap for future challenges and improvements