Capcom strengthens its security by protecting sensitive information in game development environments

Company profile

Capcom is a leading worldwide developer, publisher and distributor of interactive entertainment for game consoles, PCs, handheld and wireless devices. Founded in 1983, the company has created hundreds of games, including groundbreaking franchises Resident Evil™, Monster Hunter™, Street Fighter™, Mega Man™, Devil May Cry™ and Ace Attorney™. Capcom maintains operations in the U.S., U.K., Germany, France, Hong Kong, Taiwan, Singapore and Tokyo, with corporate headquarters located in Osaka, Japan. More information about Capcom and its products can be found at www.capcom.com or www.capcom-unity.com.

Date of Initiation : June 11, 1983
Net sales : 110,054 million yen (fiscal year ended March 31, 2022)
Number of Employees : 3,206 (as of March 31, 2022)

Challenges

Comprehensive improvement of security measures needed for one of the world’s leading game makers

Capcom’s game business is particularly noteworthy for its advanced technological development capabilities.
In recent years, manufacturers often first purchase a game engine provided by a game platform technology developer and then develop content based on that engine. Capcom, however, has developed its own game engine based on fundamental technology development capabilities for many years and is highly rated and positioned as a leader in the game industry. The development team for the latest game engine even won the top award in the engineering category at the prestigious CEDEC AWARDS. Capcom is committed to proprietary technology, making games loved by fans worldwide.

The R&D Foundational Technology Department, which supports the development of games and game platform technology, oversees the introduction of technology and creates rules to increase productivity so that engineers and creators can focus on development. In addition to compiling and disseminating rules, this department is also responsible for operating and enhancing security approaches and ensuring compliance with the laws and regulations of each country and region.

Kohei Akiyama of Capcom’s Engine Development Support Section, R&D Foundational Technology Department, said, “Of course, the information systems department has also been addressing company-wide security and compliance measures. However, the game development department handles vital data assets using a dedicated development environment for each project. Since we sell our content around the world, we also need to consider laws and regulations from the outset to create products that comply with the rules of each country and region. In addition, since we are operating a large-scale system with numerous development projects running concurrently, we add our own approach to support smooth creativity,”

Capcom has been focusing on strengthening security measures for some time, but in order to work on more advanced measures and higher levels of protection, a dedicated Development Security Task Force has been established and has begun studying the introduction of technologies and mechanisms to protect valuable information assets.

Solutions

Privileged access management protects development environments without compromising productivity

The Development Security Taskforce consulted with several IT vendors regarding enhanced security measures. It adopted a proposal from Japan Business Systems (JBS) that focused on a solution that would make the development environment more secure and transparent without compromising productivity. From there, Capcom showed keen interest in privileged access management solutions.

Protecting the privileged access of system administrator accounts is still considered an important security measure in recent years. This is because if an an attacker gains administrator-level access to systems, they could easily manipulate data and applications and steal as much information as possible.

A part of Capcom’s development environment is configured on a virtualization infrastructure, but the hundreds of virtual servers are operated by the people in charge of each project. The Engine Development Support Section Office had established rules for operating accounts and passwords. Still, since the actual operation was left to the staff, based on the principle of good faith, there were concerns about whether these rules were being thoroughly followed. Since modern game development is increasingly online and more domestic and overseas partner companies are actively participating, it is crucial to enhance privileged access management for the future.

Mr. Koji Yoshida of Capcom’s Engine Development Support Section of the R&D Foundational Technology Department said, “The development environment centered on a server is accessed by engineers from individual PC terminals. The server, where all kinds of data are concentrated, is the place that must be protected the most. With a few exceptions, the personnel for each project in charge of servers is not IT professionals but application programmers who also have game development tasks. The development environment is mainly Linux servers, and not everyone is familiar with the operation. Therefore, there was a risk that account management would inevitably become sloppy. Implementing a privileged access management solution was one of our most urgent and important tasks.”

In response to these requirements, Capcom selected CyberArk Privileged Access Manager as its privileged access management solution, which supports existing Linux-based development environments and meets the stringent requirements of Capcom’s security teams. CyberArk Privileged Access Manager has a proven track record in the industry and offers a complete set of functions to enhance privileged access management, such as logging and password rotation. The biggest deciding factors in introducing the system were its “agentless” implementation and support for single sign-on.

CyberArk Privileged Access Manager does not require agents to be installed on each server, so the impact on the development environment is minimal. The agentless feature has helped reduce the workload, as each project involves setting up many servers and closing them when development is complete. The functionality of privileged access management ensures IDs/passwords are kept secret from even the server administrator, and it is easy to create a flow that can only be accessed via CyberArk Privileged Access Manager. As a result, the system matched the preliminary requirements of being transparent and significantly improving security measures and governance without increasing end-user effort.

Results

Privileged access management of all development projects centralized using CyberArk Privileged Access Manager

After deciding to implement CyberArk Privileged Access Manager, Capcom designed an operational method after several months of proof-of-concept. Then, with the support of JBS, Capcom implemented the solution, gradually expanded the operation and started full-scale protection in June 2022.

Initially, the operation secured new projects using CyberArk Privileged Access Manager and adjusted the operational flow with the cooperation of each department. Capcom has since shifted existing projects’ processes to the new system, so CyberArk Privileged Access Manager secures them completely.

“It is an important security measure, and there will be changes to existing operational methods, so we took the time to explain to people and leaders in charge of each department to help us implement the system. However, CyberArk Privileged Access Manager itself is very easy to use. I have had no difficulties, and it has become a natural fit for me as a PAM administrator. It has all the functionality we need for privileged access management, and we feel that we have consolidated and enhanced our account management,” said Mr. Yoshida.

A side effect of privileged access management is that server administrators are now able to manage and visualize access via CyberArk Privileged Access Manager.

By utilizing CyberArk Privileged Access Manager’s log auditing function, it is possible to closely monitor how often privileged access is required and how often administrators manage servers. Mr. Yoshida found that as the development project progressed, the server management work itself was not performed very often, and the the servers were not accessed frequently. In addition, there were some cases where virtual servers that were hardly used at the end of the development process were left standing.

“The visibility provided by CyberArk Privileged Access Manager has allowed us to review the server operations themselves. If there is little access to the servers, there is a risk that necessary OS updates and other operations may be neglected. There is also a desire to optimize resource allocation by proactively removing unnecessary servers. In the future, we believe we can proactively consider reviewing our server management rules,” said Mr. Yoshida.

Mr. Akiyama and his team have also received comments from application programmers who are in charge of server operations that there are no problems at all with regular use. Although there were some concerns, the transparent use of the system has proven not to impair productivity. The programmers have no trouble setting up the server because it comes complete with instructions and documentation. They feel confident that JBS, a CyberArk partner, will support them if they have any questions, allowing them to concentrate on developing games with peace of mind.

Further security enhancement promoted
The R&D Foundational Technology Department intends to promote the strengthening of security measures, including using CyberArk Privileged Access Manager, to create a safer and more comfortable environment in which people can engage in game development.

“In addition to enhancing technical measures, our mission is to enhance end-user literacy. We are also making progress toward drastic rule and operational improvements to meet our needs, such as discussing whether server management should remain as it is. By visualizing the current situation, we were able to make a start toward creating a better environment. In that sense, we feel that CyberArk Privileged Access Manager is a solution for which there is no alternative,” said Mr. Akiyama. He also looks forward to receiving the information to strengthen literacy and countermeasures from CyberArk and its solution partner, JBS.

A secure and comfortable environment is necessary for maintaining a healthy development site, and enhanced security with CyberArk Privileged Access Manager at its core will help increase game development productivity and produce more engaging content.

Key benefits

• Enhances security for game development environments with sensitive information.
• Introduces privileged access management for development servers.
• Introduces without load due to agentless feature.
• Realizes robust countermeasures through confidentiality of privileged IDs and passwords.