Cisco Protects the Bridge to the Possible by Holistically Securing Human and Non-human Identities

Summary

Cisco uses the CyberArk Identity Security platform to provide dynamic and one-click privileged access that staff need to deliver and develop services to customers and to accelerate and secure DevOps pipelines with a dynamic secrets management strategy.

Company profile

Cisco is an American-based multinational digital communications technology corporation headquartered in San Jose, California. It operates in 180 countries around the world delivering services under six strategic pillars: secure, agile networks; hybrid work; optimized application experiences; end-to-end security; Internet for the future; and capabilities at the edge.

Employees: 100,000

Challenges

Imagine the responsibility of securing the customers, staff, assets and business operations of one of the world’s most high-profile IT businesses. That responsibility lies with Santosh Prusty, Senior Leader, Enterprise Security Team at Cisco, and the challenge is significant. There are 100,000 Cisco employees, hundreds of partner businesses globally and over a thousand applications supporting the business and Cisco’s customers.

“A few years ago, we looked at the gaps we had in privileged identity and access management,” explained Prusty. “We had a point solution, but there was no governance view of who was doing what nor any monitoring capability. So, we were looking for a product to fill these gaps as well as meet our future identity security needs.”

For over 50 years, Cisco has been the cornerstone of most technology networks and business IT infrastructures across the globe. But the threat landscape for Cisco and many other organizations is changing, not just for traditional threats of malware and ransomware, but also supply chain attacks and the growing significance of identity security.

“Over the last ten years, changes in digitization, infrastructure automation and artificial intelligence have changed the way we look into the whole threat landscape,” said Prusty. “If we use our own infrastructure, we feel secure because it is within our own perimeter. But with dispersed enterprises, remote staff and a rise in working from our homes, all this dramatically increases connecting to our network from the outside, so how do we make sure our identities are not compromised?”

Prusty cited what leading threat landscape reports continuously show, 74 percent of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering. “Our identity used to mainly focus on our username and password,” shared Prusty. “Now identity includes multiple types of credentials, our permissions, our laptops or whatever other device we use for work. The attack surface is vast. And it is not only people; there are non-human identities that every organization needs to secure, control and manage.”

Cisco has organized identity security into three major pillars: internal, external and privileged identity. But there was a gap in privileged user session monitoring. There was no centralized view of audit reporting or who was doing what. Cisco is a large, global organization with a host of different products, services and partners. It needed to gain a better top-down view of its privileged access and identity estate to increase governance and control.

Solutions

Cisco decided to use CyberArk because it is the proven and recognized leader in identity security and privileged access management (PAM). The company needed a solution that could combine human and non-human privileged access control and identity into a unified platform, so that they can centrally audit and secure who has access to what.

The Cisco implementation of the CyberArk Identity Security Platform comprises CyberArk Privileged Access Manager and CyberArk Conjur Enterprise with plans to deploy next-generation CyberArk Secrets Hub and CyberArk Dynamic Privileged Access products in the near future. Cisco leverages CyberArk’s vast integration capabilities to integrate with Cisco’s own multi-factor authentication (MFA) solution, Duo and integrates with other applications such as SailPoint and Saviynt to automate identity governance processes and simplify onboarding of users and secrets used by applications within the entire DevOps pipeline. CyberArk Conjur is hosted in AWS and is used across the enterprise-wide hybrid and multi-cloud infrastructure to manage and govern secrets management. It gives DevOps engineers a simple process to replace hard-coded credentials with APIs retrieving the secrets applications need to perform their workloads across their entire CI/CD (continuous integration and continuous delivery) pipeline.

“We are very proud about what we have achieved with our program. The CyberArk Identity Security Platform helps us secure and manage human and non-human identities in a unified solution. We secure 50,000 human privileged identities, isolate and monitor more than 25,000 sessions per month, and produce more than a thousand hours of recorded sessions per day. From a secrets management perspective, we vault and rotate tens of thousands of credentials used by applications and manage more than 40 million API secrets calls a month.”
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco

Cisco is one of the largest consumers of cloud infrastructure, including AWS, Azure and GCP, in addition to hosting an impressive on-premises environment, making them a truly hybrid and multi-cloud company. As such, they needed an identity security solution that can holistically secure human and non-human access across various cloud platforms and even on-prem.

The next step will focus on two use cases and capabilities of the CyberArk Identity Security Platform:
CyberArk Secrets Hub will enable operational efficiencies and accelerate DevOps pipelines by enabling developers to use native AWS and Azure secrets management services that they are familiarized with, while the security team centrally manages and audits their applications’ credentials in CyberArk. Looking ahead, Cisco will also use CyberArk Conjur to build cloud portable applications, provision cloud instances and enable users to manage and store their API key secrets, application and database credentials. CyberArk Dynamic Privileged Access (DPA) will help reduce the operational footprint and risk associated with standing access by creating ephemeral, time-bound access on the target Virtual Machine or server with attribute-based access control (ABAC) policies. Security teams will initiate isolated connections with just-in-time (JIT) access for administrators using their preferred RDP and SSH clients and leveraging risk-aware adaptive multi-factor authentication (MFA). All without the need for agents or VPNs to broker secured, isolated and monitored sessions.

Results

For Cisco, CyberArk delivers three core values:

1. Improve business operations by enabling one click to provision end-user secrets management.
2. Enhance security governance by monitoring and governing user access.
3. Removes hard-coded credentials across the entire DevOps pipeline and provides operational efficiencies to developers by giving developers an easy way to leverage API calls to retrieve secrets, freeing them to focus on value-add activities.

“Now, by having everything consolidated into one identity security platform, we are effective from a management and operational perspective for privileged access,” divulged Prusty. “We’ve been able to provide our admins and developers with a secure and flexible way to connect to their assets. This resulted in 50,000 privileged accounts protected with CyberArk and the platform handled 40 million API secrets calls per month to Conjur, which is a requirement for us. We’ve also implemented multiple automations and integrations to streamline user and application onboarding. Onboarding used to take weeks. Now we can do it seamlessly and automatically in a few minutes.”

One of the other benefits of CyberArk is visibility and monitoring. “With CyberArk, every session is recorded and stored,” continued Prusty. “We can go back to review what has happened, who logged on, in which region, when and for how long. This gives us real insight for analysis and auditing.”

Cisco has established a strategic partner with CyberArk. The CyberArk Blueprint and CyberArk Success Plans have helped both parties set a roadmap to continuously achieve measurable risk reduction and enable operational efficiencies for Cisco and to work together to execute it. “Over the last three years, CyberArk has been great for Cisco,” acknowledged Prusty. “Now we are planning to evolve our CyberArk Identity Security Platform to leverage some of the new and advanced solutions that CyberArk is developing. We can bring a product like CyberArk Dynamic Privileged Access to Cisco and dramatically reduce the attack surface by providing just-in-time access, rather than standing access, for thousands of admin users.”

„Using CyberArk Secrets Hub will allow us to meet developers where they are. Developers will use the cloud providers native secrets management tool while we centrally manage and audit their secrets in CyberArk“.
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco

One pressing challenge for Cisco is vendor management. “Cisco works with hundreds of supply chain partners around the world,” said Prusty. “These partners are core to Cisco’s business, so we want to ensure they are successful. But we have to consider how to simplify the management and governance of supply chain partners and give them the access they need efficiently. Associated with that is simplifying how our tech support and vendor teams work with our partners to enable seamless transactions. These are challenges where we are consulting with CyberArk to help solve them.”

“CyberArk has some significant initiatives and solution developments going on like CyberArk Secure Web Browser, leveraging AI across the entire platform, enhancing cloud security and password-less access, and it is great to be part of that journey,” concluded Prusty. “We are working on a password-less strategy and I’m happy to see that CyberArk is ahead and thinking through it and we are proud to partner with them to manage and govern some of our specific use cases.”

Key benefits

• Consolidates privileged access and identity security onto one platform
• Handles enterprise scale with 40 million API secrets calls per month with Conjur
• 50,000 privileged access accounts protected
• 25,000+ isolated and monitored sessions per month
• 1,000+ hours of recorded sessions per day
• Enables fast, security one-click access to business systems
• Provides security roadmap for future challenges and improvements