The global multi-energy provider, Repsol Protects Privilege Users and Vendors with a Comprehensive Privileged Identity Security Strategy

Summary

Repsol, the global multi-energy provider embarked on an ambitious digital transformation journey over half a decade ago. This shift, coupled with a customer-centric approach, extensive data collection and analysis, and new service launches, led to a complex system. To address this change and establish a global cybersecurity strategy for all entities, Repsol has been partnering with CyberArk to develop a program to secure privileged identities and has decided to centralize and unify the privileged Identity approach. Initially, the focus was on securing privileged accesses, but the program has since evolved to encompass endpoints and applications.

Company profile

Repsol is engaged across the entire value chain of energy production and strives to lead the transition to renewable energy generation. It has committed to the ambitious goal of becoming a net zero emissions company by 2050. In the 2022 Forbes Global 2000, Repsol was ranked as the world’s 320th largest public company with a net income of 4,251 billion Euros and serves over 24 million customers in 90+ countries.

Employees: 24,000

Challenges

Global multi-energy leader Repsol initiated an ambitious digital transformation over the past few years and is the first energy company to take on the commitment of reaching net zero emissions by 2050. Repsol has seven industrial complexes with one million+ barrels per day of refining capacity in its industrial facilities – one of the most efficient refining systems in Europe.

Repsol is transforming these complexes into multi-energy hubs capable of manufacturing products with a low, neutral or even a negative carbon footprint as well as promoting new business models based on digitalization and technology.

“Digitization and technology are fundamental to meeting our goal of being a net-zero emissions company by 2050,” explained David Corral, head of cybersecurity architecture at Repsol. “We rely on digital technologies such as artificial intelligence, robotic process automation, cloud solutions, advanced data analytics and more.”

Given this context, Repsol has been focusing on strengthening its security posture throughout the process to protect the company’s business and reputation from potential attacks.

With a global infrastructure serving over 24,000 employees and thousands of third-party vendors, Repsol evolves in a dynamic and challenging environment.

The emphasis on data and informed decision-making has fostered a cloud-first IT strategy, driving notable change in the company’s business systems. This shift is particularly evident in the substantial cloud deployment across Azure and Amazon Web Service (AWS) platforms. Repsol now employs multiple SaaS, PaaS and cloud-based solutions, which has dramatically increased the proliferation of human and non-human identities. This, coupled with some legacy systems and specialized systems supporting oil and gas operations distributed across the world, underscores the need for a stronger cybersecurity strategy.

The risks Repsol faces are technical, regulatory and business-related. These could lead to operational disruptions, intellectual property theft, data breaches and fraudulent activity. External factors like the pandemic, remote work and connections, and complex geopolitical situations, have exacerbated these threats, particularly impacting the energy and cybersecurity sectors.

Corral is a recognized digital transformation and cybersecurity executive with over 17 years of experience. He currently leads Repsol’s global security-by-design strategy. He is aware of the need to uphold business agility and distribution while ensuring the safeguarding of customers, personnel and systems. To consistently secure Repsol’s large volume of privileged identities and entitlements without impacting business efficiency, the company needed a consistent solution for its hybrid and multi-cloud environments.

Specifically, Repsol needed to secure remote access for privileged users, managing local administrators and extending the protection of credentials used by non-human identities such as application secrets.

To be successful, Repsol has adopted a nimble way of working for most of its teams. The company needs agility and permission to manage the resource groups for which it is responsible. They considered using a range of niche solutions, but their privileged identity security policy would have been decentralized, more costly and difficult to manage.

“We decided to secure privileged identities and their remote access with a single platform because of the cost of multiple solutions and deployment complexity, it made more sense to consolidate and find synergies from a single vendor.“

– Lukene Berrosteguieta, Head of security operations center at Repsol.

Solutions

Repsol has been a CyberArk customer since 2016 but began rolling out CyberArk in earnest as an enterprise-wide solution as its IT environment became more complex and cloud-based. Now the company has deployed several capabilities from the CyberArk Identity Security Platform.

The company has a strong team managing CyberArk, other solutions, and policies for privileged identity security and remote access. This includes protecting users, data, and applications of all types, as Repsol has 24.000 employees at locations across 20+ countries as well as hundreds of third-party vendors managing operational technology (OT) environments.

To protect privileged access across the global IT and OT environments, CyberArk Privileged Access Manager Self-Hosted was expanded and CyberArk Vendor PAM was adopted to protect internal and external privileged users. Privileged users access critical infrastructure with secure authentication from anywhere. Sessions are also isolated and monitored, and passwords are centrally managed in a strongly encrypted vault.

Repsol develops applications in Azure, AWS and on-premises, so it plans to implement CyberArk Conjur Secrets Manager to centrally secure its non-human identities across its multi-cloud and hybrid infrastructure. Repsol plans to explore adding CyberArk Secrets Hub, which would allow developers to use the cloud providers built-in (native) secrets management tools, such as AWS Secrets Manager and Azure Key Vault, without requiring code changes while providing security with full visibility and control of these secrets.

Repsol´s ongoing security strategy is to continue with a multi cloud approach and the next challenge it is facing is how to control Cloud Entitlements and to ensure cloud identity has least privilege permissions.

Results

“CyberArk has enabled Repsol to secure thousands of privileged identities while striking a good balance between increased security and agility that is instrumental in managing a complex and multi-national business like Repsol,” explained Corral.

Underpinned and protected by CyberArk, Repsol has developed a tier model for managing privileged identity security. This creates divisions between administrators depending on the resources they access. Admins that control workstations are separated from those who manage critical platforms with enterprise identities. Isolating domains limits how far an attack can penetrate the environment. Tier zero, for example, is used for the most critical domains like active directory systems, identity systems and backups. These have been separated at the identity and permission levels.

CyberArk Vendor PAM is used to protect third-party access to over 17 operational technology (OT) environments. These are critical infrastructure and industrial environments made up of software and hardware used to manage industrial control systems typical in many of Repsol’s oil and refining processes and low carbon energy networks. Additionally, CyberArk Vendor PAM’s capabilities provide offline secure access to air-gapped environments and ubiquitous access to external vendors needing to troubleshoot issues on remote systems.

In total, Repsol uses CyberArk Vendor PAM to ensure secure access for over 300 remote vendors across Repsol’s global operations in nine countries.

Another challenge Repsol was facing was related to the management of local administration rights in the endpoints. Administration rights removal was already enforced, and they were using an in-house solution that enabled Just in Time administrative rights assignment. Lack of features and auditability, minimize the permissions assignment window as well as the pursue for standardization and use of a commercial solution where the main drivers to look into CyberArk’s Endpoint Privilege Manager.

The implementation process went through distinct phases that involved deployment, monitoring, profile definition, ServiceNow integration and policies enforcement.

The solution has been part of Repsol’s daily operations for over six months, and the experience has been really positive. EPM allows the company to elevate privileges for everything catalogued and assigned to the different profiles defined and, for anything outside that, it provides Just in Time capabilities which allows the flexibility Repsol needs.

“CyberArk is one of the core platforms in Repsol’s state-of-the-art cybersecurity prevention and protection technology strategy,” concluded Corral. “It is configured according to risk prioritization and security by design. It draws on the capabilities of a market leading solutions like CyberArk.”

Key benefits

• Secures thousands of privileged identities without impacting global operations
• Enforces least privilege and secures 2K endpoints
• Secures privileged access for 300 vendors and remote users
• Expands and deploys PAM solution to 17 sites and nine countries
• Consolidates global privileged access onto a single platform
• Leverages a single solution for a complex hybrid and multi-cloud environment for human and non-human identities