Ecad transforms identity security program, protecting royalties for millions of musicians worldwide

Summary

With royalties of millions of musicians worldwide threatened by cyberattacks, Brazil’s copyright agency, Ecad, has partnered with CyberArk to strengthen its identity security posture. Ecad’s mission is to monitor, gather and distribute millions of dollars in royalties each time an artist’s work is played in Brazil. Ecad uses the CyberArk Identity Security Platform to centrally authenticate and authorize access to automated and semi-automated processes that track the consumption of music, via multiple channels (radio, TV, live or streaming). The CyberArk platform provides Ecad’s workforce a secure and easy experience accessing applications, while intelligent privilege controls help isolate, monitor and continuously authenticate high-risk access.

Company profile

Ecad is a Brazilian non-profit organization that collects and distributes copyright royalties owed to any songwriter, performer and musician in the world when their work is played in Brazil. It is part of a collective management of seven music industry agencies and has 535 employees working out of more than 20 offices throughout Brazil. Ecad uses a hybrid IT infrastructure to identify when works are played, and then distributes payments to the relevant artists. Working with hundreds of external third-party vendors and thousands of music agencies around the world to protect artists’ copyright royalties, Ecad is responsible for one of the largest databases in Latin America. It includes 594 channels and registered places, 21 million musical pieces, 22 million recordings and 375,000 audiovisual works. In 2023, Ecad distributed US$320 million (BRL 1.6 billion) to approximately 323,000 songwriters, performers, musicians, publishers and record producers worldwide.

Employees: 535

Challenges

Royalties are the lifeline for millions of musicians around the world and securing fair payment is Ecad’s greatest mission. Every day, attackers and bad actors attempt access to Ecad’s IT environment trying to access this data and associated financials. Ecad’s identity security program is further complicated by a distributed workforce in multiple branches across Brazil, interacting with centralized applications. The shift over time to a SaaS and cloud infrastructure increased data exposure and made legacy protections such as traditional perimeter-based controls like virtual private network (VPN) obsolete and ineffective against advanced attackers. This made data accuracy, protection of identities and endpoints and real-time visibility a critical demand that led Ecad to modernize its identity infrastructure. Additionally, secure access for external IT vendors needed improving, as there was a lack of visibility into the third-party access to critical business applications.

“Suppose someone were to breach our systems and add a fictitious name to a piece of work,” explained Davi Lyra, systems coordinator at Ecad. “Every time that work is played, money would be sent to that fraudulent individual, robbing the rightful artist of their income.”

Aware of this and many other risks it faced; Ecad ran a series of penetration tests to spot vulnerabilities in the existing security infrastructure. With traditional perimeter-based security breaking down and staff in 21 offices across Brazil needing to access business-critical applications, the penetration test showed that protecting identity security was critical.

“Protecting identity is now mandatory. Previously, if we secured the perimeter, we were fine, but now that is not enough. We needed a solution that could protect any type of identity and application (legacy, on-premises, in the cloud, or SaaS-based), to be able to innovate with confidence for decades to come. »

– -Valéria Pessôa, IT Executive, Ecad

Ecad faced challenges escalated by the many different systems supporting payment collections, music identification and financial distribution. When a piece of music is played, Ecad systems monitor the music and match it to the artist who needs to be paid. As new channels – TV, radio and recently streaming – evolved, Ecad set up new teams and systems to manage the channels. This resulted in new systems having different authentication and log-in credentials. “The problem with multiple authentication and credential types is we cannot anticipate the side effects of change,” explained Lyra. “A change in one system could cause another system to fail.”

Solutions

Ecad deployed a CyberArk Identity Security Platform comprising products to reinforce security in a centralized identification platform. This acts as a single portal combining the front ends of Ecad’s copyright monitoring and managing applications. CyberArk enhances the portal with capabilities such as single-sign-on (SSO), validating passwords and identities and continuously checking credentials and authentication.

“CyberArk has flexible deployment options, like open API, OpenID and many others and has tackled several different security challenges in one go,” shared Lyra. “CyberArk became our one-stop-shop for securing multiple applications and systems irrespective of platform. We can even integrate our third-party API gateway into CyberArk authentication which means that all our API calls are secure. Most importantly, this means applications are more resilient to changes so that we can react quickly to new needs and demands.”

Furthermore, the CyberArk dashboard provides insight into access activities such as tracking users logging in to Microsoft Active Directory. Overall, CyberArk secures 500 staff, 500 workstations, 250 servers and access to Ecad by external IT system vendors. For example, local admin rights have been removed from servers and replaced with least privilege policies application controls using CyberArk Endpoint Privilege Manager (EPM). Additionally, using CyberArk to manage access to cloud services and infrastructure enables the organization to leverage the full extent of the cloud with a security-first mindset. Developers enjoy a seamless access experience protected by intelligent privilege controls.

CyberArk was implemented in partnership with Ecad, CyberArk and its local business partner Asper.

“The deployment of CyberArk, including developing the identification platform portal, took just three months. Deployment was very easy especially since we could use the API concepts in CyberArk to improve and speed up portal development. Working with CyberArk’s partner Asper here in Brazil was fundamental to the success of the project,” highlighted Vinicius Fonseca, IT Specialist at Ecad. “Asper provided great advice and consultancy and helped us resolve issues that we found challenging.”

Results

The flexibility of the CyberArk solution has allowed Ecad to protect its investment in its existing systems while at the same time implementing more secure identity-based security.

“Because of the flexibility and simplicity of the CyberArk Identity Security Platform, we were able to cover a lot of ground with very little effort,” elaborated Lyra. “We have a very broad and different spectrum of applications doing authentication in several different ways. However, with CyberArk it was nowhere near as complex or difficult compared to other options. CyberArk has all the standards we need ready to use so it has saved Ecad a lot of money and months of development time.”

By integrating CyberArk solutions with the identification platform portal that front-ends applications, Ecad has avoided a significant amount of development, testing, maintenance time and troubleshooting. Before it would have meant developing dozens of different authentication and authorization processes and then re-writing them for each application. A critical benefit of CyberArk is it did not replace anything or demand lots of change, it just added another, even more secure, layer of protection.

Ecad estimates that using CyberArk has reduced typical application development and implementation time by up to three months and saved thousands of dollars in costs.

After deploying CyberArk, Ecad re-ran a penetration test and found that virtually all the vulnerabilities highlighted before had been resolved making it much harder for bad actors to make a successful breach.
CyberArk further reduces cost and time by supporting Ecad as it expands. As the way that music is consumed evolves, Ecad needs to develop applications to accommodate new platforms for playing music. Any new application just needs to plug into the identification platform portal where the necessary authentication and authorization is already pre-built using CyberArk.

“From our perspective, CyberArk is a global leader in the cybersecurity space which helps Ecad save time, effort and money,” said Lyra. “CyberArk provides such a wide range of solutions, regularly adapts itself to new threats and develops new ways of making identity and authentication processes more secure. The value Ecad gets from CyberArk is knowing we have a partner working on the front line of identity security and developing innovative solutions that enable us to protect millions of musicians and their livelihoods across the globe.”

Key benefits

• Saves a huge amount of development costs and time
• Avoids expensive and repetitive development, testing and maintenance
• Typical application development time cut by up to three months
• Saves thousands of dollars making applications more secure
• Protects investment in existing and future application implementation
• Achieves a dramatic improvement in penetration test success
• Solution deployed in three months