Cisco는 사용자 및 비-사용자형 아이덴티티를 통합적으로 보호합니다.

요약

Cisco는 CyberArk 아이덴티티 보안 플랫폼을 사용하여 사용자가 고객에게 서비스를 제공하고 개발하는 데 필요한 동적인 원클릭 특권 액세스를 제공하고 동적 기밀 관리 전략으로 DevOps 파이프라인을 가속화 및 보호합니다.

회사 소개

Cisco는 캘리포니아 산호세에 본사를 둔 미국 기반의 다국적 디지털 통신 기술 회사입니다. 전 세계 180개국에서 6가지 전략, 즉 안전하고 민첩한 네트워크, 하이브리드 업무, 최적화된 애플리케이션 경험, 엔드투엔드 보안, 미래를 위한 인터넷, 그리고 엣지에서의 역량 아래에서 서비스를 제공하고 있습니다.

직원 수: 100,000

도전 과제

세계에서 가장 유명한 IT 비즈니스의 고객, 직원, 자산 및 비즈니스 운영을 보호해야 하는 책임을 상상해 보십시오. 이러한 책임을 Cisco의 엔터프라이즈 보안팀 선임 리더인 Santosh Prusty가 맡고 있으며 그 과제는 막중합니다. 전 세계에 100,000명의 Cisco 직원, 수백명의 파트너 사업체와 그러한 사업체 및 Cisco의 고객을 지원하는 천 개 이상의 애플리케이션이 있습니다.

“과거, 특권 자사의 아이덴티티와 액세스 관리의 취약한점을 분석하였습니다.”라고 Prusty는 설명합니다. “포인트 솔루션은 있었지만 누가 무엇을 하고 있는지 거버넌스 관점도 없었고 모니터링 기능도 없었습니다. 그래서 우리는 이러한 격차를 해소하고 미래의 아이덴티티 보안 요구 사항을 충족하는 제품을 찾고 있었습니다.”

50년이 넘는 기간 동안 Cisco는 전 세계 대부분의 기술 네트워크 및 비즈니스 IT 인프라의 초석이 되어 왔습니다. 그러나 멀웨어 및 랜섬웨어와 같은 전통적인 위협뿐만 아니라 공급망 공격과 아이덴티티 보안의 중요성이 커지는 등 Cisco를 비롯한 많은 조직의 위협 환경이 변화하고 있습니다.

“지난 10년 동안 디지털화, 인프라 자동화 및 인공 지능의 변화로 인해 전체 위협 환경을 바라보는 방식이 바뀌었습니다,”라고 Prusty는 말합니다. “만약 우리가 자체 인프라를 사용한다면 자체 경계 내에 있기 때문에 안전하다고 느낄 것입니다. 하지만 분산된 기업, 원격 근무자, 재택근무의 증가로 인해 외부에서 네트워크에 연결할 수 있는 기회가 급격히 늘어나는 상황에서 어떻게 아이덴티티 보안이 손상되지 않도록 할 수 있을까요?”

Prusty는 주요 위협 환경 보고서가 지속적으로 보여주는 내용을 인용하며, 전체 침해 사고의 74%는 인적 요소를 포함하며, 사람들이 실수, 권한 오용, 도난당한 자격 증명 사용 또는 소셜 엔지니어링을 통해 연루된다고 설명했습니다. “예전에는 우리의 아이덴티티가 주로 사용자 이름과 비밀번호에 집중되어 있었죠,”라고 Prusty는 말합니다. “이제 아이덴티티에는 여러 유형의 자격 증명, 권한, 노트북 또는 업무에 사용하는 기타 모든 장치가 포함됩니다. 공격 가능한 범위는 방대합니다. 그리고 이는 사람뿐만이 아니며, 모든 조직이 보호, 제어 및 관리해야 하는 비인간 아이덴티티도 존재합니다.”

Cisco는 아이덴티티 보안을 세 가지 주요 축, 즉 내부, 외부 및 특권 아이덴티티로 구성했습니다. 하지만 특권 사용자 세션 모니터링에는 빈틈이 있었습니다. 감사 보고에 대한 중앙 집중식 보기라든가 누가 무엇을 하고 있는지 알 수 없었습니다. Cisco는 다양한 제품, 서비스 및 파트너를 보유한 대규모 글로벌 조직입니다. 거버넌스와 제어를 강화하기 위해 특권 액세스 및 아이덴티티 자산에 대한 더 나은 하향식 보기를 확보해야 했습니다.

Solutions

Cisco decided to use CyberArk because it is the proven and recognized leader in identity security and privileged access management (PAM). The company needed a solution that could combine human and non-human privileged access control and identity into a unified platform, so that they can centrally audit and secure who has access to what.

The Cisco implementation of the CyberArk Identity Security Platform comprises CyberArk Privileged Access Manager and CyberArk Secrets Manager, Self-Hosted (formerly CyberArk Conjur Enterprise) with plans to deploy next-generation CyberArk Secrets Hub and CyberArk Dynamic Privileged Access products in the near future. Cisco leverages CyberArk’s vast integration capabilities to integrate with Cisco’s own multi-factor authentication (MFA) solution, Duo and integrates with other applications such as SailPoint and Saviynt to automate identity governance processes and simplify onboarding of users and secrets used by applications within the entire DevOps pipeline. CyberArk Secrets Manager is hosted in AWS and is used across the enterprise-wide hybrid and multi-cloud infrastructure to manage and govern secrets management. It gives DevOps engineers a simple process to replace hard-coded credentials with APIs retrieving the secrets applications need to perform their workloads across their entire CI/CD (continuous integration and continuous delivery) pipeline.

“We are very proud about what we have achieved with our program. The CyberArk Identity Security Platform helps us secure and manage human and non-human identities in a unified solution. We secure 50,000 human privileged identities, isolate and monitor more than 25,000 sessions per month, and produce more than a thousand hours of recorded sessions per day. From a secrets management perspective, we vault and rotate tens of thousands of credentials used by applications and manage more than 40 million API secrets calls a month.”
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco

Cisco is one of the largest consumers of cloud infrastructure, including AWS, Azure and GCP, in addition to hosting an impressive on-premises environment, making them a truly hybrid and multi-cloud company. As such, they needed an identity security solution that can holistically secure human and non-human access across various cloud platforms and even on-prem.

The next step will focus on two use cases and capabilities of the CyberArk Identity Security Platform:
CyberArk Secrets Hub will enable operational efficiencies and accelerate DevOps pipelines by enabling developers to use native AWS and Azure secrets management services that they are familiarized with, while the security team centrally manages and audits their applications’ credentials in CyberArk. Looking ahead, Cisco will also use CyberArk Secrets Manager to build cloud portable applications, provision cloud instances and enable users to manage and store their API key secrets, application and database credentials. CyberArk Dynamic Privileged Access (DPA) will help reduce the operational footprint and risk associated with standing access by creating ephemeral, time-bound access on the target Virtual Machine or server with attribute-based access control (ABAC) policies. Security teams will initiate isolated connections with just-in-time (JIT) access for administrators using their preferred RDP and SSH clients and leveraging risk-aware adaptive multi-factor authentication (MFA). All without the need for agents or VPNs to broker secured, isolated and monitored sessions.

Results

For Cisco, CyberArk delivers three core values:

1. Improve business operations by enabling one click to provision end-user secrets management.
2. Enhance security governance by monitoring and governing user access.
3. Removes hard-coded credentials across the entire DevOps pipeline and provides operational efficiencies to developers by giving developers an easy way to leverage API calls to retrieve secrets, freeing them to focus on value-add activities.

“Now, by having everything consolidated into one identity security platform, we are effective from a management and operational perspective for privileged access,” divulged Prusty. “We’ve been able to provide our admins and developers with a secure and flexible way to connect to their assets. This resulted in 50,000 privileged accounts protected with CyberArk and the platform handled 40 million API secrets calls per month to Conjur [now known as Secrets Manager], which is a requirement for us. We’ve also implemented multiple automations and integrations to streamline user and application onboarding. Onboarding used to take weeks. Now we can do it seamlessly and automatically in a few minutes.”

One of the other benefits of CyberArk is visibility and monitoring. “With CyberArk, every session is recorded and stored,” continued Prusty. “We can go back to review what has happened, who logged on, in which region, when and for how long. This gives us real insight for analysis and auditing.”

Cisco has established a strategic partner with CyberArk. The CyberArk Blueprint and CyberArk Success Plans have helped both parties set a roadmap to continuously achieve measurable risk reduction and enable operational efficiencies for Cisco and to work together to execute it. “Over the last three years, CyberArk has been great for Cisco,” acknowledged Prusty. “Now we are planning to evolve our CyberArk Identity Security Platform to leverage some of the new and advanced solutions that CyberArk is developing. We can bring a product like CyberArk Dynamic Privileged Access to Cisco and dramatically reduce the attack surface by providing just-in-time access, rather than standing access, for thousands of admin users.”

“Using CyberArk Secrets Hub will allow us to meet developers where they are. Developers will use the cloud providers native secrets management tool while we centrally manage and audit their secrets in CyberArk”.
– Santosh Prusty, Senior Leader, Enterprise Security Team, Cisco

One pressing challenge for Cisco is vendor management. “Cisco works with hundreds of supply chain partners around the world,” said Prusty. “These partners are core to Cisco’s business, so we want to ensure they are successful. But we have to consider how to simplify the management and governance of supply chain partners and give them the access they need efficiently. Associated with that is simplifying how our tech support and vendor teams work with our partners to enable seamless transactions. These are challenges where we are consulting with CyberArk to help solve them.”

“CyberArk has some significant initiatives and solution developments going on like CyberArk Secure Web Browser, leveraging AI across the entire platform, enhancing cloud security and password-less access, and it is great to be part of that journey,” concluded Prusty. “We are working on a password-less strategy and I’m happy to see that CyberArk is ahead and thinking through it and we are proud to partner with them to manage and govern some of our specific use cases.”

Key benefits

• Consolidates privileged access and identity security onto one platform
• Handles enterprise scale with 40 million API secrets calls per month with Secrets Manager
• 50,000 privileged access accounts protected
• 25,000+ isolated and monitored sessions per month
• 1,000+ hours of recorded sessions per day
• Enables fast, security one-click access to business systems
• Provides security roadmap for future challenges and improvements