🔐 Cisco Secure Access

The Cisco Secure Access integration allows P0 to securely manage and automate access to private network resources—such as servers, databases, or applications that are only reachable within a private network or cloud VPC—without requiring public IP exposure. When combined with Just-in-Time (JIT) access policies, this setup ensures that private infrastructure access is secure, traceable, and identity-aware.

Installing P0 with Cisco Secure Access takes about 15 minutes.

How It Works

  1. Private Resource Configuration

    • A private resource (such as a VM or database) is hosted within a private network or virtual cloud (AWS VPC, Azure VNet, or GCP VPC).

    • The resource is defined as a Private Resource in Cisco Secure Access and connected via a Secure Access Connector instance.

    • Cisco Secure Access makes the private resource reachable through its internal IP address without exposing it to the public internet.

  2. Identity and Access Control

    • Cisco Secure Access is configured with Okta SSO (or another identity provider) for user authentication.

    • Access policy rules within Secure Access can use user identities to grant or restrict access to specific users or groups.

  3. P0 Integration

    • P0 integrates with the Secure Access API to automatically discover private resources and enforce access through existing Secure Access connectors.

    • When a user creates an access request in P0:

      • If a relevant access rule already exists in Secure Access, P0 routes the request automatically.

      • If no rule exists, P0 can optionally use the Secure Access API to create or check a Just-in-Time (JIT) access rule within Secure Access policy.

  4. Connection Flow

    • The user runs the Cisco Secure Access client locally.

    • The user logs in using their SSO credentials (e.g., Okta).

    • Once authenticated, the user can connect to the private resource directly through Secure Access using its private IP.

    • P0 validates compliance with policy, enforces approval workflows, and logs the event.

Before You Begin

Prerequisites

To set up the Cisco Secure Access integration with P0, you'll need:

  • Cisco Secure Access Account with administrator privileges

  • Secure Access Connector deployed and configured in your private network

  • Identity Provider (IdP) configured in Cisco Secure Access (e.g., Okta, Azure AD)

  • P0 Account with administrator access

  • API Credentials from Cisco Secure Access:

    • API Client ID

    • API Client Secret

    • Organization ID

Required Permissions

You must have the following permissions in Cisco Secure Access:

  • Administrator or API Admin role

  • Permission to create and manage API clients

  • Permission to view and manage private resources

  • Permission to configure access policies

Setting Up Cisco Secure Access

Step 1: Create an API Client in Cisco Secure Access

  1. Log in to your Cisco Secure Access Dashboard

  2. Navigate to Settings → API Clients

  3. Click Create API Client

  4. Configure the API client:

    • Name: P0 Integration

    • Description: API client for P0 Just-in-Time access management

    • Scopes: Select the following scopes:

      • policies.privateresources:read - View private resources

      • policies.rules:read - View access policies

      • policies.rules:write - Manage access policies (required for JIT access)

  5. Click Create

  6. Save the credentials displayed:

    • Client ID

    • Client Secret (this will only be shown once)
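A least-privilege check for the scopes selected in Step 1, as an added example that is not part of P0's or Cisco's own tooling. It assumes you have copied the API client's scope list from the dashboard into a list of strings; the function name and the placeholder scope in the sample data are hypothetical.

```python
# Added example: audit the scopes granted to the "P0 Integration" API client.
# The three scope names are the ones listed in Step 1; everything else
# (function name, input format, sample data) is an assumption for illustration.

READ_SCOPES = {"policies.privateresources:read", "policies.rules:read"}
# Step 1 marks this scope as required for JIT access only.
JIT_SCOPES = {"policies.rules:write"}


def audit_scopes(granted, jit_enabled=True):
    """Compare granted scopes with what the integration needs.

    Returns a dict with:
      missing - scopes the integration needs but the client lacks
      excess  - scopes the client holds but the integration does not need
      ok      - True only when both lists are empty
    """
    # Trim whitespace and drop blanks/duplicates from pasted input.
    have = {s.strip() for s in granted if s and s.strip()}
    need = READ_SCOPES | (JIT_SCOPES if jit_enabled else set())
    missing = sorted(need - have)
    excess = sorted(have - need)
    return {"missing": missing, "excess": excess, "ok": not missing and not excess}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real tenant.
    # "example.placeholder:write" is a made-up scope name, not a real Cisco scope.
    samples = {
        "as documented": sorted(READ_SCOPES | JIT_SCOPES),
        "over-scoped": sorted(READ_SCOPES | JIT_SCOPES) + ["example.placeholder:write"],
        "read-only client": sorted(READ_SCOPES),
    }
    for label, scopes in samples.items():
        for jit in (True, False):
            print(f"{label!r}, jit_enabled={jit}: {audit_scopes(scopes, jit)}")
```

With JIT rule creation turned off, the same check reports policies.rules:write as excess, which is the cue to remove write access from the client.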

Step 2: Install the P0 Cisco Secure Access Integration

  1. Log in to your P0 Dashboard at https://p0.app

  2. Navigate to Integrations → Resource Integrations

  3. Click Add Integration

  4. Select Cisco Secure Access from the list

  5. Enter the following configuration details:

    API Configuration:

    • Organization ID: Your Cisco Secure Access organization ID

    • API Key: Your Cisco Secure Access API Key

  6. Click Save to complete the installation
