I second this. My advisor and I recently visited Cisco to present some embedded security work we've been doing. From what I could gather, they were very interested in ensuring that their customers' applications and devices were secure. They were also looking for ways to provide their customers with ways to check for government backdoors.
There's an honest question about how deep that support goes though. Is it just that group, which is a tiny tiny part of a megacorp? How much influence do they have on the huge number of shipped products? What percentage of shipped Cisco products get a security review?
An alternative line of thought is making the right noises for the customers while also keeping the bribe budgets liquid, to put it crassly.
Putting my security researcher hat on, maybe this tiny little group's purpose is to figure out and get intel on what directions customers are actually looking in, so they know where to hide stuff.
Actually if you read the paper, the architecture is designed in such a way that the key management server can be implemented as an on-premise box while all the rest of your data lives in Cisco's cloud. In that situation, Cisco has access to your data but it's fully encrypted with keys that they do not have access to, making it a true end-to-end solution. It's a pretty interesting design that allows companies to be the only ones with access to the raw, unencrypted data while still letting Cisco manage everything in the cloud.
Now this does only apply for companies that choose to go with the on-premise KMS; if not, Cisco manages the KMS in their own cloud as well, which does mean it's not a true e2e solution (although, like I said, I can speak with a pretty high level of confidence that security is one of the top priorities).
But the client (Cisco software) does the encryption, does it not? Therefore it has access to the unencrypted data, and therefore can do what it likes with it.
I mean, I suppose that's true, but that's a terribly weak argument. You could say the same thing about Signal, which is considered one of the most secure messaging applications on the market at the moment. It's pretty trivial to monitor network traffic to see that the unencrypted data never leaves your own device.
As far as I know, security has always been one of Cisco's top priorities, which is one of the reasons they have been so strong in the enterprise market. It's almost inevitable that at some point bugs like the one in the link here pop up, but I haven't heard of any backdoors or nefarious practices from Cisco in the past.
Cisco has been strong in the enterprise market because they are good at marketing to the enterprise market, and providing certifications so that they can ensure a labor pool for IT departments.
Part of the marketing is talking about security. It's unclear if the reputation matches reality though.
I say this as someone who has become super disillusioned with Cisco, as the thread originator has. But this is mostly because of their switch products, pricing, configuration management, and end user software. I don't have much experience with their security, though I have no reason to suspect that it's the least bit better than any other company's security, based on the amount of patching and their default configurations.