Cisco’s strategic zero trust access evolution represents a critical transformation in how organizations protect their digital assets, users, and applications for the workplace of today and the future.
As a large enterprise, we manage over 135,000 laptops, tens of thousands of mobile devices, and a workforce spread across the globe. Securing that environment requires a fundamentally different approach than the traditional perimeter-based security we relied on in the past.
It’s paramount that we always strive to empower our employees to be productive, innovative, and secure, no matter where they work. That’s why we continue to evolve our zero trust strategy to meet the needs of a modern, distributed workforce.
The challenges of the modern workplace
For decades, virtual private networks (VPNs) were the gold standard for remote access. However, these legacy solutions come with significant drawbacks.
- Implicit trust: Once connected, VPNs typically grant broad network access. This means that once a user authenticates, they are often trusted with full network access without continuous user validation. It’s an “once authenticated, always trusted” approach.
- Limited visibility: VPNs often lack granular monitoring of specific application interactions, data transfer volumes, and actual user actions within the network. This creates challenges in compliance reporting, detecting insider threats, and understanding potential security risks in real time.
- Inflexible architecture: Inefficient routing and single-tunnel limitations mean users connect through one network path, and if that path is geographically distant from the applications, it creates higher latency, increased network congestion, and slower application performance.
- Security vulnerabilities: Broad network access increases the potential attack surface. Giving full network access means a single compromised credential could enable extensive damage, allowing attackers to move laterally between systems, access multiple sensitive resources, and exploit unpatched systems within the network.
Our vision: Comprehensive, transparent Zero Trust Access (ZTA)
Traditional zero trust solutions came of age during the pandemic, initially focused on remote access. But they missed critical use cases like on-premises user access, non-user device security, legacy application integration, and comprehensive network segmentation.
We realized that we needed a new approach, one based on the core principle of zero trust: “never trust, always verify, enforce least privilege.” But we also knew that simply implementing a traditional zero trust solution wouldn’t be enough. We needed a solution that was truly universal, one that could secure every user, device, and application, regardless of location or network.
ZTA emerged as a more granular, security-first model that:
- Verifies every access request, for users and things
- Provides application-level granularity
- Continuously validates user and device posture
- Minimizes potential breach impact
The comprehensive model addresses the shortcomings of traditional zero trust solutions by supporting local enforcement points, enabling consistent security policies across all environments, providing flexible access controls for managed and unmanaged devices, and integrating comprehensive identity and network visibility.
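To make the contrast between the two models concrete, here is an added example in Python; it is not Cisco’s code and does not use any Cisco product API. It compares the VPN model, where one successful authentication grants reach to every application on the network, with a zero trust evaluator that decides each request per application from group membership, authentication strength, device management state, device posture and a risk score. The applications, policies, users, devices and risk scores are all constructed sample data, and the risk engine that would supply the score is assumed rather than real.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: Set[str]
    device: Device
    app: str
    phishing_resistant_mfa: bool  # e.g. passkey/FIDO2 rather than push or OTP
    risk_score: int               # 0 (low) .. 100 (high); hypothetical risk engine


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: Set[str]
    require_managed_device: bool
    max_risk: int


# Constructed application catalogue with one policy per application.
POLICIES: Dict[str, AppPolicy] = {
    "hr-portal":   AppPolicy({"all-staff"},   require_managed_device=False, max_risk=60),
    "source-repo": AppPolicy({"engineering"}, require_managed_device=True,  max_risk=30),
    "finance-erp": AppPolicy({"finance"},     require_managed_device=True,  max_risk=20),
}


def vpn_allows(authenticated: bool, app: str) -> bool:
    """Legacy VPN model: one authentication at connect time, then every
    application on the network is reachable with no further checks."""
    return authenticated and app in POLICIES


def device_posture_ok(device: Device) -> bool:
    """Posture is re-evaluated on every request, not only at login."""
    return device.disk_encrypted and device.os_patched


def zta_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Zero trust model: evaluate ONE request against ONE application's policy.
    Returns (allowed, reasons); an empty reasons list means allow."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, ["unknown application (default deny)"]
    reasons: List[str] = []
    if not req.groups & policy.allowed_groups:
        reasons.append(f"none of {sorted(req.groups)} permitted for {req.app}")
    if not req.phishing_resistant_mfa:
        reasons.append("authentication is not phishing-resistant")
    if policy.require_managed_device and not req.device.managed:
        reasons.append("unmanaged device not permitted for this application")
    if not device_posture_ok(req.device):
        reasons.append("device posture check failed (encryption or patch level)")
    if req.risk_score > policy.max_risk:
        reasons.append(f"risk score {req.risk_score} exceeds policy maximum {policy.max_risk}")
    return (not reasons), reasons


def decide(req: AccessRequest, app: str) -> Tuple[bool, List[str]]:
    """Evaluate the same session against a different application."""
    return zta_decision(replace(req, app=app))


def reachable_apps(req: AccessRequest, model: str) -> List[str]:
    """Blast radius of one session: the applications it can reach under each model."""
    if model == "vpn":
        return [app for app in POLICIES if vpn_allows(True, app)]
    return [app for app in POLICIES if decide(req, app)[0]]


# Constructed sample: an engineer on a healthy, managed laptop using a passkey.
MANAGED_LAPTOP = Device("LAP-0001", managed=True, disk_encrypted=True, os_patched=True)
ENGINEER = AccessRequest("alice", {"engineering", "all-staff"}, MANAGED_LAPTOP,
                         app="source-repo", phishing_resistant_mfa=True, risk_score=10)

# Constructed sample: the same credential replayed from an unmanaged, unpatched
# host with a weaker second factor and an elevated risk score.
UNKNOWN_HOST = Device("UNKNOWN", managed=False, disk_encrypted=False, os_patched=False)
REPLAYED_CREDENTIAL = replace(ENGINEER, device=UNKNOWN_HOST,
                              phishing_resistant_mfa=False, risk_score=70)

if __name__ == "__main__":
    for label, req in (("engineer on managed laptop", ENGINEER),
                       ("replayed credential on unknown host", REPLAYED_CREDENTIAL)):
        print(f"{label}: VPN reach={reachable_apps(req, 'vpn')}  "
              f"ZTA reach={reachable_apps(req, 'zta')}")
    print(decide(ENGINEER, "finance-erp"))
```

Under the VPN model both sessions reach all three applications once authenticated; under per-request evaluation the healthy session reaches only the two applications its groups and posture entitle it to, and the replayed credential reaches none, with the reasons recorded for each denial. That per-application, per-request outcome is what the bullets above describe as application-level granularity, continuous posture validation and a smaller breach impact.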
Our implementation: A phased approach
Our own migration was a pragmatic, phased approach consisting of:
- Lifting and shifting existing VPN infrastructure to the cloud: We migrated existing VPN configurations directly to a cloud-based service, with no changes to the user experience or access methods, to reduce the complexity of integration. This provides a “staging ground” for a full ZTA transformation and allows us to leverage cloud scalability and global access points while maintaining existing security policies during the initial migration.
- Gradually transitioning applications to ZTA: We applied a phased approach to application migration, prioritizing applications based on security criticality, compatibility with ZTA protocols, and business impact, so that our IT teams could learn and adapt without massive disruption.
- Maintaining backward compatibility: We needed to ensure legacy systems continue functioning and to provide multiple access methods through traditional VPN, ZTA, and hybrid access modes. We needed to support applications that don’t natively support ZTA and implement fallback mechanisms to prevent business interruption during the transition and provide flexibility for our complex legacy infrastructure.
- Minimizing user disruption: Reducing user frustration and productivity loss was top of mind, so we needed to preserve familiar user workflows with transparent authentication processes and a consistent access experience across different applications, giving a seamless transition between access methods.
This approach allowed us to reduce implementation risk through a controlled, manageable transformation with continuous security improvements and minimal operational interruption. By evolving our network security systematically, we avoided the “rip and replace” approach that can cause significant operational challenges. The result was a more secure, more flexible network that can adapt to future needs.
It’s not a single point solution, but a seamless integration between cloud and on-premises environments, identity and access management solutions, and secure access service edge (SASE). We worked to combine our best-of-breed technologies to deliver a seamless and secure experience for every user and device, no matter where they are located.
Key components of our solution
Our ZTA strategy takes a unique identity-centric approach, built on a foundation of Cisco security and networking products:
- Cisco SSE (Secure Access): provides a unified, cloud-delivered security and networking solution that enables secure and seamless access for users and devices to applications anywhere.
- Cisco Duo: supports adaptive, passwordless authentication and reduced login friction while enforcing real-time, risk-aware policies with Risk-Based Authentication (RBA) and Passport.
- Cisco SD-WAN: allows us to securely connect our branch offices to the cloud and optimize network performance.
- Cisco Identity Services Engine (ISE): integrates with Secure Access to provide identity-based access control, dynamic device posture checks, and consistent policy enforcement across all access scenarios.
- Cisco ThousandEyes: provides end-to-end digital experience monitoring and visibility that ensures seamless and reliable access.
- Cisco AI Access: (in progress) allows teams to monitor employee GenAI usage, identify and mitigate potential risks, enforce data loss prevention (DLP) policies, and enable usage guardrails.
- Cisco Security Cloud Control: (in progress) unifies policy management across the Cisco Security portfolio for simplified administration and consistent enforcement across hybrid environments.
The results: A more secure and productive workforce
The flexibility of our ZTA approach enables innovative security approaches to secure unmanaged device access, AI application usage, dynamic risk-based authentication, and comprehensive digital workplace security. Our journey continues, but we’ve seen many benefits so far. In June 2025 alone, we saw:
- Login reductions: We significantly reduced the number of logins per week through single sign-on (SSO) and passwordless authentication. 92% of logins were automatically suppressed, requiring no user login.
- Improved user experience: Our employees have seamless and consistent access to the applications they need, regardless of their location. With fewer login distractions to take them away from work, they’re empowered to be more productive.
- Passwordless adoption: High adoption rates for passwordless authentication make it easier for our employees to securely access their applications. Only 1% of 16.5 million authentications relied on passwords.
- Enhanced security: We’ve significantly reduced our attack surface and the potential for security breaches. 99% of all logins are phishing-resistant. Our identity-driven access approach unifies identity, access, and network enforcement to enable a more secure, seamless, and scalable zero trust environment.
- Increased efficiency: Our IT team manages access policies more efficiently, freeing up time to focus on other strategic initiatives. Troubleshooting is simplified with AI-powered issue detection, remediation, and optimization.
- Cost savings: We’ve realized significant cost savings through increased employee productivity and reduced IT helpdesk support costs.
Looking ahead
Zero trust access is a strategy, not a product. Cisco’s strategic migration to a comprehensive ZTA model represents more than a technological upgrade; it’s a fundamental reimagining of network security. By moving beyond traditional perimeter-based models, we’re creating a more resilient, adaptive, and intelligent security framework with comprehensive and granular protection.
The journey isn’t about replacing existing infrastructure; it’s about transforming how we conceptualize and implement security in an increasingly complex digital world. Our flexible and phased approach is critical to the continuous adaptation needed in modern cybersecurity. As cyber threats become more sophisticated, zero trust security isn’t just an option; it’s a necessity.