Cisco’s strategic zero trust access evolution represents a critical transformation in how organizations protect their digital assets, users, and applications for the workplace of today and the future.
As a large enterprise, we manage over 135,000 laptops, tens of thousands of mobile devices, and a workforce spread across the globe. Securing that environment requires a fundamentally different approach than the traditional perimeter-based security we relied on in the past.
It’s paramount that we always strive to empower our employees to be productive, innovative, and secure, regardless of where they work. That’s why we continue to evolve our zero trust strategy to meet the needs of a modern, distributed workforce.
The challenges of the modern workplace
For decades, virtual private networks (VPNs) have been the gold standard for remote access. However, these legacy solutions come with significant drawbacks.
- Implicit trust: Once connected, VPNs typically grant broad network access. This means that once a user authenticates, they are often trusted with full network access without continuous user validation. It’s a “once authenticated, always trusted” approach.
- Limited visibility: VPNs often lack granular monitoring of specific application interactions, data transfer volumes, and actual user activities within the network. This creates challenges in compliance reporting, detecting insider threats, and understanding potential security risks in real time.
- Rigid architecture: Inefficient routing and single-tunnel limitations mean users connect through one network path, and if that path is geographically distant from the applications, the result is higher latency, increased network congestion, and slower application performance.
- Security vulnerabilities: Broad network access increases the potential attack surface. Granting full network access means a compromised credential could enable extensive damage, allowing attackers to move laterally between systems, access multiple sensitive resources, and exploit unpatched systems across the network.
Our vision: Comprehensive, transparent Zero Trust Access (ZTA)
Traditional zero trust solutions came of age during the pandemic, initially focused on remote access. But they missed critical use cases like on-premises user access, non-user device security, legacy application integration, and comprehensive network segmentation.
We realized that we needed a new approach, one based on the first principle of zero trust: “never trust, always verify, enforce least privilege.” But we also knew that simply implementing a traditional zero trust solution wouldn’t be enough. We needed a solution that was truly universal, one that could secure every user, device, and application, regardless of location or network.
ZTA emerged as a more granular, security-first model that:
- Verifies every access request, for users and things
- Provides application-level granularity
- Continuously validates user and device posture
- Minimizes potential breach impact
The comprehensive model tackles the challenges of traditional zero trust solutions by supporting local enforcement points, enabling consistent security policies across all environments, providing flexible access controls for managed and unmanaged devices, and integrating comprehensive identity and network visibility.
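As an added illustration of the per-request model just described (not Cisco’s code, and not any product’s policy language), the hypothetical Python below evaluates each access request on identity, phishing-resistant authentication, freshly validated device posture, and an application-level entitlement, beside the one-time legacy VPN decision it replaces; the users, applications, and posture attributes are constructed sample values.

```python
"""Per-request zero trust access decision (hypothetical illustration).

Each request is judged on its own: who is asking, how they authenticated,
whether the device posture is current and healthy, and whether this identity
is entitled to this application. Contrast legacy_vpn_decision(), where one
successful login grants broad network access for the rest of the session.
"""
from dataclasses import dataclass

@dataclass
class Device:
    managed: bool            # enrolled in device management
    disk_encrypted: bool     # posture attribute (constructed)
    os_patched: bool         # posture attribute (constructed)
    posture_checked_at: int  # seconds on a constructed sample clock

@dataclass
class Request:
    user: str
    app: str
    device: Device
    now: int                        # current time on the same sample clock
    mfa_phishing_resistant: bool    # e.g. FIDO2 / passwordless factor

# Constructed entitlements: application-level least privilege, not a network.
ENTITLEMENTS = {"alice": {"wiki", "payroll"}, "bob": {"wiki"}}
POSTURE_MAX_AGE = 300  # re-validate device posture at least every 5 minutes

def legacy_vpn_decision(authenticated: bool) -> bool:
    """'Once authenticated, always trusted': one login opens the network."""
    return authenticated

def zta_decision(req: Request) -> tuple[bool, str]:
    """Evaluate one request; returns (allowed, reason) so denials are auditable."""
    if req.user not in ENTITLEMENTS:
        return False, "unknown identity"
    if not req.mfa_phishing_resistant:
        return False, "authentication not phishing-resistant"
    d = req.device
    if req.now - d.posture_checked_at > POSTURE_MAX_AGE:
        return False, "device posture stale"          # continuous validation
    if not (d.disk_encrypted and d.os_patched):
        return False, "device posture failed"
    if req.app == "payroll" and not d.managed:
        return False, "sensitive app requires managed device"  # unmanaged BYOD limit
    if req.app not in ENTITLEMENTS[req.user]:
        return False, "no entitlement for application"  # app-level granularity
    return True, "allowed"
```

A compromised credential alone fails the posture and entitlement checks, which is the breach-impact limitation the list above describes.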
Our implementation: A phased approach
Our own migration was a pragmatic and phased approach consisting of:
- Lifting and shifting existing VPN infrastructure to the cloud: We directly migrated existing VPN configurations to a cloud-based service with no changes to user experience or access methods, to reduce integration complexity. This provides a “staging ground” for a full ZTA transformation and lets us leverage cloud scalability and global access points while maintaining existing security policies during the initial migration.
- Progressively transitioning applications to ZTA: We applied a phased approach to application migration, prioritizing applications based on security criticality, compatibility with ZTA protocols, and business impact, which allowed our IT teams to learn and adapt without massive disruption.
- Maintaining backward compatibility: We needed to ensure legacy systems continue functioning and to provide multiple access methods through traditional VPN, ZTA, and hybrid access modes. We needed to support applications that don’t natively support ZTA and implement fallback mechanisms to prevent business interruption during the transition and provide flexibility for our complex legacy infrastructure.
- Minimizing user disruption: Reducing user frustration and productivity loss was top of mind, so we needed to preserve familiar user workflows with transparent authentication processes and a consistent access experience across different applications to provide a seamless transition between access methods.
This approach allowed us to reduce implementation risk through a controlled, manageable transformation with continuous security improvements and minimal operational interruption. By evolving our network security systematically, we avoided the “rip and replace” approach that can cause significant operational challenges. The result was a more secure, more flexible network that can adapt to future needs.
It’s not a single point solution, but a seamless integration between cloud and on-premises environments, identity and access management solutions, and secure access service edge (SASE). We worked to combine our best-of-breed technologies to deliver a seamless and secure experience for every user and device, regardless of where they are located.
Key components of our solution
Our ZTA strategy takes a unique identity-centric approach, built on a foundation of Cisco security and networking products:
- Cisco SSE (Secure Access): provides a unified, cloud-delivered security and networking solution that enables secure and seamless access for users and devices to applications anywhere.
- Cisco Duo: supports adaptive, passwordless authentication and reduced login friction while enforcing real-time, risk-aware policies with Risk-Based Authentication (RBA) and Passport.
- Cisco SD-WAN: lets us securely connect our branch offices to the cloud and optimize network performance.
- Cisco Identity Services Engine (ISE): integrates with Secure Access to provide identity-based access control, dynamic device posture checks, and consistent policy enforcement across all access scenarios.
- Cisco ThousandEyes: provides end-to-end digital experience monitoring and visibility that ensures seamless and reliable access.
- Cisco AI Access: (in progress) lets teams monitor employee GenAI usage, identify and mitigate potential risks, enforce data loss prevention (DLP) policies, and enable usage guardrails.
- Cisco Security Cloud Control: (in progress) unifies policy management across the Cisco Security portfolio for simplified administration and consistent enforcement across hybrid environments.
The results: A more secure and productive workforce
The flexibility of our ZTA approach enables innovative security approaches to secure unmanaged device access, AI application usage, dynamic risk-based authentication, and comprehensive digital workplace security. Our journey continues, but we’ve seen many benefits so far. In June 2025 alone, we observed:
- Login reductions: We significantly reduced the number of logins per week through single sign-on (SSO) and passwordless authentication. 92% of logins were automatically suppressed, requiring no user login.
- Improved user experience: Our employees have seamless and consistent access to the applications they need, regardless of their location. With fewer login distractions to take them away from work, they’re empowered to be more productive.
- Passwordless adoption: High adoption rates for passwordless authentication make it easier for our employees to securely access their applications. Only 1% of 16.5 million authentications relied on passwords.
- Enhanced security: We’ve significantly reduced our attack surface and potential for security breaches. 99% of all logins are phishing-resistant. Our identity-driven access approach unifies identity, access, and network enforcement to enable a more secure, seamless, and scalable zero trust environment.
- Increased efficiency: Our IT team manages access policies more efficiently, freeing up time to focus on other strategic initiatives. Troubleshooting is simplified with AI-powered issue detection, remediation, and optimization.
- Cost savings: We’ve realized significant cost savings through increased employee productivity and reduced IT helpdesk support costs.
Looking ahead
Zero trust access is a strategy, not a product. Cisco’s strategic migration to a comprehensive ZTA model represents more than a technological upgrade: it’s a fundamental reimagining of network security. By moving beyond traditional perimeter-based models, we’re creating a more resilient, adaptive, and intelligent security framework with comprehensive and granular protection.
The journey is not about replacing existing infrastructure; it’s about transforming how we conceptualize and implement security in an increasingly complex digital world. Our flexible and phased approach is critical to the continuous adaptation needed in modern cybersecurity. As cyber threats become more sophisticated, zero trust security isn’t just an option; it’s a necessity.