Cisco IT’s Zero Trust Access Evolution: Securing Our Distributed Future


Cisco’s strategic zero trust access evolution represents a critical transformation in how organizations protect their digital assets, users, and applications for the workplace of today and the future. 

As a large enterprise, we manage over 135,000 laptops, tens of thousands of mobile devices, and a workforce spread across the globe. Securing that environment requires a fundamentally different approach than the traditional perimeter-based security we relied on in the past. 

It’s paramount that we always strive to empower our employees to be productive, innovative, and secure, no matter where they work. That’s why we continue to evolve our zero trust strategy to meet the needs of a modern, distributed workforce.  

The challenges of the modern workplace

For decades, virtual private networks (VPNs) have been the gold standard for remote access. However, these legacy solutions come with significant drawbacks.  

  1. Implicit trust: Once connected, VPNs typically grant broad network access. This means that once a user authenticates, they are often trusted with full network access without continuous user validation. It’s a “once authenticated, always trusted” approach.  
  2. Limited visibility: VPNs often lack granular monitoring of specific application interactions, data transfer volumes, and actual user activities within the network. This creates challenges in compliance reporting, detecting insider threats, and understanding potential security risks in real time.  
  3. Inflexible architecture: Inefficient routing and single-tunnel limitations mean users connect through one network path, and if that path is geographically distant from the applications, it creates higher latency, increased network congestion, and slower application performance.  
  4. Security vulnerabilities: Broad network access increases the potential attack surface. Giving full network access means a compromised credential could enable extensive damage, allowing attackers to move laterally between systems, access multiple sensitive resources, and exploit unpatched systems within the network.  

Our vision: Comprehensive, transparent Zero Trust Access (ZTA)

Traditional zero trust solutions came of age during the pandemic, initially focused on remote access. But they overlooked critical use cases like on-premises user access, non-user device security, legacy application integration, and comprehensive network segmentation. 

We realized that we needed a new approach, one based on the first principle of zero trust: “never trust, always verify, enforce least privilege.” But we also knew that simply implementing a traditional zero trust solution wouldn’t be enough. We needed a solution that was truly universal, one that could secure every user, device, and application, regardless of location or network. 

ZTA emerged as a more granular, security-first model that: 

  • Verifies every access request, for users and things 
  • Provides application-level granularity 
  • Continuously validates user and device posture 
  • Minimizes potential breach impact 

The comprehensive model tackles the challenges of traditional zero trust solutions by supporting local enforcement points, enabling consistent security policies across all environments, providing flexible access controls for managed and unmanaged devices, and integrating comprehensive identity and network visibility.  
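The contrast between the VPN drawbacks listed above (“once authenticated, always trusted”) and the ZTA properties just described (per-request verification, application-level granularity, continuous posture validation, limited breach impact) is easiest to see in a small policy decision point. The following is an added example, not Cisco IT’s code or the logic of any Cisco product; the group names, application names, posture attributes and rule thresholds are all constructed for illustration. It evaluates every request on its own against identity, device posture and per-application policy, and shows that a legacy VPN-style session keeps its reach after device posture degrades while the ZTA session does not.

```python
"""Minimal zero trust access (ZTA) policy decision point.

Added example (not Cisco IT's code).  Every request is evaluated on its own
against identity, device posture and per-application policy, and a session
is re-evaluated whenever posture changes.  All names and rules are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    auth_method: str            # e.g. "passkey", "push", "password"


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool

    def healthy(self) -> bool:
        return self.disk_encrypted and self.os_patched and self.edr_healthy


@dataclass(frozen=True)
class Application:
    name: str
    sensitivity: Sensitivity
    allowed_groups: frozenset


# Constructed: authentication methods this policy treats as phishing-resistant.
PHISHING_RESISTANT = frozenset({"passkey", "fido2"})


def evaluate(identity: Identity, device: DevicePosture, app: Application) -> list:
    """Return the policy violations for one request; an empty list grants access.

    Each check is independent so every reason can be logged for visibility.
    """
    reasons = []
    if not (identity.groups & app.allowed_groups):
        reasons.append("user not entitled to application")
    if app.sensitivity is Sensitivity.HIGH and identity.auth_method not in PHISHING_RESISTANT:
        reasons.append("high-sensitivity app requires phishing-resistant authentication")
    if app.sensitivity is not Sensitivity.LOW and not device.managed:
        reasons.append("unmanaged device is limited to low-sensitivity apps")
    if device.managed and not device.healthy():
        reasons.append("managed device failed posture check")
    return reasons


class VpnSession:
    """Legacy model: one authentication grants reach to every application."""

    def __init__(self, identity: Identity, device: DevicePosture):
        self.authenticated = True           # "once authenticated, always trusted"

    def update_posture(self, device: DevicePosture) -> None:
        pass                                # posture is never re-checked

    def can_reach(self, app: Application) -> bool:
        return self.authenticated


class ZtaSession:
    """ZTA model: every request is re-evaluated with the current posture."""

    def __init__(self, identity: Identity, device: DevicePosture):
        self.identity, self.device = identity, device

    def update_posture(self, device: DevicePosture) -> None:
        self.device = device                # a posture change applies to the next request

    def can_reach(self, app: Application) -> bool:
        return not evaluate(self.identity, self.device, app)


# Constructed sample inventory: three applications, one user, three device states.
WIKI = Application("wiki", Sensitivity.LOW, frozenset({"employees"}))
HR_PORTAL = Application("hr-portal", Sensitivity.MEDIUM, frozenset({"employees"}))
SOURCE = Application("source-control", Sensitivity.HIGH, frozenset({"engineering"}))

ALICE = Identity("alice", frozenset({"employees", "engineering"}), "passkey")
MANAGED_OK = DevicePosture(True, True, True, True)
MANAGED_NO_EDR = DevicePosture(True, True, True, False)
BYOD = DevicePosture(False, False, True, False)


def reach_after_posture_drop(app: Application) -> dict:
    """Compare both models when EDR on a managed laptop stops reporting mid-session.

    Returns {"vpn": (before, after), "zta": (before, after)}.
    """
    result = {}
    for label, session_cls in (("vpn", VpnSession), ("zta", ZtaSession)):
        session = session_cls(ALICE, MANAGED_OK)
        before = session.can_reach(app)
        session.update_posture(MANAGED_NO_EDR)
        result[label] = (before, session.can_reach(app))
    return result
```

Run `evaluate(Identity("alice", ALICE.groups, "password"), BYOD, SOURCE)` to see the breach-impact point: a stolen password presented from an unmanaged device is still refused the high-sensitivity application, with both reasons returned, whereas in the VPN model the same credential would have granted full network reach. `reach_after_posture_drop(SOURCE)` shows the continuous-validation point: the VPN session still reaches the application after EDR stops reporting, the ZTA session does not.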

Our implementation: A phased approach

Our own migration was a pragmatic and phased approach consisting of:

  1. Lifting and shifting existing VPN infrastructure to the cloud: We directly migrated existing VPN configurations to a cloud-based service with no changes to user experience or access methods, to reduce the complexity of integration. This provides a “staging ground” for a full ZTA transformation and allows us to leverage cloud scalability and global access points while maintaining existing security policies during the initial migration. 
  2. Gradually transitioning applications to ZTA: We applied a phased approach to application migration, prioritizing applications based on security criticality, compatibility with ZTA protocols, and business impact, to allow our IT teams to learn and adapt without massive disruption.  
  3. Maintaining backward compatibility: We needed to ensure legacy systems continue functioning and to provide multiple access methods through traditional VPN, ZTA, and hybrid access modes. We needed to support applications that don’t natively support ZTA and implement fallback mechanisms to prevent business interruption during the transition and provide flexibility for our complex legacy infrastructure.  
  4. Minimizing user disruption: Reducing user frustration and productivity loss was top of mind, so we needed to preserve familiar user workflows with transparent authentication processes and a consistent access experience across different applications, to provide a seamless transition between access methods. 

This approach allowed us to reduce implementation risk through a controlled, manageable transformation with continuous security improvements and minimal operational interruption. By evolving our network security systematically, we avoided the “rip and replace” approach that can cause significant operational challenges. The result was a more secure, more flexible network that can adapt to future needs.  

It’s not a single point solution, but a seamless integration between cloud and on-premises environments, identity and access management solutions, and secure access service edge (SASE). We worked to combine our best-of-breed technologies to deliver a seamless and secure experience for every user and device, no matter where they are located. 

Key components of our solution

Our ZTA strategy takes a unique identity-centric approach, built on a foundation of Cisco security and networking products:

  • Cisco SSE (Secure Access): provides a unified, cloud-delivered security and networking solution that enables secure and seamless access for users and devices to applications anywhere. 
  • Cisco Duo: supports adaptive, passwordless authentication and reduced login friction while enforcing real-time, risk-aware policies with Risk-Based Authentication (RBA) and Passport.   
  • Cisco SD-WAN: allows us to securely connect our branch offices to the cloud and optimize network performance. 
  • Cisco Identity Services Engine (ISE): integrates with Secure Access to provide identity-based access control, dynamic device posture checks, and consistent policy enforcement across all access scenarios. 
  • Cisco ThousandEyes: provides end-to-end digital experience monitoring and visibility that ensures seamless and reliable access.   
  • Cisco AI Access: (in progress) allows teams to monitor employee GenAI usage, identify and mitigate potential risks, enforce data loss prevention (DLP) policies, and enable usage guardrails.   
  • Cisco Security Cloud Control: (in progress) unifies policy management across the Cisco Security portfolio for simplified administration and consistent enforcement across hybrid environments. 

The results: A more secure and productive workforce

The flexibility of our ZTA approach enables innovative security approaches to secure unmanaged device access, AI application usage, dynamic risk-based authentication, and comprehensive digital workplace security. Our journey continues, but we’ve seen many benefits so far. In June 2025 alone, we saw: 

  • Login reductions: We significantly reduced the number of logins per week through single sign-on (SSO) and passwordless authentication. 92% of logins were automatically suppressed, requiring no user login.  
  • Improved user experience: Our employees have seamless and consistent access to the applications they need, regardless of their location. With fewer login distractions to take them away from work, they’re empowered to be more productive.  
  • Passwordless adoption: High adoption rates for passwordless authentication make it easier for our employees to securely access their applications. Only 1% of 16.5 million authentications relied on passwords. 
  • Enhanced security: We’ve significantly reduced our attack surface and potential for security breaches. 99% of all logins are phishing-resistant. Our identity-driven access approach unifies identity, access, and network enforcement to enable a more secure, seamless, and scalable zero trust environment.  
  • Increased efficiency: Our IT team manages access policies more efficiently, freeing up time to focus on other strategic initiatives. Troubleshooting is simplified with AI-powered issue detection, remediation, and optimization.  
  • Cost savings: We’ve realized significant cost savings through increased employee productivity and reduced IT helpdesk support costs. 

Looking ahead

Zero trust access is a strategy, not a product. Cisco’s strategic migration to a comprehensive ZTA model represents more than a technological upgrade; it’s a fundamental reimagining of network security. By moving beyond traditional perimeter-based models, we’re creating a more resilient, adaptive, and intelligent security framework with comprehensive and granular protection. 

The journey is not about replacing existing infrastructure; it’s about transforming how we conceptualize and implement security in an increasingly complex digital world. Our flexible and phased approach is critical to the continuous adaptation needed in modern cybersecurity. As cyber threats become more sophisticated, zero trust security isn’t just an option; it’s a necessity.  
