
Cisco’s strategic zero trust access evolution represents a critical transformation in how organizations protect their digital assets, users, and applications for the workplace today and the future. 

As a massive enterprise, we manage over 135,000 laptops, tens of thousands of mobile devices, and a workforce spread across the globe. Securing that environment requires a fundamentally different approach than the traditional perimeter-based security we relied on in the past. 

It’s paramount that we always strive to empower our employees to be productive, innovative, and secure, no matter where they work. That’s why we continue to evolve our zero trust strategy to meet the needs of a modern, distributed workforce.  

The challenges of the modern workplace

For decades, virtual private networks (VPNs) were the gold standard for remote access. However, these legacy solutions come with significant drawbacks.  

  1. Implicit trust: VPNs typically grant broad network access once a user connects. After a single authentication, the session is trusted with network-wide reach and neither the user nor the device is validated again. It’s a “once authenticated, always trusted” approach.  
  2. Limited visibility: VPNs often lack granular tracking of which applications a user touched, how much data was transferred, and what exactly the user did inside the network. This creates challenges in compliance reporting, detecting insider threats, and understanding security risks in real time.  
  3. Inflexible architecture: Inefficient routing and single-tunnel limitations mean users connect through one network path. If that path is geographically distant from the applications, the result is higher latency, increased network congestion, and slower application performance.  
  4. Security vulnerabilities: Broad network access enlarges the attack surface. With full network access, a single compromised credential can do extensive damage, allowing attackers to move laterally between systems, reach multiple sensitive resources, and exploit unpatched systems within the network.  

Our vision: Comprehensive, transparent Zero Trust Access (ZTA)

Traditional zero trust solutions came of age in the time of the pandemic, initially focused on remote access. But they overlooked critical use cases like on-premises user access, non-user device security, legacy application integration, and comprehensive network segmentation. 

We realized that we needed a new approach — one that was based on the primary principle of zero trust: “never trust, always verify, enforce least privilege.” But we also knew that simply implementing a traditional zero trust solution wouldn’t be enough. We needed a solution that was truly universal — one that could secure every user, device, and application, regardless of location or network. 

ZTA emerged as a more granular, security-first model that: 

  • Verifies every access request — for users and things 
  • Provides application-level granularity 
  • Continuously validates user and device posture 
  • Minimizes potential breach impacts 

The comprehensive model tackles the challenges of traditional zero trust solutions by supporting local enforcement points, enabling consistent security policies across all environments, providing flexible access controls for managed and unmanaged devices, and integrating comprehensive identity and network visibility.  
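The difference between the “once authenticated, always trusted” VPN model in the list of drawbacks above and the per-request checks in the ZTA model is easier to see in code. What follows is an added example written for this page, not Cisco’s code and not a representation of how Secure Access, Duo or ISE evaluate policy: a toy policy engine in which every application request is re-evaluated against authentication age, phishing-resistant authentication, application-scoped group membership and device posture freshness. The application names, group names, thresholds and sample sessions are all constructed assumptions.

```python
"""Toy per-request zero trust policy evaluation next to VPN-style session trust.

Added illustration, not Cisco's code. Every application, group, threshold and
session below is a constructed assumption chosen to make the contrast visible.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    checked_at: datetime  # when the posture agent last reported


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    authenticated_at: datetime
    phishing_resistant: bool  # e.g. FIDO2/WebAuthn rather than a password
    device: DevicePosture


# Hypothetical application policy: who may reach each app, and whether the
# app demands phishing-resistant authentication.
APP_POLICY = {
    "wiki": {"groups": {"employees"}, "strong_auth": False},
    "hr-payroll": {"groups": {"hr"}, "strong_auth": True},
    "prod-admin": {"groups": {"sre"}, "strong_auth": True},
}

POSTURE_MAX_AGE = timedelta(minutes=10)  # assumed posture freshness window
AUTH_MAX_AGE = timedelta(hours=8)        # assumed re-authentication interval


def vpn_decide(session: Session, app: str, now: datetime) -> str:
    """Legacy model: one successful login opens every app on the network.

    App scope, device posture and authentication age are never re-checked.
    """
    return "allow" if session.authenticated_at <= now else "deny: not authenticated"


def zta_decide(session: Session, app: str, now: datetime) -> str:
    """Zero trust model: each request is verified against identity, auth
    strength, application scope and current device posture."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return "deny: unknown application"
    if now - session.authenticated_at > AUTH_MAX_AGE:
        return "deny: re-authentication required"
    if policy["strong_auth"] and not session.phishing_resistant:
        return "deny: phishing-resistant authentication required"
    if not session.groups & policy["groups"]:
        return "deny: not authorized for application"
    posture = session.device
    if now - posture.checked_at > POSTURE_MAX_AGE:
        return "deny: stale device posture"
    if not (posture.managed and posture.disk_encrypted and posture.os_patched):
        return "deny: device posture failed"
    return "allow"


# Constructed sample data -----------------------------------------------------
NOW = datetime(2025, 6, 15, 12, 0, tzinfo=timezone.utc)
GROUPS = frozenset({"employees", "hr"})

HEALTHY_LAPTOP = DevicePosture(True, True, True, NOW - timedelta(minutes=2))
# A stolen password replayed from an unmanaged host the attacker controls.
ATTACKER_HOST = DevicePosture(False, False, False, NOW - timedelta(minutes=2))

EMPLOYEE = Session("alice", GROUPS, NOW - timedelta(hours=1), True, HEALTHY_LAPTOP)
STOLEN_CRED = Session("alice", GROUPS, NOW - timedelta(hours=1), False, ATTACKER_HOST)
STALE_POSTURE = Session(
    "alice", GROUPS, NOW - timedelta(hours=1), True,
    DevicePosture(True, True, True, NOW - timedelta(minutes=30)),
)


def compare(session: Session, now: datetime = NOW) -> dict:
    """Decide every known app under both models for one session."""
    return {
        model: {app: decide(session, app, now) for app in APP_POLICY}
        for model, decide in (("vpn", vpn_decide), ("zta", zta_decide))
    }


if __name__ == "__main__":
    for label, session in (("employee", EMPLOYEE), ("stolen credential", STOLEN_CRED),
                           ("stale posture", STALE_POSTURE)):
        print(label, compare(session))
```

Run it and the stolen-credential case shows the point of the list above: the VPN model allows every application because the credential authenticated once, while the ZTA model denies the wiki on device posture and the two sensitive applications on the missing phishing-resistant factor, so the compromised password never reaches anything it was not scoped to. The stale-posture case is the same user on a healthy laptop whose posture report is simply too old, which a per-request model refuses until the device checks in again.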

Our implementation: A phased approach

Our own migration was a pragmatic and phased approach consisting of:

  1. Lifting and shifting existing VPN infrastructure to the cloud: We migrated our existing VPN configurations directly to a cloud-based service, with no changes to user experience or access methods, to reduce the complexity of integration. This provided a “staging ground” for the full ZTA transformation and let us use cloud scalability and global access points while keeping existing security policies in force during the initial migration. 
  2. Gradually transitioning applications to ZTA: We migrated applications in phases, prioritizing them by security criticality, compatibility with ZTA protocols, and business impact, so that our IT teams could learn and adapt without massive disruption.  
  3. Maintaining backward compatibility: Legacy systems had to keep functioning, so we provided multiple access methods (traditional VPN, ZTA, and hybrid modes), supported applications that don’t natively support ZTA, and implemented fallback mechanisms to prevent business interruption during the transition and to give our complex legacy infrastructure room to move.  
  4. Minimizing user disruption: Reducing user frustration and productivity loss was top of mind, so we preserved familiar workflows with transparent authentication and a consistent access experience across applications, making the switch between access methods seamless. 

This approach allowed us to reduce implementation risks through a controlled, manageable transformation with continuous security improvements and minimal operational interruption. By evolving our network security systematically, we avoided the “rip and replace” approach that can cause significant operational challenges. The result was a more secure, more flexible network that can adapt to future needs.  

ZTA is not a single point solution but a seamless integration between cloud and on-premises environments, identity and access management solutions, and secure access service edge (SASE). We combined our best-of-breed technologies to deliver a seamless and secure experience for every user and device, no matter where they’re located. 

Key components of our solution

Our ZTA strategy takes a unique identity-centric approach, built on a foundation of Cisco security and networking products:

  • Cisco SSE (Secure Access): provides a unified, cloud-delivered security and networking solution that enables secure and seamless access for users and devices to applications anywhere. 
  • Cisco Duo: supports adaptive, passwordless authentication and reduced login friction while enforcing real-time, risk-aware policies with Risk-Based Authentication (RBA) and Passport.   
  • Cisco SD-WAN: allows us to securely connect our branch offices to the cloud and optimize network performance. 
  • Cisco Identity Services Engine (ISE): integrates with Secure Access to provide identity-based access control, dynamic device posture checks, and consistent policy enforcement across all access scenarios. 
  • Cisco ThousandEyes: provides end-to-end digital experience monitoring and visibility that ensures seamless and reliable access.   
  • Cisco AI Access: (in process) allows teams to monitor employee GenAI usage, identify and mitigate potential risks, enforce data loss prevention (DLP) policies, and enable usage guardrails.   
  • Cisco Security Cloud Control: (in process) unifies policy management across the Cisco Security portfolio for simplified management and consistent enforcement across hybrid environments. 

The results: A more secure and productive workforce

The flexibility of our ZTA approach lets us secure unmanaged device access, AI application usage, dynamic risk-based authentication, and the broader digital workplace. Our journey continues, but we’ve seen many benefits to date. In June 2025 alone, we saw: 

  • Login reductions: We significantly reduced the number of logins per week through single sign-on (SSO) and passwordless authentication. 92% of login prompts were suppressed automatically, requiring no interactive sign-in from the user.  
  • Improved user experience: Our employees have seamless and consistent access to the applications they need, regardless of their location. With fewer login distractions to take them away from work, they’re empowered to be more productive.  
  • Passwordless adoption: High adoption rates for passwordless authentication make it easier for our employees to securely access their applications. Only 1% of 16.5 million authentications relied on passwords. 
  • Enhanced security: We’ve significantly reduced our attack surface and potential for security breaches. 99% of all logins are phishing-resistant. Our identity-driven access approach unifies identity, access, and network enforcement to enable a more secure, seamless, and scalable zero trust environment.  
  • Increased efficiency: Our IT team manages access policies more efficiently, freeing up time to focus on other strategic initiatives. Troubleshooting is simplified with AI-powered issue detection, remediation, and optimization.  
  • Cost savings: We’ve realized significant cost savings through increased employee productivity and reduced IT helpdesk support costs. 

Looking ahead

Zero trust access is a strategy, not a product. Cisco’s strategic migration to a comprehensive ZTA model is more than a technological upgrade; it’s a fundamental reimagining of network security. By moving beyond traditional perimeter-based models, we’re creating a more resilient, adaptive, and intelligent security framework with comprehensive, granular controls. 

The journey is not about replacing existing infrastructure; it’s about transforming how we conceptualize and implement security in an increasingly complex digital world. Our flexible and phased approach is critical to the continuous adaptation needed in modern cybersecurity. As cyber threats become more sophisticated, zero trust security isn’t just an option; it’s a necessity.  

Authors

Steve Sheldon

Director, Cloud Edge and Connected Networks

NEO Cloud Edge Operations