A Zero Trust at scale approach to cybersecurity is critical to help local, state, and federal governments keep up with the evolving threat landscape they face. With the increased download of niche apps by workers at all levels of government, those threats can have severe and unexpected impacts. A current example is the popular social media platform TikTok, which has now been banned on federal government-owned work devices, with more than two dozen states enacting similar bans. Plus, many colleges and universities have begun blocking access to TikTok on their campus Wi-Fi networks.

Why now

According to the 2022 Data Breach Investigations Report by Verizon, 82% of breaches involved the “human element” either via the use of stolen credentials, phishing scams, or errors and misuse of resources.

We also know that vulnerabilities and their exploitation continue to be the root causes of most information security breaches. Vulnerabilities unattended and unaddressed for months or years are most common. But these could easily be stopped by keeping devices updated with software patches and automatically updating their operating software.

That’s why the capability to validate device health is so critical for government IT today and should be the gatekeeper when it comes to allowing or denying access. With Zero Trust, you gain better visibility across users, devices, and applications. Plus, it verifies their security state every time there is an access request.

Why Cisco adopted a Zero Trust at scale approach

The value added by implementing a Zero Trust approach is clear. That’s why Cisco moved from our traditional network-based perimeter and VPN model to a Zero Trust framework. Using our own Duo solution, we began implementing a zero trust approach to over 100,000 of our employees in 2020. We detailed our experience in our latest report: Zero Trust at Scale A Case Study and Best Practices for Government.

As we did so we made four things clear that must happen every time someone tries to access an application on our networks:

  1. We verify the user.
  2. We confirm that the device is up-to-date and healthy.
  3. We validate that a Cisco-managed device is being used.
  4. The application can be accessed without the VPN.

Every time. No exceptions.

Cisco’s best practices for deploying Zero Trust at scale

During our deployment we developed best practices that we feel public sector organizations like yours can also leverage to improve their success when transitioning to a Zero Trust approach. I’ve provided a very brief summary below and you can take a deeper dive into the details at Zero Trust at Scale A Case Study and Best Practices for Government.

  • Use a team approach: we created a core team that included a representative from each workstream. They were given authority to make decisions for their organization. Having a lean team that met regularly kept the team on track and in sync. This helped them sail more smoothly over road bumps as they encountered them.
  • Get executive sponsorship: buy-in by both our CIO and chief security and trust officer helped pave the way to a smoother deployment. Especially since we were working across several teams with different agendas. Executive support lifted the core team, making them feel trusted to make the right decisions based on their experiences.
  • Pilot for proof: By phasing the rollout we kept things much more manageable. This let us prove the process with viable, identify any issues, and fix them more quickly. A phased rollout gives you a scalability featuring much more flexibility to respond and innovative as you deploy within a large organization.
  • Create demand for Zero Trust: We also got buy-in from users by giving them the opportunity to become personally familiar with the software used. We then let them suggest additional apps that could be part of the Zero Trust approach. Gamification can also be leveraged at this state of your project to explain how to users how it benefits them.
  • Full transparency and regular communication: We developed several channels of communication to keep everyone aware of the process and the project milestones. Weekly newsletters, a SharePoint site, forums, articles, and more were all used to keep everyone aware.

Zero Trust at scale works for government

Through our efforts, Cisco was able to deploy Duo configurations to more than 180,000 endpoints, including our entire fleet of Cisco-IT-managed iOS, Android, Mac, and Windows devices. We substantially increased our ability to react to device risk and found 86,000 devices in just one month that were concerns. And with Duo, users were able to self-remediate the issues themselves without having to contact tech support.

By adopting a Zero Trust at scale approach at Cisco, we’ve added a very strong and well-defined layer of security across tens of thousands of devices. We’ve enhanced our global network’s stability and reliability. And, most importantly, we’ve given our workforce a greater sense of safety for their devices and data.

Local, state, and federal agencies can do the same by learning from our experience. We encourage you to download the full report that includes use cases and more detailed best practices for implementing Zero Trust at scale for your government agency. Now is the perfect time to take a proactive stance against the growing threats.

I encourage you to take a deeper dive into the subject by reviewing Zero Trust at Scale A Case Study and Best Practices for Government.

Additional Resources

How to Enable Zero Trust Security

Zero Trust Frameworks Architecture Guide

Cisco Solutions for State and Local Government



Matthew Dietz

Government National Security Strategist

Industry Solutions Group