“It’s not often that you can say you are improving security while also improving the user experience, but that’s what we have achieved with this rollout.”
—Josephina Fernandez, Director of Security Architecture & Research at Cisco
The network edge has left the building. Long before 2020 happened, we were working from coffee shops, airports and client sites. We have been using our personal devices on public or home networks to access productivity applications. Our users can be employees, contractors, vendors or come from acquisitions, and we use all sorts of applications that are located in the cloud and on-premise. As a result, we are more flexible and agile than ever—but changes in how we access corporate applications have introduced a lot of complexity and risk.
Like many of our customers, Cisco is also embracing this change in the way we work. We see a future that is more accessible and more secure for everyone. But that future needs to come quickly and it needs to come at scale. With our recent deployment of Duo Beyond, Cisco has demonstrated how workforce zero trust can be implemented across a globally distributed enterprise with minimal disruption. Along the way, we learned what works well and developed a blueprint to accelerate our customers’ success.
This past year, Cisco IT transformed how we work by using Duo Beyond to apply the principles of workforce zero trust. The charter was quite simple – verify every user, validate every device and do this every time an application is accessed. Oh, and make it frictionless so the user doesn’t even know it is happening, or better yet, they feel that their life somehow became a little easier. The final challenge: do it in less than five months.
Enter workforce zero trust. Zero trust can feel complex and unattainable, but really it is quite simple. Every time a user accesses an application:
- We make sure they are who they say they are
- Their device is up-to-date and healthy
- It is with a device we trust
- It is frictionless – meaning no VPN
The key is every time and for every application. Not some of the time and only the applications that are easy to protect—it’s every. single. time.
Duo Beyond helps ensure this seamless, secure access by:
- Preventing fraudulent login attempts
- Detecting abnormal login attempts
- Limiting access to corporate-managed devices
- Ensuring devices are secure and compliant
- Blocking risky login attempts with rules customized by application
- Simplifying access with one username and password
- Housing all applications in one location
- Providing secure application access without a VPN
This may look like a lot of work, but the reality is that a good security solution needs to be both easy for the user and easy for administrators. Security that is easy is security that is used. We know that resources are scarce and that ‘good enough’ security is both tantalizing and risky. That’s why we take the admin experience extremely seriously and take a great deal of pride in making Duo simple to use and support. Additionally, Duo is platform agnostic, meaning easy integration with a very broad range of applications, so hard choices don’t need to be made.
Not only was the Cisco team able to successfully roll out Duo Beyond to over 100,000 users, they found that there wasn’t even a need to add any additional support headcount. In fact, most calls that came in were to ask to be added to the pilot group. Cisco smoothly laid the foundations for a strong zero trust workforce in a matter of five short months.
Five factors emerged as key to the rollout’s success:
- Executive sponsorship: The project was sponsored by multiple execs from security and IT who could get buy-in at their level. They also provided air cover in case the team needed to move quickly and test solutions—a fairly large departure from how things have typically been done.
- Create demand for zero trust: The team started by enabling all users with the technology of Duo and then added apps to the zero trust architecture over time. This helped build demand for the program and made the process effortless for users. Users nominated applications, which helped with prioritization. The team also developed a process for application owners to request zero trust for their app.
- Team approach: A core team made up of one representative from each workstream met regularly for updates. Team members made decisions for their organizations. This helped keep people focused on what they needed to do and agile in decision-making.
- Pilot for proof: Rather than roll out to all apps and all users, the team started with a subset of apps and departments. That helped to prove out the process, identify any issues and fix them. As a result, the full rollout went live months beforehand.
- Communications: Subscribers received a weekly newsletter with updates, and a SharePoint site explained what was happening. Forums were available for public comments, as well as emails, articles and guidance for leadership comms.
The team views zero trust as a win-win-win. By automating to the tune of 2.6 million health checks per month resulting in 48,000 self-remediated devices, a tremendous burden was lifted off of the security team’s shoulders. That’s 48,000 potential compromises avoided right off the bat. As more applications are made accessible via the Duo Network Gateway, users will need to authenticate less with the VPN. Currently at a quarter million fewer VPN authentications per month and growing, users are loving this more accessible and more secure new normal.
Be sure to catch Brad Arkin at RSA, where he will share lessons learned from Cisco’s workforce zero trust journey in securing over 100,000 users in less than five months.