Avatar

Let’s be honest. Most people don’t trust zero trust.

For users, when they hear the words ‘zero trust’, it sounds like it might take longer to log into work. And if you’re in IT or IT security, you may have more products to buy and integrate into your existing — already complicated — security stack. And of course, then there are the audits.

Maybe that’s why so many zero trust projects are stalled.

No matter how you slice it, zero trust access is an elusive but desirable goal for many organizations, and yet most teams haven’t achieved zero trust maturity1 — especially for securing remote work.

At Cisco, we have designed our solution in a way that overcomes common obstacles by powering a secure, in-office experience anywhere. And we know because we have been on our own zero trust journey with our user communities and IT teams for years now.

Cisco on Cisco: Zero trust access at scale

We started with an enterprise rollout of Cisco Duo for our remote-first workforce back in 2020, and we are currently deploying Cisco Secure Access. Cisco’s massive and diverse IT infrastructure includes:

  • 1 million IP connected “things”
  • 27,000 Cisco video devices
  • 62,000 mobile devices

…across large campuses, small offices, homes, customer sites, roaming users, and more.

Rapid time to value

During our first phase in 2020, we rolled out Duo for phishing-resistant Multi-Factor Authentication (MFA) and device posture across our vast user community in only 5 months, saving $500K on fewer helpdesk tickets in the first year, preventing over 86K potential endpoint compromises each month.

More recently, we deployed Cisco Secure Access, our Security Service Edge (SSE) solution which is optimized for helping ease the transition from legacy VPN architecture to Zero Trust Network Access (ZTNA) with VPN-as-a-Service (VPNaaS). We’re just getting started, but we’ve already seen value.

Because Secure Access eliminates the need for multiple teams to analyze networking and security data, and because it sidesteps complex tasks like IP-user mapping, we’ve seen a 25% reduction in mean time to troubleshoot user connectivity issues. In the past, a single region on-prem VPN enablement process would take weeks to a month. Now by using the VPNaaS capability inside of Secure Access, our teams can enable 5 regions in just 3 hours.

Rapid time to productivity

Here’s what it’s like for a typical Cisco remote-first employee:

  • Whether at their breakfast table or in the office, they login ‘passwordlessly’ on their laptop (via Windows Hello or Mac TouchID) and then Cisco Duo — behind the scenes — takes that OS-level trust to all use cases (cross-browser, embedded browser).
  • By being fully context-aware, Cisco Duo recognizes this as typical user activity, reducing user interaction needed for authentication. That said, any changes to device posture and other contextual risk attributes will prompt our users to reverify trust via risk-based authentication (e.g., Verified Push).
  • Remote workers can automatically and transparently access every needed application, some by ZTNA, others by Cisco’s VPN-as-a-Service. They don’t even have to think about how they will access an app … it just works, thanks to Cisco Secure Access.
  • When our employees are off our corporate network, their internet access is transparently protected by a variety of integrated cloud-delivered security tools providing DNS-layer security, secure web gateway, CASB, DLP, remote browser isolation and more.

 

Zero trust access provides a seamless user experience:, with a graph showing the experience
Secure, in-office experience for Cisco’s remote-first workforce — fast, easy app access from everywhere

 

Challenges with early SSE products

Sadly, the first-to-market SSE solutions weren’t designed for the remote-first workplace. Instead, most of these vendors started as point products (e.g., CASB, NGFW, SWG, etc.) and then bolted-on additional functionality to qualify as SSE vendors and grab zero trust budget.

The underlying architecture is brittle as a result, with a disjointed and siloed management experience and a lack of identity- and context-awareness. These challenges slow down zero trust adoption, making it difficult for teams to deliver the same consistent and secure experience for all workers connecting to all kinds of applications.

  • Lack of visibility: Who are my users, what are they accessing, which policies are required, which devices are managed vs. unmanaged, what is their end-to-end digital experience?
  • User frustration: High latency, dropped connections, confusing authentication and app access workflows, and inadequate performance — even with common office applications — and no way of knowing where the performance issues lie
  • Complicated management: Multiple agents, consoles and policies make it more difficult to enforce the right zero trust access policy everywhere
  • Costly surprises: Organizations can’t simply stop supporting VPN, as some apps do not work well with ZTNA; plus, evolution to zero trust on your own schedule is a better approach than being pushed into a risky VPN rip-and-replace

Given the challenges with these solutions, it’s no surprise that organizations are struggling with their zero trust initiatives. End users and IT teams alike need a better zero trust experience.

Cisco Zero Trust Access

Our Cisco Zero Trust Access solution is different: Our architecture is purpose-built to provide an in-office experience, everywhere. It’s a force multiplier, as it delivers the industry’s most easily managed strong identity security, coupled with leading Security Service Edge (SSE) capabilities.

Beyond happy users, these are the ways your IT and IT security teams will benefit:

  • SSE deployment is eased with a single client — The multi-functional Cisco Secure Client is a single installer, helping to enhance interoperability and lower cost. Its modular features include ZTNA, VPNaaS and off-corporate-network SWG and DNS-layer security protection.
  • More secure — and simpler — multi-factor authentication — Today, attackers often do not hack into enterprises — they simply log in. Duo evaluates identity behavior and attributes before, during and after login to ensure secure access and adjust authentication strength automatically based on contextual risk.
  • Fewer support calls — Unlike other ZTNA solutions using legacy protocols with performance limitations, Cisco’s underlying internal transport (Vector Packet Processing, or VPP) is faster and more reliable with modern protocols including QUIC and MASQUE.
  • No management updates, no site visitsAll elements of the Zero Trust Access solution are cloud-managed, and, aside from client activity, all security is cloud-delivered, globally.
  • Ongoing management simplified — Compared to solutions that have separate consoles for internet access security, ZTNA, and VPN, Cisco’s Zero Trust Access collapses these functions into one, increasing visibility, enabling more comprehensive security policies, and saving you precious time.
  • Superior mobile support — Our partnerships with leading mobile device manufacturers, like Apple and Samsung, have led to industry-first operating system-level integration for more dependable connectivity.

Start making zero trust easier, effective and efficient

Only Cisco Zero Trust Access provides strong identity security coupled with a comprehensive, easy-to-manage SSE. This enables you to deliver a consistent in-office experience everywhere, ensuring that security does not hinder productivity.

And because our Cisco Secure Access SSE solution has not only ZTNA, but integrated VPNaaS as well, you can undertake your zero trust journey on your timeline, not one that is dictated by the limitations of other vendors.

Discover more about Cisco Zero Trust Access, and how it can transform your security approach, by registering for an upcoming workshop or exploring a product tour of Cisco Secure Access.

 

1Based on research from Cisco’s latest Security Outcomes for Zero Trust report


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn



Authors

Raj Chopra

SVP & Chief Product Officer

Security Business Group