You may be considering applying zero trust principles across your organization, but are unclear on where to start or how changes will impact the user experience. We had these considerations in mind as Cisco IT moved from a traditional model of perimeter and VPN security to a model based on zero trust. Our goal was to improve security and create a better access experience for our 100,000+ users.
We explored many questions in our journey to adopt zero trust principles across Cisco. The five key questions presented here, along with insights on how we answered them within Cisco IT, can help your organization plan and undertake a similar journey.
1. What advantages do you expect to gain from implementing zero trust?
Begin by clearly defining what you want to gain from the move to zero trust. For Cisco IT, our primary goals were to increase security for remote work and simplify application access for users.
To improve security, we apply zero trust controls to establish trust for both the user and the device with every access attempt before permitting that access to proceed. User trust is established by verifying the entered credentials (i.e., username and password) and by successful completion of a multifactor authentication (MFA) step. The device is also verified to confirm that it is registered with Cisco IT and that it is up to date and healthy, through a check by the Duo Device Health application.
Users are able to conduct more of their work anywhere because zero trust allows secure remote access to corporate applications that previously required a direct connection to the Cisco network. If the user's device does not meet our security requirements, the Duo Device Health application provides clear steps so the user can make needed changes without contacting our helpdesk.
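To make the per-attempt decision described above concrete, here is an added illustration (not Cisco IT's or Duo's code) of a policy evaluator that checks user trust and device trust separately and returns the remediation steps a user would see when the device fails; the posture fields and the minimum OS version are constructed assumptions for the example.

```python
"""Added example: a per-request zero trust access decision in the shape the
post describes. User trust = valid credentials plus a completed MFA step;
device trust = registered with IT, up to date, and healthy. The posture
fields and MIN_OS_VERSION are assumptions, not Duo Device Health's checks."""
from dataclasses import dataclass, field

MIN_OS_VERSION = (13, 2)  # assumed minimum patch level for this example


@dataclass
class AccessRequest:
    credentials_valid: bool   # password check result from the identity provider
    mfa_completed: bool       # second factor completed for this attempt
    device_registered: bool   # device is enrolled with IT
    os_version: tuple         # (major, minor) reported by the health agent
    disk_encrypted: bool
    firewall_enabled: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)      # why access was denied
    remediation: list = field(default_factory=list)  # self-service steps for the user


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate user and device trust independently; deny on any failure."""
    d = Decision(allowed=True)
    # User trust: both factors must succeed on every attempt (no session carry-over).
    # Authentication failures get no remediation detail, only a denial.
    if not req.credentials_valid:
        d.reasons.append("invalid credentials")
    if not req.mfa_completed:
        d.reasons.append("MFA not completed")
    # Device trust: an unregistered device is denied before posture is examined.
    if not req.device_registered:
        d.reasons.append("device not registered")
        d.remediation.append("Enroll this device with IT before retrying.")
    else:
        if req.os_version < MIN_OS_VERSION:
            d.reasons.append("OS below minimum version")
            d.remediation.append("Install pending OS updates, then retry.")
        if not req.disk_encrypted:
            d.reasons.append("disk not encrypted")
            d.remediation.append("Enable full-disk encryption.")
        if not req.firewall_enabled:
            d.reasons.append("host firewall disabled")
            d.remediation.append("Turn on the host firewall.")
    d.allowed = not d.reasons
    return d
```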
2. Do you have executive buy-in for a zero trust strategy?
To maximize the protections gained, a zero trust deployment needs broad reach across applications and users. Executive support of the new security model will be essential for achieving this reach. We found that involving IT and security stakeholders at the start of our project planning was vital to encourage executive support. As a result, we obtained sponsorship from both the Cisco CIO and chief security and trust officer.
3. Do you fully understand the zero trust model and the changes it will require in your IT environment?
Developing a detailed rollout plan is essential for a successful zero trust deployment that improves security across the IT environment. Our planning included these steps:
Inventory all desktop and mobile endpoints that will need to be configured and managed.
Ensure that enforced requirements align with corporate security policies and standards.
Conduct a pilot project with a small number of users and a limited set of applications to verify the architecture, access processes, and device configurations.
After a successful pilot, gradually roll out zero trust access to more users and applications for a smooth transition.
Create a process to onboard applications into the zero trust program, including prerequisites, a testing environment, and support resources.
4. Have you identified a strategy for using zero trust to improve the overall user experience?
Planning is also important to create a zero trust deployment that improves the user experience. We found success with an incremental introduction strategy.
Find an area to focus on first; we chose the remote work use case.
Try to generate user excitement about the benefits to be gained; for Cisco users, it was the ease of borderless access to corporate applications. Also emphasize the value of improved security for the enterprise.
Gradually expand use cases and ask users to nominate applications for the program, adding them over time.
5. What is your long-term vision for zero trust?
Throughout the program, regularly review your long-term vision and goals for zero trust to ensure efforts are still in alignment. With zero trust now in place for our internal users, we plan to extend the model to extranet users and users in acquired companies.
Our long-term vision is to apply zero trust principles to secure all access across our applications and environment. It begins by validating users when they access on-premises or cloud-hosted applications, and validating devices when they attempt connection to the Cisco network. Eventually, we will apply zero trust to how applications, services, and microservices communicate with one another.
What questions are guiding exploration of a zero trust deployment in your organization?
For more information: Zero Trust at Scale