A Zero Trust Security Strategy At Scale
Follow Cisco's zero trust data protection rollout step-by-step — from planning and architecture, to implementation and post-project learnings — in the Zero Trust at Scale whitepaper.
Adopting a Comprehensive Cybersecurity Strategy
Cisco enrolled in Duo Beyond’s secure access solution after extending its network perimeter to include cloud-based applications and hybridized work. They chose Duo Beyond to help meet their zero trust access goals and secure their workforce at per-user, per-device and per-application levels. “The world is continuing to evolve and we're seeing a need for companies to provide employees with a way to work securely from basically anywhere in the world,” says Josephina Fernandez, Director of Security Architecture & Research at Cisco.
Why Cisco Invested in Zero Trust Security
The zero trust cybersecurity approach can be summed up with the mantra of “never trust, always verify.” True zero trust means access is continuously validated for every application. “Since Duo is platform agnostic, we know that we can protect every application, regardless of where it lives. Duo’s ability to easily protect any application reduces my team’s effort, freeing them up to focus on other important work,” says Fernandez. With Duo, organizations like Cisco can follow this four-step zero trust model:
- Establish user trust
- Maintain device and activity visibility
- Define device trust standards
- Set adaptive access policies
In less than three months, Cisco effectively deployed Duo’s secure authentication app to its entire domestic workforce. In just five months, Duo was deployed to Cisco workforces spanning 98 countries. Showing rapid progress was the secret to success for the initial zero trust rollout.
How Duo Helped Accomplish Cisco’s Zero Trust Security Goals
First, the Cisco team employed Duo MFA, a cutting-edge multi-factor authentication tool, to verify all user identities company-wide. With Duo, users can self-enroll and choose from a variety of flexible, secure 2FA methods like mobile push and touch ID. Because of Duo MFA's customizable approach to zero trust, the product frustrates the attackers, not the users. While over 100,000 users onboarded, less than 1% contacted the helpdesk for assistance.
Next, Cisco employed Duo’s Trust Monitor, an admin-managed software tool that evaluates each user’s behavior. Trust Monitor offers Cisco’s administrators both an optimized UX (user experience) and UI (user interface) for easy monitoring. This facilitates the organization’s access control by immediately flagging nefarious or unusual user behavior. “Duo very cleanly addresses our need for visibility and getting better insight into the true status of user devices. With Duo, we’re both improving the user experience, but also better managing the risks in our environment,” says Brad Arkin, SVP and Chief Security and Trust Officer.
To gain the “true status of user devices” that Arkin refers to, Cisco further established device trust by integrating Duo Device Health. This lightweight application boosts endpoint security by determining whether each individual device is healthy and up to date, all before granting users access to company data. Device hygiene standards such as an up-to-date OS (operating system), an enabled screen lock and password protection system, and installed anti-virus software are all required to pass these health checks, and users are notified if they aren’t meeting any of these standards.
To further bolster Cisco’s device trust strategy, Duo’s Trusted Endpoints feature was deployed in order to designate which devices are directly managed by Cisco. This limits sensitive application access to only corporate-managed devices, adding yet another layer of defense in the event that credentials are compromised.
Finally, the Duo Network Gateway (DNG) solves a common challenge of on-premises and proprietary applications: preventing unauthorized lateral movement. Because DNG eliminates the need for a VPN, users are now able to access applications directly, with all previously mentioned features kept in place while they work remotely. Thanks to DNG, Cisco now eliminates over 410,000 VPN connections each month, supporting an impressive ROI (return on investment).
The True Value of Zero Trust: Duo frustrates attackers and not users
Cisco successfully performs 5.76 million health checks monthly and its users self-remediate 86,000 devices per month. That’s 86,000 times a potential vulnerability was patched without any effort from IT or impact on the help desk — in just 30 days. With Duo, Cisco now saves $3.4 million yearly in employee productivity and an annual $500,000 in IT helpdesk support costs.
“I haven't had to dedicate any additional resources from my team - that just speaks to not just the ease of implementation but also the low support costs of Duo,” Fernandez says. “Before with VPN, we checked the user and device once coming in the door, and then that's it - especially if you're remote. You basically had free rein to move laterally across the network. The DNG instead makes sure that you and your device are secure on a per application basis. I think that's a huge security win at no cost to the user - feedback has been great across the board.”
For Fernandez, the agility of Duo Security means that her team is flexible enough to scale up quickly and respond to changes. “Our general workforce, our execs, and our help desk have all had really positive things to say. The best endorsement that we have gotten is the overwhelming number of emails from our users asking us to onboard even more applications to the zero-trust architecture. It's clear that everyone just loves the Duo experience.”
Cisco Duo Today
After Cisco’s 2018 acquisition of Duo, the UX-boosting Duo passwordless MFA solution was released, further simplifying and securing the workforce's access. Today, Cisco Security’s suite of data security products like Duo helps expand zero trust beyond Cisco’s immediate ecosystem. Even third-party use cases like the extranet partner landscape and onboarding acquisitions can now achieve security resilience in a more seamless, less infrastructure-intensive way.