Cisco shares lessons learned in zero-trust deployment

The networking giant explained at RSA Conference 2021 how it was able to deploy a company-wide zero-trust model in less than six months, and what it learned along the way.

Cisco hopes that an effort to overhaul its internal security will help customers with their own transitions to a zero-trust model.

Speaking at the 2021 RSA Conference, Cisco chief security and trust officer Brad Arkin said that over a five-month period, the networking giant managed to move its own employees onto a zero-trust setup. The new system replaces traditional password logins with certificate-based authentication for each user and each device, and those credentials are checked on every access attempt rather than once at the network edge.

Under the setup, passwords are no longer used; instead, each user and each device is issued a digital certificate, and the user must also complete a multifactor authentication challenge. Once that is verified, the certificates are checked each time the user tries to access a specific resource, such as a database or an internal application.

"The real focus is looking at the user certificate that we associate with the user and the device certificate that we associate with each device the user might use," Arkin said of Cisco's zero-trust approach. "We can then start to ask questions around the device posture: Is this device properly patched? Is it configured the way it is supposed to be?"
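The per-request decision Arkin describes (user certificate, device certificate, MFA, then device posture, evaluated against the policy for the specific resource) can be sketched as a small policy engine. The block below is an added illustration written for this article, not Cisco's code or product; the trusted issuer name, the posture fields, the policy format and the sample users, devices and resources are all constructed assumptions. It goes slightly beyond the quote in that it also shows the default-deny case for a resource with no policy.

```python
"""Toy per-request zero-trust access decision (added example, not Cisco's code).

Every request carries a user certificate, a device certificate, an MFA result
and the device's posture, and is checked against a per-resource policy. The
issuer name, posture fields and policy format are assumptions for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

TRUSTED_ISSUER = "CN=Corp Internal CA"   # assumed issuer name


@dataclass
class Certificate:
    subject: str
    issuer: str
    not_after: datetime


@dataclass
class DevicePosture:
    patch_age_days: int      # days since the last OS patch was applied
    disk_encrypted: bool
    edr_running: bool        # endpoint agent present and reporting


@dataclass
class AccessRequest:
    user_cert: Certificate
    device_cert: Certificate
    mfa_verified: bool
    posture: DevicePosture
    resource: str


@dataclass
class ResourcePolicy:
    allowed_subjects: List[str]
    max_patch_age_days: int
    require_disk_encryption: bool
    require_edr: bool


def cert_is_valid(cert: Certificate, now: datetime) -> bool:
    """Chain validation reduced to issuer match plus expiry for the toy model."""
    return cert.issuer == TRUSTED_ISSUER and cert.not_after > now


def evaluate(req: AccessRequest, policies: Dict[str, ResourcePolicy],
             now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown resources are denied by default, and
    identity, MFA and posture are re-checked on every call: being 'on the
    network' grants nothing."""
    policy = policies.get(req.resource)
    if policy is None:
        return False, "no policy for resource (default deny)"
    if not cert_is_valid(req.user_cert, now):
        return False, "user certificate untrusted or expired"
    if not cert_is_valid(req.device_cert, now):
        return False, "device certificate untrusted or expired"
    if not req.mfa_verified:
        return False, "multifactor authentication not completed"
    if req.user_cert.subject not in policy.allowed_subjects:
        return False, "user not authorized for this resource"
    p = req.posture
    if p.patch_age_days > policy.max_patch_age_days:
        return False, f"device unpatched for {p.patch_age_days} days"
    if policy.require_disk_encryption and not p.disk_encrypted:
        return False, "disk encryption required"
    if policy.require_edr and not p.edr_running:
        return False, "endpoint agent not running"
    return True, "allowed"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests against two constructed policies; fixed clock."""
    now = datetime(2021, 5, 20, tzinfo=timezone.utc)
    user = Certificate("alice@example.com", TRUSTED_ISSUER, now + timedelta(days=180))
    laptop = Certificate("laptop-0001", TRUSTED_ISSUER, now + timedelta(days=180))
    stale_laptop = Certificate("laptop-0002", TRUSTED_ISSUER, now - timedelta(days=1))
    policies = {
        "hr-db": ResourcePolicy(["alice@example.com"], 14, True, True),
        "wiki": ResourcePolicy(["alice@example.com"], 60, False, False),
    }
    healthy = DevicePosture(3, True, True)
    unpatched = DevicePosture(30, True, True)

    def ask(dev, mfa, posture, resource):
        return evaluate(AccessRequest(user, dev, mfa, posture, resource), policies, now)

    return {
        "healthy_hr_db": ask(laptop, True, healthy, "hr-db"),
        "unpatched_hr_db": ask(laptop, True, unpatched, "hr-db"),
        "unpatched_wiki": ask(laptop, True, unpatched, "wiki"),
        "no_mfa": ask(laptop, False, healthy, "wiki"),
        "expired_device": ask(stale_laptop, True, healthy, "wiki"),
        "unknown_resource": ask(laptop, True, healthy, "payroll"),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The point of the demo is the asymmetry in the results: the same unpatched laptop is denied the sensitive database but still reaches the wiki, because the posture threshold belongs to the resource policy, not to the user or the network location. A production deployment would replace `cert_is_valid` with real chain validation and pull posture from an endpoint agent, but the decision shape is the same.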

Aside from improved security, Cisco aimed to give users identical experiences for logging into both SaaS applications and those housed on premises, something that had previously required connecting to a VPN.

With those goals in mind, Cisco first embarked on a relatively small pilot project, which Arkin estimated to be around 10,000 authentications daily, to get the zero-trust system up and running.

Within five months, the zero-trust model was running company-wide and handling some 100,000 employee laptops and even more mobile devices, Arkin said. He added that the overhaul has not only simplified authentication, but has also allowed Cisco to address in real time possible security concerns, such as misconfigured or unpatched devices.

"What we got was a vastly improved end-user experience," he said. "Being able to intervene at that moment has allowed us to create a much better security posture for the entire fleet. It allowed us to completely change the way end users access our environment."

Cisco believes that it is also going to be able to translate those lessons learned internally to customers in what the company sees as a growing market for zero trust. Arkin said the biggest challenge of the project was preparing all the different teams involved and making sure they understood it would be a transformational shift in the end-user experience.


"Making that decision, and leaping in with both feet, is what allowed us to get this project done so quickly because everyone understood this was not a business-as-usual, incremental improvement but a really dramatic, before-and-after change," he said.

Carla Roncato, a senior analyst at Enterprise Strategy Group, said Cisco's decision to eat its own dog food isn't uncommon -- both Microsoft and Google have deployed their own zero-trust models internally -- but it is a positive sign.

"I wholeheartedly support these initiatives, and while there are different technical approaches, they all are standards-based, interoperable solutions under the covers," Roncato said via email. "Each company can focus on the user experience, context and conditions that are right for them. Endpoints/devices, for the most part (Win, Linux, MacOS, Android, iOS) are all capable of passwordless/PINless authentication. It is usually the access control points and access policies, and IT support workflows that need the most change along with some end-user education."

COVID accelerated move to zero trust

Speaking to SearchSecurity ahead of the conference, Cisco Security chief strategy officer Dug Song said that as the pandemic has moved employees off premises and toward SaaS offerings, companies have had to move up their plans to get into a zero-trust setup. This was further backed up by the recent White House directive that encouraged the move to zero-trust models.

"We accelerated three to five years into the future with this digital transformation. Customers had to move quickly," Song said. "In some cases, they decided to rip the Band-Aid off and go full zero trust, some of them really went whole hog. Others had to figure it out. They had lots of legacy infrastructure and applications, so we had to help them figure it out."

A big part of that transition was due to workers going off-campus and accessing corporate networks not only from their home, but in many cases using their personal PCs, laptops and mobile devices. This created a need for security setups that accounted for not just a company-controlled device and a user account, but also for employee-owned hardware that might carry its own risky configurations.

Even as the pandemic subsides, Song said he believes that companies are beyond the tipping point, and the sort of hybrid network setups that require a zero-trust system are becoming the norm.

"Now as we start to see a light in the tunnel, we see a lot of organizations that are saying this is our new normal," Song said. "Our customers have told us they are not going back."

Enterprise Strategy Group is a division of TechTarget.

Security News Director Rob Wright contributed to this report.
