Cisco Systems Inc.

09/24/2025 | News release | Distributed by Public on 09/24/2025 05:06

How Cisco IT is redefining Zero Trust in the AI Era as customer zero

Cisco IT transformed security for its global workforce by partnering with product and engineering teams to design and deploy Cisco Secure Access internally. As customer zero, Cisco IT helped improve the product for both our business and our customers to deliver simplified operations, robust security, and a seamless user experience empowering employees and setting a blueprint for the future of zero trust and secure, flexible work.

As the team responsible for securing Cisco's global network and workforce, Cisco IT faces a unique challenge: securing a hyper-distributed environment for 130,000 and contractors, a sprawling ecosystem of devices, applications, and connectivity methods.

For years, we tackled this challenge with our custom-built solution, "CloudPort." It was our attempt to create a single-tenant Secure Access Service Edge (SASE), a regional hub for networking and security. While CloudPort delivered significant benefits, it became clear that maintaining and evolving this bespoke architecture was consuming significant resources. Resources we needed to focus on driving innovation and strategic initiatives.

Like many organizations, we faced the challenge of doing more with less. Rather than continuing to invest valuable time and resources into building, maintaining, automating, and integrating our own platform and tools, we made a strategic decision to shift towards a SASE/SSE approach. The transition would allow our teams to focus on what truly matters: addressing emerging security threats, particularly those related to the use of AI.

A deliberate and strategic approach

Our timing was ideal, as Cisco was beginning to launch initiatives to develop an entirely new SASE/SSE solution. Our team strongly believed that Cisco could build a more modern, intelligent security platform that truly addresses the complex challenges of today's distributed workforce. Challenges like:

  • User friction: Users often faced inconsistent connectivity experiences, particularly with VPNs that required thought around how to connect to the network rather than the process being transparent. This introduced unnecessary complexity with negative impacts on user productivity. The UX was dated and needed to be modernized to address the needs of our workforce.
  • IT overhead: Maintaining and integrating our existing security infrastructure consumed significant engineer time, diverting resources from strategic initiatives.
  • Fragmented security: Our security enforcement mechanisms spanned multiple products, requiring diligent efforts to maintain consistent policies and comprehensive visibility. To enhance efficiency and streamline management, we recognized the value of adopting a unified approach to security.
  • Evolving threats: Emerging threats, such as the risks associated with Generative AI, demanded stricter controls and proactive security measures.
  • Hybrid work: Our workforce connects from home, offices, and various other locations, accessing applications across private data centers, public clouds, and SaaS environments. This landscape required a solution that could adapt to diverse environments and connectivity methods.
  • Scale and diversity: Managing a global network with a vast number of users, devices, and connectivity options is inherently complex.

Slow and steady wins the race

With full confidence in the vision that would become Cisco Secure Access (CSA), we committed to deploying the solution at scale within our organization as an early adopter, proving its readiness before it became publicly available and solving for the real-world business problems we faced in IT.

We already had over 10 years of experience in building and operating our own custom solution and offered our expertise and unique perspective to help shape Secure Access into a product that would meet the needs of both our own organization within Cisco IT and our customers. Our focus was on designing a comprehensive platform that could adapt to the evolving digital landscape and help future-proof our workplaces for years to come.

Instead of rushing to market, we took our time to identify the most pressing needs. We knew that if it didn't address the problems we faced in Cisco IT, it wouldn't for our customers either. We needed to make sure the solution was done right and up to our own standards with zero exceptions.

How we helped as Cisco's first customer

Our goal is to always be Cisco's first customer and help improve our products in the early stages, before they go to market. We spent a year developing and perfecting the product before our own internal deployment, and we're proud to report that we have almost 100 feature enhancements submitted to date that have helped optimize the product for not only ourselves, but our customers as well. Our "Customer Zero" strategy is fundamental to the journey of delivering the best possible products that are easy for both our business and customers to adopt.

We started with small Proof of Concepts, testing different technologies, gaining confidence, and working closely with the product and engineering teams to ensure the product shipped was the highest quality. The teams building the product were the first to test it, giving them firsthand experience with both the product's quality and the results of their own work.

The result is a cloud-delivered solution that consolidates multiple security functions into a unified platform. This approach allowed us to:

  • Simplify IT operations and security management
  • Reduce the operational complexity of disparate components
  • Provide a consistent and transparent user experience
  • Implement more robust security controls

Delivering a positive experience for Cisco employees

Our initial phase of internally adopting Secure Access took six months - with minimal disruption to users. While we could have accelerated the migration, we prioritized quality and user experience over speed. Ensuring a nearly seamless transition for our internal IT clients was essential in demonstrating to our customers that they too can migrate with confidence.

You have to crawl before you can walk, and walk before you can run. Our approach followed this sentiment:

Phase 1: Crawl (VPN Migration)

Our first phase focused on migrating VPN services to Secure Access. This phase was strategic, addressing two critical objectives:

  1. Replacing aging VPN infrastructure
  2. Solving for user friction while improving security

By simplifying the connection experience for users and enabling faster issue resolution through unified data, we reduced user friction. At the same time, we enhanced security by efficiently restricting access from high-risk locations, implementing more efficient policy, and gaining powerful security telemetry.

In addition, we simplify the lives of IT operators and Security Analysts with:

  • AI Assistant: The AI Assistant provides guidance in setting up Cisco Secure Access and helps troubleshoot access issues to private applications.
  • ThousandEyes: Digital Experience Monitoring (DEM) capabilities proactively measure UX and performance from the user endpoints to CSA and critical applications to provide insights into potential issues.
  • Splunk: Telemetry data from CSA is fed into Splunk for quick access to pre-built dashboards allowing for in-depth root cause analysis.

We can now leverage AI-powered capabilities to proactively detect and resolve issues - often before users even have a chance to open a ticket.

Phase 2: Walk (Proxy and Zero Trust)

The second phase is focused on accelerating our zero trust journey and mitigating risks associated with GenAI usage. Over the next three months, we plan to deploy these capabilities pervasively across the entire workforce. This phase centers around three key components:

  1. DNS: Performing a full migration from Cisco Umbrella to Cisco Secure Access to simplify and unify security policy.
  2. GenAI Risk Mitigation: Implementing AI Access controls to protect against the risks of using 3rd party GenAI Applications. With better visibility into what AI Apps are being used and the risks associated with them, we can inform our users and prevent exposure of sensitive data using Data Loss Prevention capabilities.
  3. Zero Trust: Enabling the majority of applications for Zero Trust Access, with both client and browser-based controls, to enforce consistent least privilege access from anywhere.

Phase 3: Run (Unified Policy and Business Value)

In this phase, we're shifting our focus from just users to also securing devices and things, integrating our SD-WAN offices with Cisco Secure Access to deliver unified zero trust across the environment. We'll continue to leverage ongoing product innovations to rapidly address and adapt to emerging security threats.

Our ultimate goal is to advance our zero trust vision through unified policy management across Cisco's Hybrid Mesh Firewall, driving even greater security and business value for ourselves and our IT clients.

Reaping the rewards of Cisco Secure Access

Sipping our own champagne has never tasted sweeter. What previously required complex, multi-step processes can now be accomplished in just a few clicks. With Secure Access, we now have a single pane of glass for configuration and management.

Not only that, but by consolidating security services, we've reduced potential security gaps and improved our ability to implement consistent policies across the enterprise and mitigate potential AI-related security risks.

And finally, our employees can now enjoy a consistent connection experience, whether they're in the office, at home, or working from a coffee shop. And there's so much more to come.

Lessons learned along the way

Our journey with Secure Access has been a rewarding learning experience. Along the way, we've gained valuable insights that have strengthened our approach and contributed to our ongoing success:

  • Cross-functional collaboration is key: The adoption of Cisco Secure Access has established closer relationships with many teams across IT and Security. By closely working together towards a common goal, we achieve greater results.
  • Executive sponsorship is essential: Securing executive support is crucial for driving prioritization, funding, and alignment across teams.
  • User experience matters: Prioritizing user experience is critical for adoption and satisfaction.
  • A phased rollout minimizes disruption: A gradual, iterative approach allows us to address challenges and ensure a smooth transition.
  • Modernizing policies is a must: We need to reimagine our security policies to take full advantage of the Cisco platform and product capabilities, something we've successfully exemplified with Secure Access.

Powering the future of zero trust

Secure Access is the cornerstone of our zero trust strategy, serving as a comprehensive, integrated security solution that goes beyond traditional access methods. It's not a single tool, but an entire ecosystem of security services delivered from the cloud.

Our adoption of Cisco Secure Access is a testament to our commitment to providing a secure, seamless, and innovative IT environment for our employees and customers alike. By continuing to evolve and enhance our zero trust strategy, we are empowering our workforce to be more productive, collaborative, and secure - regardless of where they work.

We're excited about both the future and potential of Secure Access to transform our security posture and enable new and exciting use cases, like AI-driven security policies and real-time data loss prevention. We believe that Secure Access is a strategic enabler, and a key component of our vision for a future-proofed workplace.

We're confident that our journey with Secure Access will not only benefit Cisco IT, but also serve as a valuable blueprint for other organizations seeking to bolster their own zero trust strategies.

To learn more, read the case study, explore our journey, and check out this session from CLEMEA 2025.

Cisco Systems Inc. published this content on September 24, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 24, 2025 at 11:06 UTC.