Question: How can I empower a remote workforce without compromising security or productivity? How do I begin to transition to a zero-trust architecture?

Ash Devata, general manager, Cisco Zero Trust and Duo Security: The transition to a zero-trust architecture is a multiyear journey. We recommend that organizations scope through the phases of a journey and then integrate that scope into the organization’s zero-trust architecture. Starting with a strong maturity model, first establish user trust by verifying users with strong authentication using a passwordless or biometric indicator unique to them. Second, determine device and activity visibility, verifying user devices any time a user tries to login to an application. Third, device trust should be the focus, with limited access to apps or only segments of the network with zero-trust proxies or network segmentation. Fourth, adopting a fully adaptive set of policies for workforce and workloads together is the end state.

Making the transition to a zero-trust architecture should focus on doing what offers your organization the most value. Reducing the attack surface is your main objective. As an example, you may already have multifactor authentication (MFA) for 80% of your users and require it for 60% of your apps; now you can work toward expanding that to 100% for both.

A zero-trust model can help you with a remote workforce because it doesn’t distinguish a remote employee from an employee in the office. You always do the right and same verification, regardless of where the employee resides. In this regard, it is the simplicity of the solution that is the genius behind the function.

Reducing friction for the end user at any point you can is extremely important. Going VPN-less for apps inside the environment helps keep end user friction low. This means the user can just log into a corporate application the way they log into popular consumer applications, like Facebook or Twitter. We always recommend SSO and adaptive policies to eliminate friction for users without compromising on security. And you should have SSO for all applications, passwordless, and VPN-less remote access, which is easier for the end user, reduces overall friction, and increases access.