From MFA to Zero Trust: A Five-Phase Journey to Securing the Workforce

by | Sep 20, 2021 | Just in, Security

Zero trust has become a dominant security model for addressing the changes brought by mobility, consumerization of IT and cloud applications. John Kindervag defined the guiding principle for “zero trust” as “never trust, always verify.” Attackers that make it past one verification point (such as a firewall or a user login) can exploit inherent trust and move laterally within a network, application or environment to target sensitive data. An insider that starts within a trusted zone can escalate privileges. By always verifying, we can identify and stop these frequent attacks. Yet the adoption of zero trust thinking has brought a new challenge: how do we get there? This guide lays out a practical approach in five phases for implementing Zero Trust for the Workforce, which comprises an organization’s users and their devices, and how they access applications. The approach is iterative. Begin with a specific set of people, expand coverage for their applications and expand coverage for their devices. Once we are always verifying trust within this well-defined scope, apply a set of reasonable policies to enforce trust and protect the organization. Finally, integrate this scope with the broader organization’s IT and security functions and shift to continuous improvement. Following these steps, an organization can incrementally achieve a zero trust transformation.

White Paper by Cisco

This guide lays out a practical approach in five phases for implementing Zero Trust for the Workforce, which comprises an organization’s users and their devices and how they access applications.
From MFA to Zero Trust Graphic

The Zero Trust Approach

The zero trust principles share much in common with the fundamentals. Like default deny, zero trust begins with no access until trust is demonstrated and established. As with least privilege, zero trust relies on just enough trust and seeks to minimize excessive trust. Zero trust builds upon these fundamentals with following concepts:

Visibility informs policy

Provide as much intelligence and insight as possible to the people administering the technology, in order to produce informed policies.


Trust is neither binary nor permanent

Continually reassess the posture of users, devices and applications and adjust your trust accordingly. Be prepared to respond to events that raise the risk level by containing newly discovered threats and vulnerabilities.


Ownership is not a control

Validate and extend trust to devices, applications and networks that you
don’t own or manage, from BYOD (bring your own device) and IoT (Internet of Things) devices to SaaS and public cloud.


The perimeter is any place where you make an access control decision

Choose the layers and process points that work for your environment, whether it’s at the network layer, the application layer, at the point of identity verification or during a transaction workflow.

Access decisions are based on re-establishing trust every time

Membership within a group, an application service within a tier or a device connected to a network location, are not enough on their own to authorize activity.


Combine least privilege and segmentation with response capabilities to monitor for threat activity and limit its spread by default.
About Duo Security

Duo Security, now part of Cisco, is the leading multi-factor authentication (MFA) and secure access provider. Duo comprises a key pillar of Cisco Secure’s Zero Trust offering, the most comprehensive approach to securing access across IT applications and environments, from any user, device, and location. Duo is a trusted partner to more than 25,000 customers globally, including Bird, Facebook, Lyft, University of Michigan, Yelp, Zillow and more. Founded in Ann Arbor, Michigan, Duo also has offices in Austin, Texas; San Francisco, California; and London.
This report was created by Cisco/Duo

Do you need IT support?

Our expertise is in network design, server deployments, remote access (VPN), and cybersecurity.