Cisco Zero Trust India — Duo + ISE + Secure Access for Indian Enterprises

Zero Trust has become one of the most discussed security frameworks in Indian enterprise IT — and also one of the most misunderstood. "Zero Trust" is not a product you can buy. It is an architectural principle: no user, device, or system is trusted by default, even if they are inside the corporate network. Every access request must be continuously verified against identity, device health, location, and context.

Cisco has one of the most complete Zero Trust portfolios in the industry. This guide explains how Cisco's three core Zero Trust components — Cisco Duo (identity), Cisco ISE (network access), and Cisco Secure Access (SSE/ZTNA) — work together, and what a practical Zero Trust implementation looks like for Indian enterprises at different stages of maturity.


The Three Pillars of Cisco Zero Trust

Zero Trust architecture is typically described across three control domains: Workforce (users and devices), Workload (applications), and Workplace (network access). Cisco maps a specific product to each:

| Zero Trust Domain | Cisco Product | What It Controls |
| --- | --- | --- |
| Workforce (Identity) | Cisco Duo | User authentication, MFA, device trust |
| Workplace (Network) | Cisco ISE | Who, what, where connects to the network |
| Workload (Application Access) | Cisco Secure Access (SSE) | Cloud and private app access without VPN |

Each product works independently. Together, they form a unified Zero Trust enforcement architecture where every access decision is informed by identity, device health, and network context simultaneously.


Pillar 1: Cisco Duo — Identity and Device Trust

Cisco Duo is the foundation of any Cisco Zero Trust deployment. Before a user can access any application — cloud, on-prem, or SaaS — Duo verifies:

Identity: Who are you? Duo enforces MFA at every login — push notification, TOTP, hardware token, or biometric. A stolen password alone is never sufficient.

Device health: Is this a healthy device? Duo checks OS patch level, disk encryption status, browser version, screen lock enabled, and whether the device is jailbroken. An unpatched, unencrypted device is blocked even with valid credentials.

Contextual policies: Is this access consistent with normal behaviour? Duo's adaptive authentication can step up MFA requirements based on risk signals — unusual login location, new device, anomalous time-of-day login.

What Duo Enforces in Practice

  • VPN MFA: Every VPN connection requires Duo Push before network access is granted
  • Cloud app MFA: Microsoft 365, Google Workspace, Salesforce, AWS console — all enforce Duo before session establishment
  • On-prem app MFA: Active Directory authentication, RDP, SSH, legacy web applications — all covered via Duo's authentication proxy
  • Windows desktop MFA: Duo can add MFA to the Windows login screen itself
  • Privileged access MFA: Administrator account logins to servers, networking gear, and security devices

Cisco Duo Advantage and Premier add Trusted Endpoints — certificate-based device enrolment that provides cryptographically verified device identity, not just a health check.


Pillar 2: Cisco ISE — Network Access Control

Identity Services Engine (ISE) is Cisco's network access control (NAC) platform. Where Duo controls whether a user can log into an application, ISE controls whether a device can even connect to the network.

ISE answers the question: "What level of network access should this device get, and why?"

How ISE Works

When a device connects to a Cisco Catalyst switch, WiFi access point, or VPN, ISE intercepts the connection and performs:

Authentication: Who is this device? ISE verifies device certificates (802.1X), user credentials, or MAB (MAC Address Bypass) for devices that cannot do 802.1X (printers, IP cameras, IoT devices).

Authorisation: What network access should this device receive? ISE evaluates device posture (is the antivirus running? Is the OS patched?), user role, and device type to assign a dynamic access policy:

  • Fully managed corporate Windows laptop → VLAN 10, full network access
  • Personal mobile device (BYOD) → VLAN 20, internet access only, no access to file servers
  • Unregistered device → Quarantine VLAN, remediation portal only
  • IP camera / printer → IoT VLAN, isolated from user data
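The authorisation step above can be modelled as an ordered, first-match rule set with a fail-closed default. The sketch below is an added example, not ISE configuration or Cisco code: the `Session` fields, the rule names, the IoT and quarantine VLAN IDs, and sending posture failures to quarantine are assumptions. The returned attributes are the standard RFC 3580 RADIUS attributes for dynamic VLAN assignment.

```python
from dataclasses import dataclass, field

# VLAN 10 and 20 come from the article; the IoT and quarantine IDs are assumed.
VLAN_CORPORATE, VLAN_BYOD, VLAN_IOT, VLAN_QUARANTINE = 10, 20, 30, 99

@dataclass(frozen=True)
class Session:
    auth_method: str          # "dot1x-cert", "dot1x-password" or "mab"
    registered: bool          # endpoint is known to the NAC inventory
    corporate_managed: bool
    device_type: str          # profiling result, e.g. "laptop", "camera"
    posture: dict = field(default_factory=dict)  # e.g. {"av_running": True}

def posture_ok(s):
    # Missing or false posture data counts as non-compliant (fail closed).
    return all(s.posture.get(k) is True for k in ("av_running", "os_patched"))

def radius_vlan_attrs(vlan):
    # RFC 3580 dynamic VLAN assignment: Tunnel-Type 13 = VLAN,
    # Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN ID.
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan)}

# Ordered rules, first match wins. MAB proves only a MAC address, so it can
# reach the IoT VLAN at most, whatever device type the endpoint claims.
RULES = [
    ("corporate", VLAN_CORPORATE, lambda s: s.auth_method == "dot1x-cert"
        and s.registered and s.corporate_managed and posture_ok(s)),
    ("byod", VLAN_BYOD, lambda s: s.auth_method.startswith("dot1x")
        and s.registered and not s.corporate_managed),
    ("iot", VLAN_IOT, lambda s: s.auth_method == "mab"
        and s.registered and s.device_type in {"camera", "printer"}),
]

def authorise(s):
    for name, vlan, matches in RULES:
        if matches(s):
            return name, radius_vlan_attrs(vlan)
    # Default: anything no rule vouches for goes to remediation.
    return "quarantine", radius_vlan_attrs(VLAN_QUARANTINE)

if __name__ == "__main__":
    laptop = Session("dot1x-cert", True, True, "laptop",
                     {"av_running": True, "os_patched": True})
    print(authorise(laptop))
```
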

TrustSec Micro-segmentation: ISE integrates with Cisco Catalyst switching to apply Security Group Tags (SGTs) — logical labels that travel with the traffic and enforce access rules regardless of IP address. This is Cisco's approach to software-defined segmentation across the campus network.

ISE for Specific Indian Deployment Scenarios

Manufacturing OT/IT segmentation: ISE separates operational technology (PLCs, SCADA systems, production automation) from IT networks, with access rules based on device type and function. An engineer's laptop gets read-only access to OT visibility systems. Operational systems are isolated from general internet-connected IT infrastructure.

Healthcare device segmentation: Medical devices (ECG machines, imaging systems, infusion pumps) are segmented from EMR servers and admin workstations. A compromised admin laptop cannot reach medical devices or patient data systems.

Campus BYOD management: Universities and corporate campuses use ISE to separate employee-managed devices from student/guest devices from IoT devices — enforcing different internet access policies, bandwidth limits, and isolation levels for each group.

Branch office enforcement: ISE integrated with Cisco Catalyst switches at branch offices ensures that only authorised devices connect to the branch network — even if the branch has no on-site IT staff.


Pillar 3: Cisco Secure Access — ZTNA and SSE

Cisco Secure Access is Cisco's Security Service Edge (SSE) platform — a cloud-delivered security stack that provides secure access to applications from anywhere, without a traditional VPN.

The Problem with Traditional VPN in a Hybrid World

Traditional VPN grants network access. When an employee connects to VPN, they are placed on the corporate network with access to everything that network can reach. This creates problems:

  • An attacker who compromises VPN credentials gets broad network access
  • VPN concentrators become performance bottlenecks as remote workforces grow
  • All traffic routes to headquarters and back — inefficient for cloud-hosted applications
  • No granular per-application access control — VPN is binary (on/off)

Cisco Secure Access addresses this through two mechanisms:

Zero Trust Network Access (ZTNA)

Instead of granting network access, ZTNA grants application access. An employee working remotely authenticates via Cisco Duo (identity + device check), and is granted access only to the specific application they are authorised to use — not the entire network.

The application remains invisible to the internet — only Cisco Secure Access knows its location. This dramatically reduces attack surface.

For on-prem applications, a lightweight connector installed in the data center establishes an outbound tunnel to Cisco Secure Access. Inbound firewall ports are not required — the application is never directly exposed to the internet.

Secure Web Gateway (SWG) and CASB

For outbound traffic — employees accessing the internet and cloud applications — Cisco Secure Access provides:

Secure Web Gateway (SWG): DNS-layer filtering (Cisco Umbrella) blocks access to malicious domains before a connection is established. URL filtering, content categorisation, and SSL inspection for encrypted outbound traffic.

Cloud Access Security Broker (CASB): Visibility into shadow IT — which cloud applications are employees using? Are sanctioned applications (Google Drive, M365 SharePoint) being used in ways that could leak data? CASB enforces data loss prevention policies on cloud application usage.

Cisco Umbrella Integration: Cisco Secure Access incorporates Cisco Umbrella (DNS security) as a foundational layer — blocking malicious domains across all DNS queries from any connected device, enforced at the network layer before any TCP connection is established.


How the Three Components Work Together

The real value of Cisco's Zero Trust architecture comes from the integration between Duo, ISE, and Secure Access:

Scenario 1: Remote Worker Accessing CRM

  1. Employee on personal laptop opens Salesforce from home
  2. Cisco Secure Access intercepts the request
  3. Cisco Duo challenges for MFA — employee approves via Duo Push
  4. Duo checks device: personal laptop, OS patched, disk encrypted → passes
  5. Secure Access grants access to Salesforce — application-specific ZTNA
  6. Session telemetry is sent to Cisco XDR for threat correlation

Scenario 2: Device Connecting to Campus Network

  1. New Windows laptop connects to Cisco Catalyst switch
  2. Cisco ISE intercepts via 802.1X
  3. ISE verifies: device certificate (enrolled in corporate) + user credentials
  4. ISE checks posture: AV running, OS patched, disk encrypted → passes
  5. ISE assigns VLAN 10 (corporate) with full network access
  6. Cisco Duo enforces MFA when the user accesses the first cloud application

Scenario 3: Anomalous Login Detected

  1. Cisco Duo detects login from an unusual location (Delhi user authenticating from a foreign IP)
  2. Duo flags this as a risky authentication event
  3. Cisco XDR receives the Duo anomaly signal and correlates with endpoint telemetry
  4. XDR identifies that the endpoint has an active Cobalt Strike beacon
  5. XDR playbook triggers: Cisco ISE quarantines the device from the campus network + Cisco Duo revokes the active user session
  6. Security analyst receives a single high-confidence incident in XDR with the full timeline

This coordinated automated response — across three security layers — is only possible with native Cisco product integration. A mixed-vendor Zero Trust architecture requires custom integration scripts that are fragile and slow.
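The correlation in Scenario 3 can be sketched as a join of two signal types on the user within a time window. This is an added example, not Cisco XDR logic: the event fields, the 30-minute window, the action strings and the sample events are constructed for illustration and do not follow any Duo or XDR schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events; field names are hypothetical.
EVENTS = [
    {"ts": "2026-01-12T09:02:11", "source": "mfa", "type": "risky_auth",
     "user": "a.sharma", "device": "unregistered"},
    {"ts": "2026-01-12T09:10:40", "source": "endpoint", "type": "c2_beacon",
     "user": "a.sharma", "device": "LT-0412"},
    {"ts": "2026-01-12T09:15:00", "source": "mfa", "type": "risky_auth",
     "user": "r.iyer", "device": "LT-0977"},
    {"ts": "2026-01-12T13:45:00", "source": "endpoint", "type": "c2_beacon",
     "user": "k.menon", "device": "LT-0031"},
]

def correlate(events, window=WINDOW):
    """Return one incident per user with both signals inside the window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "t": datetime.fromisoformat(e["ts"])})
    incidents = []
    for user, evs in by_user.items():
        auths = [e for e in evs if e["type"] == "risky_auth"]
        beacons = [e for e in evs if e["type"] == "c2_beacon"]
        pairs = [(a, b) for a in auths for b in beacons
                 if abs(a["t"] - b["t"]) <= window]
        if not pairs:
            continue  # single-source signals stay with analyst triage
        # The risky login may come from a different machine, so the device
        # to quarantine is taken from the endpoint event, not the auth event.
        devices = sorted({b["device"] for _, b in pairs})
        timeline = sorted({f'{e["ts"]} {e["source"]} {e["type"]}'
                           for pair in pairs for e in pair})
        actions = [f"nac_quarantine:{d}" for d in devices]
        actions.append(f"mfa_revoke_sessions:{user}")
        incidents.append({"user": user, "timeline": timeline,
                          "actions": actions})
    return incidents

if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```
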


Zero Trust Maturity Levels — Where Indian Enterprises Start

Zero Trust is a journey, not a binary state. Most Indian enterprises are at Level 1 or 2:

Level 1 — Basic Identity (Most Common Starting Point)

  • MFA enforced for all users on all applications
  • Tool: Cisco Duo Essentials or Advantage
  • Investment: Low — typically 2–4 weeks to deploy
  • Result: Eliminates ~80% of credential-based attacks

Level 2 — Device Trust

  • Device health checks at every authentication
  • Tool: Cisco Duo Advantage (device posture) or ISE (network device trust)
  • Investment: Medium — requires device management visibility
  • Result: Eliminates compromised device risk alongside credential risk

Level 3 — Application-Level ZTNA

  • Replace VPN with per-application access control
  • Tool: Cisco Secure Access (ZTNA module)
  • Investment: Medium to high — requires application connector deployment
  • Result: Dramatically reduces VPN lateral movement risk

Level 4 — Continuous Trust Verification

  • Risk-based conditional access — trust is re-evaluated continuously during a session
  • Tool: Cisco Duo Premier + Secure Access + ISE TrustSec
  • Investment: High — requires mature identity governance and security operations
  • Result: Session-level granular enforcement, automated threat response

Most Indian businesses should start with Level 1 (Cisco Duo MFA) and progressively add device trust and ZTNA as their security programme matures.


Cisco Zero Trust Pricing — India 2026

Cisco's Zero Trust components are separately licensed:

Cisco Duo: Per-user, per-year. Essentials / Advantage / Premier tiers. Contact Cloudfy for INR pricing.

Cisco ISE: Per network device (plus ISE appliance or VM licensing). Contact Cloudfy for INR pricing.

Cisco Secure Access (SSE): Per-user, per-year. Includes ZTNA, SWG, CASB, Umbrella DNS. Contact Cloudfy for INR pricing.

Cisco EA (Enterprise Agreement): For organisations buying multiple Cisco Security products, an EA bundles Duo, Secure Access, ISE, XDR, and Secure Firewall under a single multi-year agreement — typically with volume discount that makes the combined cost meaningfully lower than individual licensing.


Frequently Asked Questions

Can we implement Zero Trust without replacing our existing VPN immediately? Yes. The standard approach is to deploy Cisco Duo alongside your existing VPN as a first step — adding MFA to VPN connections immediately. ZTNA (Secure Access) can be deployed progressively for specific high-risk application access scenarios before the full VPN migration.

Does Cisco ISE require all Cisco switching infrastructure? ISE is primarily designed for Cisco Catalyst switching and Cisco Wireless. It can integrate with non-Cisco switches via standard 802.1X RADIUS, but full TrustSec micro-segmentation features require Cisco infrastructure.

Is Cisco Secure Access (SSE) suitable for SMB organisations in India? Cisco Secure Access minimum deployment scale is typically 100+ users. For smaller organisations, Cisco Umbrella (DNS security) provides a simpler entry point into the Cisco cloud security portfolio without the full SSE platform.

How does Cisco Zero Trust help with DPDP Act compliance? Cisco Zero Trust supports DPDP compliance in two ways: (1) ISE network segmentation isolates systems handling personal data from general IT infrastructure, and (2) Duo MFA enforces authentication for access to personal data repositories — providing the access control documentation required for DPDP compliance audits.


Ready to start your Cisco Zero Trust journey? Contact Cloudfy Systems — India's authorised Cisco Security partner — for an architecture assessment and formal proposal.
