Step 2: Map the Protect Surface Transaction Flows

Identify transaction flow interdependencies between data, applications, assets, and services (DAAS) to understand who should access which DAAS elements and how.
Map the transaction flows (interactions) between your critical DAAS elements and users to understand their interdependencies—who has business reasons to access each element, in what manner, and at what time. Map the transaction flows to understand and architect the network. Mapping helps you understand how to create security policy that allows only authorized users access to specific data and assets using the specified applications (principle of least-privileged access).
There are many ways to map transaction flows, and some techniques for defining your protect surface also apply to mapping its transaction flows:
  • Leverage existing flow diagrams if you have them (compliance and auditing sometimes require businesses to create flow diagrams).
  • Work with application, network, and enterprise architects, and business representatives to understand the purpose of applications and the transaction flow the architects and business representatives envision.
  • Insert one or more next-generation firewalls transparently into your network in virtual wire (vwire) mode to gain visibility into traffic. Check Traffic logs to view and analyze traffic.
  • Use third-party tools from Palo Alto Networks’ integrated partners.
  • Use log information from the Cortex Data Lake to gain visibility into and map transaction flows. The Cortex Data Lake aggregates logs from the next-generation firewall, VM-Series firewalls, Prisma Access, and Cortex XDR.
  • For applications, map the workflows, including the flow of application data across the network, the computing objects required for each application, and who uses each application.
  • For data, find out who uses the data, where you collect, store, use and transfer the data, and how the data is stored, encrypted, archived, or destroyed after use.
  • For assets, find out the asset’s location, who uses the asset, when they use the asset, and where the asset fits into workflows.
  • For services, map the service workflows across the environment.
In addition to revealing who uses what applications where and when, mapping transaction flows provides granular visibility that aids with disaster recovery planning and compliance. It also gives you an opportunity to optimize workflows and examine who has legitimate business reasons to access the DAAS elements in each protect surface.
When you understand transaction flows through your network, you’ll know how to segment the network and where to insert controls because you’ll understand who uses each protect surface, how they use it, where it’s located, and which elements interact to enable each critical application.

Recommended For You