Zero Trust High-Level Best Practices

Zero Trust best practices to help you plan and understand what you need to do to ensure a successful deployment.
The following best practices prepare for and help you transition your network to a Zero Trust architecture:
  • Define your desired business outcomes before architecting your Zero Trust environment. The Zero Trust model supports and enables secure business functions.
  • Design from the inside-out instead of from the outside-in to protect what’s most valuable to your business first. Your most valuable assets are more likely to be in your data center than at your perimeter.
  • Use an integrated, centrally managed platform that reduces the total cost of ownership, rather than a collection of point products that don’t work well together. Palo Alto Networks shares information among platform elements and enables centralized management and simplified operation using Panorama, GlobalProtect, and Prisma Access to provide consistent policy, prevention, and protection across all locations.
  • Use Palo Alto Networks Next-Generation Firewalls as segmentation gateways to consolidate security technologies on one platform and to apply consistent security policy in all locations natively at Layer 7 using App-ID, User-ID, and Content-ID. A segmentation gateway segments and controls the network based on applications, users, and data, and should provide granular access control and secure all traffic as it crosses microperimeters and gains access to a protect surface.
    You don’t need to change your infrastructure to create microperimeters because you create microperimeters in Layer 7 policy by allowing only authorized users to access only the protect surfaces they need to access for business purposes.
  • Segment your network based on what’s valuable to your business to prevent unauthorized lateral movement.
  • Apply the principle of least-privileged access to your protect surfaces. Determine who needs access to what resources, how they need access, and when they need access. Allow only the exact level of access required for each user and device, assert identity (including proper authorization), and then map Layer 7 policy to identity.
  • Decrypt, inspect, and log every packet through Layer 7 that regulations, compliance, and your business practices allow you to inspect. You must inspect and log Layer 7 traffic. Remember, every attacker knows how to bypass security controls that operate only at Layer 3 and Layer 4 (addresses and ports), so inspection that stops there provides no real assurance about what an application is doing.
  • Create a strategy for tagging workloads to group objects and registering tags dynamically to help automate security policy.
  • Develop processes to operate, maintain, and continually update prevention controls as you develop your strategy and design the network. Document processes, educate and train personnel, set baselines, and measure progress against the baselines.
  • Transition to a Zero Trust environment gradually, one segment at a time, beginning with one or more non-critical segments from which you learn and gain experience. Zero Trust segments coexist with legacy segments, so you can use a safe, iterative approach instead of a risky rip-and-replace approach.
As the importance of applications diminishes, you can be less aggressive with protection. For example, you don’t need to apply the same protection to a chat app that you need to apply to business-critical apps. Collaboration with business leaders helps to determine which applications are the most critical to protect.
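The following is an added example, not Palo Alto Networks code or configuration: a small Python model of the Layer 7 microperimeter policy described above, where a rule is keyed on an asserted user group, an application identified at Layer 7, and a dynamically registered tag on the destination workload, with everything else denied by default. Group names, tags, addresses and flows are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    user_group: str       # identity asserted at the segmentation gateway
    app: str              # application identified at Layer 7, not a port
    protect_surface: str  # tag registered on the destination workload group
    decrypt: bool = True  # decrypt/inspect/log unless policy exempts the app

# Constructed workload registrations: each address carries tags that a
# dynamic address group would pick up, so policy follows the workload.
WORKLOAD_TAGS = {
    "10.1.0.10": {"pci-db"},
    "10.1.0.11": {"pci-db"},
    "10.2.0.20": {"hr-app"},
    "10.9.0.5": {"chat"},
}

# Constructed rules: only the exact access each group needs, per surface.
# The chat app is lower-value, so it is allowed with less aggressive handling.
RULES = [
    Rule("payments-app-svc", "mssql-db", "pci-db"),
    Rule("hr-staff", "web-browsing", "hr-app"),
    Rule("all-employees", "slack", "chat", decrypt=False),
]

def evaluate(user_groups, app, dst_ip, rules=RULES):
    """Return (verdict, matched_rule). No match means default deny."""
    tags = WORKLOAD_TAGS.get(dst_ip, set())
    for r in rules:
        if r.user_group in user_groups and r.app == app and r.protect_surface in tags:
            return ("allow", r)
    return ("deny", None)

# Constructed flows, including an attempt at lateral movement from an HR
# user to the PCI database and a valid app aimed at the wrong surface.
SAMPLE_FLOWS = [
    {"user_groups": {"payments-app-svc"}, "app": "mssql-db", "dst": "10.1.0.10"},
    {"user_groups": {"hr-staff", "all-employees"}, "app": "mssql-db", "dst": "10.1.0.11"},
    {"user_groups": {"hr-staff", "all-employees"}, "app": "web-browsing", "dst": "10.2.0.20"},
    {"user_groups": {"payments-app-svc"}, "app": "mssql-db", "dst": "10.9.0.5"},
    {"user_groups": {"all-employees"}, "app": "slack", "dst": "10.9.0.5"},
]

def denied_flows(flows=SAMPLE_FLOWS, rules=RULES):
    """Return the flows the policy rejects, for review against the baseline."""
    return [f for f in flows if evaluate(f["user_groups"], f["app"], f["dst"], rules)[0] == "deny"]
```

Run `denied_flows()` to see that the two flows that cross a microperimeter without a matching identity-plus-application rule are dropped even though both endpoints are internal.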