Step 1: Define Your Protect Surface
Identify data, applications, assets, and services (DAAS) that are valuable to your business so you can prioritize what you need to protect first.
A protect surface is what’s valuable to your business: the data, applications, assets, and services (DAAS) you need to protect to ensure normal business operation. Defining your protect surface enables you to focus on defending what really matters to your business instead of trying to identify and protect the entire attack surface or focusing on just the perimeter. The protect surface is also much smaller than the attack surface or the perimeter, so it’s easier to protect.
Define your protect surface based on the most crucial DAAS elements for your business:
- Data. What data needs to be protected? Think about intellectual property such as proprietary code or processes, personally identifiable information (PII), payment card information (PCI), and personal health information (PHI) such as Health Insurance Portability and Accountability Act (HIPAA) information.
- Applications. Which applications consume sensitive information? Which applications are critical for your business functions?
- Assets. Which assets are the most sensitive? Depending on your business, that could be SCADA controls, POS terminals, medical equipment, manufacturing equipment, and groups of critical servers.
- Services. Which services can attackers exploit to disrupt IT operations and negatively impact the business, such as DNS, DHCP, and Active Directory?
Each critical DAAS element is part of a protect surface (or in some cases is a protect surface). For example, if your business provides health care, then personal health information (PHI) is critical to your business. The Data is the patient information. The Applications are the applications used to access PHI data—for example, EPIC. The Assets are servers that store the data and equipment that generates PHI, such as medical scanners or physicians’ workstations. The Services are services used to access the data, such as single sign-on and Active Directory.
As you follow the five-step methodology, you’ll place each protect surface in its own microperimeter (segmented by a Palo Alto Networks physical or virtual next-generation firewall, which acts as a segmentation gateway) so that you control exactly who accesses the element, how they access it, and when they access it. Secure each protect surface in manner that is appropriate for that protect surface. A microperimeter is easier to manage and defend than a broad perimeter that encompasses DAAS elements that users with different access requirements need to reach. It also moves protections closer to the critical data.
Prioritize what to protect first based on what’s critical to running your business. Your most valuable assets are often in your data center or in the cloud. After you implement Zero Trust on one or more non-critical protect surfaces to gain experience, defend your most critical protect surfaces. You may not know all of the applications in your data center when you start, but you know your most critical applications. Afterward, move on to the next set of protect surfaces on the priority list and keep going through the list until you reach your security goals.
Use the following tools to gain visibility into your network traffic and help identify the DAAS elements that make up your most critical protect surfaces:
- The team’s knowledge of the business. For example, business leaders can speak to the strategic value of applications.
- Insert one or more next-generation firewalls transparently into your network in virtual wire (vwire) mode, which is a passthrough mode that requires no topology changes because vwire interfaces don’t have IP or MAC addresses, to gain visibility into traffic. Check the Traffic logs to view and analyze network traffic. If you already have managed firewalls in your network, use Panorama logs.
- If you run PAN-OS 9.0 or later on the next-generation firewall or on the Panorama that manages your firewalls, use Policy Optimizer to help identify key applications on existing Security policy rules. (Policy Optimizer even shows you all of the applications on port-based rules.) If you can’t use Policy Optimizer, use Expedition to gain visibility into applications.
- Application Dependency Mapping tools to discover application dependencies (the resources an application uses, such as databases, load balancers, servers, etc.) automatically.
Recommended For You
Recommended videos not found.