Identify transaction flow interdependencies between data,
applications, assets, and services (DAAS) to understand who should
access which DAAS elements and how.
Map the transaction flows (interactions)
between your critical DAAS elements and users to understand their
interdependencies—who has business reasons to access each element,
in what manner, and at what time. Map the transaction flows to understand
and architect the network. Mapping helps you understand how to create
security policy that allows only authorized users access to specific
data and assets using the specified applications (principle of least-privileged

There are many ways to map transaction flows, and some techniques
for defining your protect surface also apply to mapping its transaction

- Leverage existing flow diagrams if you have them (compliance and
  auditing sometimes require businesses to create flow diagrams).
- Work with application, network, and enterprise architects,
  and business representatives to understand the purpose of applications
  and the transaction flow the architects and business representatives
- Insert one or more next-generation firewalls transparently
  into your network in virtual wire (vwire) mode
  to gain visibility into traffic. Check Traffic logs to view and
- Use log information from the Cortex
  Data Lake to gain visibility into and map transaction flows.
  The Cortex Data Lake aggregates logs from the next-generation firewall,
  VM-Series firewalls, Prisma Access, and Traps.

- For applications, map the workflows, including the flow of
  application data across the network, the computing objects required
  for each application, and who uses each application.
- For data, find out who uses the data, where you collect,
  store, use and transfer the data, and how the data is stored, encrypted,
  archived, or destroyed after use.
- For assets, find out the asset’s location, who uses the asset,
  when they use the asset, and where the asset fits into workflows.
- For services, map the service workflows across the environment.

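
One way to turn traffic log records into a transaction flow map, as an added example that is not Palo Alto Networks code: it groups constructed records by protect surface element, accessor, and application, and separates recurring flows from one-off flows to review with business owners. The inventory, the record layout, and the `min_count` cutoff are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed inventory: DAAS element -> subnet it lives on (assumed values).
PROTECT_SURFACES = {
    "payments-db": ipaddress.ip_network("10.20.0.0/28"),
    "hr-app": ipaddress.ip_network("10.30.5.0/29"),
}

# Constructed records (time, user, source IP, destination IP, application).
# The field layout is hypothetical, not a firewall or Cortex Data Lake format.
SAMPLE_LOGS = [
    ("2024-03-04T09:12:00", "alice", "10.1.1.10", "10.20.0.5", "mssql-db"),
    ("2024-03-04T14:40:00", "alice", "10.1.1.10", "10.20.0.5", "mssql-db"),
    ("2024-03-04T10:05:00", "", "10.30.5.2", "10.20.0.5", "mssql-db"),
    ("2024-03-05T10:06:00", "", "10.30.5.2", "10.20.0.5", "mssql-db"),
    ("2024-03-05T02:31:00", "bob", "10.1.9.44", "10.30.5.2", "ssh"),
    ("2024-03-05T11:00:00", "carol", "10.1.2.7", "192.0.2.10", "web-browsing"),
]

def surface_for(ip):
    """Return the protect surface element that owns this address, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in PROTECT_SURFACES.items() if addr in net), None)

def map_flows(records):
    """Group records by (element, accessor, application) with counts and hours."""
    flows = defaultdict(lambda: {"count": 0, "hours": set()})
    for ts, user, src, dst, app in records:
        element = surface_for(dst)
        if element is None:
            continue  # destination is not a protect surface element
        # A source inside another protect surface is an element-to-element dependency.
        src_element = surface_for(src)
        who = f"surface:{src_element}" if src_element else f"user:{user or 'unknown'}"
        entry = flows[(element, who, app)]
        entry["count"] += 1
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(flows)

def split_for_review(flows, min_count=2):
    """Separate recurring flows from one-off flows (min_count is an assumed cutoff)."""
    recurring, one_off = [], []
    for (element, who, app), e in sorted(flows.items()):
        row = (element, who, app, min(e["hours"]), max(e["hours"]))
        (recurring if e["count"] >= min_count else one_off).append(row)
    return recurring, one_off
```

Each returned row is (element, accessor, application, earliest hour, latest hour). Observed traffic only shows what happens today, so both lists still need confirmation that a business reason exists before they become policy.
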
In addition to revealing who uses what applications where and
when, mapping transaction flows provides granular visibility that
aids with disaster recovery planning and compliance. It also gives
you an opportunity to optimize workflows and examine who has legitimate
business reasons to access the DAAS elements in each protect surface.
When you understand transaction flows through your network, you’ll
know how to segment the network and where to insert controls because
you’ll understand who uses each protect surface, how they use it,
where it’s located, and which elements interact to enable each critical