Zero Trust best practices to help you plan and understand
what you need to do to ensure a successful deployment.
The following best practices help you prepare for, and carry out, the
transition of your network to a Zero Trust architecture:
Define your desired business outcomes before architecting
your Zero Trust environment. The Zero Trust model supports and enables
secure business functions.
Design from the inside-out instead of from the outside-in
to protect what’s most valuable to your business first. Your most
valuable assets are more likely to be in your data center than at
Use an integrated, centrally managed platform that reduces
the total cost of ownership, rather than a collection of point products
that don’t work well together. Palo Alto Networks shares information
among platform elements and enables centralized management and simplified
operation using Panorama, GlobalProtect, and Prisma Access to provide
consistent policy, prevention, and protection across all locations.
Use Palo Alto Networks Next-Generation Firewalls as segmentation gateways
to consolidate security technologies on one platform and to apply consistent
security policy in all locations natively at Layer 7 using App-ID, User-ID,
and Content-ID. A segmentation gateway segments and controls the network
based on applications, users, and data; it should provide granular access
control and secure all traffic as it crosses a microperimeter to reach
a protect surface.
You don’t need to
change your infrastructure to create microperimeters because you
create microperimeters in Layer 7 policy by allowing only authorized
users to access only the protect surfaces they need to access for
Segment your network based on what’s valuable to your business
to prevent unauthorized lateral movement.
Apply the principle of least-privileged access to your protect
surfaces. Determine who needs access to what resources, how they
need access, and when they need access. Allow only the exact level
of access required for each user and device, assert identity (including
proper authorization), and then map Layer 7 policy to identity.
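One way the segmentation-gateway and least-privilege guidance above looks in firewall configuration, as an added example that is not from this page or from Palo Alto Networks documentation: the block assumes PAN-OS configure-mode "set" command syntax (written from memory, so treat exact keywords as an assumption), and the zone, address, user-group, certificate, and profile-group names are constructed placeholders.

```text
# Assumed: PAN-OS configure-mode "set" syntax on a standalone firewall.
# Zone, address, group, certificate and profile names below are constructed.
# Lines beginning with # are explanation only, not CLI input.
configure

# The protect surface: a small group of payroll database servers.
set address Payroll-DB ip-netmask 10.20.30.0/27

# Microperimeter rule (Layer 7): only the payroll application group,
# identified through User-ID, reaches the protect surface, and only over
# the App-ID applications the job requires. Nothing else is implied.
set rulebase security rules Payroll-to-DB from Users-Internal to DC-Payroll
set rulebase security rules Payroll-to-DB source any destination Payroll-DB
set rulebase security rules Payroll-to-DB source-user "corp\payroll-app-users"
set rulebase security rules Payroll-to-DB application [ mssql-db ]
set rulebase security rules Payroll-to-DB service application-default
set rulebase security rules Payroll-to-DB action allow
# Content-ID inspection applied to the allowed traffic (profile group
# Strict-Inspection is assumed to be defined elsewhere).
set rulebase security rules Payroll-to-DB profile-setting group Strict-Inspection
set rulebase security rules Payroll-to-DB log-end yes

# Explicit default-deny for the protect surface, logged so that every
# attempt to cross the microperimeter is visible to operations.
set rulebase security rules Deny-Rest-to-DB from any to DC-Payroll
set rulebase security rules Deny-Rest-to-DB source any destination Payroll-DB
set rulebase security rules Deny-Rest-to-DB source-user any
set rulebase security rules Deny-Rest-to-DB application any service any
set rulebase security rules Deny-Rest-to-DB action deny
set rulebase security rules Deny-Rest-to-DB log-start yes log-end yes

# Decrypt TLS toward the protect surface so Layer 7 inspection actually
# sees the payload (inbound inspection using the server's certificate,
# which is assumed to be imported as Payroll-DB-Cert).
set rulebase decryption rules Decrypt-to-DB from Users-Internal to DC-Payroll
set rulebase decryption rules Decrypt-to-DB source any destination Payroll-DB
set rulebase decryption rules Decrypt-to-DB action decrypt
set rulebase decryption rules Decrypt-to-DB type ssl-inbound-inspection Payroll-DB-Cert

commit
```

Rule order matters: the allow rule must sit above the deny rule, and on a Panorama-managed firewall the same rules would be pushed as device-group pre-rules rather than entered locally.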
Decrypt, inspect, and log every packet through Layer 7 that
regulations, compliance, and your business practices allow you to
inspect. You must inspect and log Layer 7 traffic. Remember, every
attacker knows how to bypass security controls at Layer 3 and Layer
Develop processes to operate, maintain, and continually update prevention
controls as you develop your strategy and design the network. Document
processes, educate and train personnel, set baselines, and measure
progress against the baselines.
Transition to a Zero Trust environment gradually, one segment
at a time, beginning with one or more non-critical segments from
which you learn and gain experience. Zero Trust segments coexist
with legacy segments, so you can use a safe, iterative approach
instead of a risky rip-and-replace approach.
As the importance of applications diminishes, you can be
less aggressive with protection. For example, you don’t need to
apply the same protection to a chat app that you need to apply to
business-critical apps. Collaboration with business leaders helps
to determine which applications are the most critical to protect.