How Do I Start My Zero Trust Implementation?

This topic answers the fundamental question for any deployment activity: “Where do I start?”
Education and collaboration begin the journey to a Zero Trust enterprise. Stakeholders who identify what’s valuable to your business and who architect how to protect it need to understand Zero Trust concepts, principles, and goals.
Create a cross-functional team of business leaders (business and technical decision makers), IT, information security, infrastructure, application developers, and other stakeholders. The team defines and identifies each attack surface and its users, applications, and infrastructure, with the greatest focus on the most critical assets. This includes understanding which applications access critical data, which users access those applications, the data that you’re protecting, and the user devices and infrastructure, including IoT devices.
The cross-functional team prioritizes what to protect based on your business, and researches, plans, and implements the Zero Trust strategy. The team remains involved in maintaining the deployment as the business changes. Business leaders can speak to desired business outcomes, compliance requirements, and the value of business assets.
When you have gained a basic understanding of Zero Trust from the Palo Alto Networks Zero Trust website and this document, and have an idea of your goals, you can:
  • Leverage the Palo Alto Networks Zero Trust Advisory Service, which guides you through:
    • A vendor-agnostic Zero Trust architecture and strategy, including a roadmap to take your enterprise from its current security state to a Zero Trust state.
    • Zero Trust policy design and implementation, where you design and implement a Zero Trust security policy.
    • Monitoring, maintaining, and enhancing your Zero Trust security policy.
  • Use the Zero Trust Resources section of this best practices document, which links to Zero Trust, best practices, and other resources that help you reach your Zero Trust goals.
  • Consult the Zero Trust Reference Architecture Guide for more specific details about Zero Trust implementation.
  • Follow The Five Steps to Approaching Zero Trust to create your Zero Trust enterprise and secure users, applications, and infrastructure across all four validation points (identity, device/workload, access, and transaction).
  • Start the transition with your most critical business assets to protect them first with Zero Trust. Move from the highest priority assets to the lowest priority assets until your enterprise is protected.
    As the importance of applications diminishes, you can be less aggressive with protection. For example, you don’t need to apply the same protection to a chat app as you need to apply to business-critical apps. Collaboration with business leaders helps determine which applications are the most critical to protect.
Palo Alto Networks offers a comprehensive platform of tightly integrated tools that enable you to plan, architect, prepare for, and implement Zero Trust to apply consistent security policy to every part of your enterprise, for every use case, everywhere.
Platform Tools
Network Security Platform
  • Next-Generation Firewalls—Security policy and access enforcement for all use cases.
Cloud Native Security Platform
  • Prisma Cloud—Secures cloud-native infrastructure and applications and provides visibility and threat detection across hybrid and multi-cloud infrastructures.
Managed Endpoint Protection
  • Cortex XDR—Integrates previously siloed capabilities such as threat intelligence, UEBA, cloud security, EDR, AD, NTA, full endpoint protection, and more in one tool.
  • GlobalProtect—Extends the same Next-Generation Firewall based Security policies that are enforced inside the physical perimeter to all users in all locations.
Unmanaged Endpoint Protection
Centralized Management
(all use cases)
(all use cases)
  • User-ID—User and user group identification.
  • Cloud Identity Engine (CIE)—Centralized, cloud-based user and user group identification and user authentication. Aggregates all identity information across Identity and Access Management (IAM) solutions to provide consistent policy that follows users everywhere.
  • Dynamic User Groups (DUGs)—User groups that are updated dynamically based on tags to provide automated remediation for anomalous user behavior and malicious activity.
  • Multi-Factor Authentication (MFA)—The ability to use more than one factor to authenticate a user’s access.
  • Credential Phishing Prevention—Stops credential submission to malicious and suspicious sites.
  • Device-ID—Unmanaged device identification.
  • IAM vendor integration—Fully integrated cloud-native identity and SSO identity providers such as Okta, Azure AD, Ping, Google, etc., for onboarding and authorization.
Application Visibility and Control
(all use cases)
  • App-ID—Network application identification.
  • App-ID Cloud Engine (ACE)—Cloud-delivered service for applications that were previously identified as ssl, web-browsing, unknown-tcp, or unknown-udp traffic. Leverages Policy Optimizer to display rules that match downloaded ACE cloud App-IDs.
  • SaaS Security—Cloud-delivered integrated Cloud Access Security Broker (CASB) service to control sanctioned and unsanctioned SaaS applications.
  • Application Filters—User-defined filters that define application membership based on application category, sub-category, risk, tags, and characteristics so that as new applications match a filter, they are automatically added to Security policy rules which use that filter.
  • Application Groups—User-defined groups of applications that require the same security settings.
  • Applications Content Updates—Adds new App-IDs and modifies existing App-IDs when needed.
  • Cortex XDR—Provides full endpoint visibility.
  • Decryption—To inspect encrypted packets and to identify applications granularly, you must decrypt the traffic. Decrypt as much traffic as your business requirements, local regulations, and compliance allow, and follow Decryption best practices.
Threat Prevention and Cloud-Delivered Security Services
(all use cases)
To inspect and prevent threats in encrypted traffic, you must decrypt the traffic or the firewall can’t inspect the payload. You must also configure threat profiles (Vulnerability Protection, Antivirus, Anti-Spyware, File Blocking, DLP, WildFire, and URL Filtering) and attach them to Security policy rules.
  • Threat Prevention Profiles—Cloud-delivered Advanced Threat Prevention that includes antivirus, anti-spyware (command-and-control), and vulnerability protection (PAN-OS 10.2 and later), or standard Threat Prevention (PAN-OS 10.1 and earlier).
  • File Blocking profiles—Block malicious file types.
  • WildFire—Analysis environment that identifies both known and unknown (new) malware and generates signatures that firewalls use to block it. (Cloud-based or private.)
  • DNS Security—Cloud-delivered service identifies and blocks threats in DNS traffic and prevents connection to malicious DNS sites.
  • Advanced URL Filtering—Cloud-delivered service enables safe web access and protects users from dangerous websites and credential phishing attacks.
  • Enterprise DLP—Cloud-delivered service that protects data across all networks, clouds, and users.
  • SaaS Security—Cloud-delivered security for SaaS applications.
  • DoS Protection and Zone Protection—Prevent denial-of-service attacks and protect zones against flood attacks.
  • Cortex XDR and Cortex XSOAR—Protect endpoints from threats and automate threat responses.
  • Threats Content Updates—Adds new threat signatures and updates existing signatures when needed.
  • Best Practice Assessment (BPA) tool—Access and run the BPA from the Customer Support Portal to check your firewall security configuration against Palo Alto Networks best practices.
Security Policy Control and Automation
(all use cases)
In addition to granular Security policy rules that enable you to control Layer 7 traffic by source (user, IP address, zone, device), destination (IP address, zone, device), application, service, and URL category, the platform provides:
  • Policy Optimizer—Automatically identifies Security policy rules that include unused applications, rules with the application set to any (port-based rules that allow any application on the port), and rules that don’t have Log Forwarding configured.
  • SaaS Policy Recommendation and IoT Policy Recommendation—Enables SaaS and IoT administrators, respectively, to push Security policy recommendations to firewall administrators.
  • Dynamic Address Groups (DAGs)—Enable Security policy to change automatically based on tags when you add, move, or delete servers. When an address moves to a different DAG, different Security policy can be applied to that address.
  • Dynamic User Groups (DUGs)—User groups that are updated dynamically based on tags to provide automated remediation for anomalous user behavior and malicious activity. When a user moves to a different DUG (for example, a DUG for quarantined users), different Security policy can be applied to that user.
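The tag-driven group mechanism behind DAGs and DUGs (and, by the same matching logic, Application Filters) is easier to see in code. The following is an added, constructed Python example, not PAN-OS or Palo Alto Networks code: object names, tags, group names and rule names are all assumed for illustration.

```python
"""Tag-driven dynamic groups: membership is derived from tags, so re-tagging
an object (user or address) changes which Security policy rule matches it,
without editing the rulebase. Constructed example, not PAN-OS code."""
from dataclasses import dataclass, field


@dataclass
class TaggedObject:          # a user (DUG) or an address (DAG)
    name: str
    tags: set = field(default_factory=set)


@dataclass
class DynamicGroup:
    name: str
    match_all: frozenset                 # object must carry every one of these tags
    exclude: frozenset = frozenset()     # ...and none of these

    def members(self, objects):
        return sorted(o.name for o in objects
                      if self.match_all <= o.tags and not (self.exclude & o.tags))


@dataclass
class Rule:
    name: str
    source_group: str
    action: str


def apply_tag(objects, name, tag):
    """Simulates a tag being pushed to an object (for example by an automated response)."""
    for o in objects:
        if o.name == name:
            o.tags.add(tag)
            return
    raise KeyError(name)


def matching_rule(objects, groups, rules, obj_name):
    """First rule, top-down like a Security policy rulebase, whose source group
    currently contains obj_name; group membership is recomputed from tags each time."""
    membership = {g.name: g.members(objects) for g in groups}
    for r in rules:
        if obj_name in membership[r.source_group]:
            return r.name, r.action
    return None


def quarantine_demo():
    """Assumed names: user 'bob' is allowed while tagged 'finance'; once tagged
    'quarantine' he falls out of DUG-finance and into DUG-quarantined."""
    users = [TaggedObject("alice", {"finance"}), TaggedObject("bob", {"finance"})]
    groups = [DynamicGroup("DUG-quarantined", frozenset({"quarantine"})),
              DynamicGroup("DUG-finance", frozenset({"finance"}), frozenset({"quarantine"}))]
    rules = [Rule("block-quarantined", "DUG-quarantined", "deny"),   # evaluated first
             Rule("allow-finance-apps", "DUG-finance", "allow")]
    before = matching_rule(users, groups, rules, "bob")
    apply_tag(users, "bob", "quarantine")
    after = matching_rule(users, groups, rules, "bob")
    return before, after
```

Because no rule was edited between the two lookups, the change in outcome comes entirely from the tag moving bob between groups, which is the point of DAG/DUG-based remediation.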
Consulting and Transformation Services
Prisma Access delivers ZTNA 2.0, which uses many of the tools and capabilities described in the table to enforce least privilege access (CIE, User-ID), continuous trust verification (User-ID, App-ID, MFA), continuous security inspection (Advanced Threat Prevention, Advanced URL Filtering, SaaS Security, DNS Security, WildFire), data protection (DLP), and endpoint protection (Cortex XDR, GlobalProtect, Device-ID, IoT Security), all delivered from the cloud to provide consistent security in all use cases.