Table of Contents

Step 3: Standards and Designs

Design your Zero Trust environment based on what’s valuable to your particular business.
Determine the standards and designs for your Zero Trust deployment. Standards and designs mean the architectural framework you will follow and the strategic approach to implementing that architectural framework. For example, the framework could include a requirement to enforce MFA for access to all business-critical servers. Different types of businesses may set different standards and designs for their organization’s security. For example, financial institutions and social media companies may define different architectures and goals to meet their individual business needs based on security and availability tradeoffs.
Armed with an understanding of your business, your assets and their priorization (Step 1), and your transactions (Step 2), you’re ready to architect your Zero Trust deployment and apply consistent security across your entire enterprise. As you develop standards and designs, keep in mind ease of operation and maintenance, and flexibility to accommodate network and business changes.
The cornerstone of the architecture is segmentation gateways—physical, virtual, or cloud Palo Alto Networks Next-Generation Firewalls that connect and protect your network segments and enforce Layer 7 policy. Run all traffic through a segmentation gateway, place segmentation gateways as close as possible to the resources they protect, and use them in conjunction with other Palo Alto Networks capabilities to automate security as much as possible. Next-generation firewalls:
  • Create a microperimeter in Layer 7 policy around each attack surface. This prevents lateral movement because the microperimeter provides granular policy controls for who (User-ID) accesses what applications (App-ID) and resources (source and destination) in what manner (Content-ID) and at what time through the segmentation gateway. Segment the network so that you can apply the principle of least privilege access to workloads and devices and segment the network based on how users and applications access infrastructure, data, and services.
  • Identify and authenticate all users with User-ID and use the Cloud Identity Engine (CIE) to push and sync ID across the entire enterprise for consistent policy that follows users everywhere.
  • Aggregate security capabilities into a single control point for all traffic entering and exiting the attack surface. The segmentation gateway enforces policy, decrypts encrypted traffic, inspects the decrypted traffic, and applies cloud-delivered security services where appropriate. Cloud-delivered security services help ensure consistent protection across all use cases:
    • Enterprise DLP to inspect traffic for data theft and exfiltration.
    • DNS Security to block threats in DNS traffic and prevent connection to malicious DNS sites.
    • Advanced Threat Prevention (PAN-OS 10.2 and later) for antivirus, anti-spyware (command-and-control), and vulnerability protection and prevention (use standard threat prevention if you run PAN-OS 10.1 or earlier).
    • WildFire to identify and block both known and unknown malware.
    • SaaS Security to secure and inspect SaaS applications.
    • Advanced URL Filtering to enable safe web access and prevent credential phishing attacks.
    • IoT Security to secure IoT unmanaged endpoints.
    Configure File Blocking to block potentially dangerous file types.
  • Decrypt and inspect all the traffic that business requirements, local regulations, compliance, and your firewall capacity allow at Layer 7 in real-time.
  • Log every packet from Layer 2 through Layer 7. Forward logs to
    Strata Logging Service
    from managed firewalls using Panorama to push log forwarding settings to firewall groups, from individual firewalls (firewalls not managed by Panorama), from
    Prisma Access
    , and from Cortex XDR to centralize and aggregate your on-premise and virtual (private and public cloud) log storage for physical, VM-Series, CN-Series, and virtual next-generation firewalls.
  • Automate feedback loops that detect events and automate responses.
    • Tag workloads and use tags as filtering criteria to determine the members of dynamic address groups (DAGs) in security policy. This enables you to automate actions based on log forwarding events to an HTTP(S) server. The log forwarding event triggers the action by dynamically adding or removing members of a DAG used in security policy in real-time. The security policy determines if the DAG members are allowed or denied access and the firewall enforces the action. For example, set up a DNS sinkhole in an Anti-Spyware security profile to automatically quarantine potentially compromised systems that attempt to access the sinkhole. Use tags and log forwarding to add and remove those systems automatically from a DAG which is attached to a policy rule that blocks and logs all traffic to the sinkhole address. You can then investigate potentially compromised systems when notified by log alerts.
    • Use Cortex XDR to automate analyzing your traffic, discovering anomalous behavior that indicates a potential intrusion, and alerting on that behavior so you can investigate and remediate the issue. Cortex XDR provides visibility into traffic, simplifies threat investigation by correlating logs, and enables you to identify the root cause of alerts and respond immediately. Use Cortext XDR APIs to integrate with Cortex XSOAR and automate responses using Cortex XSOAR response playbooks that are tailored to your business workflows, which can reduce response time from days to minutes.
    • Use WildFire to automate discovery of new malware. When WildFire discovers malware anywhere in the world, it takes at the most five minutes before WildFire updates your security profiles to protect you against the new malware.
In addition, to apply consistent security to users, applications, and infrastructure across all use cases:
  • Panorama centralizes management policy control for multiple next-generation firewalls and increases operational efficiency compared to managing firewalls individually. Use Panorama’s templates and template stacks to automate policy deployment.
  • Use APIs for tight integration with third-party defense tools from partners.
  • Use tools such as Ansible, Terraform, and Python to automate, orchestrate, and accelerate protecting Prisma Cloud deployments.
  • Corporate network and data center: Use next-generation firewalls to segment the network into microperimeters for your attack surfaces.
  • Public cloud: Use
    Prisma Access
    , which uses on-premise or VM-Series next-generation firewalls, CN-Series next-generation firewalls (for Kubernetes environments), and Prisma Cloud (an API-based cloud infrastructure security solution), to implement Zero Trust policy in cloud environments. Virtual private clouds (VPCs) define protection boundaries to segment workloads.
  • Private cloud: Use VM-Series firewalls or CN-Series firewalls (for Kubernetes environments) to implement Zero Trust policy.
  • Branch office and mobile users: Use
    Prisma Access
    to provide cloud-based security and to avoid round-trips to corporate network resources. Configure
    Prisma Access
    and also
    Prisma Access
    to secure branches.
    Alternatively, use an on-premises next-generation firewall with the GlobalProtect subscription service to extend security policy and enforcement to remote users and branch offices.
  • Endpoints: Layer protection using the next-generation firewall for segmentation and the first layer of protection and using the Cortex XDR agent for the second layer of protection. Enforce consistent policy using GlobalProtect (on-premise installation),
    Prisma Access
    (installed using Panorama and managed for you in the cloud), or
    Strata Cloud Manager Managed Prisma Access
    (using the
    Prisma Access
    app) to extend policy to remote endpoints and enable policy to move with the user.
    Prisma Access
    requires the GlobalProtect app on mobile user endpoints. In all cases, install the GlobalProtect app on managed endpoints and use GlobalProtect Clientless VPN on unmanaged endpoints (endpoints on which you can’t or don’t want to place an agent, such as partner systems or personal devices). Apply Multi-Factor Authentication when appropriate to protect high-value assets.
  • SaaS applications: Use SaaS Security to scan, analyze, classify, and help protect SaaS applications. Redirect SaaS application traffic for unmanaged devices through your next-generation firewall (traffic from managed devices goes through
    Prisma Access
    , GlobalProtect, or a next-generation firewall).

Recommended For You