High-Level Zero Trust Best Practice Concepts
These Zero Trust best practices help you plan and understand what you need to do to ensure a successful deployment.
Follow these high-level Zero Trust best practices concepts:
Apply consistent security everywhere, across all use cases, users, applications, and infrastructure. Consistent security policy ensures that the same people have the same access to applications and services in every location, with the same level of authentication and authorization, the same traffic inspection, and the same access privileges.
Decrypt traffic to gain visibility into it so that you can inspect it and prevent malicious activity and data exfiltration.
Continuously validate users, applications, and infrastructure.
Do not allow unknown traffic in your network.
Use Palo Alto Networks Next-Generation Firewalls (NGFWs), including VM-Series and CN-Series firewalls, as segmentation gateways. This consolidates security technologies on one platform and enables you to apply consistent security policy in all locations natively at Layer 7, based on users, devices, IP addresses, zones, URLs, services, and applications (including individual applications in application containers—for example, not just the gmail application, but also granular applications such as gmail-drive, gmail-chat, gmail-posting, gmail-uploading, etc.). The segmentation gateway segments and controls the network, provides granular access control, and secures all traffic as it crosses microperimeters and attempts to access an attack surface.
Segment your network based on what’s valuable to your business to prevent unauthorized lateral movement. You don’t need to change your infrastructure to create microperimeters because you create microperimeters in Layer 7 security policy by allowing only authorized users to access only the resources they need to access for business purposes.
Apply the principle of least privilege access to all access—not only to access for people, but also to access for services and APIs. Allow only the exact level of access required for each user, service, and API.
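The following Python is an added illustration, not Palo Alto Networks code or PAN-OS configuration. It models how a Layer 7 segmentation gateway enforces the ideas in the three items above: rules match on user group, zone, destination segment and application (including a granular application inside an application container), only explicitly permitted access is allowed, unknown traffic falls to an implicit default deny, and every decision is logged. All rule names, groups, zones, segments and application names are constructed for the example.

```python
"""Illustrative Zero Trust policy evaluator (added example, not PAN-OS code).

Demonstrates microperimeters in Layer 7 policy: each rule grants one group
the exact access it needs to one segment for one application, anything not
explicitly allowed is denied, and every decision (allow or deny) is logged.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed application containers: the container app "gmail" groups granular
# apps, so a rule can permit gmail-base while a separate rule blocks gmail-uploading.
APP_CONTAINERS = {
    "gmail": {"gmail-base", "gmail-drive", "gmail-chat",
              "gmail-posting", "gmail-uploading"},
}


def app_matches(rule_app: str, traffic_app: str) -> bool:
    """A rule naming a container matches every granular app inside it; a rule
    naming a granular app matches only that app; 'any' matches everything."""
    if rule_app == "any":
        return True
    if rule_app in APP_CONTAINERS:
        return traffic_app == rule_app or traffic_app in APP_CONTAINERS[rule_app]
    return rule_app == traffic_app


@dataclass(frozen=True)
class Flow:
    user_groups: frozenset   # groups the authenticated user belongs to
    src_zone: str
    dst_segment: str
    app: str                 # App-ID seen after decryption, or "unknown-tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    user_group: str          # "any" or one specific group
    src_zone: str
    dst_segment: str
    app: str
    action: str              # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return ((self.user_group == "any" or self.user_group in f.user_groups)
                and self.src_zone in ("any", f.src_zone)
                and self.dst_segment in ("any", f.dst_segment)
                and app_matches(self.app, f.app))


# Constructed microperimeter policy. No rule permits "any" user or "any"
# application into the critical segments (source-code, customer-data).
POLICY = [
    Rule("dev-to-source-repo", "developers", "corp", "source-code", "git", "allow"),
    Rule("crm-to-customer-db", "crm-service", "app-tier", "customer-data", "mssql-db", "allow"),
    Rule("staff-gmail-readonly", "staff", "corp", "internet", "gmail-base", "allow"),
    Rule("block-gmail-uploads", "any", "corp", "internet", "gmail-uploading", "deny"),
]


def evaluate(flow: Flow, policy=POLICY, log: Optional[list] = None) -> tuple:
    """First-match evaluation with an implicit default deny.
    Returns (action, rule_name) and appends a log record for every decision,
    so denied and unknown traffic stays visible instead of being silently dropped."""
    decision = ("deny", "implicit-default-deny")
    for rule in policy:
        if rule.matches(flow):
            decision = (rule.action, rule.name)
            break
    if log is not None:
        log.append({"user_groups": sorted(flow.user_groups), "src": flow.src_zone,
                    "dst": flow.dst_segment, "app": flow.app,
                    "action": decision[0], "rule": decision[1]})
    return decision


def demo() -> list:
    """Run a few constructed flows through the policy and return the log."""
    log = []
    flows = [
        Flow(frozenset({"developers"}), "corp", "source-code", "git"),        # allowed
        Flow(frozenset({"contractors"}), "corp", "source-code", "git"),       # wrong group
        Flow(frozenset({"developers"}), "corp", "source-code", "unknown-tcp"),  # unknown app
        Flow(frozenset({"crm-service"}), "corp", "customer-data", "mssql-db"),  # wrong zone (lateral)
        Flow(frozenset({"staff"}), "corp", "internet", "gmail-base"),         # allowed
        Flow(frozenset({"staff"}), "corp", "internet", "gmail-uploading"),    # explicit deny
    ]
    for f in flows:
        evaluate(f, log=log)
    return log


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The ordering matters: because evaluation stops at the first match and the only allow rules are narrow, a developer reaching the source-code segment with an unrecognised application, or a service account connecting from the wrong zone, never reaches an allow rule and is denied and logged under the implicit rule.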
Use an integrated, centrally managed platform that reduces the total cost of ownership, rather than a collection of point products that don’t work well together. Palo Alto Networks shares information among platform elements and enables centralized management and simplified operation using Panorama, GlobalProtect, and Prisma Access to provide consistent policy, prevention, and protection across all use cases.
Protect all endpoints, including unmanaged IoT endpoints.
Log every packet through Layer 7 that regulations, compliance, and your business practices allow you to inspect.
Document processes, educate and train personnel, set baselines, and measure progress against the baselines.
Update your Zero Trust deployment as your business changes. For example, new applications may replace older applications, you may upgrade your infrastructure, employees and contractors join and leave the business, and the business itself may change over time.
Define your desired business outcomes before architecting your Zero Trust environment. The Zero Trust model supports and enables secure business functions.
Design from the inside-out instead of from the outside-in to protect what’s most valuable to your business first. Your most valuable assets are more likely to be in your data center than at your perimeter.
Transition to a Zero Trust environment beginning with the most critical segments (proprietary source code repositories, customer data, etc.—whatever is most valuable to your business). Zero Trust segments coexist with legacy segments, so you can protect your most critical assets first and then go on to protecting less critical segments and assets instead of transitioning everything at one time.
As the importance of applications diminishes, you can be less aggressive with protection. For example, you don’t need to apply the same protection to a chat app as you need to apply to business-critical apps. Collaboration with business leaders helps determine which applications are the most critical to protect.