Zero Trust best practices to help you plan and understand
what you need to do to ensure a successful deployment.
Apply consistent security everywhere, across all use
cases, users, applications, and infrastructure. Consistent security
policy ensures that the same people have the same access to applications
and services in every location, with the same level of authentication
and authorization, the same traffic inspection, and the same access
privileges.
Decrypt traffic to gain visibility into it so that you can
inspect it and prevent malicious activity and data exfiltration.
Continuously validate users, applications, and infrastructure.
Do not allow unknown traffic in your network.
Use Palo Alto Networks Next-Generation Firewalls (NGFWs),
including VM-Series and CN-Series firewalls, as segmentation gateways.
This consolidates security technologies on one platform and enables you
to apply consistent security policy in all locations natively at
Layer 7, based on users, devices, IP addresses, zones, URLs, services,
and applications (including individual applications in application containers—for
example, not just the gmail application, but also granular applications
such as gmail-drive, gmail-chat, gmail-posting, gmail-uploading,
etc.). The segmentation gateway segments and controls the network,
provides granular access control, and secures all traffic as it
crosses microperimeters and attempts to access an attack surface.
Segment your network based on what’s valuable to your business to
prevent unauthorized lateral movement.
Creating microperimeters does not require changing your infrastructure:
you create them in Layer 7 security policy by allowing only authorized
users to access only the resources they need for business purposes.
Apply the principle of least privilege access to all access—not
only to access for people, but also to access for services and APIs.
Allow only the exact level of access required for each user, service,
and API.
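The two practices above, a Layer 7 microperimeter built from user, zone and granular application matching, and least privilege with an implicit deny for anything unmatched, as an added, constructed model (not Palo Alto Networks code and not a real App-ID database): the `gmail` container membership, zone names, group names and rule names are assumptions chosen for illustration, using only the application names the page itself lists.

```python
from dataclasses import dataclass

# Constructed for this example: container membership is modelled here,
# not read from a real App-ID database (the names come from the page).
APP_CONTAINERS = {
    "gmail": {"gmail-chat", "gmail-drive", "gmail-posting", "gmail-uploading"},
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    groups: frozenset   # user groups resolved by an identity lookup
    app: str            # application identified by Layer 7 inspection, e.g. "unknown-tcp"

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str      # zone name or "any"
    to_zone: str
    groups: frozenset   # {"any"} or the user groups allowed to match
    apps: frozenset     # granular application names or container names
    action: str         # "allow" or "deny"

def app_matches(rule_apps: frozenset, app: str) -> bool:
    """A rule matches a granular app directly or through its parent container."""
    return "any" in rule_apps or app in rule_apps or any(
        app in APP_CONTAINERS.get(container, set()) for container in rule_apps)

def evaluate(rules, flow):
    """First-match evaluation; anything unmatched falls to the implicit deny."""
    for r in rules:
        if r.from_zone not in ("any", flow.src_zone) or r.to_zone not in ("any", flow.dst_zone):
            continue
        if "any" not in r.groups and not (r.groups & flow.groups):
            continue
        if not app_matches(r.apps, flow.app):
            continue
        return r.name, r.action
    return "implicit-deny", "deny"

# Constructed microperimeter: marketing may chat, nobody may move files over
# Gmail (exfiltration control, ordered before the broader allow), and helpdesk
# may use the rest of the container. Unknown traffic never matches an allow.
POLICY = [
    Rule("marketing-gmail-chat", "trust", "untrust", frozenset({"marketing"}), frozenset({"gmail-chat"}), "allow"),
    Rule("block-gmail-exfil", "trust", "untrust", frozenset({"any"}),
         frozenset({"gmail-drive", "gmail-uploading", "gmail-posting"}), "deny"),
    Rule("helpdesk-gmail", "trust", "untrust", frozenset({"helpdesk"}), frozenset({"gmail"}), "allow"),
]
```

Reordering `block-gmail-exfil` after `helpdesk-gmail` would let helpdesk reach `gmail-drive` through the container match, which is why rule order is part of the least-privilege review.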
Use an integrated, centrally managed platform that reduces the total cost of ownership, rather
than a collection of point products that don’t work well together. Palo Alto
Networks shares information among platform elements and enables centralized
management and simplified operation using Panorama, GlobalProtect, and Prisma Access to provide consistent policy, prevention, and protection
across all use cases.
Protect all endpoints, including unmanaged IoT endpoints.
Log every packet through Layer 7 that regulations, compliance,
and your business practices allow you to inspect.
Document processes, educate and train personnel, set baselines,
and measure progress against the baselines.
Update your Zero Trust deployment as your business changes.
For example, new applications may replace older applications, you
may upgrade your infrastructure, employees and contractors join
and leave the business, and the business itself may change over
time.