High-Level Zero Trust Best Practice Concepts (2024)

Best Practices Implementing Zero Trust with Palo Alto Networks


Updated on

Jan 27, 2024


Zero Trust best practices to help you plan and understand what you need to do to ensure a successful deployment.

Follow these high-level Zero Trust best practices concepts:

  • Apply consistent security everywhere, across all use cases, users, applications, and infrastructure. Consistent security policy ensures that the same people have the same access to applications and services in every location, with the same level of authentication and authorization, the same traffic inspection, and the same access privileges.

  • Decrypt traffic to gain visibility into it so that you can inspect it and prevent malicious activity and data exfiltration.

  • Continuously validate users, applications, and infrastructure.

  • Do not allow unknown traffic in your network.

  • Use Palo Alto Networks Next-Generation Firewalls (NGFWs), including VM-Series and CN-Series firewalls, as segmentation gateways. This consolidates security technologies on one platform and enables you to apply consistent security policy in all locations natively at Layer 7, based on users, devices, IP addresses, zones, URLs, services, and applications (including individual applications in application containers—for example, not just the gmail application, but also granular applications such as gmail-drive, gmail-chat, gmail-posting, gmail-uploading, etc.). The segmentation gateway segments and controls the network, provides granular access control, and secures all traffic as it crosses microperimeters and attempts to access an attack surface. Segment your network based on what’s valuable to your business to prevent unauthorized lateral movement.

    You don’t need to change your infrastructure to create microperimeters, because you create microperimeters in Layer 7 security policy by allowing only authorized users to access only the resources they need to access for business purposes.

  • Apply the principle of least privilege access to all access—not only to access for people, but also to access for services and APIs. Allow only the exact level of access required for each user, service, and API.

  • Use an integrated, centrally managed platform that reduces the total cost of ownership, rather than a collection of point products that don’t work well together. Palo Alto Networks shares information among platform elements and enables centralized management and simplified operation using Panorama, GlobalProtect, and Prisma Access to provide consistent policy, prevention, and protection across all use cases.

  • Protect all endpoints, including unmanaged IoT endpoints.

  • Log every packet through Layer 7 that regulations, compliance, and your business practices allow you to inspect.

  • Create a strategy for tagging workloads to group objects and registering tags dynamically to help automate security policy.

  • Document processes, educate and train personnel, set baselines, and measure progress against the baselines.

  • Update your Zero Trust deployment as your business changes. For example, new applications may replace older applications, you may upgrade your infrastructure, employees and contractors join and leave the business, and the business itself may change over time.

  • Define your desired business outcomes before architecting your Zero Trust environment. The Zero Trust model supports and enables secure business functions.

  • Design from the inside-out instead of from the outside-in to protect what’s most valuable to your business first. Your most valuable assets are more likely to be in your data center than at your perimeter.

  • Transition to a Zero Trust environment beginning with the most critical segments (proprietary source code repositories, customer data, etc.—whatever is most valuable to your business). Zero Trust segments coexist with legacy segments, so you can protect your most critical assets first and then go on to protecting less critical segments and assets instead of transitioning everything at one time.

As the importance of applications diminishes, you can be less aggressive with protection. For example, you don’t need to apply the same protection to a chat app as you need to apply to business-critical apps. Collaboration with business leaders helps determine which applications are the most critical to protect.
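The following is an added illustration, not part of this best-practices page and not PAN-OS or Panorama configuration syntax. It models, in plain Python, several of the concepts above together: a Layer 7 microperimeter rule keyed on user group, source zone, destination tag and application (with granular sub-applications such as gmail-drive rolling up to gmail), least-privilege default deny for unmatched or unknown traffic, dynamically registered tags that resolve to the destination group at evaluation time, and a log entry for every decision. All application names, tags, zones, IP addresses and rule names are constructed for the example.

```python
"""Toy microperimeter policy evaluator (constructed example, not PAN-OS).

Illustrates: Layer 7 rules on user group + zone + tag + application,
sub-application matching, default deny, unknown-traffic deny, dynamic
tag registration, and per-decision logging.
"""
from dataclasses import dataclass, field

# Constructed application hierarchy: a sub-application rolls up to its parent.
# Any application not listed here is treated as unknown traffic.
APP_PARENT = {
    "gmail": None,
    "gmail-drive": "gmail",
    "gmail-chat": "gmail",
    "ssh": None,
    "mysql": None,
}


def app_matches(rule_app: str, traffic_app: str) -> bool:
    """A rule written for 'gmail' also covers gmail-drive, gmail-chat, etc."""
    app = traffic_app
    while app is not None:
        if app == rule_app:
            return True
        app = APP_PARENT.get(app)
    return False


@dataclass
class Workload:
    ip: str
    zone: str
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    user_groups: set
    src_zones: set
    dst_tag: str     # destination group is resolved from this tag at match time
    apps: set
    action: str      # "allow" or "deny"


@dataclass
class Flow:
    user_group: str
    src_zone: str
    dst_ip: str
    app: str


class Microperimeter:
    def __init__(self, workloads, rules):
        self.workloads = {w.ip: w for w in workloads}
        self.rules = rules          # evaluated top-down, first match wins
        self.log = []               # one entry per evaluated flow

    def register_tag(self, ip: str, tag: str) -> None:
        """Dynamic tag registration: the next evaluation sees the new group membership."""
        self.workloads[ip].tags.add(tag)

    def evaluate(self, flow: Flow) -> str:
        dst = self.workloads.get(flow.dst_ip)
        decision, matched = "deny", "default-deny"
        if flow.app not in APP_PARENT:
            matched = "unknown-app"         # unknown traffic is never allowed
        elif dst is not None:
            for r in self.rules:
                if (flow.user_group in r.user_groups
                        and flow.src_zone in r.src_zones
                        and r.dst_tag in dst.tags
                        and any(app_matches(a, flow.app) for a in r.apps)):
                    decision, matched = r.action, r.name
                    break
        self.log.append(f"rule={matched} action={decision} user_group={flow.user_group} "
                        f"src_zone={flow.src_zone} dst={flow.dst_ip} app={flow.app}")
        return decision


def build_example() -> Microperimeter:
    """Constructed sample: one tagged database, one tagged mail relay, two allow rules."""
    db = Workload("10.1.0.5", "datacenter", {"customer-db"})
    mail = Workload("10.2.0.9", "dmz", {"mail-relay"})
    rules = [
        Rule("dba-to-customer-db", {"dba"}, {"corp"}, "customer-db", {"mysql"}, "allow"),
        Rule("staff-mail", {"staff", "dba"}, {"corp"}, "mail-relay", {"gmail"}, "allow"),
    ]
    return Microperimeter([db, mail], rules)


if __name__ == "__main__":
    mp = build_example()
    for f in (Flow("dba", "corp", "10.1.0.5", "mysql"),
              Flow("staff", "corp", "10.1.0.5", "mysql"),
              Flow("staff", "corp", "10.2.0.9", "gmail-drive"),
              Flow("staff", "corp", "10.2.0.9", "unlisted-p2p")):
        mp.evaluate(f)
    print("\n".join(mp.log))
```

Two behaviours worth noticing when running it: the "staff" group is denied mysql to the customer database even though a rule for that database exists (least privilege is per user group, not per destination), and adding a tag to a workload changes which rules match it without editing any rule, which is what the tagging-strategy bullet above is driving at.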

© 2024 Palo Alto Networks, Inc. All rights reserved.
