How Do I Start My Zero Trust Implementation? (2024)

Best Practices Implementing Zero Trust with Palo Alto Networks


Updated on

Jan 27, 2024


This topic answers the fundamental question for any deployment activity: “Where do I start?”

Education and collaboration begin the journey to a Zero Trust enterprise. Stakeholders who identify what’s valuable to your business and who architect how to protect it need to understand Zero Trust concepts, principles, and goals.

Create a cross-functional team of business leaders (business and technical decision makers), IT, information security, infrastructure, application developers, and other stakeholders. The team defines and identifies each attack surface and its users, applications, and infrastructure, with the greatest focus on the most critical assets. This includes understanding which applications access critical data, which users access those applications, the data that you’re protecting, and the user devices and infrastructure, including IoT devices.

The cross-functional team prioritizes what to protect based on your business, and researches, plans, and implements the Zero Trust strategy. The team remains involved in maintaining the deployment as the business changes. Business leaders can speak to desired business outcomes, compliance requirements, and the value of business assets.

When you gain a basic understanding of Zero Trust from the Palo Alto Networks Zero Trust website and this document, and have an idea of your goals, you can:

  • Leverage the Palo Alto Networks Zero Trust Advisory Service, which guides you through:

    • A vendor-agnostic Zero Trust architecture and strategy, including a roadmap to take your enterprise from its current security state to a Zero Trust state.

    • Zero Trust policy design and implementation, where you design and implement a Zero Trust security policy.

    • Monitoring, maintaining, and enhancing your Zero Trust security policy.

  • Consult the Zero Trust Resources section of this best practices document, which provides links to Zero Trust, best practices, and other resources to help you reach your Zero Trust goals.

  • Consult the Zero Trust Reference Architecture Guide, which contains more specific details about Zero Trust implementation.

  • Follow The Five Steps to Approaching Zero Trust to create your Zero Trust enterprise and secure users, applications, and infrastructure across all four validation points (identity, device/workload, access, and transaction).

  • Start the transition with your most critical business assets to protect them first with Zero Trust. Move from the highest priority assets to the lowest priority assets until your enterprise is protected.

    As the importance of applications diminishes, you can be less aggressive with protection. For example, you don’t need to apply the same protection to a chat app as you need to apply to business-critical apps. Collaboration with business leaders helps determine which applications are the most critical to protect.

Palo Alto Networks offers a comprehensive platform of tightly integrated tools that enable you to plan, architect, prepare for, and implement Zero Trust to apply consistent security policy to every part of your enterprise, for every use case, everywhere.

Capability / Platform Tools (each capability heading below is followed by the platform tools that provide it)

Network Security Platform Next-Generation Firewalls (Security policy and access enforcement for all use cases)

  • PAN-OS Next-Generation Firewall (physical locations such as campus, branches, distributed infrastructure, etc.)

  • Prisma Access (cloud-delivered security for branches, remote work forces, etc., ZTNA 2.0)

  • VM-Series virtual firewalls (campus, branch, distributed infrastructure, public cloud, private cloud, etc.)

  • CN-Series virtual firewalls (Kubernetes)

Cloud Native Security Platform

  • Prisma Cloud—Secures cloud-native infrastructure and applications and provides visibility and threat detection across hybrid and multi-cloud infrastructures.

Managed Endpoint Protection

  • Cortex XDR—Integrates previously siloed capabilities such as threat intelligence, UEBA, cloud security, EDR, AD, NTA, full endpoint protection, and more in one tool.

  • GlobalProtect—Extends the same Next-Generation Firewall based Security policies that are enforced inside the physical perimeter to all users in all locations.

Unmanaged Endpoint Protection

  • IoT Security—Discovers and protects unmanaged IoT endpoints.

  • IoT Policy Recommendation—Enables IoT administrators to push Security policy recommendations to firewall administrators.

  • Device-ID—Unmanaged device identification.

Centralized Management

(all use cases)

  • Panorama

  • Panorama Virtual Appliance

  • Prisma Access (cloud-native management or managed by Panorama)

Identity

(all use cases)

  • User-ID—User and user group identification.

  • Cloud Identity Engine (CIE)—Centralized, cloud-based user and user group identification and user authentication. Aggregates all identity information across Identity and Access Management (IAM) solutions to provide consistent policy that follows users everywhere.

  • Dynamic User Groups (DUGs)—User groups that are updated dynamically based on tags to provide automated remediation for anomalous user behavior and malicious activity.

  • Multi-Factor Authentication (MFA)—The ability to use more than one factor to authenticate a user’s access.

  • Credential Phishing Prevention—Stop credential submission to malicious and suspicious sites.

  • Device-ID—Unmanaged device identification.

  • IAM vendor integration—Fully integrated cloud-native identity and SSO identity providers such as Okta, Azure AD, Ping, Google, etc., for onboarding and authorization.

Application Visibility and Control

(all use cases)

  • App-ID—Network application identification.

  • App-ID Cloud Engine (ACE)—Cloud-delivered service for applications that were previously identified as ssl, web-browsing, unknown-tcp, or unknown-udp traffic. Leverages Policy Optimizer to display rules that match downloaded ACE cloud App-IDs.

  • SaaS Security—Cloud-delivered integrated Cloud Access Security Broker (CASB) service to control sanctioned and unsanctioned SaaS applications.

  • Application Filters—User-defined filters that define application membership based on application category, sub-category, risk, tags, and characteristics so that as new applications match a filter, they are automatically added to Security policy rules which use that filter.

  • Application Groups—User-defined groups of applications that require the same security settings.

  • Applications Content Updates—Adds new App-IDs and modifies existing App-IDs when needed.

  • Cortex XDR—Provides full endpoint visibility.

  • Decryption—To inspect encrypted packets and to identify applications granularly, you must decrypt the traffic. Decrypt as much traffic as your business requirements, local regulations, and compliance allow, and follow Decryption best practices.

Threat Prevention and Cloud-Delivered Security Services

(all use cases)

To inspect and prevent threats in encrypted traffic, you must decrypt the traffic or the firewall can’t inspect the payload. You must also configure threat profiles (Vulnerability Protection, Antivirus, Anti-Spyware, File Blocking, DLP, WildFire, and URL Filtering) and attach them to Security policy rules.

  • Threat Prevention Profiles—cloud-delivered Advanced Threat Prevention that includes antivirus, anti-spyware (command-and-control), and vulnerability protection (PAN-OS 10.2 and later) or standard threat prevention (PAN-OS 10.1 and earlier).

  • File Blocking profiles to block malicious file types.

  • WildFire—Analysis environment that identifies both known and unknown (new) malware and generates signatures that firewalls use to block it. (Cloud-based or private.)

  • DNS Security—Cloud-delivered service identifies and blocks threats in DNS traffic and prevents connection to malicious DNS sites.

  • Advanced URL Filtering—Cloud-delivered service enables safe web access and protects users from dangerous websites and credential phishing attacks.

  • Enterprise DLP—Cloud-delivered service that protects data across all networks, clouds, and users.

  • SaaS Security—Cloud-delivered security for SaaS applications.

  • DoS Protection and Zone Protection—Prevent denial-of-service attacks and prevent flooding zones.

  • Cortex XDR and Cortex XSOAR—Protect endpoints from threats and automate threat responses.

  • Threats Content Updates—Adds new threat signatures and updates existing signatures when needed.

  • Best Practice Assessment (BPA) tool—Access and run the on-demand BPA from Strata Cloud Manager to check your firewall security configuration against Palo Alto Networks best practices.

Security Policy Control and Automation

(all use cases)

In addition to granular Security policy rules that enable you to control layer 7 traffic by source (user, IP address, zone, device), destination (IP address, zone, device), application, service, and URL category:

  • Policy Optimizer—Automatically identifies Security policy rules that include unused applications, rules with the application set to any (port-based rules that allow any application on the port), and rules that don’t have Log Forwarding configured.

  • SaaS Policy Recommendation and IoT Policy Recommendation—Enables SaaS and IoT administrators, respectively, to push Security policy recommendations to firewall administrators.

  • Dynamic Address Groups (DAGs)—Enable Security policy to change automatically based on tags when you add, move, or delete servers. When an address moves to a different DAG, different Security policy can be applied to that address.

  • Dynamic User Groups (DUGs)—User groups that are updated dynamically based on tags to provide automated remediation for anomalous user behavior and malicious activity. When a user moves to a different DUG (for example, a DUG for quarantined users), different Security policy can be applied to that user.
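The rule-hygiene checks attributed to Policy Optimizer above (rules with the application set to any, unused applications, missing Log Forwarding), the requirement in the Threat Prevention section to attach threat profiles to Security policy rules, and tag-driven DAG/DUG membership can all be sketched in code. The following Python is an added example written for this page; it is not Palo Alto Networks code and does not use the PAN-OS configuration format. The rulebase, hit counts, user tags and all names (Rule, audit_rulebase, resolve_dynamic_group, matching_rule_for_user, DUGS) are constructed assumptions.

```python
"""Rulebase hygiene audit and tag-driven dynamic groups.

Added example (hypothetical, simplified model; not Palo Alto Networks code and
not the PAN-OS configuration format). It mimics the checks the page attributes
to Policy Optimizer (application set to 'any', unused applications, missing
Log Forwarding), the requirement to attach threat profiles to Security policy
rules, and DAG/DUG membership that follows tags instead of static lists.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    source_users: List[str]        # "any", "group:<tag>" or "dug:<name>"
    source_addrs: List[str]        # "any", "dag:<name>" or a literal prefix
    applications: List[str]        # ["any"] marks a port-based rule
    service: str
    action: str
    log_forwarding: Optional[str] = None
    profiles: Dict[str, str] = field(default_factory=dict)  # profile type -> profile name


# Constructed sample rulebase (evaluated top to bottom, first match wins)
RULES = [
    Rule("quarantine-block", ["dug:quarantined-users"], ["any"], ["any"], "any", "deny",
         "lf-default"),
    Rule("allow-erp", ["group:finance"], ["dag:erp-servers"], ["erp-app", "ssl"],
         "application-default", "allow", "lf-default",
         {"vulnerability": "strict", "anti-spyware": "strict", "antivirus": "default"}),
    Rule("chat-apps", ["any"], ["any"], ["slack", "msteams", "irc"],
         "application-default", "allow", "lf-default", {"antivirus": "default"}),
    Rule("legacy-port-8080", ["any"], ["10.0.0.0/8"], ["any"], "tcp/8080", "allow"),
]

# Constructed per-rule application hit counts (Policy Optimizer derives these from traffic logs)
APP_HITS = {
    "allow-erp": {"erp-app": 5210, "ssl": 4800},
    "chat-apps": {"slack": 1300, "msteams": 980, "irc": 0},
}

REQUIRED_PROFILES = ("vulnerability", "anti-spyware", "antivirus")


def audit_rule(rule: Rule, app_hits: dict) -> List[str]:
    """Findings for one rule; deny rules need no App-ID or profile hygiene."""
    findings = []
    if rule.action != "allow":
        return findings
    if rule.applications == ["any"]:
        findings.append("application is 'any' (port-based rule); convert to an App-ID rule")
    else:
        seen = app_hits.get(rule.name, {})
        unused = [a for a in rule.applications if seen.get(a, 0) == 0]
        if unused:
            findings.append("unused applications: " + ", ".join(unused))
    if rule.log_forwarding is None:
        findings.append("no Log Forwarding profile attached")
    missing = [p for p in REQUIRED_PROFILES if p not in rule.profiles]
    if missing:
        findings.append("missing threat profiles: " + ", ".join(missing))
    return findings


def audit_rulebase(rules=RULES, app_hits=APP_HITS) -> Dict[str, List[str]]:
    """Map of rule name -> findings, only for rules that have findings."""
    report = {r.name: audit_rule(r, app_hits) for r in rules}
    return {name: f for name, f in report.items() if f}


# ---- Dynamic groups: membership is computed from tags, so policy follows the object ----
DUGS = {"quarantined-users": ["quarantine"]}           # DUG name -> tags it matches
USER_TAGS = {"alice": {"finance"}, "bob": {"finance", "quarantine"}, "carol": {"engineering"}}


def resolve_dynamic_group(match_tags, tagged_objects) -> List[str]:
    """Objects carrying every tag in match_tags are members (AND match; OR is left out)."""
    return sorted(o for o, tags in tagged_objects.items() if set(match_tags) <= set(tags))


def user_matches(src: str, user: str, user_tags: dict) -> bool:
    """Evaluate one source-user entry against a user and the current tag state."""
    if src == "any":
        return True
    kind, _, name = src.partition(":")
    if kind == "dug":
        return user in resolve_dynamic_group(DUGS[name], user_tags)
    if kind == "group":
        return name in user_tags.get(user, set())
    return False


def matching_rule_for_user(user: str, user_tags=USER_TAGS, rules=RULES) -> Optional[str]:
    """Name of the first rule whose source-user field matches; tags decide DUG membership."""
    for r in rules:
        if any(user_matches(src, user, user_tags) for src in r.source_users):
            return r.name
    return None


if __name__ == "__main__":
    for name, findings in audit_rulebase().items():
        print(name, "->", "; ".join(findings))
    print("bob hits", matching_rule_for_user("bob"))
    # Remove the quarantine tag: bob now hits allow-erp with no rule edit
    cleared = {u: t - {"quarantine"} for u, t in USER_TAGS.items()}
    print("bob after tag removal hits", matching_rule_for_user("bob", cleared))
```

Run as a script, the audit flags only chat-apps (an unused application and missing profiles) and legacy-port-8080 (port-based rule, no Log Forwarding, no profiles), while allow-erp passes. The second part shows the DUG point: bob matches quarantine-block while he carries the quarantine tag and matches allow-erp once the tag is removed, without any change to the rulebase itself.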

Consulting and Transformation Services

  • Zero Trust Advisory Service—Advice, roadmap, security policy design and implementation.

  • Managed Threat Hunting—Unit 42 experts hunt down attackers in your environment.

Prisma Access delivers ZTNA 2.0, which uses many of the tools and capabilities described in the table to enforce least privilege access (CIE, User-ID), continuous trust verification (User-ID, App-ID, MFA), continuous security inspection (Advanced Threat Protection, Advanced URL Filtering, SaaS Security, DNS Service, WildFire), data protection (DLP), and endpoint protection (Cortex XDR, GlobalProtect, Device-ID, IoT Security), all delivered from the cloud to provide consistent security in all use cases.


© 2024 Palo Alto Networks, Inc. All rights reserved.
