Companies are often reluctant to implement Zero Trust because they believe it is difficult, costly and disruptive. However, building a Zero Trust network is much simpler than classifying users as “trusted” and “untrusted”, an approach that has proven ineffective. A five-step methodology is enough to transform your legacy network and protect it across the entire environment, regardless of location. Let’s explore these steps in depth:


1. Define Your Protect Surface

When defining the protect surface, you need to consider all critical data, applications, assets, or services (DAAS). Palo Alto Networks Next-Generation Firewalls, in physical or virtualized form, provide comprehensive Layer 7 visibility to help you determine your DAAS profile. Cortex XDR™ detection and response by Palo Alto Networks uses network, cloud, and endpoint products as sensors, feeding data into Cortex Data Lake to provide visibility into the activity of users, devices, applications, and services, giving greater insight into the individual protect surfaces across your enterprise environment.

2. Map the Transaction Flows

To design the network correctly, you must first understand how the systems are supposed to work. How traffic moves across the network, and what kind of data it carries, determines how it should be protected. Scanning and mapping transactions shows how the various DAAS components interact with other resources on your network.

Zero Trust is a flow-based architecture. Once you understand how your systems are designed to work, the flow maps will tell you where you need to insert controls. It is important to start with what you know. You shouldn’t delay your Zero Trust initiative just because you don’t have perfect knowledge.

3. Architect a Zero Trust Network

Zero Trust networks are tailor-made; they do not follow a single pattern or universal design. With your protect surface defined and flows mapped, the Zero Trust architecture follows logically. The architectural elements begin with deploying a Next-Generation Firewall as a segmentation gateway that enforces granular Layer 7 access as a microperimeter around the protect surface. With this architecture, access is controlled and inspected at the same time.

The architecture would still be incomplete without important third-party offerings. Palo Alto Networks integrates with multiple multi-factor authentication (MFA) providers to add fidelity to User-ID. To round out and simplify Zero Trust architectures, our powerful API provides deep integrations with more than 250 third-party partners, including anti-spam/anti-phishing technologies, DLP systems, software-defined wide area networks (SD-WAN), and wireless offerings.

4. Create the Zero Trust Policy

Once you’ve architected your Zero Trust network, you need to create the supporting Zero Trust policies following the Kipling Method, answering the who, what, when, where, why, and how of your network and policies. The Kipling Method of creating policy enables Layer 7 policy for granular enforcement so that only known allowed traffic or legitimate application communication is allowed in your network. This process significantly reduces the attack surface while also reducing the number of port-based firewall rules enforced by traditional network firewalls.

To simplify the process, you should create policies primarily in your segmentation gateways’ centralized management tool. Palo Alto Networks Panorama™ provides this functionality and is where the Kipling Method is applied. Palo Alto Networks’ powerful Next-Generation Firewall technology and unique features let you write policies that are easy to understand and maintain while providing maximum security that is transparent to your end users.
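The Kipling Method described above, as an added illustration that is not part of the article and not Palo Alto Networks code: a constructed allow rule answering who, what, when, where, why and how is evaluated with default deny against two constructed flows, and contrasted with a legacy port-based rule that cannot tell a different application on the same port apart. All field names, users and asset names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    who: str        # authenticated user or group (User-ID style identity)
    what: str       # application identified at Layer 7, not inferred from a port
    when: int       # hour of day, 0-23
    where: str      # destination asset inside the protect surface
    why: str        # data classification that justifies the access
    how: str        # transport protection in use
    dst_port: int   # kept only to contrast with a port-based rule

@dataclass(frozen=True)
class KiplingRule:
    who: frozenset
    what: frozenset
    when: range
    where: frozenset
    why: frozenset
    how: frozenset

    def matches(self, f: Flow) -> bool:
        # Every one of the six Kipling dimensions must match for the rule to apply.
        return (f.who in self.who and f.what in self.what
                and f.when in self.when and f.where in self.where
                and f.why in self.why and f.how in self.how)

def zero_trust_decision(rules, flow: Flow) -> str:
    """Default deny: traffic is allowed only when a Kipling rule matches on all dimensions."""
    return "allow" if any(r.matches(flow) for r in rules) else "deny"

def port_based_decision(allowed_ports, flow: Flow) -> str:
    """Legacy rule: anything to an open port is allowed, whoever sends it and whatever it is."""
    return "allow" if flow.dst_port in allowed_ports else "deny"

# Constructed rule: only the finance group may reach the payroll database over the
# database application, during business hours, with encrypted transport.
RULES = [KiplingRule(who=frozenset({"finance"}), what=frozenset({"mssql-db"}),
                     when=range(7, 19), where=frozenset({"payroll-db"}),
                     why=frozenset({"pii"}), how=frozenset({"encrypted"}))]

# Constructed flows: legitimate payroll access, the same user outside business hours,
# and a different application from a contractor account on the same port.
LEGIT = Flow("finance", "mssql-db", 10, "payroll-db", "pii", "encrypted", 1433)
AFTER_HOURS = Flow("finance", "mssql-db", 22, "payroll-db", "pii", "encrypted", 1433)
OTHER_APP = Flow("contractor", "ssh", 3, "payroll-db", "pii", "encrypted", 1433)

if __name__ == "__main__":
    for f in (LEGIT, AFTER_HOURS, OTHER_APP):
        print(f.who, f.what, "zero-trust:", zero_trust_decision(RULES, f),
              "port-based:", port_based_decision({1433}, f))
```

The port-based rule allows all three flows because TCP 1433 is open; the Kipling rule allows only the first, which is the attack-surface reduction the text refers to.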

5. Monitor and Maintain the Network

The last step in this iterative process is to monitor and maintain your network. This means continuously reviewing all internal and external logs through Layer 7 and focusing on the operational aspects of Zero Trust. The more your network is attacked, the stronger it will become, as you gain the insight needed to make policies more secure. Additional data gives you insight into the protect surface, such as what you should include in it and the interdependencies of the data within it, and can inform architectural tweaks that further enhance your security. Next-Generation Firewall and VM-Series data are consolidated into a single view under Panorama, which raises an alert when a malicious or suspicious event should be investigated.

Zero Trust is a powerful prevention strategy when implemented across your entire environment—the network, endpoint, and cloud. RanTek, in partnership with Palo Alto Networks, can provide the technology and professional knowledge to maximize the protection of your most valuable assets. Contact us to learn more about how to apply it to your business. Get started on your Zero Trust journey!
