Achieving End-to-End Zero Trust

May 29, 2020
3 minutes

This post is also available in: 日本語 (Japanese)

I’ve spent the last 25 years developing products that help customers reduce risk. And I think it’s fair to say that the cybersecurity industry as a whole shares the same goal – help our customers reduce risk. We acknowledge that risk will never be zero, but we work to help find a balance of risk versus cost. What are customers willing to lose in case of a cyber attack versus how much are they willing to put into preventing and mitigating those attacks?  

The security products deployed across your infrastructure – for the network, endpoint and now cloud – are focused on reducing risk by helping us decide whether we should trust four things: 

  • Users
  • Endpoints and Workloads
  • Applications
  • Content

For example, a good old 25-year-old firewall uses IP filtering to determine whether it can trust a user and a port number to check whether an application should be trusted, antivirus software determines whether content can be trusted by matching files with a list of known bad signatures, and sandboxes determine whether never-before-seen content can be trusted.


So What is Zero Trust?End to end Zero Trust for your Infrastructure. This gif includes many components of a complete Zero Trust architecture.

Zero Trust is an end-to-end cybersecurity strategy that spans the infrastructure. With Zero Trust, you operate under the assumption that no user, endpoint/workload, application or content can be trusted at any entity, whether it has previously been checked or will be checked later on by another entity. That means that each entity, such as an endpoint, server, VM- or container-based microservice, or Platform-as-a-Service (PaaS), must validate the identity of any endpoint, workload or application that it communicates with as well as scan any content that it sends, receives or maintains at rest for malicious activity. 

In simple terms: each device, application and microservice is responsible for its own security. 

Lately, the industry has been emphasizing Zero Trust Network Access (ZTNA). ZTNA is certainly important in Zero Trust, but it is only one component of any Zero Trust strategy. It focuses on the communications between a user on an endpoint and that user’s first entry into the infrastructure, usually through a web application server. 

An often overlooked but equally important aspect of Zero Trust is the Security Operations Center. The role of the SOC is to double check trust decisions made by the infrastructure – for example, a decision to trust a connection made by the firewall and the intrusion prevention system (IPS). It is also responsible for making after-the-fact trust decisions for things that cannot be decided in realtime by inline products. 


The Palo Alto Networks Approach to Zero Trust

At Palo Alto Networks, we believe that the easiest, and really the only way to achieve end-to-end Zero Trust, is to have a well-coordinated architecture and solutions that validate, authenticate and apply threat prevention capabilities across your entire infrastructure. Prisma Access enables ZTNA as a simple to consume, cloud-delivered service. Our PAN-OS offerings enable deployment of granular policy enforcement and threat prevention capabilities, including IoT security, regardless of location. Prisma Cloud enables all different aspects of Zero Trust for public or private clouds across all compute form factors. For the security operations center, Cortex applies automation and analytics to double check all the trust decisions that have been made previously and enables change in near-real time. 

In a recent video, I discuss the technology considerations for various Zero Trust deployments across your infrastructure and how Palo Alto Networks helps customers deploy end-to-end Zero Trust. Watch the video to learn more.

This post is part of a series covering “Zero Trust Throughout Your Infrastructure.”

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.