Palo Alto Networks and our technology partner Nutanix have teamed up to make it easy for you to implement Zero Trust in virtualized environments. From healthcare to education and professional services, many industries have embraced virtual desktops and End User Computing (EUC) as part of their data center virtualization strategy. Users gain a consistent interface and portability, while IT gains greater control, scalability and efficiency through virtualization and central management of desktop environments. Since adoption of EUC environments is on the rise, now is a perfect time to talk about efficient and effective ways to deploy and secure them.
Deploying Zero Trust in Virtualized Environments
A Zero Trust security model, or “never trust, always verify,” is the gold standard for reducing cyber risk. It grants no implicit trust to any user, system or device on the basis of where it sits on the network, and requires every access to be verified. While traditional security architectures focused on identifying threats attempting to breach an organization’s network perimeter, a Zero Trust architecture makes no assumptions about the safety or validity of traffic, even between workloads inside the data center.
Using the principles of Zero Trust to segment EUC environments from the rest of the data center is a best practice, particularly since many cyberattacks start with compromising a user’s device. The ultimate goal is to prevent attacks originating from a compromised virtual desktop from spreading to the rest of the data center.
Implementing a Zero Trust architecture for EUC environments can be done in a few steps:
- Protect the EUC Infrastructure with Microsegmentation
Protect the software infrastructure that delivers the EUC service using microsegmentation. Establish a granular, default-deny network policy that limits access to the management plane, connection brokers and other essential IT services (directory services, VPN, DNS and so on) to only the communications those components require. When creating and managing policies, it is helpful to use software that can discover and visualize these network dependencies; otherwise a flow you did not know about is either blocked when the policy is enforced or, worse, left open because the policy was made too broad to avoid breaking things.
- Define Dynamic, User-based Policies
Define dynamic policies that grant EUC users access to certain applications and data based on their role. This can further reduce the attack surface available should a user’s desktop become compromised. For example, you may want to limit the applications and services that contractors can access compared with employees, or differentiate access between job functions.
Accomplishing this kind of segmentation with traditional methods (VLAN-based segmentation with access control lists enforced on physical network and security devices) typically requires complex, coordinated configuration of both the software delivering EUC and the physical networking, security and threat intelligence solutions. A software-based solution using virtual networking and security appliances reduces the cost and complexity of achieving this level of control while allowing integration into automated service delivery applications.
- Inspect Permitted Traffic
Once you’ve defined policies that allow only valid traffic flows, you must also inspect the permitted traffic for any threats that might be hiding within it. An allowed port is not an allowed application: a permitted flow, such as a desktop’s HTTPS connection to an application server, can still carry an exploit, command-and-control traffic or malware. Security tools should therefore detect and block suspicious traffic on an open port, and stop malware attempting to spread from a compromised virtual desktop.
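The three steps above as one added, illustrative model (example code written for this article, not Nutanix Flow or PAN-OS configuration): VM categories for the infrastructure, a default-deny allow list whose desktop rules depend on the logged-in user’s directory group, and an inspect flag marking the permitted flows that should still pass through a firewall. The VM names, users, groups, ports and sample flows are assumptions constructed for the example.

```python
"""Default-deny policy model for an EUC environment.

Added, illustrative example: this is not Nutanix Flow or PAN-OS code. It models
the post's three steps (protect the EUC infrastructure, define user-based
policies, inspect permitted traffic) as categories plus an explicit allow list,
then evaluates constructed flows against it. Every VM name, user, group, port
and flow below is an assumption made up for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Step 1: infrastructure VMs carry a fixed category (assumed tag values).
VM_CATEGORY = {
    "broker-01": "broker",        # connection broker
    "dc-01": "directory",         # Active Directory domain controller
    "dns-01": "dns",
    "fin-app-01": "finance-app",  # line-of-business application
}

# Step 2: a desktop's category follows the logged-in user's directory group,
# so the same VM is "vdi-employee" with Alice logged in and "vdi-contractor"
# with Bob. A desktop with nobody logged in is "vdi-unassigned".
AD_GROUP = {"alice": "Employees", "bob": "Contractors"}
GROUP_CATEGORY = {"Employees": "vdi-employee", "Contractors": "vdi-contractor"}


@dataclass(frozen=True)
class Rule:
    src: str              # source category; "vdi-*" matches every desktop category
    dst: str              # destination category
    proto: str            # "tcp" or "udp"
    port: int
    inspect: bool = False  # Step 3: send the permitted flow through a firewall


# Explicit allow list. Nothing else is permitted, including desktop-to-desktop
# traffic, which is how a compromised desktop would try to move laterally.
RULES = [
    Rule("vdi-*", "broker", "tcp", 443),
    Rule("vdi-*", "dns", "udp", 53),
    Rule("vdi-*", "directory", "tcp", 88),   # Kerberos
    Rule("vdi-*", "directory", "tcp", 389),  # LDAP
    Rule("vdi-employee", "finance-app", "tcp", 443, inspect=True),
]


def category_of(vm: str, user: Optional[str] = None) -> str:
    """Fixed category for infrastructure VMs, user-derived category for desktops."""
    if vm in VM_CATEGORY:
        return VM_CATEGORY[vm]
    group = AD_GROUP.get(user, "") if user else ""
    return GROUP_CATEGORY.get(group, "vdi-unassigned")


def _matches(pattern: str, category: str) -> bool:
    return category.startswith("vdi-") if pattern == "vdi-*" else pattern == category


def evaluate(src_vm: str, dst_vm: str, proto: str, port: int,
             user: Optional[str] = None) -> str:
    """Return 'ALLOW', 'INSPECT' (allowed, but routed to the firewall) or 'DENY'."""
    src_cat = category_of(src_vm, user)
    dst_cat = category_of(dst_vm)
    for rule in RULES:
        if (_matches(rule.src, src_cat) and _matches(rule.dst, dst_cat)
                and rule.proto == proto and rule.port == port):
            return "INSPECT" if rule.inspect else "ALLOW"
    return "DENY"


# Constructed flow records: (src_vm, dst_vm, proto, port, logged-in user).
SAMPLE_FLOWS: List[Tuple[str, str, str, int, Optional[str]]] = [
    ("vdi-07", "dns-01", "udp", 53, None),          # boot-time lookup, nobody logged in
    ("vdi-07", "broker-01", "tcp", 443, "alice"),   # desktop registers with the broker
    ("vdi-07", "dc-01", "tcp", 88, "bob"),          # contractor's Kerberos login
    ("vdi-07", "fin-app-01", "tcp", 443, "alice"),  # employee reaches the finance app
    ("vdi-07", "fin-app-01", "tcp", 443, "bob"),    # contractor tries the same app
    ("vdi-07", "vdi-12", "tcp", 445, "alice"),      # SMB to another desktop
    ("vdi-07", "broker-01", "tcp", 22, "alice"),    # SSH to the broker
]


def audit(flows) -> List[Tuple[Tuple, str]]:
    """Evaluate each flow record and pair it with its verdict."""
    return [(flow, evaluate(*flow)) for flow in flows]


def verdict_counts(flows) -> dict:
    """Count verdicts, the summary a policy-discovery view would show."""
    counts = {"ALLOW": 0, "INSPECT": 0, "DENY": 0}
    for _, verdict in audit(flows):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:8} {flow}")
    print(verdict_counts(SAMPLE_FLOWS))
```

Running the script prints one verdict per sample flow. Two of them are what a port-only view would miss: the contractor’s HTTPS to the finance app is denied even though the same port is open for employees, and the employee’s HTTPS to that app is permitted but still marked for inspection. Nutanix Flow and the VM-Series enforce this at the hypervisor and the firewall rather than in a Python list, but the shape of the policy, categories plus an explicit allow list with inspection on selected permitted flows, is what the steps above describe.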
Simplifying the Process of Securing EUC Environments
While this all sounds pretty complex, Palo Alto Networks and Nutanix are working together to help you meet this business need. Organizations using Nutanix Hyper-Converged Infrastructure (HCI) with Nutanix Acropolis Hypervisor (AHV) virtualization and Nutanix Flow can protect virtual infrastructure and isolate groups of virtual desktops with identity-based microsegmentation with Active Directory integration. Then, they can define which traffic to route to Palo Alto Networks VM-Series, a virtualized form factor of Next-Generation Firewalls, for additional network inspection and threat detection. VM-Series virtual firewalls enable you to define and enforce granular Layer 7 security policies based on application and user identity. Threat Prevention and other cloud-delivered security subscriptions enabled on VM-Series firewalls detect and stop threats – even zero-day threats – attempting to penetrate the data center, move laterally across virtualized environments or exfiltrate data.
Nutanix and Palo Alto Networks also make it easy for you to automatically deploy and centrally manage Zero Trust security in your virtualized environments. Using Nutanix Calm, your team can deploy VM-Series and Palo Alto Networks Panorama, a network security management solution, into a Nutanix Flow environment with a few clicks. From Panorama, security teams can consistently manage their Nutanix environment and security policies from a single interface.