Establish an approach to applying Zero Trust principles within Palo Alto Networks
A data-centered methodology that uses Palo Alto Networks Next-Generation Firewalls (NGFW), Prisma® Access, Prisma® Cloud, and Cortex® to secure users, applications, and infrastructure
Palo Alto Networks is the cybersecurity partner of choice for over 85,000 customers in more than 150 countries. Pursuing a mission to make every day more secure, it provides the visibility, trusted intelligence, automation, and flexibility that help complex organizations advance securely. Today, Palo Alto Networks’ comprehensive security solutions protect over a billion people around the globe.
Like most large enterprises, the company’s own network has seen a dramatic increase in remote access and reliance on software as a service (SaaS) applications in recent years. As this shift has expanded the attack surface, Palo Alto Networks has also experienced a rising number of attempted cyberattacks, making a Zero Trust approach to security mission-critical for the organization.
Zero Trust has been a priority for Palo Alto Networks for several years, but in 2021 Chief Information Security Officer Niall Browne and his information security (InfoSec) team set out to create an effective methodology to significantly evolve Palo Alto Networks’ Zero Trust posture. As it pursued this project, the team built an intuitive methodology that allows it to continually advance its Zero Trust framework as the company evolves.
For Palo Alto Networks, it’s imperative to remain at the forefront of digitization to serve the security needs of the world’s largest and most advanced companies. As the company has leaned into its own digital transformation, its use of cloud services and SaaS applications has increased rapidly. With a large, global workforce requiring remote access to respond quickly to customers’ security needs, its endpoints have become more numerous and diverse.
As the world’s leading cybersecurity company, it also possesses intellectual property that’s of particular interest to hackers. That’s always made it a leading target, but in recent years the frequency and sophistication of attacks have intensified. For Browne and the InfoSec team, a rapidly growing attack surface coupled with the rising number of cyberattacks presented a significant risk. Embracing Zero Trust was essential to keep the network safe.
However, at that time there was no comprehensive, replicable process for achieving Zero Trust. The concept wasn’t new: it’s about securing the organization by eliminating implicit trust and continuously validating every stage of the digital transaction. But that can’t be achieved simply by implementing a security solution. It requires a strategic approach, with ongoing refinement and commitment.
Due to competing priorities, remaining true to a Zero Trust strategy is a challenge for any organization. Palo Alto Networks’ security teams are focused on keeping up with the threat landscape and the evolution of the company’s digital environment. Current security threats, as well as global attacks like the Log4j event, create distractions from a proactive effort to find and mitigate new security gaps.
The speed of business and the ever-expanding nature of Palo Alto Networks’ ecosystem mean SaaS applications are always being added, straining the InfoSec team’s ability to inventory and assess them. And with a large, worldwide customer base to protect and support, other goals threaten to starve Zero Trust projects of attention and required skill sets.
“We knew Zero Trust was critical,” Browne says. “We also realized that we needed an approach we could communicate, achieve wins with, and then replicate.”
To begin the process, Browne and the InfoSec team needed to define what success would mean for a Zero Trust approach. By studying where other organizations had struggled, they identified both the cultural and technical elements that needed to be in place for the strategy to work.
They knew Zero Trust would require board of directors approval for ongoing investment. That meant their approach needed to be structured in a way that could be easily explained—and its benefits periodically reported on to demonstrate value.
They also knew the approach needed to be holistic. Their strategy had to address trust across key domains such as users, applications, and infrastructure. For applications, both cloud and on-premises environments needed to be evaluated against Zero Trust best practices. At the same time, the approach needed to prioritize the company’s most valuable assets—those related to critical data as well as those that presented the most attractive targets for malicious actors.
Critically, they realized that Zero Trust requires an ongoing effort. Palo Alto Networks is always adding resources and applications to support its operations. As the data estate evolves with the addition of new technologies, the Zero Trust approach needs to evolve with it. That meant embracing a process of continuous evaluation and improvement.
Browne worked closely with Palo Alto Networks senior leadership and the board to gain approval to invest in the initiative, making Zero Trust a top priority for the company. This was a critical first step to ensure Zero Trust was approached in a holistic and comprehensive manner, with broad support at the highest levels to ensure success.
To create a strategic plan and prioritize efforts, the InfoSec team took a conceptual approach that looked at Zero Trust by asking a series of questions:
This approach led the team to establish a data-focused strategy. The applications that use the data need to be secured, and the security has to extend across all infrastructure. The data must be protected from unwanted access or use by any application, device, or user—and all points of access have to be visible to administrators.
Explains Browne: “Identifying our ‘crown jewels’ and knowing where they reside on the network allows us to map user and application access and infrastructure components to a Zero Trust strategy.”
Using this approach, the InfoSec team is able to measure the effectiveness of its Zero Trust methodology through audits of the organization’s most valuable data assets. Demonstrating that those assets remain secure validates the investments and support of senior leadership and the board.
Partnering with product teams to accelerate innovation
Within Palo Alto Networks, the InfoSec team is regarded as the “First Customer.” This gives it unfettered access to product teams to customize solutions for the company’s network—a process that also improves the solutions Palo Alto Networks delivers to customers. By working with these teams, InfoSec was able to optimize solutions to meet the specific needs of Zero Trust.
For example, correctly applying User-ID, App-ID, and Device-ID allowed the InfoSec team to confidently establish broad visibility and understand the nature of traffic across the network. By utilizing a combination of on-premises Next-Generation Firewalls and Prisma Access, they achieved segmentation and controls. They also established permissions ensuring that access to valuable data, resources, and applications requires validation, and they added multifactor authentication for every user at all times.
This allowed the team to create and implement a series of Zero Trust policies, addressing:
They also ensured that the organization’s Security Operations Center (SOC) had visibility into all applications using data that held organizational risk.
For Palo Alto Networks, establishing an effective Zero Trust methodology ensures that the company’s most valuable data assets remain secure and that there’s a way to enhance that security with increasing granularity over time. As it continues on the Zero Trust journey, this methodology supports ongoing digitization efforts and the InfoSec team’s work to improve Palo Alto Networks’ overall security posture.
Just as Browne’s first Zero Trust initiative helped to optimize Palo Alto Networks’ products, the ongoing Zero Trust process allows the InfoSec team to work with product developers to surface issues and provide feedback on product roadmaps. This has enabled the team to increase visibility into its own rapidly expanding data estate, simplify the management tools needed to support Zero Trust, and maintain the security it needs in an increasingly intense threat landscape.
As Palo Alto Networks delivers these product improvements to the market, it’s helping other organizations think about and implement an effective Zero Trust strategy. The challenges Palo Alto Networks surmounted are common to any enterprise with a significant digital estate; the approach Browne and his team defined brings the same benefits to every customer.
One of the most significant benefits of the project has been the way a “follow the data” approach helps customers’ security leaders talk to their C-suites and boards about Zero Trust. “CIOs and CISOs can talk about protecting data versus talking about a thousand metrics nobody can follow,” Browne explains. “This is a story they can tell.” It’s a compelling story that allows security teams to achieve meaningful outcomes and demonstrate success.
Developing an effective approach to Zero Trust is an important achievement for Palo Alto Networks. For Browne and his team, however, it’s only the beginning. Given the dynamic nature of today’s data, applications, networks, and cloud environments, there will always be a need to evolve a Zero Trust approach to keep pace with technology and business.
That has the team looking ahead to new opportunities to increase the effectiveness of Palo Alto Networks’ Zero Trust approach. As it does, the InfoSec team will build on the cycle of self-improvement inherent in its own methodology—contributing to the product development that makes Palo Alto Networks the world’s leading provider of network security.
Find out more about how Palo Alto Networks’ Zero Trust methodology can help secure your organization’s data, endpoints, and applications.