Problem

The continued, high frequency of successful cyberattacks against today’s enterprises has made it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. There is inadequate visibility, control and protection of user and application traffic transiting high-risk network boundaries, and an outdated assumption that everything on the inside of an organization’s network should be trusted.

The Zero Trust architecture approach, first proposed by Forrester Research, is intended to address this by promoting "never trust, always verify" as its guiding principle. With Zero Trust there is no default trust for any entity — including users, devices, applications, and packets — regardless of what it is and its location on or relative to the corporate network. By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network.

Some organizations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they are unable to enforce the control of privileged information. In addition, by itself, a VLAN cannot inspect your traffic for threats. True Zero Trust network segmentation requires an enterprise security platform that understands your applications, users, and content.

Solution

The Palo Alto Networks enterprise security platform addresses critical Zero Trust concepts such as:

  • Secure access — GlobalProtect™ delivers consistent secure IPsec and SSL VPN connectivity for all employees, partners, customers, and guests wherever they’re located (e.g., at remote/branch offices, on the local network, or over the Internet). Policies to determine which users and devices can access sensitive applications and data can be defined based on application, user, content, device, and device state.
  • Inspection of ALL traffic — App-ID™ accurately identifies and classifies all traffic, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. This eliminates methods that malware may use to hide from detection and provides complete context into applications, associated content, and threats.
  • Least privilege access control — The combination of App-ID, User-ID™, and Content-ID™ delivers a positive control model that allows organizations to control interactions with resources based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, user and group identity, and the specific types or pieces of data being accessed (e.g., credit card or social security numbers). Compared to alternative solutions, which let too much traffic through because they’re limited to port and protocol level classification, the result is truly granular access control that safely enables the right applications for the right sets of users while automatically blocking unwanted, unauthorized, and potentially harmful traffic from gaining access to the network.
  • Advanced threat protection — A combination of anti-virus/malware, intrusion prevention, and advanced threat prevention technologies (Content-ID and WildFire®) provides comprehensive protection against both known and unknown threats, including threats on mobile devices. In addition, support for a closed-loop, highly integrated defense ensures that inline enforcement devices and other components in the threat protection framework are automatically updated with the findings from WildFire and other sources of threat intelligence.

To get started, IT security teams can take advantage of our virtual wire deployment mode to non-disruptively deploy Palo Alto Networks devices at one or more locations within your network. With the devices configured in listen-only mode, you can then obtain a detailed picture of transaction flows throughout the network, including where, when and to what extent specific users are using specific applications and data resources. Armed with these details, your security team can then incrementally deploy devices in appropriate locations to establish internal trust boundaries for identified trust zones, and configure the appropriate enforcement and inspection policies to effectively put each trust boundary "on line."

With the right Zero Trust architecture for your network, you will gain unparalleled situational awareness of malicious activity, prevent the exfiltration of sensitive data and simplify adherence to compliance regulations.

Related Content

GlobalProtect Datasheet

GlobalProtect extends the protection of the Palo Alto Networks Next-Generation Security Platform to your mobile workforce, no matter where they may go.

WildFire

Palo Alto Networks WildFire cloud-based threat analysis service is the most advanced analysis and prevention engine for zero-day exploits and malware.

SilverTerrier: The Rise of Nigerian Business Email Compromise

Through our analysis, it remains clear that Nigerian cyber actors will continue to expand their attacks in terms of size, scope and capabilities. According to law enforcement organizations, the exposed losses to businesses worldwide from these threat actors are now estimated to be more than US$3 billion. Given the substantial risk these actors pose, we present techniques to enable large-scale attribution efforts to combat this threat. In doing so, we demonstrate a repeatable and sustainable process to identify SilverTerrier infrastructure and put preventive measures in place prior to the first samples of malware reaching our security products.

GlobalProtect Deployment Guide

Read how organizations can use Palo Alto Networks GlobalProtect to provide a secure environment for the increasingly mobile workforce.

Replacing Traditional Remote Access VPN With GlobalProtect

This solution brief provides an overview for using GlobalProtect as remote access VPN.

GlobalProtect Cloud Service

Global expansion, mobile workforces and cloud computing are shifting the locations of your applications, data and users. These changes introduce new opportunities for business efficiencies, but they also create a set of unique cybersecurity challenges.