The continued, high frequency of successful cyberattacks against today’s enterprises has made it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. There is inadequate visibility, control and protection of user and application traffic transiting high-risk network boundaries, and an outdated assumption that everything on the inside of an organization’s network should be trusted.

The Zero Trust architecture approach, first proposed by Forrester Research, is intended to address this by promoting "never trust, always verify" as its guiding principle. With Zero Trust there is no default trust for any entity, including users, devices, applications, and packets, regardless of what it is or where it sits on, or relative to, the corporate network. By establishing Zero Trust boundaries that compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and limit the lateral movement of malware through your network.

Some organizations use virtual local area networks (VLANs) to segment their network, but a VLAN only isolates traffic at layer 2: it has no notion of which application, user or content is crossing a boundary, so it cannot enforce controls on privileged information, and by itself it cannot inspect the traffic for threats. True Zero Trust network segmentation requires an enterprise security platform that understands your applications, users, and content.

The Palo Alto Networks enterprise security platform addresses critical Zero Trust concepts such as:

  • Secure access — GlobalProtect™ delivers consistent secure IPsec and SSL VPN connectivity for all employees, partners, customers, and guests wherever they’re located (e.g., at remote/branch offices, on the local network, or over the Internet). Policies to determine which users and devices can access sensitive applications and data can be defined based on application, user, content, device, and device state.
  • Inspection of ALL traffic — App-ID™ identifies and classifies all traffic by application, regardless of port or protocol, evasive tactics such as port hopping, or encryption (content inspection of TLS sessions requires the platform to decrypt them). This removes the methods malware uses to hide from detection and provides complete context into applications, associated content, and threats.
  • Least-privilege access control — The combination of App-ID, User-ID™, and Content-ID™ delivers a positive control model that allows organizations to control interactions with resources based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, user and group identity, and the specific types or pieces of data being accessed (e.g., credit card or social security numbers). Compared to alternative solutions, which let too much traffic through because they are limited to port- and protocol-level classification, the result is truly granular access control that safely enables the right applications for the right sets of users while automatically blocking unwanted, unauthorized, and potentially harmful traffic from entering the network.
  • Advanced threat protection — A combination of anti-virus/anti-malware, intrusion prevention, and advanced threat prevention technologies (Content-ID and WildFire®) provides comprehensive protection against both known and unknown threats, including threats on mobile devices. In addition, support for a closed-loop, highly integrated defense ensures that inline enforcement devices and other components in the threat protection framework are automatically updated with the findings from WildFire and other sources of threat intelligence.

To get started, IT security teams can use our virtual wire deployment mode to deploy Palo Alto Networks devices non-disruptively at one or more locations in the network. Virtual wire places a device inline transparently, with no change to the addressing, routing or switching of the surrounding network; in the initial listen-only phase its policy permits and logs all traffic rather than blocking any of it. The resulting logs give a detailed picture of transaction flows throughout the network, including where, when and to what extent specific users are using specific applications and data resources. Armed with these details, the security team can incrementally deploy devices in appropriate locations to establish internal trust boundaries for the identified trust zones, and configure the enforcement and inspection policies that effectively put each trust boundary "on line."
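The listen-then-enforce procedure above, combined with the positive control model from the "Least-privilege access control" bullet, is sketched below in Python as an added example. It is not Palo Alto Networks code, and the flow records, field names and zone names are constructed for illustration rather than taken from any PAN-OS log or configuration format: a listen-only phase produces per-boundary counts of which user group used which application, the security team approves a subset, and the resulting policy allows only that subset and denies everything else, matching on application and group rather than on port.

```python
"""Listen-then-enforce sketch: summarize flows observed in a listen-only phase,
turn the approved subset into an allow-list, and evaluate new flows against it
with a default deny. Added example; field names and log shape are assumptions,
not a PAN-OS log or configuration format."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows from the listen-only phase. "app" is the application
# as classified from content (App-ID style); "port" is kept only to show that
# the port says nothing about which application is actually in use.
OBSERVED_FLOWS = [
    {"src_zone": "users",  "dst_zone": "finance",  "app": "sap",          "group": "finance-staff", "port": 443},
    {"src_zone": "users",  "dst_zone": "finance",  "app": "sap",          "group": "finance-staff", "port": 443},
    {"src_zone": "users",  "dst_zone": "finance",  "app": "web-browsing", "group": "finance-staff", "port": 443},
    {"src_zone": "users",  "dst_zone": "finance",  "app": "ssh",          "group": "contractors",   "port": 443},
    {"src_zone": "guests", "dst_zone": "finance",  "app": "smb",          "group": "guests",        "port": 445},
    {"src_zone": "users",  "dst_zone": "internet", "app": "web-browsing", "group": "all-staff",     "port": 80},
]

# What the business signed off on after reviewing the summary (assumed).
APPROVED = {
    ("users", "finance", "sap", "finance-staff"),
    ("users", "internet", "web-browsing", "all-staff"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    app: str      # "any" appears only in the trailing deny rule
    group: str
    action: str   # "allow" or "deny"


def summarize_flows(flows):
    """Count observed (app, group) pairs for each (src_zone, dst_zone) boundary."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in flows:
        summary[(f["src_zone"], f["dst_zone"])][(f["app"], f["group"])] += 1
    return {zones: dict(pairs) for zones, pairs in summary.items()}


def unapproved_observed(summary, approved):
    """Flows seen in the listen phase that nobody has approved: the review list."""
    seen = {(src, dst, app, group)
            for (src, dst), pairs in summary.items()
            for (app, group) in pairs}
    return sorted(seen - approved)


def build_positive_policy(summary, approved):
    """Allow only approved (boundary, app, group) combinations; everything else,
    whether it was observed or not, falls through to the trailing deny."""
    rules = [Rule(src, dst, app, group, "allow")
             for (src, dst), pairs in sorted(summary.items())
             for (app, group) in sorted(pairs)
             if (src, dst, app, group) in approved]
    rules.append(Rule("any", "any", "any", "any", "deny"))
    return rules


def _matches(rule_value, flow_value):
    return rule_value == "any" or rule_value == flow_value


def evaluate(policy, flow):
    """First-match evaluation on zone, application and user group; the port is
    deliberately never consulted."""
    for r in policy:
        if (_matches(r.src_zone, flow["src_zone"]) and _matches(r.dst_zone, flow["dst_zone"])
                and _matches(r.app, flow["app"]) and _matches(r.group, flow["group"])):
            return r.action
    return "deny"  # unreachable with the trailing deny; kept as defense in depth


if __name__ == "__main__":
    summary = summarize_flows(OBSERVED_FLOWS)
    print("needs review:", unapproved_observed(summary, APPROVED))
    policy = build_positive_policy(summary, APPROVED)
    for f in OBSERVED_FLOWS:
        print(f["src_zone"], "->", f["dst_zone"], f["app"], f["group"], "=>", evaluate(policy, f))
```

Two flows in the sample both use port 443 toward the finance zone, but one is SAP used by finance staff and the other is SSH used by contractors; a port-based rule would treat them identically, while the application- and group-based policy allows the first and denies the second. The web-browsing flow into the finance zone was observed during the listen phase but never approved, so it is denied as well, which is the point of a positive model: observation informs the allow-list, it does not become it.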

With the right Zero Trust architecture for your network, you will gain unparalleled situational awareness of malicious activity, prevent the exfiltration of sensitive data and simplify adherence to compliance regulations.
