WhatIsZeroTrust

#WhatIsZeroTrust?
What is Zero Trust to you? Join us to share your thoughts and opinions on this security strategy.
Palo Alto Networks

How can leaders drive Zero Trust within their organizations?
Tom Hollingsworth
Understand the business goals of what Zero Trust offers. It's not a magic wand. It's a strategy that assists other technologies and makes them more effective.
Rob Reiter
Use the business strategy to outline where in the business plan #zerotrust supports initiatives. Engage with a Zero Trust partner. Use stories to illustrate the benefits and drive the message home.
John Kindervag
Luckily I've got a slide for that! https://www.crowdchat.net/s/25vx1

Lieuwe Jan Koning
@NetworkingNerd fully agree! Spread the word. Point to videos that explain zero trust. And if you build a new environment, or start moving to the cloud, make sure you involve someone who has done it before.
John Kindervag
Here are common misconceptions about #ZeroTrust https://www.crowdchat.net/s/05vx5

Andrew McLean
Here’s a harder one. If you had to sum up in a sentence to a CIO why Zero Trust should be adopted, what would it be?
Rob Reiter
Zero Trust is a business enabler, with long-term ROI rooted in risk reduction, agility & complexity reduction.
Andre Van Zyl
want to get rid of those red audit findings....adopt zero trust. PS It can be free!

Lieuwe Jan Koning
I would add that it is the only effective security strategy against lateral movement. Note that most big hacks would not have been there without lateral movement.
Chris Pugrud
#ZeroTrust simplifies the process of focusing our security controls on protecting our most critical assets.
Eila
Hear, hear to the compliance benefit!!

John Kindervag
Also it gives them a vision. I was just out speaking at a bank's board of directors meeting last month. The CEO needs a vision in Cyber. #ZeroTrust gives it to them.
Lieuwe Jan Koning
What about this infographic for the CISO (instead of a sentence :)) https://on2it.net/zero-trust-infographic/
https://on2it.net/wp-content/uploads/2019/09/ON2IT-infographic-zero-trust-security-model-201902.pdf
John Kindervag
I've had CIOs tell me that the cost savings in the Audit world more than paid for their Zero Trust environment.
Andre Van Zyl
Should Zero Trust not be something that you pitch to both CIO and the Risk Manager?
Rob Reiter
ZT should be pitched to the entire leadership team, as it's a strategy that impacts everyone from the CIO, CRO, CFO, etc.
Eila
Adding on to what Rob said, it also needs their buy-in as it drives cultural change.
Palo Alto Networks
Thanks everyone for all your great questions and points raised so far! Keep 'em coming. Next question from me:

What is a good starting point for Zero Trust?
Rob Reiter
We chose the basics. Identifying sensitive data & flows, mapping critical applications & roles. Starting off with less-critical applications vs. crown jewels.
John Kindervag
I call this DAAS elements. Data, Applications, Assets, and Services. Put those in the Protect surface.
Rob Reiter
It's all about the data! Then we looked at user governance, devices, etc. All of this was mapped back to the business case to outline the ROI savings we calculated
Tom Hollingsworth
I would agree with Rob here. You have to know what you want to protect before you start writing rules #ZeroTrust
Andrew Webster
So far this is all pretty high level stuff, can we see some nuts and bolts of this in action?
John Kindervag
Yes you can see it in action in your organization. We do POCs on this all the time. A bit of a challenge to do it via Twitter. :-) This should help: https://docs.paloaltonetworks.com/best-practices/9...
https://docs.paloaltonetworks.com/best-practices/9-0/zero-trust-best-practices.html
Zero Trust Best Practices
Learn how to implement Zero Trust strategy with Palo Alto Networks, from where to start to how to execute and maintain the deployment.
Andrew Webster
@Kindervag Is 9.0 a requirement to enjoy the benefits of #ZeroTrust?
Rob Reiter
You can also look at our journey on how we implement #zerotrust on our cloud offering to provide our clients with a #zerotrust base - https://www.paloaltonetworks.com/customers/fnts
https://www.paloaltonetworks.com/customers/fnts
FNTS Case Study - Palo Alto Networks
Nebraska-based cloud hosting and managed services provider FNTS transformed its cloud hosting environment by adopting a hyperconverged, micro-segmented, and software-defined infrastructure. Traditional security approaches did not align with this new ...
John Kindervag
Yes @NetworkingNerd. How can you protect something if you don't know what to protect in the first place? That was always the issue when I was an engineer. "Protect all the invisible stuff!"
Lieuwe Jan Koning
No. We have built ZT networks since PANOS 2.6. You would like some technical pointers?
John Kindervag
No, 9.0 is not a requirement. Having a 9.0 Panorama management console absolutely speeds things up though. But it will work with your 8.0 PAN-OS devices.
Lieuwe Jan Koning
When we focus on ZT with a firewall, first of all, you need to know what systems belong to what data. So some mapping of "ERP" or "HR" to an IP address. And make sure you route the traffic through a NG-FW so you see and control all traffic.
Lieuwe Jan Koning
Then make a mini-firewall policy for inbound and outbound traffic, specific to that microsegment.
mRr3b00t
asset and data identification and business context would seem sensible to me as a starting point
Rob Reiter
If you want to start at an even more basic level, as @Kindervag put it, 9.0 simplifies visibility by mapping rules with application context to help you narrow/clean-up and map data flows
Lieuwe Jan Koning
On a technical level, a microsegment is a list of IPs (in on-prem) or a list of ARNs (in AWS, for example).
Lieuwe Jan Koning
@Rob_Reiter 9.0 certainly helps in creating an App-based firewall policy, since it can easily transform traffic logs into an app-id based firewall policy.
Andrew Webster
@lieuwejan Would that require micro-segmenting the network so each system is compartmentalized so that lateral movement between systems must pass through the firewall?
John Kindervag
Yes, @lieuwejan but we create the micro-segment automatically by creating a micro-perimeter in Layer 7 policy.
Lieuwe Jan Koning
Yes, as much as possible; however: microsegmentation is often misunderstood. It does NOT mean that every server needs to be behind the firewall individually. Just all servers that belong together in a microsegment as a group need to be.
Tom Hollingsworth
@Kindervag The biggest disasters I see in security involve creating policy in a vacuum because you needed something on paper instead of figuring out what you needed to write first.
John Kindervag
Substitute "Protect Surface" for "micro-segment" and you'll more easily understand the foundational difference with Zero Trust. https://blog.paloaltonetworks.com/2018/09/define-p...
https://blog.paloaltonetworks.com/2018/09/define-protect-surface-massively-reduce-attack-surface/
Define a Protect Surface to Massively Reduce Your Attack Surface
John Kindervag on how defining a protect surface can reduce your attack surface.
Lieuwe Jan Koning
So, all servers that belong to your intranet system as one big group, webservers, app-servers, databases. They can all be in a single segment.
Rob Reiter
You certainly have that option, too. We chose to implement microsegmentation on our HPC cloud, and inspect/force all traffic through the NGFWs. It did simplify policy creation & management, but not a requirement.
John Kindervag
Yes, @NetworkingNerd. That's why we engage the business early and often. That's also why I created the Kipling Method. I've taught CFOs how to create Zero Trust policy!
Andrew Webster
@Rob_Reiter Sizing / capacity requirements must be an important consideration in NGFW selection, much more than in a traditional deployment?
Rob Reiter
It's necessary. We standardized on certain NGFW models and scale horizontally with the same reqs unless we have a specific workload that requires more resources.

Andrew Webster
@Kindervag Hence the need for the data owner's buy-in.
John Kindervag
Yes, proper sizing is important. We are putting the segmentation gateway as close as possible to the protect surface so make sure you factor that in.
Rob Reiter
Ensuring the right workloads are steered to the right NGFW based on policy and not trying to do everything, everywhere.
Lieuwe Jan Koning
Ideally, yes. But not necessarily. If you do not or cannot know what kind of data flows the data owner intends to allow, you can always deduce from actual traffic; that will make a great starting point.
Andrew Webster
@lieuwejan I can certainly see that in situations where the data owner is not available. (Legacy systems).