Palo Alto Networks is the cybersecurity partner of choice for over 70k customers in more than 150 countries. Pursuing a mission to make every day more secure, we provide the visibility, trusted intelligence, automation, and flexibility to help complex organizations advance securely. Our comprehensive security portfolio protects more than a billion people around the globe.
Like most large enterprises, our own network has seen a dramatic increase in remote access and reliance on software as a service (SaaS) applications in recent years. As this shift has expanded the attack surface, we have experienced a rising number of attempted cyberattacks, making a Zero Trust approach to security mission-critical for our organization.
Zero Trust has been a priority for Palo Alto Networks for several years, but in 2021, our chief information security officer Niall Browne and his information security (InfoSec) team set out to create an effective methodology to significantly evolve our own Zero Trust posture. As we pursued this project, the team built an intuitive methodology that allows us to continually advance our Zero Trust framework as the company evolves.
"We knew Zero Trust was critical. We also realized that we needed an approach we could communicate, achieve wins with, and then replicate."
– Niall Browne
Chief Information Security Officer, Palo Alto Networks
Confronting the rapid rate of change
As the world’s leading cybersecurity company, it is imperative for Palo Alto Networks to remain at the forefront of digitization to serve the security needs of the world’s largest and most advanced companies. As we have leaned into our own digital transformation, our use of cloud services and SaaS applications has increased rapidly. With a large, global workforce requiring remote access to respond quickly to our customers’ security needs, our endpoints have become more numerous and diverse.
Our high-profile position in the world of cybersecurity means we also possess intellectual property that’s of particular interest to hackers. That has always made us a leading target. In recent years, however, the frequency and sophistication of attacks has intensified. For Niall and our InfoSec team, the rapidly growing attack surface, coupled with the rising number of cyberattacks, presented a significant risk. Embracing Zero Trust was essential to keeping our network safe.
When we launched our initiative, there was no comprehensive, replicable process we could use as a model for achieving an enterprise-wide Zero Trust approach. The concept wasn’t new: it’s about securing the organization by eliminating implicit trust and continuously validating every stage of the digital transaction. But that can’t be achieved simply by implementing a security solution. It requires a strategic approach, with ongoing refinement and commitment.
Due to competing priorities, remaining true to a Zero Trust strategy is a challenge for any organization, even an organization such as ours, which has been a pioneer in developing Zero Trust solutions and methodologies. Our security teams are focused on keeping up with the threat landscape and the evolution of our digital environment. Current security events, as well as global attacks like the Log4j event, create distractions from a proactive method to find and mitigate new security gaps.
The speed of business and ever-expanding nature of the Palo Alto Networks ecosystem means SaaS applications are always being added, straining the InfoSec team’s ability to inventory and assess them. And, with a large, worldwide customer base to protect and support, other goals threatened to starve attention and required skill sets from Zero Trust projects.
“We knew Zero Trust was critical,” Niall says. “We also realized that we needed an approach we could communicate, achieve wins with, and then replicate.”
Defining Zero Trust in the ecosystem
To begin the process, Niall and the team needed to define what success would mean for a Zero Trust approach across our entire digital estate. By studying where other organizations had struggled, they identified both the cultural and technical elements that needed to be in place for the strategy to work.
From the outset, the team recognized that Zero Trust would require board of directors’ approval for ongoing investment. That meant the approach needed to be structured in a way that could be easily explained—and its benefits periodically reported on to demonstrate value.
They also knew the approach needed to be holistic. The strategy had to address trust across key domains such as users, applications, and infrastructure. For applications, both cloud and on-premises environments needed to be evaluated against Zero Trust best practices. At the same time, the approach needed to prioritize the company’s most valuable assets—those related to critical data as well as those that presented the most attractive targets for malicious actors.
Critically, the InfoSec team realized that Zero Trust would be an ongoing effort. At Palo Alto Networks, we are always adding resources and applications to support our operations. As the data estate evolves with the addition of new technologies, the Zero Trust approach needs to evolve with it. So, we needed to embrace a process of continuous evaluation and improvement.
"Identifying our ‘crown jewels’ and knowing where they reside on the network allows us to map user and application access and infrastructure components to a Zero Trust strategy."
– Niall Browne
Chief Information Security Officer, Palo Alto Networks
Establishing data as the priority
Niall and his team worked closely with senior leadership and the board to gain approval to invest in the initiative, making Zero Trust a top priority for the company. This was a critical first step to ensure Zero Trust was approached in a holistic and comprehensive manner, with broad support at the highest levels to ensure success.
To create a strategic plan and prioritize efforts, the InfoSec team took a conceptual approach that looked at Zero Trust by asking a series of key questions:
- What’s our most sensitive data, and where does it reside?
- What applications access our most sensitive data?
- Where do these applications reside within our infrastructure?
- Which users have access—and should they have it?
This approach led our organization to establish a data-focused strategy. The applications that use the data need to be secured, and the security has to extend across all infrastructure. The data must be protected from unwanted access or use by any application, device, or user—and all points of access have to be visible to administrators.
As Niall explains: “Identifying our ‘crown jewels’ and knowing where they reside on the network allows us to map user and application access and infrastructure components to a Zero Trust strategy.”
Using this approach, our InfoSec team is able to measure the effectiveness of its Zero Trust methodology through audits of the organization’s most valuable data assets. Demonstrating that those assets remain secure validates the investments and support of senior leadership and the board.
Partnering with product teams to accelerate innovation
Within our company, the InfoSec team is regarded as Palo Alto Networks own “first customer.” This gives InfoSec unfettered access to the product teams to customize solutions for our own network—a process that also improves the solutions we deliver to customers. By working with product teams, InfoSec is able to help optimize solutions to meet the specific needs of Zero Trust.
For example, correctly applying User-ID, App-ID, and Device-ID allowed the InfoSec team to confidently establish broad visibility and understand the nature of traffic across the network. By utilizing a combination of on-premises Next-Generation Firewalls and Prisma Access, they achieved segmentation and controls. They also established permissions ensuring that access to valuable data, resources, and applications requires validation, and they added multifactor authentication for every user at all times.
This allowed the team to create and implement a series of Zero Trust policies, addressing:
- Sanctioned, tolerated, and unsanctioned applications
- Decryption of egress traffic
- Blocking inappropriate traffic destined for a specific service by user, application, and/or device
- Deployment of security keys to high-risk employees
They also ensured that our security operations center (SOC) had visibility into all applications using data that held organizational risk.
Better security, less complexity
Establishing an effective Zero Trust methodology ensures that our company’s most valuable data assets remain secure and that there’s a way to enhance that security with increasing granularity over time. As we continue on our Zero Trust journey, this methodology supports Palo Alto Networks ongoing digitalization efforts and our InfoSec team’s work to improve our company’s overall security posture.
Just as our initial Zero Trust initiative helped to optimize Palo Alto Networks products, the ongoing Zero Trust process allows InfoSec to work with product developers to surface issues and provide feedback on product roadmaps. This has enabled the company to increase visibility into our own rapidly expanding data estate, simplify the management tools needed to support Zero Trust, and maintain the security we need in an increasingly intense threat landscape.
As we deliver these product improvements to market, we’re helping other organizations think about and implement an effective Zero Trust strategy. The challenges we confronted and surmounted are common to any enterprise with a significant digital estate; the approach that Niall and his team defined brings the same benefits to every customer.
One of the most significant benefits of the project has been the way a “follow the data” approach helps our customers’ security leaders talk to their C-suites and boards about Zero Trust. “CIOs and CISOs can talk about protecting data versus talking about a thousand metrics nobody can follow,” Niall says. “This is a story they can tell.” It’s a compelling story that allows security teams to achieve meaningful outcomes and demonstrate success.
"CIOs and CISOs can talk about protecting data versus talking about a thousand metrics nobody can follow. This is a story they can tell."
– Niall Browne
Chief Information Security Officer, Palo Alto Networks
Just the beginning of a winning Zero Trust approach
Developing an effective approach to Zero Trust is an important achievement, for both Palo Alto Networks and the overall industry. But we realize it is only the beginning. Given the dynamic nature of today’s data, applications, networks, and cloud environments, there will always be a need to evolve a Zero Trust approach to keep pace with technology and business.
Focusing on “next is now” has our teams continuously seeking new opportunities to increase the effectiveness of our Zero Trust approach, both for our own company’s benefit and for the benefit of our customers. By looking ahead, our InfoSec team will be able to continuously build on the cycle of self-improvement inherent in its own methodology—contributing to the product development that makes Palo Alto Networks the world’s leading provider of network security.
Find out more about how Palo Alto Networks Zero Trust methodology can help secure your organization’s data, endpoints, and applications. Additional information is here.