Zero Trust: A Transformation Roadmap

The goal of the cybersecurity industry is to prevent successful cyberattacks – "success" meaning the exfiltration of sensitive and/or valuable data. This is becoming progressively more difficult to achieve due to the growing sophistication and scale of attacks. As an industry, we need to change our approach and architectures to protect our environments.

Although there are many point products available in the industry to tactically address threats, the industry is still struggling with some additional challenges: proliferation of products, duplicate features, increasing operational costs and shortage of skilled resources. Traditional approaches to cybersecurity have increased these challenges because they lack automation and integrated capabilities. Forrester® introduced Zero Trust as a modern strategy to prevent successful cyberattacks. This paper will explain how to achieve Zero Trust by transforming to a prevention-based architecture with the Palo Alto Networks® Security Operating Platform.

What Is Zero Trust?

Zero Trust is a cybersecurity strategy designed around the concept that users, applications and data should never be trusted, and their actions should always be verified in an environment. The strategy involves limiting the scope of an attack and blocking lateral movement by leveraging micro-segmentation based on users, data and location. To achieve Zero Trust, you must start with identifying what needs to be protected and where it is located. This is called the "protect surface" – the users, applications, data and services to be protected – and should be limited to the smallest possible scope. The transaction flows across the protect surface must be understood so that policies can be created to prevent successful attacks against it. This differs from traditional approaches in that it focuses on the individual pieces to be protected instead of perimeter protection.

Figure 1: A model of Zero Trust

How Do You Implement Zero Trust?

Zero Trust is implemented with a prevention-based architecture, which numerous capabilities of the Security Operating Platform provide the tools to achieve. A prevention-based architecture grounds your security approach in prevention. The process of transformation to this architecture is defined in four levels.

Prevention-Based Architecture Transformation Model

This model, depicted in Figure 2, focuses on four levels of adoption of platform functionality to achieve specific outcomes and, ultimately, Zero Trust. Fully achieving each transformation level also requires operational transformation. This ensures the processes and expertise are in place to maintain the current capabilities and avoid reverting to traditional approaches.

Figure 2: Prevention-based architecture transformation levels

Transformation Level 1: Visibility into Non-Encrypted Traffic

The primary focus of this level is to migrate from legacy technologies and achieve a baseline of visibility and awareness into user activity, network traffic and threats. Greater visibility means lower risk. This begins with the foundational requirements for the successful integration of the platform into the environment, followed by the functions of the platform that provide visibility into activity and usage so that operations personnel can refine controls and utilize the rich information this visibility provides.

Technical capabilities:

  • Layer 3/4 policy migration from legacy technology for basic traffic visibility and blocking
  • User-ID™ technology deployed
  • Threat Prevention subscription enabled in alert mode
  • URL Filtering enabled in alert mode
  • WildFire® malware prevention service enabled in alert mode for zero-day malware and exploit visibility
  • Cloud application visibility obtained
  • SSL decryption strategy created
  • Formal documentation of existing operational processes created
  • Staff fully trained on current technologies in place
  • Effectiveness of controls assessed (best practice alignment, threat and traffic analysis)


  • Visibility into your clouds, network and endpoints
  • Platform consolidation for traceability and audit purposes
  • Improved efficiency in policy administration
  • Automated threat intelligence
  • Automated alerting on known and unknown threats

Transformation Level 2: Control of All Traffic by Reducing the Attack Surface

The aim of this level is to achieve complete visibility into the environment, based on your organization's business goals and requirements. You can use the information you gain through this visibility to make better and safer decisions on how to secure your environment. This allows for tighter controls around network traffic through application recognition and enforcement, file transfer restrictions, and segmentation.

Technical capabilities:

  • Layer 7 policy created and deployed in block mode
  • Unsanctioned applications blocked
  • Network segmentation implemented
  • Threat Prevention subscription enabled in block mode
  • URL Filtering enabled in block mode
  • WildFire enabled in block mode for zero-day malware and exploit visibility
  • Endpoint environment deployed
  • SSL decryption strategy deployed
  • Operational process requirements redefined; automation applied
  • Staff fully trained on current technologies in place
  • Effectiveness of controls assessed (best practice alignment, threat and traffic analysis)


  • Granular visibility and precise control of encrypted traffic
  • Network segmentation
  • Network, endpoint and application blocking
  • URL/Unsanctioned application blocking
  • Prevention of known and unknown malware and exploits
  • Stabilization of SOC resources with less low-fidelity data sent to the SOC

Transformation Level 3: Enforcement of Advanced Security Policy

The third level focuses on refining the existing configurations for enhanced prevention enforcement, measurement and analytics. At the completion of this level, all desired features of the platform are functional, and operational processes exist to operate, maintain and continually update prevention controls as required by the ever-changing threat landscape.

Technical capabilities:

  • Policies evolved and enhanced
  • Application and user segmentation enacted
  • Last-mile threat analysis/tuning/recategorization/blocking configured
  • AutoFocus™ contextual threat intelligence service, MineMeld™ threat intelligence syndication engine and Magnifier™ behavioral analytics deployed
  • Fileless attack prevention in place
  • Cloud compliance managed
  • Executive reporting and measurements established and automated
  • SSL decryption strategy optimized; decrypted traffic incorporated into threat framework
  • Operational process requirements redefined; automation applied
  • Staff fully trained on current technologies in place
  • Effectiveness of controls assessed (best practice alignment, threat and traffic analysis)


  • Complete control of application flows and user access
  • Process integration between your network and security operations centers
  • Closed-loop process for security use cases
  • Enablement of development flexibility; acceleration of business
  • Public and private cloud protection
  • VM policy templates for automated provisioning
  • Reporting of unsanctioned URLs/applications for lines of business

Transformation Level 4: Integration Across All Deployment Scenarios

The fourth level achieves a full technology and operational transformation across all deployment scenarios, including network, endpoint and cloud, as adopted based on your business needs. Following Level 3, you have achieved a best-practice stance for granular visibility and precise control of users, apps and threats. The fourth level is about enhancing and expanding the capabilities of the platform by providing advanced features in the areas of securing software-as-a-service type applications, threat analytics, Application Framework applications and other cloud-based alternatives to contemporary services. The Security Operating Platform has advance features to assist you on this journey.

Technical capabilities:

  • NGFW fully deployed with evolved Layer 7 policies
  • Traps™ advanced endpoint protection deployed
  • SaaS applications secured with Aperture™ SaaS security service
  • Threat intelligence orchestrated with MineMeld; new prevention-based controls enforced
  • Remote and branch-to-branch access secured with GlobalProtect™ cloud service
  • Palo Alto Networks Logging Service configured
  • Extraction, correlation and analytics of threat intelligence enabled with AutoFocus
  • API-based cloud security in place
  • Operational process requirements redefined; automation applied
  • Staff fully trained on current technologies in place
  • Effectiveness of controls assessed (best practice alignment, threat and traffic analysis)


  • Zero Trust achieved with Levels 1, 2 and 3 met for all deployment scenarios
  • Centralized management in place
  • Third-party applications utilized from the Application Framework for automation and orchestration
  • GlobalProtect cloud service, Aperture, Directory Sync and Logging Service deployed
  • New capabilities rapidly adopted
  • Executive reporting and measurements established and automated

Operational Transformation

The four levels of transformation are only complete when paired with the operational components necessary to operate and maintain the platform features. Operational transformation establishes the steady-state processes and people changes required to maintain the transformation after the project is complete. This includes process documentation, education and training, prevention assessment, application of automation, and measuring/revising progress.

How Do You Measure Transformation Progress and Effectiveness of Controls?

Confidence in your controls comes in two categories: configuration confidence and operational confidence. Configuration confidence is the assurance that your technologies are running as intended and configured according to best practices. Operational confidence is the assurance that you have the skilled resources and processes in place to handle an attack when it happens. Various tools provided by Palo Alto Networks can measure this confidence.

Evaluate Visibility with the Security Lifecycle Review

The Security Lifecycle Review, or SLR, is a tool that can help you gain visibility into what is happening on your network. It provides a full understanding of which applications are being used, including "shadow" applications that your IT depart may not have authorized. It will show URL traffic and content types, as well as catalog all potential threats on the network, known and unknown, including those linked to user behavior. The final report includes recommendations for handling the risks identified.

Figure 3: SLR excerpt example

Evaluate Control with the Best Practice Assessment

The Best Practice Assessment, or BPA, is a tool that can help you assess security capabilities in different parts of your environment as well as your adherence to best practices. The results are provided as a heatmap depicting feature use throughout your network. Additionally, the online report includes detailed information about controls that do not align with best practice recommendations and information about how to update them.

Figure 4: Heatmap results from a BPA

Figure 5: Example output of a BPA

Evaluate Enforcement with the Expedition Tool

The Expedition transformation and best practices adoption tool will help with your initial migration and policy consolidation from legacy technology as well as take advantage of machine learning to refine security policies. The tool will create security policies for implementation based on application consumption analyses by users and servers. It will also enrich security policies and reduce the attack surface by replacing objects to open with the current users, applications and zones seen in traffic logs. Expedition makes it easy to replace old application override rules with new custom timeouts, from services available with PAN-OS®, to increase visibility.

Figure 6: Example output from the Expedition tool

Evaluate Effectiveness of Controls with a Threat Assessment Workshop

In a collaborative workshop environment, our expert consultants will perform a health check to analyze your configuration and traffic, determine the effectiveness of your controls, and provide recommendations on how you can improve your prevention posture. The traffic analysis is performed with your team to help you make evidence-based modifications to your controls to better protect against active threats.

Figure 7: Example output from the threat assessment

What Is the Recommended Approach to Zero Trust Transformation?

This transformation can be performed over time, incrementally, without disrupting your environment. We recommend you start with a well-known and well-understood part of your network, such as a branch office or a main data center. This will further reduce risk because of your team's knowledge of, and comfort with, the existing architecture. You can also run the new policies with the old once to gain confidence in their effectiveness. Once you've transformed one area of your network, you can expand to other parts of the environment.

You may also consider moving workloads to the cloud. Since controls are close to the protect surface, policies are not tied to a location and will move with the workloads as they migrate to the cloud.

What Are the Benefits of Implementing Zero Trust?

Once achieved, Zero Trust provides numerous benefits, including:

  • Prevention of successful cyberattacks.
  • Simplified operations though automation and a reduced rule set.
  • Increased confidence in your controls.
  • Situational awareness of enterprise computing activity, legitimate or otherwise.
  • Strict enforcement of a least-privileged access control policy, essential to reducing the attack surface.
  • Dramatic enhancement of your organization's ability to prevent exfiltration of sensitive data.
  • Simplified compliance with applicable standards and regulations, using trust boundaries to segment sensitive resources.
  • Accommodation of business-driven IT initiatives, such as user mobility, social networking, infrastructure virtualization and cloud computing, in a secure and easily adaptable manner.
  • Reduced total cost of ownership through the use of a single, consolidated security platform across your entire computing environment instead of a collection of disconnected point products.