Zero-Trust Strategy for Prisma


L1 Bithead

Hi all

I have been tasked with providing a Zero-Trust strategy document to management, related to how to implement this on our Prisma Access solution.

I am looking for some examples that I can pull from, from anyone who has already done this.

I have gone through so many Palo documents discussing all the pillars etc.; there is so much information overload that it is hard to pull from it and put it into a format that can be provided to management on how we would proceed to implement. I have provided some basics already and explained each step and what would be needed, but that was not good enough. I know that the first step is identification, authentication, applications and access to resources. Asking individuals directly only reveals "I need access to everything." Any assistance or examples would be helpful.

Thank you


11 replies

L6 Presenter

@D.Maas -- You can start with DoD or NIST publications, but I think anything you get from someone here or another company is the wrong approach. ZTNA is this overarching policy or process, but what that looks like to a particular organization will probably be different.

I think, if you were to take the original precepts of what ZTNA was and try to use Prisma Access Mobile Users (MU) or Remote Network (RN) and say that's a part of your ZTNA strategy, you're already starting off incorrectly. I think a Zscaler-type model, if you can start out with it, makes it easier to follow a "ZTNA strategy."

The concept of ZTNA has evolved though, and so have the components of what "Prisma Access" is, now especially with Palo's acquisition of Talon and folding that into Prisma Access to become Prisma Access Browser. I think as long as your organization is consistent and has answers to implement features to address the concepts of the various ZTNA pillars, that's really what you should be building.

Thank you for the information Brandon. I have looked through all of these and many others. It is difficult to come up with something on paper to lay out the strategy that management is asking for. Just copying what is being shown in all of these documents is not going to fly, and honestly I have not had to do anything like this in the past. I provided a high-level strategy and said this is what we would need to do. In this case they are asking to have something in place prior to moving our users to Prisma. Hopefully I can get the Palo vendor and my management to have a discussion so everyone is on the same page, since I feel they believe, from their point of view, that my suggestions are not good enough.

Cyber Elite

@D.Maas,

Honestly in my mind your company is looking at doing this improperly. While it might sound like a good idea in theory to have everything in place prior to migrating users to Prisma, you're introducing too much change at the same time. This not only creates a lot of various troubleshooting issues, but more importantly it damages the end-user reputation of the migration. 

I would recommend that you migrate to Prisma Access and view that as one "project" in itself. Then you would have a zero-trust "strategy" that you would need to actually design. 

 

Zero-Trust as @Brandon_Wertz mentioned isn't anything more than a strategy or policy; you won't really find any detailed information that someone can share because once you get to that level of planning information it becomes extremely centered to a particular organization. What I would recommend doing when looking at zero-trust is having an actual working group that contains individuals from each business unit that are well informed on everything that the business unit does. You need people that actually understand each of the individual business practices and what each role actually needs, otherwise you'll still be making things too generalized.

Then you go business process by business process and actually include all of the required changes to actually say that you have a zero-trust network. Keep in mind that this isn't solely about network access here, but also permission to things like file directories, applications, individual application access, the whole kit and caboodle. This will almost certainly break things as it is built out since most businesses will have exceptions for certain people performing work outside of their role that even people working with them aren't necessarily privy to. 

 

If you haven't led a project like this before I would actually recommend working with someone that can help guide you through this process and ensure that you're actually accounting for everything. It isn't that you can't do it by yourself or in a small team, but generally smaller companies will have a harder time accepting that the journey to zero-trust won't be free of issues. They tend to start seeing issues and just think that you don't know what you're doing because you're actively breaking things; involving them as much as possible in identifying requirements will help lessen that impact.

L6 Presenter

I would agree with @BPry on implementation/timeline. I don't know what your network looks like now, but depending on your organization and how large it is, it might take 6 months to a year or longer just to get everyone into Prisma Access (RN/MU/PAB). This in itself will probably be a big lift; then adding other features like user authentication/authorization, as well as going down the path of roles and locking down application access and network segmentation, ZTNA will be a 3-7 year journey.

Like was mentioned before, don't try to do too much too quickly, but your first step should be visibility. Take the steps that are least intrusive but give the most visibility or ability to apply control.

Cyber Elite

Hello,

The following is my opinion: I would force all users to utilize GlobalProtect; that way you have full control over north/south and east/west traffic.

https://skrzsecurity.net/zero-trust

Full disclosure this is my site.

Regards, 

Yeah, but from a ZTNA, enterprise perspective, Prisma Access won't always exist. In general Prisma Access is about being off-net or away from the corporate office. That's where someone's ZTNA overall design should be coming into play, and the controls that exist when remote should align with or complement the controls that exist when you're on a corporate network.

That's what I was originally alluding to: Prisma Access itself can't be a company's ZTNA design or strategy. It would need to be a component of it.

Cyber Elite

Hello,

So the idea behind my solution is that no corp resources are available unless you are on VPN. So the network just provides restricted internet access and forces users to VPN in. 

 

Hope that makes sense.
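As an added illustration of the design in the post above (this is example code written for this page, not code from the thread or from Palo Alto Networks): a small Python model of a first-match security rulebase, evaluated top-down the way PAN-OS applies one, with a constructed rulebase that encodes "on-net hosts get only restricted internet plus what GlobalProtect needs to bootstrap; corporate resources are reachable only from the tunnel zone, and only for mapped users in the right group". The audit function checks those invariants and shows how a single "temporary" LAN-to-datacenter exception breaks two of them. Zone names (lan, gp-tunnel, datacenter, untrust), the group names and the application names are assumptions chosen for the example; erp-app in particular is hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    groups: frozenset      # {"any"} = no User-ID requirement
    apps: frozenset
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    groups: frozenset      # empty = no User-ID mapping for the source address
    app: str


def _hit(selector: frozenset, value: str) -> bool:
    return ANY in selector or value in selector


def first_match(rules, flow) -> Optional[Rule]:
    """Top-down, first-match evaluation; returns the rule that decides the flow."""
    for r in rules:
        if not _hit(r.src_zones, flow.src_zone) or not _hit(r.dst_zones, flow.dst_zone):
            continue
        if not _hit(r.apps, flow.app):
            continue
        if ANY not in r.groups and not (r.groups & flow.groups):
            continue
        return r
    return None


def verdict(rules, flow) -> str:
    r = first_match(rules, flow)
    return r.action if r else "deny"   # interzone default with no matching rule: deny


def R(name, src, dst, groups, apps, action="allow"):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(groups), frozenset(apps), action)


# Constructed rulebase for the "corp resources only over VPN" design (names are assumptions).
LAN, GP, DC, UNTRUST = "lan", "gp-tunnel", "datacenter", "untrust"
RULEBASE = [
    R("lan-gp-bootstrap",   [LAN], [UNTRUST], [ANY],           ["dns", "panos-global-protect"]),
    R("lan-restricted-web", [LAN], [UNTRUST], [ANY],           ["web-browsing", "ssl"]),
    R("lan-to-corp-deny",   [LAN], [DC],      [ANY],           [ANY], "deny"),   # explicit, so it logs
    R("vpn-finance-erp",    [GP],  [DC],      ["finance"],     ["erp-app"]),
    R("vpn-eng-git",        [GP],  [DC],      ["engineering"], ["git", "ssh"]),
    R("vpn-staff-intranet", [GP],  [DC],      ["staff"],       ["web-browsing", "ssl"]),
]

# The kind of exception that creeps in during a migration: a LAN->DC allow inserted at the top.
BROKEN_RULEBASE = [R("temp-lan-to-dc", [LAN], [DC], [ANY], ["ssl"])] + RULEBASE


def audit(rules) -> dict:
    """Checks the rulebase against the design's invariants; True means the invariant holds."""
    mapped = frozenset({"staff", "finance"})
    return {
        # on-net hosts reach the internet only via the GP bootstrap apps and restricted web
        "lan_egress_restricted": verdict(rules, Flow(LAN, UNTRUST, mapped, "smtp")) == "deny"
            and verdict(rules, Flow(LAN, UNTRUST, mapped, "panos-global-protect")) == "allow",
        # corporate resources are never reachable from the LAN, even for a mapped user
        "corp_only_over_vpn": all(verdict(rules, Flow(LAN, DC, mapped, a)) == "deny"
                                  for a in ("erp-app", "ssl", "ssh")),
        # a tunnel source with no User-ID mapping gets nothing
        "vpn_requires_identity": verdict(rules, Flow(GP, DC, frozenset(), "ssl")) == "deny",
        # role-scoped access: staff cannot reach ERP, finance can
        "least_privilege": verdict(rules, Flow(GP, DC, frozenset({"staff"}), "erp-app")) == "deny"
            and verdict(rules, Flow(GP, DC, frozenset({"finance"}), "erp-app")) == "allow",
        # no allow rule into the datacenter zone without a user/group constraint
        "no_anonymous_dc_allow": not any(r.action == "allow" and DC in r.dst_zones and ANY in r.groups
                                         for r in rules),
    }


if __name__ == "__main__":
    for label, rules in (("design", RULEBASE), ("with exception", BROKEN_RULEBASE)):
        for check, ok in audit(rules).items():
            print(f"{label:15s} {'PASS' if ok else 'FAIL'} {check}")
```

The point of modelling it this way is that the invariants, not the individual rules, are what the strategy document should state; the audit can then be re-run against a rulebase export whenever an exception is added, which is exactly where these designs erode over time.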


@OtakarKlier wrote:

Hello,

So the idea behind my solution is that no corp resources are available unless you are on VPN. So the network just provides restricted internet access and forces users to VPN in. 

 

Hope that makes sense.


Yes, this is an important step when evaluating employing ZTNA controls across an enterprise, but this in itself ≠ ZTNA.

Cyber Elite

Hello @Brandon_Wertz ,

Would love to hear your thoughts on why and how to improve the design.

Regards,


@OtakarKlier wrote:

Hello @Brandon_Wertz ,

Would love to hear your thoughts on why and how to improve the design.

Regards,


@OtakarKlier -- I guess the title of the thread, to me, is mistitled. It should be "A Zero-Trust Strategy incorporating Prisma xxxxxxx". For me, given that we're starting off on the wrong foot, you're not going to achieve the outcome you're looking for.

My interpretation of ZTNA's intention is to really segment and isolate the enterprise as a whole, while creating specific granularized (authorized) access consistently throughout your enterprise no matter where you are, both logically and physically. You want to create a consistent user experience such that no matter where the user is, the user accesses resources the same way, and the support and oversight of the technical components are consistent for the IT and SecOps support teams.

ZTNA is the realization that cyber exploitation/compromise in a legacy network design is a foregone conclusion, and networks/applications need to mirror to a degree the controls that exist in more secured networks like PCI or the military.

The above stated, if someone is going to leverage Prisma Access Mobile Users (VPN), that's one external component; are there others? Is there a VDI solution? What's that OEM? What controls exist there? What does access from the internal network look like? What visibility is there? What controls exist? Are they the same as when a mobile user? If as a MU you're super locked down with great visibility, but internally you're wide open, with little control and near zero visibility, with visibility just on what's happening externally, then that's not really a ZTNA paradigm. At all layers of your network you should have consistent application- and user-based controls, business-application-based access restrictions, as well as some level of network access control (NAC) employment.

To do this you're going to want components that integrate with each other, sharing data, visibility and functionality (if possible). A single pane of glass into your entire enterprise. So if you block or allow something, that action should be executed in one location (view) with the action happening in maybe 4+ separate network segments/layers.

Hello @Brandon_Wertz ,

Thank you for your thoughts. You are correct and I agree with you. The VPN is only a portion of the over all strategy.

 

Cheers!

  • 4 accepted solutions
  • 1260 Views
  • 11 replies
  • 0 Likes