Zero Trust

Question 1

What is trust?

Answer 1

a vulnerability

Question 2

What shouldn’t be trusted and always verified? (4)

Answer 2

1. packets
2. identities
3. devices
4. services

Question 3

What does eliminating trust help to achieve? (3)

Answer 3

1. prevent successful data breaches
2. simplify operations through automation and a reduced rulebase
3. simplify regulatory compliance and audits because Zero Trust environments are designed for compliance and easy auditing

Question 4

What does DAAS stand for?

Answer 4

• Data
• Applications
• Assets
• Services

Question 5

What question needs to be asked when it comes to data?

Answer 5

What data needs to be protected?

proprietary code or processes, personally identifiable information (PII), payment card information (PCI), and personal health information (PHI) such as Health Insurance Portability and Accountability Act (HIPAA) information

Question 6

What questions needs to be asked when it comes to applications? (2)

Answer 6

1. Which applications consume sensitive information?
2. Which applications are critical for business functions?

Question 7

What question needs to be asked when it comes to assets?

Answer 7

Which assets are the most sensitive?

Supervisory Control and Data Acquisition (SCADA) controls, POS terminals, medical equipment, manufacturing equipment, and groups of critical servers

Question 8

What question needs to be asked when it comes to services?

Answer 8

Which services can attackers exploit to disrupt IT operations and negatively impact the business?

Question 9

What are the 5 steps of Zero Trust?

Answer 9

1. Define your protect surface
2. Map the protect surface transaction flows
3. Architect a Zero Trust network
4. Create the Zero Trust Policy
5. Monitor and maintain the network

Question 10

What is the protect surface?

Answer 10

what is valuable to the business—DAAS elements that need to be protected to ensure normal business operations

Question 11

Why is defining the protect surface important?

Answer 11

enables to focus on defending what really matters to the business instead of trying to identify and protect the entire attack surface or focusing on just the perimeter

Question 12

Why is the protect surface easier to protect than the perimeter?

Answer 12

it is much smaller than the perimeter

Question 13

What does mapping the protect surface transaction flows entail?

Answer 13

mapping the transaction flows or interactions between critical DAAS elements and users to understand their interdependencies - who has business reasons to access each element, in what manner, and at what time

Question 14

Why is mapping the protect surface transaction flows important?

Answer 14

helps to understand how to create a Security policy that allows only authorized users access to specific data and assets using the specified applications - helps to enforce the principle of least privilege

Question 15

What are the ways to map the transaction flows? (9)

Answer 15

1. leverage existing flow diagrams if available
2. work with application, network, and enterprise architects, as well as business representatives, to understand the purpose of applications and the transaction flow they envision
3. insert one or more FWs transparently into network in virtual wire mode to gain visibility into traffic
4. use third-party tools from Palo Alto Networks integrated partners
5. use log information from the Cortex Data Lake to gain visibility into, and map, transaction flows
6. map the flow of application data across the network, the computing objects required for each application, and who uses each application
7. find out who uses the data, where you collect, store, use, and transfer the data, and how the data is stored, encrypted, archived, or destroyed after use
8. for each asset, find out its location, who uses it, when they use it, and where the asset fits into workflows
9. map the service workflows across the environment

Question 16

When should you begin to architect a zero trust network?

Answer 16

after understanding of your protect surface and transaction flows

Question 17

What is the cornerstone of the zero trust architecture?

Answer 17

segmentation gateways—physical or virtual Palo Alto Networks next-generation firewalls that connect network segments and enforce Layer 7 policy

Question 18

What are the rules for using segmentation gateways effectively? (3)

Answer 18

1. run all traffic through a segmentation gateway
2. place segmentation gateways as close as possible to the resources they protect,
3. use them in conjunction with other Palo Alto Networks capabilities to automate as much as possible

Question 19

What should be kept in mind when designing a zero trust network?

Answer 19

ease of operation and maintenance, as well as flexibility to accommodate protect surface and business changes

Question 20

What should be done to set a best-practice configuration baseline and measure progress towards Zero Trust goals?

Answer 20

run tool to set a best-practice configuration baseline and measure progress toward your Zero Trust goals

Question 21

What are the roles of a NGFW in a zero trust network?

Answer 21

1. create a microperimeter in Layer 7 policy around each protect surface
2. aggregate security capabilities into a single control point for all traffic entering and exiting the protect surface

Question 22

Why is creating a microperimeter in Layer 7 policy around each protect surface useful?

Answer 22

prevents lateral movement because the microperimeter provides granular policy controls for who (User-ID) accesses what applications (App-ID) and resources in what manner (Content-ID) and at what time through the segmentation gateway

Question 23

On which method is the zero trust policy based on?

Answer 23

Kipling Method

Question 24

What are the Rudyard Kipling’s six-tuple questions?

Answer 24

1. who
2. what
3. when
4. where
5. why
6. how