# A QA on Zero Trust

By [Palo Alto Networks](https://www.paloaltonetworks.com/blog/author/palo-alto-networks-staff/?ts=markdown "Posts by Palo Alto Networks") | Feb 21, 2012

I mentioned in my last blog that we're kicking off a **[Data Center Summit](https://www.paloaltonetworks.com "Data Center Summit")** starting in Dallas, Texas today. One of the special guests at our seminar will be John Kindervag from Forrester Research, presenting on the Zero Trust Model.
If you haven't yet heard of Zero Trust, check out the video [here](http://www.paloaltonetworks.com/literature/video/forrester-kindervag.php "Zero Trust Video"). Given the current state of attacks on organizations, this new security model, called "Zero Trust", recommends that enterprises take a new architectural approach to securing their networks. Kindervag's model recommends trusting no one (not even internal users), ensuring secure access to all resources, and inspecting and logging all traffic, among other things. He also introduces what he calls a network segmentation gateway, or a "firewall on steroids", that does firewall, IPS, content filtering and encryption without a performance impact.

A lot has been written about the Zero Trust model, but we really wanted to drill down on its actual implementation, in particular in the data center. We spoke with John Kindervag, security analyst at Forrester, to get his perspective:

**Question: What's with the state of attacks recently? Zappos, Justice Department? Are attackers just getting better at finding holes in networks, or are enterprises just not thinking of security in the right manner?**

**Kindervag:** *I doubt that much has changed other than public awareness of these breaches. The fact that the SEC requires disclosure means that most companies will have to at least acknowledge breaches. Look at Verisign. They weren't exactly forthcoming about their recently reported breaches. The SEC forced their hand. Compliance mandates such as those from the SEC or the PCI Security Standards Council have gone a long way to increasing public -- and corporate executive -- awareness of these breaches.*

![](https://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2012/02/fingerprint.jpg)

*Having said that, I do believe that the gap between the attackers and the enterprise is getting wider. Attackers are mutating their attacks in near-real time.
Enterprises are trying to secure old, clunky network designs. One global CIO told me "It's just not fair." That's true. Enterprises continue to be encumbered by old designs, broken processes and apathy about security at the highest levels of the organization. Those things must change before we stand a chance in fighting off these attacks.*

**Question: How does the Zero Trust Model apply to a data center environment?**

**Kindervag:** *Zero Trust is data-centric, which is precisely why it applies to the data center. It mandates building the network from the inside out. This means the controls start at the data itself and then we figure out the transport later. Too many companies are focused on the transport -- the network -- or the place -- the physical data center -- when they should be focused on the data. That's what attackers are trying to steal.*

**Question: You discuss the importance of segmentation in Zero Trust. This is important to limit the scope of compliance or limit the scope of vulnerabilities. What's the best practice you recommend for segmentation -- VLANs, physical segmentation, zones?**

**Kindervag:** *Modern networks must be segmented. Flat networks are too easy to compromise. Throw in the reality that many compliance initiatives can only be effectively met through segmented networks and you have a convergence of outside pressure that will force network designers to adopt segmented networks. That's why it's important to understand what equals segmentation.*

*Segmentation must enforce separation of traffic. VLANs just don't do that. They were never designed for security and as a result are inherently insecure. If we want to mitigate the ability of attackers to own our entire network, it must be segmented by a control that does the segmentation that can be enforced by affecting traffic that tries to bypass segmentation controls. The controls must be at Layer 3 or above.
In the real world, segmentation is done with firewall technology of some type, which is why Zero Trust relies on Uber-Firewalls we call Segmentation Gateways.*

![](https://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2012/02/secure1-230x280.jpg)

**Question: How can customers start implementing Zero Trust in their data center, in particular when they are considering new designs like virtualization or Ethernet fabric architectures?**

**Kindervag:** *Zero Trust allows you to securely evolve your network and securely adopt new technologies. Zero Trust as a model and a concept translates to any environment, and Zero Trust as a design methodology helps secure virtualization by default. It creates virtualization-friendly Layer 2 segments that make deploying virtualization easy. Plus, fabric architectures fit well with Zero Trust. Fabric architectures have given very little thought to security and Zero Trust gives fabric technologies a path towards security.*

Thank you, John, for a great explanation of how Zero Trust applies in the data center. At our Data Center Summit, we'll be talking about this in depth. In particular, the afternoon technical segment goes into detail on how customers are implementing network security in the data center. We'll also describe how you segment servers appropriately as advocated by Zero Trust, where traffic in and out of a segment is only allowed via the Palo Alto Networks next-generation firewall.

Calling all you fellow data center security geeks out there... I hope to see you at one of our **[Data Center Summit venues](https://www.paloaltonetworks.com "Data Center Summit")**!