# Best Practices for Cloud Infrastructure: Zero Trust Microsegmentation

By [Keith Mokris](https://www.paloaltonetworks.com/blog/author/keith-mokris/?ts=markdown "Posts by Keith Mokris"), Jan 11, 2021 (4 minute read)

Categories: [Cloud Network Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-network-security/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Zero Trust](https://www.paloaltonetworks.com/blog/tag/zero-trust/?ts=markdown), [Zero Trust Throughout Your Infrastructure](https://www.paloaltonetworks.com/blog/tag/zero-trust-throughout-your-infrastructure/?ts=markdown)

Zero Trust has become a widely adopted cybersecurity strategy, and organizations are learning to operate under the assumption that no user, endpoint, workload, application or content can be trusted within their networks, no matter what has been checked previously or what will be checked later on. In other words, each device, application and microservice must be responsible for its own security. There is a [learning curve](https://www.paloaltonetworks.com/blog/2020/04/network-zero-trust-learning-curve/), however, to understanding how to apply that principle [throughout your infrastructure](https://www.paloaltonetworks.com/blog/tag/zero-trust-throughout-your-infrastructure/).

In the case of cloud native technologies, infrastructure and development processes often don't look the same as in traditional environments, so the way we apply Zero Trust must shift as well. In constantly changing cloud environments, Zero Trust microsegmentation is a technique that can help enforce cloud security policies that follow [Zero Trust best practices](https://docs.paloaltonetworks.com/best-practices/10-0/zero-trust-best-practices/zero-trust-best-practices).

Developers and DevOps teams continue to use cloud native technologies like microservices and containers to scale development and speed up releases, along with multi-cloud architectures to optimize efficiency. However, these same core components of cloud native development are causing fundamental shifts in the way network security policies are administered in the cloud. Zero Trust microsegmentation can help where environments are constantly changing and the IP addresses that were traditionally used for managing and defining security policies are no longer sufficient.
## Why Cloud Security Policies Can't Be Based on IP Addresses

Cloud native development can present a challenge to traditional enterprise policies, partly because of the constant change within these environments. [Cloud workloads](http://blog.paloaltonetworks.com/2020/08/cloud-native-zero-trust) move across locations, instances within an application scale dynamically as demand fluctuates, and containers come and go in seconds, making validation a serious concern. In these environments, the IP-based security that many enterprises are used to can quickly become unmanageable.

Hybrid and multi-cloud environments introduce shifting IP domains, as containerized workloads can be replicated, rescheduled and rehosted within the scope of an hour. Microservices are exposed through APIs accessible via HTTP/gRPC, making the IP address irrelevant. To achieve end-to-end visibility, administrators would have to stitch together IP flows across the multitude of environments, which becomes unworkable at scale.

Because IP addresses are no longer as persistent as they once were, they cannot be relied upon to accurately identify workloads in the cloud, which makes them unusable as the basis for security policies that follow Zero Trust best practices.

## Identity-Based Microsegmentation

[Identity-Based Microsegmentation](https://www.paloaltonetworks.com/blog/prisma-cloud/aporeto-integration-prisma-cloud/) in Prisma Cloud lets users base security policies on strong, machine-generated identity for individual workloads instead of broad IP addresses. This makes it possible to track a workload as it moves through your environment, even when IP addresses and other traditional identifiers change, improving development risk posture while meeting the needs of dynamic cloud native environments.

Once workload identities are assigned, Prisma Cloud can automatically discover and learn application communication behaviors inside and across clouds. These flows can then be monitored in real time using a visualized map of the network.

![Application dependency mapping with Identity-Based Microsegmentation in Prisma Cloud.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/microsegmentation-map-view.png)

Application dependency mapping with Identity-Based Microsegmentation in Prisma Cloud.

Users can set policies to authenticate and authorize connection requests among these generated identities, and automatically deny unknown requests. Compliance teams, for example, can create policies to isolate systems that may be subject to specific regulations.

## Microsegmentation for Zero Trust

Microsegmentation gives organizations a way to implement Zero Trust best practices for cloud native application development. A trusted identity can be used for security policy enforcement while allowing the seamless use of technologies like containers and microservices. You can learn more in our e-book, "[Identity-Powered Microsegmentation with Prisma Cloud](https://www.paloaltonetworks.com/resources/ebooks/identity-powered-microsegmentation)."

Microsegmentation is just one aspect of an enterprise Zero Trust strategy. Watch as Palo Alto Networks Founder and CTO Nir Zuk [explains how it all fits together](https://youtu.be/zzZ4q9DSnbg?t=650). And be sure to check out the rest of the blogs in our [Zero Trust series](https://www.paloaltonetworks.com/blog/tag/zero-trust-throughout-your-infrastructure/).
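As an added illustration (not Prisma Cloud's code or policy format), the following Python models the argument above: a default-deny policy keyed on workload identity attributes still matches a workload after it is rescheduled to a new IP, and refuses an unrelated workload that later inherits the old address, while an IP-keyed ACL does the opposite in both cases. The tags, addresses and ports are constructed for the example.

```python
# Added example, not Prisma Cloud code: an identity-keyed policy beside an
# IP-keyed ACL. Identities are modelled as frozensets of constructed
# "key=value" tags; all names, addresses and ports are made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    tags: frozenset   # machine-generated identity attributes (constructed)
    ip: str           # current address; changes on every reschedule

@dataclass(frozen=True)
class Rule:
    src: frozenset    # tags the source must carry
    dst: frozenset    # tags the destination must carry
    port: int

def ident(*kv):
    return frozenset(kv)

def learn_rules(observed_flows):
    """Learning mode: one rule per observed (src, dst, port) flow.
    A rule records both workloads' full tag sets, so the same workloads
    match at any IP and nothing else does."""
    return {Rule(src.tags, dst.tags, port) for src, dst, port in observed_flows}

def identity_allows(rules, src, dst, port):
    """Default deny: allow only when a rule's tags are a subset of both sides."""
    return any(r.src <= src.tags and r.dst <= dst.tags and r.port == port
               for r in rules)

def ip_acl_allows(acl, src, dst, port):
    """Traditional ACL keyed on (src_ip, dst_ip, port), for comparison."""
    return (src.ip, dst.ip, port) in acl

# Constructed environment: one learned flow, then two later events.
web = Workload(ident("app=web", "env=prod"), "10.0.1.10")
api = Workload(ident("app=api", "env=prod"), "10.0.2.20")
rules = learn_rules([(web, api, 8443)])
acl = {(web.ip, api.ip, 8443)}
api_moved = Workload(api.tags, "10.0.2.99")                      # rescheduled
squatter = Workload(ident("app=batch", "env=dev"), "10.0.2.20")  # inherits old IP

def results():
    return {
        "identity_allows_moved_api": identity_allows(rules, web, api_moved, 8443),
        "ip_acl_allows_moved_api": ip_acl_allows(acl, web, api_moved, 8443),
        "identity_allows_squatter": identity_allows(rules, web, squatter, 8443),
        "ip_acl_allows_squatter": ip_acl_allows(acl, web, squatter, 8443),
        "identity_allows_ssh": identity_allows(rules, web, api_moved, 22),
    }

if __name__ == "__main__":
    for check, allowed in results().items():
        print(f"{check}: {allowed}")
```

The last check shows that identity alone is not a blanket allow: a port the learned flows never used is still denied between the same two identities.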