# Zero Trust for Applications: Verifying Access Between Workloads

By [Jason Williams](https://www.paloaltonetworks.com/blog/author/jason-williams/?ts=markdown "Posts by Jason Williams") | Mar 01, 2022

#### No Zero Trust initiative in the cloud is complete without verifying all network access across workloads and applications.
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/a-picture-containing-shape-description-automatica.png)

Zero Trust is a cybersecurity concept that companies are applying to users, applications, and infrastructure. Today, organizations adopt Zero Trust principles by removing implicit trust from every [identity](https://www.paloaltonetworks.com/blog/prisma-cloud/identities-and-infrastructure/), [workload](https://www.paloaltonetworks.com/blog/prisma-cloud/zero-trust-cloud-workloads/), access request, and data transaction on the network, and by always verifying their integrity across every digital interaction.

When moving to the cloud, developer and DevOps teams often take on modern compute architectures and development practices in order to build and deploy applications faster. Cloud native environments introduce new security risks and challenges, which change the way security teams approach Zero Trust principles. Enforcing least-privilege network access between workloads and applications is critical to a Zero Trust architecture in the cloud.

#### Cloud Native Development Without Automated Security Facilitates Risk

In a cloud native world, change is constant. Developers and DevOps teams have automated deploying, scaling, and removing microservices rapidly, sometimes in a matter of seconds. However, if security workflows cannot keep up, this can lead to toxic outcomes. Moreover, Palo Alto Networks [Unit 42 Cloud Threat Researchers](https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-1h21) found that between April and June 2020, firewall configurations allowing all traffic to Kubernetes clusters increased by an astounding 122%. In other words, these configurations imply trusted network access within the cloud.
**What happens when there is a cloud breach?**

In the event of a breach, attackers leverage privileged network connectivity to move laterally within the cloud fast. For example, threat variants like malware can spread to as many as [45,000+ instances in a matter of 30 minutes](https://start.paloaltonetworks.com/why-seconds-matter.html).

![One successful attack can spread fast](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/a-picture-containing-chart-description-automatica.png)

One successful attack can spread fast

Organizations that have figured out how to accelerate their cloud workload adoption must also understand how to integrate network security into their automation workflows.

#### What Does Zero Trust Mean for Network Access?

At its core, Zero Trust seeks to eliminate implicit trust throughout the enterprise by continuously validating all digital transactions. When it comes to workloads accessing other workloads, all communications between entities must follow a least-privilege approach. The goal of this requirement is to minimize the blast radius of any security incident by limiting an attacker's ability to move laterally across cloud applications.

If you want to reduce the risk of lateral movement, you must remove implicit trust from workloads, applications, and connection requests within the cloud ecosystem: always verify before authorizing. Establishing trust between workloads in a cloud native environment may sound difficult, but Palo Alto Networks can help ease the journey to Zero Trust.
#### How We Can Help

Prisma Cloud [Identity-Based Microsegmentation](https://www.paloaltonetworks.com/prisma/cloud/identity-based-microsegmentation) together with [VM-Series](https://www.paloaltonetworks.com/network-security/vm-series-virtual-next-generation-firewall) and [CN-Series](https://www.paloaltonetworks.com/network-security/cn-series) software next-generation firewalls (NGFWs) deliver on the promise of Zero Trust for applications. The Palo Alto Networks portfolio combines workload identity with application context to enforce continuous least-privilege access with Zero Trust principles.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/graphical-user-interface-description-automaticall.png)

#### **Prisma Cloud**

Prisma Cloud delivers [microsegmentation](https://www.paloaltonetworks.com/cyberpedia/what-is-microsegmentation) for hosts, VMs, and containers across on-premises, cloud, and hybrid cloud environments. With Identity-Based Microsegmentation, security teams can visualize application dependencies, verify connectivity between workloads, and limit access between workloads. Rather than IP-based policy, administrators manage segmentation policy using workload identities. For example, a policy can allow web microservices to reach database microservices, or separate developer instances from production instances.

For fast-moving cloud native environments, Prisma Cloud offers [microsegmentation policy-as-code](https://www.paloaltonetworks.com/blog/prisma-cloud/microsegmentation/). This enables DevOps teams to codify identity-based segmentation policy and integrate policy-as-code files into continuous deployment pipelines. As applications are built and deployed, microsegmentation policy is deployed with the application, ensuring new workloads enforce least-privilege network access.

For cloud environments without mature DevOps models, Prisma Cloud makes microsegmentation policy creation simple.
With a single click, Prisma Cloud uses learned traffic patterns to automatically generate [optimal microsegmentation policy](https://www.paloaltonetworks.com/blog/prisma-cloud/identity-based-microsegmentation/) for any application. Prisma Cloud is purpose-built to help organizations simplify and accelerate their Zero Trust adoption for applications inside and across clouds.

![Prisma Cloud visualizes flow mapping between workloads and recommends least privilege connectivity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/graphical-user-interface-application-description-2.png)

Prisma Cloud visualizes flow mapping between workloads and recommends least privilege connectivity

#### **Software NGFWs**

The software NGFWs deliver precise application access controls to protect hosts, Kubernetes, and data across data centers, cloud, and hybrid cloud environments. This is made possible with [App-ID](https://www.paloaltonetworks.com/technologies/app-id)™, a patented and industry-leading technology built into the software NGFWs. App-ID identifies applications within traffic regardless of their port, protocol, and evasive tactics.

As workloads access other workloads, software NGFWs inspect traffic at layer 7 and leverage App-ID to classify applications and enforce application access control. For example, instead of allowing all traffic on tcp/443, the software NGFWs can authorize Slack for instant messaging but block file transfer requests. The software NGFWs come with a built-in policy optimizer, a workflow that helps administrators identify overly permissive security policies and safely remove unused App-IDs without worrying about application availability. VM-Series and CN-Series NGFWs are engineered to continuously verify all application traffic and apply context-based policies as you move to the cloud.
![Software NGFWs illustrate network activity with App-ID context and block threats](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/a-screenshot-of-a-computer-description-automatica-6.png)

Software NGFWs illustrate network activity with App-ID context and block threats

#### Learn More

No Zero Trust initiative is complete without an evaluation of existing privileged access. Together, Identity-Based Microsegmentation and software NGFWs consistently enforce context-based access policies to workloads and applications.

If you want to see how Prisma Cloud Identity-Based Microsegmentation works in your environment, then [request a 30-day trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial) for Cloud Network Security. If you want to get your hands on the software NGFWs, then sign up for an [ultimate test drive](https://www.paloaltonetworks.com/resources/test-drives?topic=vm-series-aws).