# Define a Protect Surface to Massively Reduce Your Attack Surface

By [John Kindervag](https://www.paloaltonetworks.com/blog/author/john-kindervag/?ts=markdown "Posts by John Kindervag") Sep 04, 2018

In cybersecurity, one of the things people tend to focus on the least is defining what they're trying to protect. The general consensus is that they want to protect against attacks, but the attacks are attacking something. What is that thing?

Over the years, we have been working diligently to reduce the attack surface, but unfortunately, it is a bit like the universe in that it is always expanding. With every new technology comes a new set of problems and vulnerabilities. Most notably, the internet of things has led to a massive increase in the attack surface. Newly revealed vulnerabilities such as those underlying the attacks on chip sets -- [Spectre and Meltdown](https://www.paloaltonetworks.com/blog/2018/01/threat-brief-meltdown-spectre-vulnerabilities) -- have added almost every modern computational system to the overall attack surface as well.

![thought_1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/08/thought_1.png)

In Zero Trust, instead of focusing on the macro level of the attack surface, we determine what we need to protect: the smallest possible reduction of the attack surface, or the protect surface. Typically, a Zero Trust network defines a protect surface based upon at least one of these four things (remembered by the acronym DAAS):

* **D**ata: *What data needs to be protected?*
* **A**pplications: *Which applications consume sensitive information?*
* **A**ssets: *Which assets are most sensitive?*
* **S**ervices: *Which services, such as DNS, DHCP, and Active Directory, can be exploited to disrupt normal IT operations?*

The awesome thing about the protect surface is that not only is it orders of magnitude smaller than the overall attack surface but it is always knowable. You may not know what it should be today, but you can always find out. Most organizations can't really define the attack surface, which is why penetration testers always get inside. There are myriad ways to intrude upon an organization's macro-perimeter. This is why the idea of a large perimeter-based security approach has demonstrated itself to be unsuccessful.

In the old model, controls such as firewalls and intrusion prevention technologies were pushed to the edge of the perimeter, which is as far away from the protect surface as you can possibly get. In Zero Trust, by defining a protect surface, we can move controls as close as possible to that protect surface to define a micro-perimeter. With our next-gen technology functioning as a segmentation gateway, we can segment networks in Layer 7 policy and granularly control what traffic moves in and out of the micro-perimeter.

There is a very limited number of users or resources that actually need access to sensitive data or assets in an environment. By creating policy statements that are limited, precise, and understandable, we can limit the ability of our adversary to execute a successful cyberattack.
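
One way to express limited, precise policy statements for a micro-perimeter, as an added example that is not from the original post or from Palo Alto Networks. The protect-surface entries, group names and application labels are constructed, and treating a wildcard as a lint finding is an assumption about what "limited and precise" means in practice.

```python
from collections import namedtuple

# Constructed protect surface, one entry per DAAS category (names are hypothetical).
PROTECT_SURFACE = {
    "cardholder-db": "data",
    "billing-app": "application",
    "hsm-01": "asset",
    "corp-dns": "service",
}
WILDCARDS = ("any", "*")

# A rule says who may use which Layer 7 application to reach which resource.
Rule = namedtuple("Rule", "user_group application resource")
Flow = namedtuple("Flow", "user_group application resource")

def matches(pattern, value):
    return pattern in WILDCARDS or pattern == value

def decide(rules, flow):
    """Default deny at the micro-perimeter: allow only what a rule names."""
    if flow.resource not in PROTECT_SURFACE:
        return "out-of-scope"  # not behind this micro-perimeter
    for rule in rules:
        if all(matches(p, v) for p, v in zip(rule, flow)):
            return "allow"
    return "deny"

def lint(rules):
    """Flag rules that are not limited and precise."""
    findings = []
    for index, rule in enumerate(rules):
        wild = [f for f in Rule._fields if getattr(rule, f) in WILDCARDS]
        if wild:
            findings.append((index, "wildcard in " + ", ".join(wild)))
        elif rule.resource not in PROTECT_SURFACE:
            findings.append((index, "resource outside the protect surface"))
    return findings

# Constructed policy: two precise rules and one overly broad rule.
RULES = [
    Rule("billing-admins", "mssql", "cardholder-db"),
    Rule("billing-app-svc", "mssql", "cardholder-db"),
    Rule("any", "dns", "corp-dns"),
]

if __name__ == "__main__":
    for finding in lint(RULES):
        print("lint:", finding)
    for flow in (Flow("billing-admins", "mssql", "cardholder-db"),
                 Flow("billing-admins", "ssh", "cardholder-db"),
                 Flow("guest-wifi", "dns", "corp-dns")):
        print(flow, "->", decide(RULES, flow))
```

The third rule is why the lint exists: it lets any group, including a guest network, reach a protect-surface service, which the evaluator will faithfully allow.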