Define the Initial User-to-Data-Center Traffic Security Policy
    
Define who can use which data center applications on which servers and other devices.
Defining the initial best practice security policy for user traffic flowing to the data center begins the process of developing a data center application allow list. The ultimate goal is to use positive security enforcement to protect your data center with a Zero Trust architecture. You accomplish this by explicitly controlling who can access the data center, which data center applications they can access, and what resources they can access inside the data center. Allow access only to users who have legitimate business reasons to access the data center. When you finish developing your best practice security policy, no unknown users should be able to access the data center and no unknown applications or resources should reside in the data center.
Risks to the data center from user access include attackers gaining control of a network device outside of the data center and using it to move laterally into the data center to plant malware, exfiltrate data, and gain control of data center devices; the accidental downloading of malware to the data center; and unauthorized access to data center applications and assets.
The following sections show you the types of application traffic to allow and how to control it, how to authenticate users to prevent unauthorized user access to the data center, and how to decrypt the traffic: