Securing US Federal Agency Remote Workers and Branch Offices

During the COVID-19 pandemic, governments everywhere are focusing on delivering essential citizen services and maintaining critical infrastructure while keeping their workers safe. While Palo Alto Networks has announced programs to help rapidly scale secure telework options during this pandemic, we’re also working on longer-term plans to address the changing world of work. Here in the U.S., this crisis has demonstrated the continuing need to ensure confidentiality, integrity and availability of services to federal agency personnel, regardless of location

Recently, the Office of Management and Budget (OMB) released a memorandum outlining updates to the Trusted Internet Connections (TIC) initiative. TIC 3.0 aims to help agencies adopt modern security capabilities while connecting to the internet and other services outside their traditional perimeter. 

Older TIC guidance has hindered agency adoption of cloud and mobile services, which are key aims of the Cloud Smart strategy. Traditionally, federal agencies had few options to secure their branch offices and remote users connecting to the internet for cloud and Software-as-a-Service (SaaS) access. They could build and manage their own TICs or acquire TICs from managed services providers. They backhauled their branch office traffic over private links to their data centers and then to the TICs. 

Mobile workers are key to achieving many agency missions, but similarly, securing them has been challenging. Agencies typically use different security products to connect remote users to their office or data center. This introduces another security stack to manage, and application performance for remote users falls the farther they get from their connection point. For both remote users and branch offices, this architecture created a less-than-ideal user experience for everyday applications such as Office 365. 

A secure access service edge (SASE) helps federal agencies embrace cloud and mobility by providing networking and network security services from a cloud-based, unified platform. Prisma Access by Palo Alto Networks is a comprehensive SASE solution that delivers networking and security ideal for agency branch offices and remote users, two TIC use cases. Palo Alto Networks just announced that Prisma Access has achieved the designation of “In Process” for the Federal Risk and Authorization Management Program (FedRAMP). Prisma Access is working toward a FedRAMP Moderate authorization, which will enable agencies to meet TIC policy for branch and remote user use cases, and provide a unified policy framework across users. 

Rather than creating single-purpose technology overlays that are normally associated with point products, Prisma Access uses a cloud-based infrastructure to deliver security and networking services, which include: 

Networking 

  • SD-WAN that supports Palo Alto Networks Next-Generation Firewalls and integrates with third-party SD-WAN appliances.
  • VPN options for connecting users and networks, including IPsec, SSL/IPsec, and clientless VPN.
  • Quality of service (QoS) that prioritizes bandwidth for critical applications.

Security

  • Firewall as a service (FWaaS) for branch offices and remote locations.
  • Zero Trust network access (ZTNA) for application access control and threat prevention. 
  • DNS security featuring advanced analytics and machine learning to protect against threats in DNS traffic.
  • Threat prevention that blocks exploits, malware, and command-and-control (C2) traffic using threat intelligence.
  • Cloud secure web gateway (SWG) that blocks malicious sites using static analysis and machine learning.
  • Data loss prevention (DLP) that categorizes sensitive data and applies policies to control access.
  • Cloud access security broker (CASB) that provides governance and data classification to stop threats with in-line and API-based security.

All users, regardless of where they are located, connect to cloud-delivered Prisma Access to safely use cloud and data center applications. For agency branch offices, Prisma Access offers not only security but SD-WAN hub as-a-service, providing high-performance, low-latency interconnect between branch offices and cloud workloads. Combining security and end-to-end SD-WAN provides excellent user to application experience. By consuming Prisma Access SD-WAN hub as-a-service, agencies eliminate the complexity of building their own SD-WAN hub and interconnect fabric.

Palo Alto Networks SD-WAN delivers an optimal user experience for cloud applications without compromising security. All users, whether at headquarters, branch offices or remote, can connect to Prisma Access to easily access SaaS, public cloud and data center applications, delivering security and optimized end-to-end performance. Additionally, with our recently announced SLAs for SaaS delivered by the Prisma fabric, agencies can be confident in their cloud experience, with guaranteed access to a growing list of SaaS providers, such as Microsoft Office 365, Box.com, Salesforce.com and more. 

Agencies no longer have to deploy and manage a separate security stack for teleworkers or other remote workers. With Prisma Access, they can extend consistent security and performance to branch offices and workers, no matter where they are. And in the event of natural disasters, public health emergencies or unexpected infrastructure damage, Prisma Access can help agencies quickly and efficiently develop secure communications. As a cloud-delivered service, Prisma Access scales automatically to meet demand, requires no infrastructure deployment, and operationalizes quickly with zero-touch provisioning. 

SASE is the next wave of evolution for both security and connectivity, and Prisma Access is bringing new SASE innovations to federal agencies. For more information on how Palo Alto Networks can help agencies address TIC 3.0 requirements, please read our tech brief.