Branch Connectivity and Remote Worker Security – A New Twist
There’s a paradigm shift I’m seeing with how organizations are securing their branch offices and remote workforce: they’re moving away from the traditional firewall at every branch office for a north-south perimeter security architecture. Let’s dig a little deeper.
In many branch office deployments we have traditionally seen MPLS used as a private WAN to connect the branch offices to a datacenter at headquarters. Another design model was a firewall at every branch office connecting back to the HQ datacenter over an IPsec VPN. This deployment may have been fully or partially meshed, depending on how the resources that required access were dispersed. In the IPsec VPN scenario, manually creating and maintaining the VPN connections on every firewall is a configuration and operational headache. Supporting this architecture requires not only creating all of the phase 1 and phase 2 profiles, but also creating and validating all of the routing that goes along with this type of deployment. Additionally burdensome is the ongoing care and feeding, and the requirement to “refresh” this firewall hardware either on a depreciation schedule or when the equipment reaches end of life. Every refresh brings additional headaches around the cost to acquire, configure, ship, deploy and test new hardware. Depending on the timing of the refresh, it may also require running a newer version of the operating system, which in turn may require upgrading the management platform to support that version. In summary, the IPsec VPN model is a very time- and resource-intensive effort for organizations to maintain.
The COVID pandemic has played a part in how organizations support their mobile workforce. Many enterprises were built for a subset of their employees to work remotely, but very few were prepared for their entire workforce to work from home. This required many organizations to quickly come up with a 100% remote design. In some cases, this required new HQ or datacenter hardware. It may have included the need to move to a split-tunnel VPN scenario to alleviate bandwidth constraints and trade off security for performance. It also meant that no one was working in the branch office.
Many CISOs began looking at SASE solutions and their potential to quickly deploy a secure architecture to support a mobile workforce. They also took this time to reevaluate how their branch offices were deployed and secured.
These organizations started to look at whether SASE solutions might also be a fit for securing their branch offices. In some cases, organizations realized they no longer wanted to be in the “firewall business.” The constant care, feeding and refreshing of this equipment every three to five years no longer made business sense.
Palo Alto Prisma Access for Remote Networks
One of the solutions that these customers started looking at was Palo Alto Networks Prisma Access for Remote Networks. Constantly configuring and managing endpoints at every branch office can become complex, and the difficulty is compounded with each newly added branch office (and its specific mesh requirements). With Prisma Access for Remote Networks, a branch office is onboarded to the service via an IPsec tunnel. On the branch office end, this tunnel can be established from any device that supports IPsec connectivity, such as an SD-WAN device or even an on-premises router. Once onboarded and established, all traffic from the remote branch can traverse a Palo Alto Networks firewall in your dedicated Prisma Access environment.
What do I mean by “can”? Customers that have deployed an SD-WAN overlay for their internal branch office communications, possibly to replace MPLS, can onboard the SD-WAN device onto Prisma Access. They can then route all internet- or SaaS-based application traffic through the SD-WAN device and on through Prisma Access, gaining the same visibility and control over this traffic as they would with an on-premises Palo Alto Networks firewall. The only difference is that this firewall lives in the Prisma Access cloud.
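To make the branch-side onboarding concrete, here is an added example (not from the original post and not Palo Alto Networks' own configuration) of a strongSwan swanctl.conf for a Linux router acting as the IPsec endpoint: the phase 1 and phase 2 profiles, a full tunnel for internet/SaaS traffic, and a passthrough policy that keeps SD-WAN overlay traffic out of the tunnel. The service IP, peer ID, PSK, IKE ID and cipher proposals are assumptions or placeholders; take the real values from the Prisma Access onboarding screen for your tenant.

```conf
# Added example: branch router (strongSwan) onboarding to a Prisma Access
# remote-network tunnel. Placeholder and constructed values are marked.
connections {
    prisma-access-branch1 {
        version = 2                          # IKEv2 ("phase 1")
        local_addrs  = 203.0.113.10          # branch WAN address (constructed)
        remote_addrs = PRISMA_SERVICE_IP     # placeholder: service IP shown at onboarding
        proposals = aes256-sha256-ecp256     # IKE proposal (assumption)
        dpd_delay = 30s                      # detect a dead tunnel and rebuild it
        local {
            auth = psk
            id = branch1@example.com         # IKE ID registered in Prisma Access (constructed)
        }
        remote {
            auth = psk
            id = PRISMA_PEER_ID              # placeholder: peer ID from the onboarding screen
        }
        children {
            # Keep private/SD-WAN overlay destinations out of the tunnel so
            # east-west branch traffic stays on the overlay (pass = no IPsec).
            # strongSwan gives the narrower selector priority over 0.0.0.0/0.
            internal-passthrough {
                local_ts  = 10.10.1.0/24
                remote_ts = 10.0.0.0/8
                mode = pass
                start_action = trap
            }
            # Everything else (internet and SaaS) goes through the tunnel, so the
            # firewall policy is enforced in Prisma Access, not on a local appliance.
            all-internet {
                local_ts  = 10.10.1.0/24     # branch LAN (constructed)
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp256   # IPsec proposal ("phase 2", assumption)
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-prisma-access-branch1 {
        id = branch1@example.com
        secret = PLACEHOLDER_PSK             # placeholder: PSK generated during onboarding
    }
}
```

Adding a second branch means one more connection block like this one on that branch, rather than a new tunnel and route set on every existing firewall as in the meshed model.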
High Level Diagram
Shared Management Model
Prisma Access follows a shared management model. The responsibilities break out as indicated below.
As part of the service, Palo Alto Networks takes care of:
Another paradigm to consider is the “new” home office user. Many organizations are now considering a permanent or hybrid work-from-home (WFH) environment. One of the concerns with this is securing home users. Do I treat them as mobile users or as a branch office of one? A few things to consider:
If I wanted to treat this home user as a branch office of one, how would I securely connect him/her to the network? Backhaul all the traffic over a VPN tunnel from a device I can’t manage?
Palo Alto Networks now offers a home solution called Okyo Garde. This device provides powerful Wi-Fi 6 coverage, extends corporate Wi-Fi into the home while segmenting the home network, and can also be onboarded to Prisma Access and managed via the Prisma Access Cloud Manager. Below is a high-level diagram showing how corporate traffic would traverse and be secured by Prisma Access, while the home user’s personal traffic would be protected by the Okyo Garde device.
Okyo Garde provides new capabilities for visibility and control for both the user and the enterprise:
Organizations that have a large number of branch offices deployed with traditional firewall appliances providing north-south internet perimeter control and VPN connectivity for private application access now have another option. They may be looking to move away from a CapEx model, where they have to purchase/refresh, configure and deploy new branch firewalls every three to five years, to an OpEx model, where they consume this branch security as a service.
The pandemic has introduced us all to a much more extensive WFH model. Many organizations are thinking of these remote employees as branch offices of one. And as we know, home offices have a number of devices on the network that are potentially vulnerable to compromise and malware. Being able to segment these home networks with a device the corporate office can manage reduces risk for the organization and provides an additional layer of security.
Optiv Security: Secure greatness.™
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.