FAQs

Frequently asked questions about the NHS Secure Boundary.

Scope of NHS Secure Boundary

Which NHS organisations are in scope for NHS Secure Boundary?

NHS organisations: Acute Trusts, Ambulance Service Trusts, Community Health Service Trusts, Mental Health Trusts, Commissioning Support Units (CSUs) and Local Health and Care Record Exemplars (LHCREs). With approval from NHS England, Integrated Care Boards (ICBs) are also in scope.

Central Network Service Providers (CNSPs) migrating HSCN internet traffic are also in scope.

Are both the HSCN internet connection and local internet breakout(s) in scope of NHS Secure Boundary?

Your organisation must have a connection to the Health and Social Care Network (HSCN) to benefit from Secure Boundary through your CNSP.

Secure Boundary also provides protection for NHS organisations with local internet breakouts: a direct connection is established via IPsec tunnels between suitable edge device(s) in your organisation and your dedicated Prisma tenant.

What type of internet traffic does NHS Secure Boundary protect?

The NHS Secure Boundary service comprises two core technology platforms, provided as Software-as-a-Service (SaaS), protecting two types of internet traffic.

Bi-directional internet traffic: traffic which is initiated from within the NHS perimeter. For example, an NHS worker accessing the internet from their NHS device. This connection is protected by the Palo Alto Prisma Access Service.

Inbound website traffic: traffic which is initiated from the Internet. For example, a member of the public accessing an NHS hosted site via the internet from their own personal device. This connection is protected through the Imperva Cloud WAF service.

Is there any cost to NHS organisations or is it all centrally funded?

There is a modest one-off cost for on-boarding onto the NHS Secure Boundary solution (charged per Secure Boundary product*). This cost covers standing up a project team to guide organisations through the on-boarding process. During on-boarding, an organisation should commit to providing the relevant technical resource, with the intent of completing the on-boarding project within reasonable timescales. A typical on-boarding onto the Palo Alto Prisma service takes around 8 weeks, whereas on-boarding onto the Imperva Cloud WAF service typically takes around 1.5 weeks. Note that not all effort will be contiguous.

*CNSPs are exempt from on-boarding onto the Imperva Cloud WAF service. However, an NHS organisation can still on-board onto the Imperva Cloud WAF service by contracting directly with the NHS Secure Boundary team.

What support is available to aid migration from your existing system to the NHS Secure Boundary solution?

Your organisation will be assigned a dedicated project manager and technical resource from within the NHS Secure Boundary team. They will be your first port of call for support throughout your on-boarding, from the point at which you enrol until your handover to business as usual (BaU) is complete and the on-boarding service has been formally signed off.

Will adoption of NHS Secure Boundary become mandatory?

This is not currently mandatory. NHS organisations manage their own cyber risk, so it is the responsibility of each organisation to decide whether to adopt the solution. If the management of cyber risk becomes centralised in the future this position may change, but there are currently no plans to make adoption mandatory.

The Solution

Does the NHS Secure Boundary Solution use virtual firewalls or physical hardware?

The NHS Secure Boundary service comprises two core technology platforms. The firewalls that make up the core platforms are virtual and are dynamically spun up as organisations on-board.

Palo Alto Prisma Access Service: each organisation that connects directly to the platform has its own virtual firewall instances in Google Cloud Platform.

Imperva Cloud WAF Service: a cloud-hosted Web Application Firewall (WAF).

How much control will an organisation have over its own firewall configuration?

The solution is built to be flexible. Directly connected NHS organisations that wish to manage their own firewall instance and maintain the rules within it can choose the self-managed service. This gives the NHS organisation access to a web-based management console (Panorama) where they can maintain rules and decide what gets logged. Computer Based Training will be available to personnel in your organisation upon selecting the self-managed service.

NHS organisations can also choose the managed option where rule changes are requested and updated through the service management function.

If you are connecting via the HSCN route you will receive the national ruleset applied to every CNSP; a change to the ruleset must be requested through your CNSP.

If I select the self-managed service will I still be able to contact the NHS Secure Boundary team if I need help/assistance?

Yes. The NHS Secure Boundary team remain accessible after the on-boarding project completes and you are handed into BaU. For help and assistance whilst in BaU, raise a Service Request ticket with the national service desk (ssd.nationalservicedesk@nhs.net).

How will an NHS organisation connect to NHS Secure Boundary?

The NHS Secure Boundary solution is flexible in the network topologies it can accommodate. The approach for your NHS organisation will be validated during requirements capture and assessed on its own merits, based upon your organisational requirements. Connections to Prisma will be via an IPsec tunnel.

How do CNSPs connect to NHS Secure Boundary?

CNSPs can connect to their Prisma instance either via Clean Pipe or IPsec tunnels.

Are there any technical pre-requisites to be met before on-boarding onto Prisma?

Yes. There are a number of technical pre-requisites that must be met before on-boarding onto Prisma. The on-boarding team will complete a gap analysis during project initiation, the outputs of which will be a remediation report detailing the activities that must be completed ahead of implementation.

The primary technical pre-requisite is that your organisation has an on-premise device (firewall, router or SD-WAN device) that can establish an IPsec tunnel to the Prisma service at the line rate of your internet circuit. For example, if you have a 200Mb/s internet circuit, the device needs to be able to create an IPsec tunnel and encrypt at 200Mb/s. All IPsec VPN tunnels will be created in accordance with the National Cyber Security Centre's (NCSC) IPsec guidance, using the PRIME cryptographic profile (the FOUNDATION profile can be used for compatibility on a case-by-case basis).
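A helper for the kind of gap analysis described above, added here as an example (it is not part of the NHS Secure Boundary documentation or on-boarding tooling): it compares the crypto suite an edge device offers against the PRIME and FOUNDATION profiles and lists every deviation, so a device that cannot meet PRIME is explicitly flagged as a FOUNDATION fallback rather than silently accepted. The profile parameters are the NCSC-published values as recalled by the editor and should be confirmed against the current NCSC publication; the strongSwan proposal strings assume a Linux edge device and are not something the service specifies.

```python
"""Gap-analysis helper: compare an edge device's proposed IKE/IPsec crypto
suite against the NCSC PRIME and FOUNDATION profiles and report deviations.

Added example, not part of the NHS Secure Boundary documentation. Profile
values are NCSC's published profiles as recalled by the author; confirm them
against the current NCSC IPsec guidance before relying on them.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class CryptoSuite:
    ike_version: int        # 1 or 2
    ike_encryption: str     # e.g. "aes128-gcm16" (AEAD) or "aes128-cbc"
    ike_prf: str            # pseudo-random function, e.g. "hmac-sha256"
    dh_group: int           # IANA DH group: 19 = ECP-256, 14 = 2048-bit MODP
    authentication: str     # peer authentication via X.509 certificates
    esp_encryption: str     # ESP cipher
    esp_integrity: str      # "none" for AEAD ciphers, else e.g. "hmac-sha256-128"
    ike_lifetime_h: int     # IKE SA lifetime in hours (profile value is a ceiling)
    esp_lifetime_h: int     # ESP SA lifetime in hours (profile value is a ceiling)


# NCSC PRIME: IKEv2, AES-128-GCM, SHA-256 PRF, ECDH P-256 (group 19),
# ECDSA P-256 certificates; 24h IKE SA, 1h ESP SA.
PRIME = CryptoSuite(2, "aes128-gcm16", "hmac-sha256", 19, "ecdsa-p256-sha256",
                    "aes128-gcm16", "none", 24, 1)

# NCSC FOUNDATION (interoperability fallback): IKEv1, AES-128-CBC, SHA-256,
# 2048-bit MODP (group 14), RSA-2048 certificates; same lifetimes.
FOUNDATION = CryptoSuite(1, "aes128-cbc", "hmac-sha256", 14, "rsa2048-sha256",
                         "aes128-cbc", "hmac-sha256-128", 24, 1)


def deviations(candidate: CryptoSuite, profile: CryptoSuite) -> list[str]:
    """List every field where candidate departs from profile.
    Lifetimes are ceilings: re-keying more often than the profile is fine."""
    out = []
    for f in fields(CryptoSuite):
        want, got = getattr(profile, f.name), getattr(candidate, f.name)
        if f.name.endswith("_lifetime_h"):
            if got > want:
                out.append(f"{f.name}: {got}h exceeds profile maximum {want}h")
        elif got != want:
            out.append(f"{f.name}: got {got!r}, profile requires {want!r}")
    return out


def classify(candidate: CryptoSuite) -> tuple[str, list[str]]:
    """('PRIME', []) if the suite meets PRIME; ('FOUNDATION', prime_gap) if it
    only meets the fallback profile; ('NON-COMPLIANT', foundation_gap) otherwise."""
    prime_gap = deviations(candidate, PRIME)
    if not prime_gap:
        return "PRIME", []
    foundation_gap = deviations(candidate, FOUNDATION)
    if not foundation_gap:
        return "FOUNDATION", prime_gap
    return "NON-COMPLIANT", foundation_gap


# Assumed edge device running strongSwan: (IKE proposal, ESP proposal with PFS)
# in swanctl.conf syntax for each profile. Not specified by the service.
STRONGSWAN_PROPOSALS = {
    "PRIME": ("aes128gcm16-prfsha256-ecp256", "aes128gcm16-ecp256"),
    "FOUNDATION": ("aes128-sha256-modp2048", "aes128-sha256-modp2048"),
}


def strongswan_proposals(profile_name: str) -> tuple[str, str]:
    """Return the strongSwan IKE and ESP proposal strings for a profile name."""
    return STRONGSWAN_PROPOSALS[profile_name]


if __name__ == "__main__":
    # Constructed example: a router that only offers the FOUNDATION algorithms.
    offered = CryptoSuite(1, "aes128-cbc", "hmac-sha256", 14, "rsa2048-sha256",
                          "aes128-cbc", "hmac-sha256-128", 24, 1)
    verdict, gap = classify(offered)
    print("verdict:", verdict)
    for line in gap:
        print("  PRIME deviation:", line)
    print("strongSwan proposals:", strongswan_proposals(verdict))
```

Run it against the suite your edge device actually advertises; anything other than PRIME is the remediation item to raise with the on-boarding team, and a FOUNDATION verdict is what the case-by-case compatibility exception applies to.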

Are there any technical pre-requisites/constraints associated with on-boarding onto Imperva?

Yes. Generally speaking, NHS organisations that contract a third party to manage and host public-facing websites on their behalf are exempt from on-boarding onto Imperva, on the grounds that the contractual relationship should stipulate that appropriate cyber-security protections are in place.

In addition, there are certain use cases associated with taking Imperva. Further details are available from the NHS Secure Boundary team by raising a Service Request via ssd.nationalservicedesk@nhs.net.

What are the benefits using NHS Secure Boundary for organisations who have existing Palo Alto firewalls?

The existing Palo Alto firewall can be used as the on-premise device to establish an IPsec tunnel to the Prisma service. If you are currently paying for subscription services on this firewall (e.g. URL Filtering, Anti-Virus, WildFire), NHS Secure Boundary provides these subscriptions as part of the centrally funded solution, so you can stop paying for them.

An important benefit of using the service is the provision of enriched threat intelligence to NHS England's Cyber Security Operations Centre (CSOC), enabling the CSOC to identify malicious content on behalf of the wider NHS and facilitating enterprise-wide detection, analysis and prevention.

SSL decryption is a notable feature of the Secure Boundary solution, how is decryption controlled and what are the policies for an NHS Organisation?

Prisma Access allows granular control over which domains and clients are included in or excluded from SSL decryption. Traffic can be decrypted (or not) based on a combination of parameters (e.g. URL category, source/destination IP address); the decryption policies are fully customisable and owned by the NHS organisation itself.

However, not all traffic should be decrypted. SSL decryption must adhere to any regulatory requirements that apply, and should not decrypt URL categories containing sites that exchange personal information, e.g. Financial Services, Government, and Health and Medicine.
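As an added illustration (not Prisma Access configuration, and not from the original page) of how exclusions for personal-information categories interact with a broad decrypt rule: a first-match policy evaluator plus a check for "shadowed" exclusions, i.e. a no-decrypt rule that sits below a decrypt rule already covering the same category and therefore never fires. The rule schema, category names and IP ranges are assumptions for illustration; Palo Alto's own category names and policy model differ.

```python
"""First-match SSL decryption policy with a shadowed-exclusion check.

Added example, not Prisma Access configuration or code from the NHS Secure
Boundary documentation. Rule fields, category names and addresses are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed category names for sites that exchange personal information and
# must therefore stay encrypted end to end.
SENSITIVE_CATEGORIES = frozenset({"financial-services", "government", "health-and-medicine"})


@dataclass(frozen=True)
class DecryptRule:
    name: str
    action: str                          # "decrypt" or "no-decrypt"
    categories: frozenset = frozenset()  # empty = any URL category
    sources: tuple = ()                  # CIDR strings; empty = any source
    destinations: tuple = ()             # CIDR strings; empty = any destination

    def matches(self, category: str, src: str, dst: str) -> bool:
        if self.categories and category not in self.categories:
            return False
        if self.sources and not any(ip_address(src) in ip_network(n) for n in self.sources):
            return False
        if self.destinations and not any(ip_address(dst) in ip_network(n) for n in self.destinations):
            return False
        return True


def decide(policy: list, category: str, src: str, dst: str) -> tuple[str, str]:
    """Evaluate rules top-down; first match wins. Unmatched traffic is left
    encrypted (fail closed), mirroring the 'not all traffic should be decrypted' rule."""
    for rule in policy:
        if rule.matches(category, src, dst):
            return rule.action, rule.name
    return "no-decrypt", "<default>"


def shadowed_exclusions(policy: list) -> list:
    """Report no-decrypt rules for sensitive categories that can never fire
    because an earlier, unscoped decrypt rule already covers those categories."""
    findings = []
    for i, rule in enumerate(policy):
        if rule.action != "no-decrypt":
            continue
        cats = (rule.categories & SENSITIVE_CATEGORIES) if rule.categories else SENSITIVE_CATEGORIES
        for earlier in policy[:i]:
            if earlier.action != "decrypt" or earlier.sources or earlier.destinations:
                continue  # scoped decrypt rules only partially shadow; not flagged here
            covered = cats if not earlier.categories else cats & earlier.categories
            if covered:
                findings.append(f"{rule.name!r} shadowed by {earlier.name!r} for {sorted(covered)}")
    return findings


# Constructed sample policies.
GOOD_POLICY = [
    DecryptRule("keep-sensitive-encrypted", "no-decrypt", SENSITIVE_CATEGORIES),
    DecryptRule("decrypt-user-subnet", "decrypt", sources=("10.0.0.0/8",)),
]

BAD_POLICY = [  # exclusion placed after the catch-all, so it never applies
    DecryptRule("decrypt-everything", "decrypt"),
    DecryptRule("keep-sensitive-encrypted", "no-decrypt", SENSITIVE_CATEGORIES),
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, decide(policy, "health-and-medicine", "10.1.2.3", "203.0.113.10"))
        print(name, "shadowed:", shadowed_exclusions(policy))
```

The shadow check is the one worth running before a policy is pushed: a sensitive-category exclusion that is present but ordered below a broad decrypt rule passes a casual review yet decrypts exactly the traffic the guidance says to leave alone.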

Visibility & Reporting

Can the solution be integrated with an NHS organisation's local monitoring and reporting capabilities?

Yes, this can be configured. Prisma Access logs are stored in Cortex Data Lake (CDL); CDL can forward syslog messages over the internet, encrypted with TLS, to a reachable destination such as a local SIEM.

Will logs from NHS Secure Boundary be shared with NHS England's Cyber Security Operations Centre (CSOC)?

Logs from the NHS Secure Boundary solution will be forwarded to NHS England's Cyber Security Operations Centre (CSOC). This gives the CSOC visibility across the organisations that have adopted the solution, allowing it to act rapidly as new threats or risks emerge.

 
