FAQs

Frequently asked questions about the NHS Secure Boundary.

Scope of NHS Secure Boundary

Which NHS organisations are in scope for NHS Secure Boundary?
NHS organisations as defined by the NHS Secure Boundary project include, but are not limited to: Acute Trusts, Ambulance Service Trusts, Community Health Service Trusts, Mental Health Trusts, Commissioning Support Units (CSUs) and Local Health and Care Record Exemplars (LHCREs). We can also on-board NHS internet traffic that is part of community of interest networks (CoINs).

In addition to NHS organisations, we will also be migrating HSCN internet traffic through Central Network Service Providers (CNSPs).

Are both the HSCN internet connection and local internet breakout(s) in scope of NHS Secure Boundary?
By March 2020, HSCN internet traffic will be migrated onto Palo Alto Prisma Access. We will work directly with your CNSP to do this, so the process should be invisible to your organisation. Note that your organisation must have completed migration from N3 to HSCN to benefit from NHS Secure Boundary through your CNSP.

NHS Secure Boundary also provides protection for NHS organisations with local internet breakouts; a direct connection will be established via IPSec tunnels between one or more suitable edge devices in your organisation and your dedicated Palo Alto Prisma Access tenant. Additionally, NHS organisations can benefit from the Imperva Web Application Firewall to protect inbound website traffic.

Is NHS Secure Boundary going to become a default component of the HSCN service?
Yes. HSCN traffic that is currently protected by advanced network monitoring (ANM) will be migrated onto NHS Secure Boundary by the end of March 2020.

What type of internet traffic does NHS Secure Boundary protect?
NHS Secure Boundary comprises two Software-as-a-Service (SaaS) technology platforms protecting two types of internet traffic.

Bi-directional internet traffic: traffic which is initiated from within the NHS perimeter. For example, an NHS worker accessing the internet from their NHS device. Both HSCN internet traffic and NHS organisations' local internet breakout traffic (including public WiFi) will be protected by Palo Alto Prisma Access as part of Secure Boundary.

Inbound website traffic: traffic which is initiated from the Internet. For example, a member of the public accessing an NHS hosted site via the internet from their own personal device. NHS organisations with this type of traffic will be protected through the Imperva Cloud Web Application Firewall service.

Inbound internet traffic is on the Palo Alto roadmap; however, this is not part of the current offering.

Is there any cost to NHS organisations or is it all centrally funded?
The NHS Secure Boundary solution is centrally funded. If during on-boarding it is determined that technical remediation is required, then the associated costs are the responsibility of the NHS organisation. However, NHS England DSC can offer policy advice and guidance.

What support is available to aid migration from your existing system to the NHS Secure Boundary solution?
Your organisation will be assigned a dedicated project manager and technical resource from within the NHS Secure Boundary on-boarding team. These resources will be your first port of call for support throughout your on-boarding, from the point at which you enrol until your handover to BaU is complete and the on-boarding service has been formally signed off.

Can one component of the NHS Secure Boundary service be taken without the other and can an NHS organisation pick which functionality to adopt?
The NHS Secure Boundary solution comprises two Software-as-a-Service (SaaS) technology platforms: Palo Alto Prisma Access Next Generation Firewall (NGFW) and the Imperva Cloud Web Application Firewall service. An NHS organisation has the option to take one or both components of the service, depending on the organisation's needs.

An NHS organisation that takes the Palo Alto Prisma Access NGFW also has the option to tailor the functionality within the platform. The suite of functionality will be discussed during onboarding; an overview of the core offering can be found here.

What resources need to be provided by an NHS organisation?
It is anticipated that every organisation will need to allocate time from a project manager and technical resource as a minimum. Specific FTE requirements will be discussed and agreed with you during project initiation.

Will adoption of NHS Secure Boundary become mandatory?
The solution is not currently mandated; however, adopting NHS Secure Boundary offers a number of key benefits:

Visibility: Increased visibility of network traffic, so NHS organisations can better manage their own risk. It also enables the DSC to identify malicious content within encrypted traffic on behalf of the wider NHS, facilitating enterprise detection, analysis and prevention.

Intelligence: Provision of enriched threat intelligence, enabling the DSC to respond at pace and scale during incidents and emerging risks. It also enables working with advanced threat protection to provide a more detailed view of what is happening locally.

Compliance: Provides capabilities to improve organisations’ Data Security Protection Toolkit (DSPT) and Cyber Essentials Plus (CE+) assessment scores. The solution is compliant with CE+, DSPT, National Cyber Security Centre (NCSC) and IT Healthcare (ITHC) regimes and will remain compliant throughout the development of the service.

Value: Procure at scale to one national standard, enabling improved planning and better value for money for the NHS. The solution is centrally funded for NHS organisations.

The Solution

Does the NHS Secure Boundary Solution use virtual firewalls or physical hardware?
The NHS Secure Boundary service comprises two virtual firewalls, which will be dynamically spun up as organisations onboard.

Palo Alto Prisma Access Service: Each organisation that connects directly to the platform will have its own virtual firewall instances in Google Cloud Platform.

Imperva Cloud WAF Service: This is a Web Application Firewall (WAF), hosted in the Imperva cloud.

How much control will an organisation have over its own firewall configuration?
An NHS organisation has the option to on-board as a self-service or managed organisation. By adopting the self-service option, an organisation will be able to configure local rules and features itself through the platform management consoles, giving increased visibility of traffic. On-demand training will need to be completed during onboarding to ensure appointed administrators in an organisation understand how to manage and configure the platform.

By adopting the managed option, an organisation will need to go through the Customer Service Function (CSF) to make any changes to their platform; these will be carried out on their behalf by the relevant service management teams including Accenture and Palo Alto and/or Imperva.

If you are connecting via the HSCN route you will receive the national rule-set applied to every CNSP; a change to the rule-set must be requested through your CNSP.

How will an NHS organisation connect to NHS Secure Boundary?
The NHS Secure Boundary solution is flexible in the network topologies it can accommodate. The approach for your organisation will be validated during the discovery phase but, as a general principle, if you have multiple sites each with their own dedicated internet connection, we will connect each location to its Palo Alto Prisma Access instance via an IPSec tunnel.

If the internet breakout comes from a centralised location with multi-protocol label switching (MPLS) or wide area network (WAN) linking other locations together then connection to Prisma will be as if the NHS organisation is a single site. All traffic that passes through the Prisma instance will be subject to the rules and policies applied.

Are there any technical pre-requisites to avail NHS Secure Boundary?
Yes. There are a number of technical pre-requisites that must be met before implementing the solution. The onboarding team will complete a gap analysis of your organisation during the discovery phase, the outputs of which will be a remediation report detailing the activities that must be completed ahead of implementation.

The primary technical pre-requisite is that your organisation has an on-premise device (firewall, router or SD-WAN device) that can establish an IPSec tunnel to the Prisma service at the rate at which your internet access is set. For example, if you have a 200 Mb/s internet circuit, the device needs to be able to create an IPSec tunnel and encrypt at 200 Mb/s. All IPSec VPN tunnels will be created in accordance with National Cyber Security Centre guidance, using the PRIME cryptographic profile (FOUNDATION components can be used for compatibility on a case-by-case basis).

What are the benefits to availing NHS Secure Boundary for organisations who have existing Palo Alto Prisma Access firewalls?
The existing Palo Alto Prisma Access firewall can be used as the on-premise device to establish an IPSec tunnel to the Palo Alto Prisma Access instance. If you are currently paying for subscription services on this firewall (e.g. URL filtering, AV, WildFire), NHS Secure Boundary will provide these subscriptions as part of the centrally funded solution; you can therefore stop paying for these subscriptions.

An important benefit of availing the service is the provision of enriched threat intelligence to the NHS England Cyber Security Operations Centre (CSOC), enabling the CSOC to identify malicious content on behalf of the wider NHS. NHS Secure Boundary also takes threat data from sources outside the service (for example NHSmail, NHS England CSOC or the wider customer network of Palo Alto) and allows that threat data to be used by the firewalls in the solution.

Visibility and reporting

How will NHS England get visibility across all NHS organisations?
Logs from the NHS Secure Boundary solution will be forwarded to the NHS England Cyber Security Operations Centre (CSOC). This will enable visibility across organisations who have adopted the solution, allowing the CSOC to act rapidly as new threats or risks emerge.