Contractors and the Prisma Access Browser Solution
In my previous article on the Prisma Access Browser, or PAB for short, I briefly covered leveraging the PAB to allow contractors or vendors access to secure resources without shipping them a company laptop or a VPN service. This article will go more in-depth, looking at the infrastructure and settings required to make this simple solution work for the users.
Why do we need this solution?
Contractors regularly connect to multiple clients, and personally owned computers pose more risk than most enterprises want to tolerate. This is why some companies choose costly solutions, such as shipping company laptops to contractors or using expensive virtual desktop solutions to control access to sensitive resources.
Users of GlobalProtect, Palo Alto's VPN client, can access secure resources, but that requires installing and configuring the GlobalProtect client. This is safe and secure for managed endpoints and has been used by enterprises since VPNs were first established. However, the lack of control over the endpoint raises security concerns for contractors or employees who want to use their own equipment. We've all heard stories of breaches or compromised access resulting from a vendor security issue.
Why would you want to use only a browser to allow access to sensitive resources?
Well, it's more than just a simple web browser. The Prisma Access Browser is custom-built from the ground up from the Chromium project to be a secure platform. It leverages encryption not found in other browsers to ensure that content can only be opened or viewed in the Prisma Access Browser or decrypted when uploaded to secure and sanctioned storage sites. Its robust DLP features block the ability to take screen captures or share a screen in an online meeting if needed. Those settings are controlled by a policy tightly integrated with identity platforms to allow granular policy control and exceptions when required. There are quite a few other security benefits also available that we would be happy to talk to you about in greater detail.
It's also flexible enough to provide access to remote desktop sessions or terminal windows for Linux devices directly in the browser. Previously, this level of access would require an expensive VPN or remote desktop session. It is now built into the Prisma Access Browser as a service known as Privileged Remote Access. The feature offers an excellent option for administrators who need to access systems remotely, and it also provides a secure method of access for protected systems with command-line access, including OT or other critical infrastructure devices.
Another reason to use it is its deployment simplicity and flexibility. Installation of the browser can be automated for enterprise devices, or it can be a simple install file provided to contractors that does not require administrative rights to install. Because it is based on the Chromium project, it will look and feel like the standard Chrome browser built with custom branding to confirm it is used for the enterprise. Often, a significant challenge for any new product is teaching users how to use the new tool, but they most likely already know how to use Chrome, so they know how to use the Prisma Access Browser.
What do we need to enable this solution?
A few components are required to make this solution work: a Prisma Access Browser Enterprise license, Prisma Access, and at least one ZTNA connector or Service Connection. Prisma Access is Palo Alto's FWaaS or SSE solution, essentially the Strata firewalls we use today but hosted in the cloud for easy scalability and redundancy. Think of the ZTNA connector or Service Connection as a conduit or access point for authenticated users to access secure resources behind Prisma Access. The Prisma Access Browser has two license options: standalone or bundled with Prisma Access. The standalone version cannot connect to Prisma Access but can be used to provide secure access to the internet. In contrast, the bundled version is tied to your instance of Prisma Access, allowing the use of all the Prisma Access features for another layer of security and functionality.
How do you enable this solution?
Once you license the bundled version of the browser and have configured Prisma Access, the ZTNA connector or Service Connections can be configured to allow access only from specified Prisma Access Browser source IP addresses, which you can get from the portal. When paired with an identity provider, such as Okta or Entra AD, you can use group or user-specific policies to allow access to specific resources in your environment, just as you would if they were on a VPN. The browser will evaluate the host computer to ensure it meets the access criteria you configure, and you can prompt the user if there are any problems. There are many options to configure to control who gets access to what and what they can do once they do have access.
What do I do if I have questions?
Ready to securely enable contractor access without the cost and complexity of VPNs or shipped laptops? Discover how the Prisma Access Browser delivers powerful, policy-driven security, seamless deployment, and flexible remote access—all from a familiar browser interface. Whether you're supporting vendors, admins or critical infrastructure, PAB simplifies secure access like never before.
The Prisma Access Browser has many unique capabilities that you may have more questions about. At WWT, we can address those questions and show you how the browser works in the real world. If you have any more detailed questions, you can contact your local WWT sales team to thoroughly discuss how the Prisma Access Browser can help your organization. Deploying the Prisma Access Browser can seem daunting. Still, our skilled teams can help you solve this challenge and add another critical layer of security while bringing flexibility to your offerings.
We are excited to hear from you.