NetSec Platform: Strata Cloud Manager (SCM)
The NetSec platform reference model defines three layers: management, inspection, and enforcement. These layers must operate as a coherent system rather than as independent components.
This post focuses on the management layer – the control plane responsible for policy, visibility, and operational workflows.
Most organisations already operate security across multiple domains: remote access, data centre, cloud, SaaS, internet edge, and endpoint. They may have capability coverage in each domain, but the main issue is fragmentation.
Policy, telemetry, and operations are typically distributed across separate tools and teams. No single system has authoritative visibility or control.
SCM as the Control Plane
Traditional network security management evolved around appliances. Each service operated as its own configuration and telemetry domain.
In a distributed enforcement architecture, policy authority must be managed centrally rather than by individual devices or systems.
SCM is a cloud-delivered management and visibility layer for the Palo Alto NetSec platform. It is the anchor point that makes the rest of the system consistent and observable.
Architecturally, it functions as the control plane to:
- Define and distribute policy
- Normalise telemetry across enforcement form factors
- Provide lifecycle management and configuration governance
- Centralise operational workflows and analytics
SCM maintains a hierarchical model where global policy, shared objects, and service-specific rules are defined centrally and applied consistently across the platform.
SCM leverages Strata Logging Service (SLS), which normalises telemetry from different enforcement form factors into a common data model.
On top of this unified data model, SCM applies analytics and deep learning to surface contextual insights, policy recommendations, and operational guidance.
Enforcement remains distributed across firewalls and cloud-delivered services; policy authority and logging are centralised.



Example Platform Outcome: ADEM
Autonomous Digital Experience Management (ADEM) is an observability and experience management solution delivered through SCM.
ADEM would not be possible in a fragmented architecture. It depends on policy context, enforcement telemetry, and endpoint signals existing within the same control plane.
It uses machine learning to identify issues and determine root cause across multiple domains:
- End-to-end segment monitoring (RUM, synthetic testing)
- Endpoint telemetry (CPU, memory, WiFi)
- First and last mile metrics (LAN, ISP)
- Security service telemetry (Prisma Access, NGFW)
- Application performance metrics (latency, connection time)
ADEM calculates a health score for every user, site, and application. It can alert IT, generate a ticket, or provide automated self-service guidance to users.
This reduces help desk volume, manual investigation, and Mean Time to Resolve (MTTR).
Operational Scenario
Scenario: User reports Teams is slow.
Without SCM:
- Check the endpoint
- Check the remote access solution
- Check the firewall logs
- Check the ISP metrics
- Check the SaaS application portal
With SCM:
- Complete user experience view
- Enforcement, endpoint, and network telemetry in one place
- Health score with domain breakdown for troubleshooting
- Suggested root cause


Operational Considerations
From a deployment and operations perspective:
- SCM Essentials is included with relevant Palo Alto products
- SCM Pro enables broader platform-level operational capabilities
- A migration tool is available for existing Panorama users
- Cloud-delivered services are hosted on hyperscale infrastructure
- Region selection on deployment (for example, UK) supports data residency requirements
Platform Outcomes
When SCM is implemented as the control plane for the NetSec platform, the outcomes include:
- Centralised policy authority across distributed enforcement points
- Consistent management and visibility across network security services
- Reduced operational fragmentation between products and enforcement points
- Faster extension of policy and control into new environments and use cases
- A simpler, more scalable operating model for future growth