TECHunplugged analyst Max Mortillaro recently had the opportunity to travel to San Jose, California for Security Field Day 11. One of the presenting companies, Palo Alto Networks, focuses on cloud data security with its Prisma Cloud solution.
Organizations Lack Data Awareness
According to Palo Alto Networks, CIOs and organizations have a general lack of awareness when it comes to data, with:
- No visibility on data footprint, data usage and adherence to regulatory compliance (PII, GDPR, CCPA, etc.)
- No visibility on potential data exfiltration activities or ransomware attacks (except, of course, when it’s already too late)
Palo Alto Networks also sees cloud datastores as primary targets for attacks, yet, unlike compute and network, which have dedicated security tooling (EDR, NDR), datastores have had no equivalent.
The reason for targeting cloud datastores is easy to understand: many past security incidents have been traced back to improperly protected repositories (let’s not go down that rabbit hole).
Furthermore, the explosion of data footprint in public clouds is fueled by PaaS (storage, databases, analytics), IaaS (unmanaged assets such as public cloud VMs used as data repositories), and DBaaS, with fully managed DB services such as Snowflake and Databricks.
Discovering Prisma Cloud
Palo Alto Networks’ presentation revolved around their Prisma Cloud solution, which addresses two areas of cloud-native data security: DSPM (Data Security Posture Management) and DDR (Data Detection and Response).
- DSPM (Data Security Posture Management)
  - Discovery & classification of all data across clouds & deployment modes, structured & unstructured
  - Static risk identification (data/bucket misconfiguration, access permissions, data sovereignty)
- DDR (Data Detection & Response)
  - Real-time data detection & response (alert & automate actions on any data threat)
Figure 1 – Prisma Cloud Discovery & Classification capabilities – Source: Palo Alto Networks
Discovery and classification capabilities are straightforward and highlighted in Figure 1 above. The solution is capable of identifying orphaned data, i.e. data that no longer has an owner assigned (for example, after someone left the organization), but also orphaned snapshots, i.e. snapshots that still exist even though the source data was deleted.
This becomes important in the second aspect of DSPM capabilities, i.e. risk identification. That area focuses on identifying misconfigurations at several levels. Examples include unencrypted repositories, lax or nonexistent access controls (for example, datastores exposed to the entire internet because someone forgot to explicitly restrict access), and adherence to data sovereignty laws.
Coming back to orphaned snapshots: if the original permissions on the source (now deleted) object were, for example, set to public access, the snapshot typically inherits or retains that exposure, and a malicious actor would still be able to access the snapshot and its data long after the source was cleaned up.
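To make the two DSPM checks above concrete (public or unencrypted repositories, and orphaned snapshots that stay readable after their source is gone), here is an added example of the kind of posture rule a practitioner could run over an exported cloud inventory. This is illustrative code written for this article, not Prisma Cloud’s logic; the inventory is constructed, and the field names (read_principals, create_volume_permissions, the "all" public-sharing marker borrowed from EC2 snapshot attributes) are assumptions that would need mapping to the real provider API.

```python
"""Toy DSPM-style posture checks over a constructed cloud inventory.

Added example, not Prisma Cloud code. Records are invented and loosely
shaped after S3 bucket metadata and EC2 DescribeSnapshots /
DescribeSnapshotAttribute output; field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Finding = Tuple[str, str]  # (resource id, finding code)


@dataclass
class Bucket:
    name: str
    encrypted: bool
    # Principals granted read by the bucket policy; "*" means anyone (assumed encoding).
    read_principals: List[str] = field(default_factory=list)
    owner: Optional[str] = None


@dataclass
class Snapshot:
    snapshot_id: str
    source_volume_id: str
    # Accounts granted createVolume; "all" mirrors the EC2 public-sharing group.
    create_volume_permissions: List[str] = field(default_factory=list)
    owner: Optional[str] = None


def check_buckets(buckets: List[Bucket], active_users: Set[str]) -> List[Finding]:
    """Flag unencrypted, internet-readable and ownerless repositories."""
    findings: List[Finding] = []
    for b in buckets:
        if not b.encrypted:
            findings.append((b.name, "UNENCRYPTED"))
        if "*" in b.read_principals:
            findings.append((b.name, "PUBLIC_READ"))
        if b.owner is None or b.owner not in active_users:
            findings.append((b.name, "ORPHANED"))  # owner missing or no longer in the org
    return findings


def check_snapshots(snapshots: List[Snapshot], live_volume_ids: Set[str]) -> List[Finding]:
    """Flag snapshots whose source is gone, and those shared publicly.

    The combination is the case the text warns about: the source was deleted,
    but its contents remain readable by anyone through the snapshot.
    """
    findings: List[Finding] = []
    for s in snapshots:
        orphaned = s.source_volume_id not in live_volume_ids
        public = "all" in s.create_volume_permissions
        if orphaned:
            findings.append((s.snapshot_id, "ORPHANED_SNAPSHOT"))
        if public:
            findings.append((s.snapshot_id, "PUBLIC_SNAPSHOT"))
        if orphaned and public:
            findings.append((s.snapshot_id, "ORPHANED_AND_PUBLIC"))
    return findings


# --- constructed sample inventory (not real resources) ---------------------
ACTIVE_USERS = {"alice"}          # bob has left the organization
LIVE_VOLUMES = {"vol-aaa"}        # vol-bbb and vol-ccc were deleted

SAMPLE_BUCKETS = [
    Bucket("cust-exports", encrypted=False, read_principals=["*"], owner="alice"),
    Bucket("finance-archive", encrypted=True, read_principals=["arn:aws:iam::123456789012:role/finance"], owner="bob"),
    Bucket("app-logs", encrypted=True, read_principals=["arn:aws:iam::123456789012:role/app"], owner="alice"),
]

SAMPLE_SNAPSHOTS = [
    Snapshot("snap-001", "vol-aaa", create_volume_permissions=[], owner="alice"),
    Snapshot("snap-002", "vol-bbb", create_volume_permissions=["all"], owner="bob"),
    Snapshot("snap-003", "vol-ccc", create_volume_permissions=["123456789012"], owner="alice"),
]


def run_demo() -> List[Finding]:
    """Run both rule sets over the constructed inventory and return all findings."""
    return check_buckets(SAMPLE_BUCKETS, ACTIVE_USERS) + check_snapshots(SAMPLE_SNAPSHOTS, LIVE_VOLUMES)


if __name__ == "__main__":
    for resource, code in run_demo():
        print(f"{resource:20s} {code}")
```

The interesting output line is snap-002: its source volume is gone, so nobody is looking at it any more, yet it is still shared with every account. Joining the orphan check with the permission check is what turns two low-priority hygiene items into one high-priority exposure.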
Besides static configuration issues, Data Detection and Response focuses on active threats against the customer’s cloud data landscape. In the example below (Figure 2), a SQL and code injection attempt is detected by Prisma Cloud.
The screenshot is interesting because it not only demonstrates detection capabilities but also provides insight into the management interface of Prisma Cloud. Whether a finding relates to DSPM or DDR, the management interface automatically tags it and allows it to be assigned to a specific owner or resolver.
Figure 2 – An example of Data Detection & Response, showing the full attack path – Source: Palo Alto Networks
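The screenshot shows the product’s view of an injection attempt; the added example below shows the shape of the underlying detection problem from the practitioner’s side, namely turning database audit log lines into scored alerts. This is illustrative code written for this article, not Prisma Cloud’s detection logic. It assumes PostgreSQL statement logging with a log_line_prefix of the form `%m [%p] %u@%d` (an assumption; real deployments vary), and the log lines are constructed.

```python
"""Score database statement log lines for SQL / code injection indicators.

Added example, not Prisma Cloud code. Rules are deliberately simple
signatures with weights; a production DDR system would add baselining,
parameterised-query awareness and identity context on top.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed PostgreSQL log_line_prefix '%m [%p] %u@%d' followed by the statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\w+)@(?P<db>\w+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# (rule name, pattern, weight). Weights are illustrative.
RULES: List[Tuple[str, "re.Pattern[str]", int]] = [
    # ' OR '1'='1 / OR 1=1 style always-true predicates
    ("tautology", re.compile(r"\bor\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I), 3),
    # appending a second result set to read other tables
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I), 3),
    # a second statement smuggled in after a terminator
    ("stacked_query", re.compile(r";\s*(drop|delete|update|insert|exec|execute|copy)\b", re.I), 4),
    # comment used to cut off the remainder of the original query
    ("comment_truncation", re.compile(r"(--|#|/\*).*$"), 1),
    # primitives that reach the OS or filesystem from inside the database
    ("code_exec", re.compile(
        r"\b(xp_cmdshell|copy\s+.*\bfrom\s+program|load_file|into\s+(out|dump)file)\b", re.I), 5),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a statement log line, or None for other log events."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def score_sql(sql: str) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires and return the rule names."""
    hits = [name for name, pattern, _ in RULES if pattern.search(sql)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def alerts_for(lines: List[str], threshold: int = 3) -> List[Dict[str, object]]:
    """Parse, score and keep only statements at or above the alert threshold."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # connection events etc. carry no statement to score
        score, hits = score_sql(rec["sql"])
        if score >= threshold:
            alerts.append({"user": rec["user"], "db": rec["db"], "pid": rec["pid"],
                           "score": score, "hits": hits, "sql": rec["sql"]})
    return alerts


# --- constructed sample log (not a real capture) ---------------------------
SAMPLE_LOG = [
    "2024-05-01 10:00:00.000 UTC [4211] app@orders LOG:  connection authorized: user=app database=orders",
    "2024-05-01 10:00:01.123 UTC [4211] app@orders LOG:  statement: SELECT id, total FROM orders WHERE customer_id = 42",
    "2024-05-01 10:00:02.456 UTC [4211] app@orders LOG:  statement: SELECT id, total FROM orders WHERE customer_id = 42 OR 1=1 --",
    "2024-05-01 10:00:03.789 UTC [4212] app@orders LOG:  statement: SELECT name FROM products WHERE id = 7 UNION ALL SELECT usename FROM pg_user",
    "2024-05-01 10:00:04.000 UTC [4213] app@orders LOG:  statement: SELECT 1; COPY t FROM PROGRAM 'id'",
    "2024-05-01 10:00:05.000 UTC [4214] report@orders LOG:  statement: SELECT count(*) FROM orders -- nightly rollup",
]


if __name__ == "__main__":
    for a in alerts_for(SAMPLE_LOG):
        print(f"pid={a['pid']} {a['user']}@{a['db']} score={a['score']} hits={a['hits']}")
```

Two points worth noting. The threshold keeps the legitimate nightly query with a trailing comment (score 1) out of the alert list while the tautology plus comment (score 4) gets in, which is why weighted rules beat a single regex. And the COPY ... FROM PROGRAM line scores highest because it fires both the stacked-query and code-execution rules: that is the “SQL and code injection” combination the figure refers to, where the attacker is no longer after data but after a shell.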
The solution is built specifically for cloud environments, and currently does not support on-premises environments.
Partial Convergence of DSPM and UDM
As a final comment, there is an interesting overlap (or convergence) between DSPM and Unstructured Data Management (UDM), notably around data discovery and classification. DSPM looks at data from a security and risk perspective: in that context, data classification is important to identify if the organization is in violation of internal and regulatory policies around personally identifiable information (PII), or consumer privacy regulations such as GDPR, CCPA, and more.
Even if this aspect is important (and even key) for UDM solutions, UDM focuses more on holistic data management, considering not only security and regulatory aspects, but also more mundane aspects of data management such as data placement optimization, policy-based orchestration (migrations, data repatriation, data sovereignty, etc.) and all sorts of reporting (including costs).
Another noteworthy differentiator is whether a solution covers both on-premises and public cloud environments (in the broader sense, i.e. PaaS, IaaS, and DBaaS), which UDM solutions typically aim to do.
TECHunplugged’s Opinion
Prisma Cloud was a pleasant surprise, one of those gems that delegates happily stumble upon at Tech Field Day events. Security is a very broad topic, and if delegates could agree on one thing, it is how often one area of enterprise IT affects another. This sort of “blast radius” forces the IT practitioner to explore outside of their core area of focus.
Understanding Prisma Cloud capabilities was beneficial, notably when it comes to data classification capabilities of DSPM, an area that is often covered by unstructured data management solutions. Data detection and response capabilities, although laudable, are more traditional and in line with what the layman would expect of such a solution.
Regardless of the context and persona within an organization, maintaining good data hygiene is important. Security and data management practices should go hand in hand, and the organization should put in place adequate processes and tools to ensure full coverage, not only across clouds but also for all sorts of workloads, including the on-premises infrastructure. That is perhaps the only area where Prisma Cloud needs to improve.
Unfortunately, Palo Alto Networks’ findings about CIOs’ lack of data awareness remain to date the crux of the issue when it comes to proper data management practices. It’s not that CIOs can’t; it’s a more general problem of understanding and acknowledging the criticality of data assets for any organization. This awareness shouldn’t be a matter of concern only for security or data infrastructure teams, but also, and mainly, for C-level executives such as the CEO, the CFO, and the CIO.
In TECHunplugged’s opinion, DSPM, DDR, and UDM should be driven top down, at the organizational level, perhaps through Compliance functions, rather than emanate from the desires or needs of the data infrastructure or security teams (which should nevertheless be praised for doing their best in addressing organizational gaps).
Additional Resources
Check out Tech Field Day website for Security Field Day 11 presentations and videos.
Also, check out TECHunplugged’s review of Prisma Cloud’s presentation at Security Field Day 11:
Disclosure: Max Mortillaro was invited to Security Field Day 11 by Tech Field Day, a Futurum Group company, and had his travel and accommodation expenses covered. TECHunplugged was not compensated by Tech Field Day or any presenting companies and has no obligation to create content.