Help Protect Sensitive Data with a Cloud Native Security Platform

Oct 13, 2020
5 minutes

The near-limitless capacity offered by cloud storage services like Amazon Web Services Simple Storage Service (AWS S3) has enabled organizations to collect massive amounts of data – volumes that quickly exhaust traditional, manual processes for data classification.

The Prisma Cloud Data Security module has been purpose-built to address these challenges. It continuously discovers sensitive cloud data and helps protect it automatically at the scale and velocity common in public cloud environments. By combining the Palo Alto Networks Enterprise Data Loss Prevention (DLP) engine with WildFire malware analysis, it gives users deep visibility into and direct control over AWS S3 from their Prisma Cloud console.

"This marks an important milestone in our commitment to bringing our customers the most comprehensive cloud native security platform, already trusted by nearly 50% of the Fortune 100," says Rahul Sood, SVP, Prisma Cloud.

"Securing sensitive data is 'job zero' when I talk to our customers, and I’m thrilled we can offer yet another best-of-breed capability for classifying and protecting data stored in public cloud."

Here's what the new Data Security module can do for users. 


One-Click Activation

Prisma Cloud Data Security can be enabled with a single click under the subscriptions tab inside the Prisma Cloud console. The new module automatically provides customers an inventory of their S3 buckets, and offers two options for scanning: 

  1. Backward Scan - scans all existing objects in a bucket 
  2. Forward Scan - scans all new objects added to the bucket 


Data Security module pop-up for enabling the module in Prisma Cloud.


Detecting Sensitive Data in S3 Objects

The new module incorporates the Palo Alto Networks Enterprise DLP engine, which uses machine learning to identify and categorize data. It can automatically recognize specific types of sensitive and regulated data within S3 objects: personally identifiable information (PII) like social security and other personal identification numbers; credit card numbers; financial information; healthcare information; and intellectual property.
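The DLP engine classifies content with machine-learning models. As an added example that is not Prisma Cloud's or Palo Alto Networks' code, the following simplified pattern-based classifier shows what a scanner has to do beyond matching a regex against object text: a Luhn checksum filters digit runs that merely look like card numbers, and SSN area/group/serial rules filter impossible values. The category names, object keys and object contents below are constructed for illustration.

```python
"""Simplified, pattern-based classifier for text objects read from S3.

Added example, not the Prisma Cloud DLP engine (which the post describes as
machine-learning based).  The patterns, category names and sample objects
are assumptions constructed for illustration.
"""
import re
from typing import Dict, List

# Candidate patterns are deliberately loose; validation below narrows them.
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs that match the card pattern and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> Dict[str, int]:
    """Count findings per category (constructed names) for one object's text."""
    findings: Dict[str, int] = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["PII"] = len(ssns)
    cards = find_card_numbers(text)
    if cards:
        findings["Financial Information"] = len(cards)
    return findings


def classify_bucket(objects: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Map object key -> findings, keeping only objects with sensitive data."""
    report = {}
    for key, text in objects.items():
        findings = classify(text)
        if findings:
            report[key] = findings
    return report


# Constructed sample objects (key -> decoded text content).  The second SSN
# has an impossible area number and the second card fails Luhn, so neither
# is reported; the 13-digit order number in the log also fails Luhn.
SAMPLE_OBJECTS = {
    "hr/employees.csv": "name,ssn\nAda,123-45-6789\nBob,987-65-4320\n",
    "billing/export.txt": "card 4111 1111 1111 1111 charged; ref 4111111111111112",
    "logs/app.log": "2020-10-13 order 1234567890123 shipped",
}

if __name__ == "__main__":
    for key, findings in classify_bucket(SAMPLE_OBJECTS).items():
        print(key, findings)
```

A real scanner would add the other categories the post lists and would normally run on objects streamed from the bucket rather than on strings embedded in the script; the validation step is what keeps the alert volume manageable, since raw digit patterns match order numbers, timestamps and identifiers all over ordinary data.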


Inventory of categorized S3 object data in Prisma Cloud.


Detecting Malware Objects in S3 Buckets

Ensuring any stored data is free from malware that can spread across cloud environments is an essential, yet often overlooked, security requirement for platform-as-a-service (PaaS) data stores. By leveraging the WildFire malware analysis engine, Prisma Cloud identifies and helps protect against known and unknown file-based threats that have infiltrated the customer’s S3 buckets.


WildFire malware scan result detail in Prisma Cloud.


Exposure Calculation for S3 Buckets and Objects

Publicly exposed sensitive data is one of the most common vulnerabilities seen across public cloud environments, and the exponential growth of collected data amplifies the issue. Prisma Cloud Data Security helps address it by automatically and continuously monitoring access control configurations, bucket policies, object settings and related controls to calculate the exposure of both S3 buckets and individual objects, so users can quickly remediate unintended settings on buckets identified as containing sensitive data.
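One way to compute the exposure described above, as an added example that is not Prisma Cloud's implementation: it rates the bucket listing and each object from the bucket ACL, the bucket policy, the object ACLs and the Block Public Access settings, distinguishing access granted to a wildcard principal outright from access granted only behind a policy Condition. The bucket name, policy, grants and object keys are constructed, and the `with_block_public_access` helper is hypothetical; it exists only to show how the rating changes after the remediation.

```python
"""Rate the public exposure of an S3 bucket listing and of each object from
its access configuration: bucket ACL, bucket policy, object ACLs and the
Block Public Access settings.  Added example, not Prisma Cloud's exposure
calculation; the bucket, policy, grants and keys are constructed, and
with_block_public_access() is a hypothetical helper showing the remediation."""
import copy
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Grantee URIs AWS uses for the anonymous and any-authenticated groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}


def _as_list(value) -> List[str]:
    """Policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def acl_is_public(grants: List[dict]) -> bool:
    """True if any grant gives READ or FULL_CONTROL to a public group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               and g.get("Permission") in ("READ", "FULL_CONTROL") for g in grants)

def public_grants(policy: dict, action: str) -> List[Tuple[str, bool]]:
    """(resource pattern, has_condition) for every Allow statement granting
    `action` to a wildcard principal; Action entries may use IAM wildcards."""
    out = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        allows = any(fnmatchcase(action, a) for a in _as_list(st.get("Action")))
        if st.get("Effect") == "Allow" and wildcard and allows:
            out += [(res, bool(st.get("Condition"))) for res in _as_list(st.get("Resource"))]
    return out

def _policy_levels(bucket: dict, arn: str, action: str) -> Set[str]:
    """Levels the bucket policy grants `arn`; RestrictPublicBuckets makes
    public policy statements ineffective, so they are skipped when it is on."""
    if bucket.get("PublicAccessBlock", {}).get("RestrictPublicBuckets", False):
        return set()
    return {"conditional" if conditioned else "public"
            for pattern, conditioned in public_grants(bucket.get("Policy", {}), action)
            if fnmatchcase(arn, pattern)}  # '*' and '?' as in IAM resource ARNs

def _acl_levels(bucket: dict, grants: List[dict]) -> Set[str]:
    """'public' if the ACL is public and IgnorePublicAcls is off."""
    ignored = bucket.get("PublicAccessBlock", {}).get("IgnorePublicAcls", False)
    return {"public"} if acl_is_public(grants) and not ignored else set()

def _rate(levels: Set[str]) -> str:
    if "public" in levels:
        return "public"
    return "conditional" if "conditional" in levels else "private"

def object_exposure(bucket: dict, key: str, object_grants: List[dict]) -> str:
    """'public', 'conditional' (wildcard principal behind a Condition) or 'private'."""
    arn = f"arn:aws:s3:::{bucket['Name']}/{key}"
    return _rate(_policy_levels(bucket, arn, "s3:GetObject") | _acl_levels(bucket, object_grants))

def bucket_exposure(bucket: dict, objects: Dict[str, List[dict]]) -> Dict[str, str]:
    """Rating for the bucket listing plus one rating per object key."""
    arn = f"arn:aws:s3:::{bucket['Name']}"
    listing = _policy_levels(bucket, arn, "s3:ListBucket") | _acl_levels(bucket, bucket.get("Grants", []))
    report = {"<listing>": _rate(listing)}
    for key, grants in objects.items():
        report[key] = object_exposure(bucket, key, grants)
    return report

def with_block_public_access(bucket: dict) -> dict:
    """Copy of the bucket with the two settings that neutralise existing public access on."""
    fixed = copy.deepcopy(bucket)
    fixed["PublicAccessBlock"] = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}
    return fixed


# Constructed sample: one prefix public by policy, one behind an IP condition,
# one object made public by its own ACL, Block Public Access off.
SAMPLE_BUCKET = {
    "Name": "example-data-lake",
    "PublicAccessBlock": {"IgnorePublicAcls": False, "RestrictPublicBuckets": False},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-data-lake/public/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-data-lake/partner/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]},
}
SAMPLE_OBJECT_ACLS = {  # key -> object ACL grants (empty = owner only)
    "public/index.html": [],
    "exports/customers.csv": [],
    "exports/cards.csv": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "partner/feed.json": [],
}

if __name__ == "__main__":
    for label, b in (("as found", SAMPLE_BUCKET), ("remediated", with_block_public_access(SAMPLE_BUCKET))):
        print(label, bucket_exposure(b, SAMPLE_OBJECT_ACLS))
```

Two design points matter in practice. A public bucket ACL only exposes the listing, not object contents, so object exposure is computed from the object's own ACL plus policy statements whose Resource matches the object ARN; and `IgnorePublicAcls` and `RestrictPublicBuckets` are the two Block Public Access settings that neutralise existing public grants (`BlockPublicAcls` and `BlockPublicPolicy` only prevent new ones), which is why the remediated copy rates every object private without the policy or ACLs being edited. Combining this rating with the sensitive-data classification is what turns "this object is public" into "this object is public and contains card numbers".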


Configuration alerts in Prisma Cloud for AWS S3.


AWS S3 Policy Compliance Alerts

The Data Security module provides five out-of-the-box policies for detecting publicly exposed objects with sensitive data and objects that contain malware. These five policies are for healthcare information, intellectual property, financial information, malware, and PII. 


Examples of out-of-the-box data security policies in Prisma Cloud.


Users can also create their own customized policies and send alert notifications to Amazon Simple Queue Service (SQS), Splunk, and webhooks for remediation.


Creating custom policies for S3 objects in Prisma Cloud.


Comprehensive AWS Account Visibility 

Interactive dashboards provide visibility into users' data security posture across AWS accounts and regions, including the total number of buckets, the number of publicly exposed objects containing sensitive data, and the geographical distribution of publicly exposed objects.


Data security dashboard in Prisma Cloud.


Unified DLP Policies Across the Enterprise

Palo Alto Networks is your partner in helping ensure consistent data protection and internal policy compliance across the enterprise – including networks, clouds and users. That's why the Enterprise DLP cloud service is not limited to Prisma Cloud. It is integrated into all Palo Alto Networks Prisma and firewall products, to help extend configurations and policies consistently wherever sensitive data exists, both at rest and in motion. Data protection policies can be configured once and automatically synchronized across Palo Alto Networks products, eliminating time-consuming duplication of processes.


Protect Sensitive Cloud Data Using Prisma Cloud

Users can enable Prisma Cloud Data Security with either a single click in the Prisma Cloud console or a single API call. Current customers can use the new Data Security module to scan up to 300GB of data at no additional cost.

Learn more on our documentation page.

