The near-limitless capacity offered by cloud storage services like Amazon Web Service Simple Storage Service (AWS S3) has enabled organizations to collect massive amounts of data – volumes that quickly exhaust traditional, manual processes for data classification.
The Prisma Cloud Data Security module has been purpose-built to address these challenges. It can continuously discover and help automatically protect sensitive cloud data at the scale and velocity common in public cloud environments. Combining both Palo Alto Networks Enterprise Data Loss Prevention (DLP) Engine and Wildfire for malware analysis, users gain deep visibility and direct control for AWS S3 within their Prisma Cloud console.
“This marks an important milestone in our commitment to bringing our customers the most comprehensive cloud native security platform, already trusted by nearly 50% of the Fortune 100,” says Rahul Sood, SVP, Prisma Cloud.
“Securing sensitive data is ‘job zero’ when I talk to our customers, and I’m thrilled we can offer yet another best-of-breed capability for classifying and protecting data stored in public cloud.”
Here’s what the new Data Security module can do for users.
Prisma Cloud Data Security can be enabled with a single click under the subscriptions tab inside the Prisma Cloud console. The new module automatically provides customers an inventory of their S3 buckets, and offers two options for scanning:
- Backward Scan – scans all existing objects in a bucket
- Forward Scan – scans all new objects added to the bucket
Detecting Sensitive Data in S3 Objects
The new module incorporates the Palo Alto Networks Enterprise DLP engine, which uses machine learning to identify and categorize data. It can automatically recognize specific types of sensitive and regulated data within S3 objects: personally identifiable information (PII) like social security and other personal identification numbers; credit card numbers; financial information; healthcare information; and intellectual property.
Detecting Malware Objects in S3 Buckets
Ensuring any stored data is free from malware that can spread across cloud environments is an essential, yet often overlooked, security requirement for platform-as-a-service (PaaS) data stores. By leveraging the WildFire malware analysis engine, Prisma Cloud identifies and helps protect against known and unknown file-based threats that have infiltrated the customer’s S3 buckets.
Exposure Calculation for S3 Buckets and Objects
Publicly-exposed sensitive data is one of the most commonly-seen vulnerabilities across public cloud environments. The exponential growth of collected data amplifies this issue. Prisma Cloud Data Security helps solve this problem by automatically and continuously monitoring configurations for access control, policy, objects, and others to calculate the exposure of both S3 buckets and individual objects. This allows users to quickly remediate unintended settings for buckets that have been identified as containing sensitive data.
AWS S3 Policy Compliance Alerts
The Data Security module provides five out-of-the-box policies for detecting publicly exposed objects with sensitive data and objects that contain malware. These five policies are for healthcare information, intellectual property, financial information, malware, and PII.
Users can also create their own customized policies and send alert notifications to Amazon Simple Queue Service (SQS), Splunk, and webhooks for remediation.
Comprehensive AWS Account Visibility
Interactive dashboards provide visibility into users’ data security posture across AWS accounts and regions, including the total number of buckets, number of publicly exposed objects with sensitivity, and the geographical distribution of publicly exposed objects.
Unified DLP Policies Across the Enterprise
Palo Alto Networks is your partner in helping ensure consistent data protection and internal policy compliance across the enterprise – including networks, clouds and users. That’s why the Enterprise DLP cloud service is not just limited to Prisma Cloud. It is integrated into all Palo Alto Networks Prisma and firewall products, to help extend configurations and policies consistently wherever sensitive data exists, both at-rest and in-motion. Data protection policies can be configured once, and automatically synchronized across Palo Alto Networks products, thus eliminating time-consuming duplication of processes.
Protect Sensitive Cloud Data Using Prisma Cloud
Users can enable Prisma Cloud Data Security with either a single click in the Prisma Cloud console or a single API call. Current customers can use the new Data Security module to scan up to 300GB of data at no additional cost.
Learn more on our documentation page.