Announced at Ignite: Secrets, API, CIEM and More Enhancements in Prisma Cloud

Dec 13, 2022
6 minutes
The Prisma Cloud team is continuously innovating. I’m excited to share that today at the Palo Alto Networks Ignite '22 Conference we announced impactful capabilities added to Prisma Cloud to help you secure your application lifecycle from code to cloud.

Preventing Secret Leaks

For improving code and build security, we have a significant shift-left enhancement, Prisma Cloud Secrets Security. Developers use secrets to enable their applications to securely communicate with other services. But hardcoded access keys and other sensitive data often make it into production and become exposed to unauthorized users. With these credentials in hand, a bad actor can gain access to workloads, data, applications, storage and more.

In fact, this past September, The Hacker News reported that hardcoded Amazon Web Services (AWS) credentials have been identified in 1,859 Android and iOS apps, 77% of which had valid AWS access tokens enabling private AWS cloud service access. But secrets come in many forms, such as text keys, access tokens, API keys, certificates, and passwords. Without effective secret management natively integrated in the developer build environment, a consequential breach can occur in production.

Introducing Prisma Cloud Secrets Security

I’m pleased to announce that Prisma Cloud Secrets Security is the industry’s first integrated CNAPP solution to combine signature-based secrets detection with a fine-tuned entropy model that leverages string context for high fidelity discovery and alerting.

Prisma Cloud now scans all files, including Infrastructure as Code (IaC) and source code. This solution offers full application lifecycle protection by scanning for hardcoded secrets in code pre-commit, in your version control system (VCS) and continuous integration (CI) pipelines. Additionally, it now alerts on exposed secrets in cloud workloads and resources using built-in runtime policies. My team wrote a deep-dive Secrets Security blog post so you can learn more about implementation and use cases.

I won’t list all the 25+ new features helping our clients secure their application lifecycle across the code and build, deploy, and run stages, but here are a few exciting highlights.

  • API Risk Profiling: Cloud-native applications rely on application programming interfaces (API) for communication, and they have become a common vector of attack. A recent example was reported as the point of access in the recent Optus breach. The article says that Optus had an API exposed to the internet that didn’t require authorization or authentication to access customer data.

Prisma Cloud has enhanced its Web Application and API Security (WAAS) capabilities with API risk profiling. With this innovation, the Prisma Cloud API Security solution understands and prioritizes risks based on 200+ factors for every API in your environment.

With Prisma Cloud, security operations can auto-discover all the APIs in their environment, understand API risks, identify sources of risk, and prioritize remediation tasks. With prevention-first architecture, Prisma Cloud also delivers real-time protection for the OWASP API Top 10, rate limiting and bad bots.

  • Cloud Infrastructure Entitlement Management (CIEM) Integration with AWS IAM Identity Center: To evaluate the overall identity risk in a cloud environment, you need to calculate the net-effective permissions, which is done by understanding which identities have access to critical infrastructure.

Due to inconsistent IAM mechanisms across cloud service providers (CSPs) and identities that access cloud infrastructure using identity providers (IdPs) or single sign-on (SSO) tools, these calculations are complex to do manually. Only after understanding net-effective permissions can you enforce least-privilege access to cloud resources – ensuring that if unauthorized users gain access to a role they are limited on the damage they can do.

The CIEM capabilities in Prisma Cloud automate cloud permissions mapping and calculates net-effective permissions. This net-effective permissions score helps you enforce consistent least-privilege access across multicloud environments.

AWS IAM Identity Center helps securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. The integration of Prisma Cloud with IAM Identity Center allows for the ingestion of data from IAM Identity Center and all AWS supported IdPs. Prisma Cloud then aggregates this data with other data sources to automate net-effective permissions mapping so that overly permissive roles are highlighted and least-privilege can be enforced across multicloud environments.

  • Agentless Workload Scanning for Containers: Now Prisma Cloud can scan container workloads for software vulnerabilities without the need of an agent. Identified vulnerabilities are prioritized with a risk score and a description of risk factors. The risk factor description guides the security team to the best course of action by reporting details — vulnerable packages, attack complexity and attack vector.

With the addition of container agentless scanning, customers can centralize visibility across hosts, VMs, serverless, and containers.

  • Vulnerability Explorer Enhancements: Accurate risk prioritization is crucial, and the first step is to have a comprehensive view of your vulnerabilities. This is where Vulnerability Explorer comes in.

With Vulnerability Explorer, you can filter the CVE viewer by risk factors. We’ve also added additional environmental risk factors, such as "Exploit in the wild”, for better context, clarity, and improved risk score calculation. Lastly, we’ve improved the mechanism for detecting Remote Code Execution and DoS risk factors.

  • Application Control for Hosts: We’ve added new capabilities to control applications and their versions that can run on your host machines. With this protection policy, we provide compliance controls that give users the ability to select which applications can run on their host machines and specify the allowed versions. Now you can reduce the attack surface and ensure continuous compliance controls on all your hosts.
  • France Hosting: Expanding European data sovereignty support and scale, Prisma Cloud has added a hosting site in France, which brings Prisma Cloud hosting sites to 11 countries.
  • The New Adoption Advisor: Prisma Cloud Adoption Advisor assists you in operationalizing the platform to take advantage of its full potential for code-to-cloud security. Adoption Advisor analyzes your deployment to deliver a report that considers where you are on your cloud adoption maturity model. The report guides you on which security capabilities to enable to most effectively raise your security posture at each stage of the application lifecycle, code and build, deploy, and run.

Approximately 2,000 global customers trust Prisma Cloud to protect their application lifecycle from code to cloud. Prisma Cloud secures over 1.5 billion assets and protects over 2.5 million workloads by processing over 2 billion events every day. Prisma Cloud is continually recognized by the industry.

Frost & Sullivan, in fact, recently evaluated 15 vendors and tools for their ability to protect cloud-native applications throughout the application development lifecycle. According to the Frost Radar Report for Cloud-native Application Protection Platforms, “Palo Alto Networks is one of the first vendors in the market that can provide a full-stack CNAPP platform that delivers all aspects of security for the cloud-native applications.”

The firm also noted, “Prisma Cloud is one of the most comprehensive and marketable CNAPP platforms, providing full security stack protection for cloud environments, including DevOps security, IaC, serverless security, CSPM, CWPP, CIEM and CNWS.”

Learn More

Watch the webinar Code to Cloud Security Hour: The Rise of the CNAPP to learn more about the latest additions to Prisma Cloud. Or discover the Prisma Cloud advantage firsthand with a hands-on trial.


