Palo Alto Networks adds new cloud modules to their Prisma Cloud Native Security Platform

In addition to their Prisma Cloud 2.0 announcement, Palo Alto Networks has announced the availability of their first Canadian-based cloud region.

Palo Alto Networks has launched the 2.0 version of their Prisma Cloud platform, the company’s Cloud Native Security Platform [CNSP].  Prisma Cloud 2.0 includes technology from their Twistlock and Aporeto acquisitions, as well as organically developed capabilities. The new content is incorporated in four new cloud security modules: Data Security; Web Application and API Security; Identity-Based Microsegmentation; and Identity and Access Management.

The Prisma Cloud platform was originally introduced last year, and at that time it was principally about bringing together recently acquired products and rebranding them.

“Our initial Prisma release was focused more on making acquisitions available under the Prisma brand,” said John Morello, VP of Product Management for Prisma Cloud Compute at Palo Alto Networks. “Prisma 2.0 is unique because it incorporates other new acquisitions, but also organic development that has been built specifically around the notion of having this all in a platform.”

CNSP is Palo Alto Networks’ proprietary term, which they believe best describes the optimal type of services for customers.

John Morello, VP of Product Management for Prisma Cloud Compute, Palo Alto Networks

“The analyst definitions aren’t always sufficient for what customers need,” Morello said. “CNSP emphasizes multiple layers for customers, and also encompasses the full DevOps lifecycle to protect applications from the very beginning. Our platform tries to solve both of the layers of cloud security customers care about. The third and bottom layer is not their problem. That’s Azure – the cloud. But above that is the service plane layer, and the compute is on top. We cover those two layers, not just for containers but serverless and host. Everything is designed to work together, and provide a cohesive experience as if though the applications were all organically built by the same company.”

Most of the applications on the Prisma platform were acquired, so have different code bases. Historically, most companies have not considered that an asset, but Morello said it matters much less today, and the fact that all the acquired applications are completely cloud-native provides a significant differentiation.

“All these applications had different back end – and they are still different,” he stated. “But we can deliver a unified user experience because everything is built with microservices. CNSP is not just a repackaging of existing applications, like many others do. It is an integrated platform built from acquisitions and organic development, so it’s a much more cloud-native approach.”

The new modules begin with Data Security, a Data Loss Prevention [DLP] module that provides discovery, classification and malware detection for AWS S3.

“Data Security solves a problem with cloud storage services,” Morello indicated.

When used in conjunction with Cloud Security Posture Management [CSPM] capabilities, Data Security gives customers context about their true cloud risks around data exposure, and can also be used by regulated industries for compliance purposes.

“The technology for this was built internally,  rather than acquired,” Morello said.

The second module is Web Application and API Security, which helps protect web applications against Layer 7 and OWASP [ Open Web Application Security Project] Top 10 threats. It integrates with the Cloud Workload Protection Platforms [CWPP] unified agent framework.

“This is basically built on the Twistlock container security technology we acquired in 2019, which provides different ways of delivering HTTP inspections,” Morello noted. “It is an updated form of a Web Application Firewall [WAF], doing web app filtering to selectively intercept traffic. Because we run next to the application, we scale perfectly with the app. This also make it easier for developers, because it can consumer Swagger API manifest, and determine much stricter rules on endpoints that should be allowed.”

The third module, Identity-Based Microsegmentation, uses technology that came from Palo Alto Networks’ acquisition of Aporeto in late 2019.

“It provides for a zero-trust networking policy, rather than the classical model where everything inside the edge can talk to each other,” Morello said. “This is an agent-based approach, which is not based on IP addresses, but on a machine’s identity, using metadata.”

Identity and Access Management [IAM] Security is the fourth new module.

“This is not traditional IAM, but rather protection for the way that you configure those services,” Morello stated. “The granularity can be overwhelming for many customers, so they give broad access. What this does is identify where you have given an overly high level of privilege to a person or a machine. For example, giving a person or a machine that only reads out of an S3 bucket a very high level of privilege increases risk. Controlling these configurations, at scale, can significantly reduce overall risk.”

In addition to the Prisma 2.0 announcement, Palo Alto Networks has announced that they have established a cloud region in Canada, their first. This will provide Canada-based customers with a Canadian cloud location for all of the company’s cloud offerings – Prisma Cloud, Cortex Data Lake, Cortex XDR and WildFire.

“We did not have a region in Canada before,” Morello indicated. “We would use U.S. based regions instead. Some customers had specifically asked us for this, especially in government, health care and financial services. This is about making them happy.”