CNAPP, DSPM and DDR: A New Age in Cloud Security

It’s clear that organizations need more robust capabilities for detecting sensitive data, monitoring access and usage, and tackling misconfigurations and vulnerabilities.

Multiple market forces have brought us to this moment. The rise of AI, machine learning and surging interest in generative AI have increased the volume of data that organizations store in the cloud, creating new risk vectors related to the models themselves. Cloud service sprawl and multicloud deployments add complexity and create fluid environments where sensitive data is hard to monitor. Regulatory compliance has become a major concern, with data privacy and protection regulations creating the possibility of severe consequences for companies that fail to find, classify, and reasonably protect regulated data sets.

The market has spoken: AI, cloud sprawl, and data regulation drive demand for a holistic, platform approach.

In tackling these growing challenges, organizations have come to realize that fragmented, legacy point solutions cannot be the way forward. Organizations are demanding better controls around data to support their increased appetite for innovation — but in 2023, there is neither budget nor spare working hands to manage dozens of different security tools. Data security has to become a holistic and native aspect of the tools that organizations are already using.

Where CNAPP Meets Data Security

CNAPPs are integrated security solutions that address the entire development lifecycle and runtime operations for cloud-native applications. They consolidate infrastructure-as-code (IaC) scanning, cloud security posture management (CSPM), workload protection (CWPP), software composition analysis (SCA), and other capabilities, with the goal of identifying and prioritizing risk across cloud applications and infrastructure.

Where does data security come in? Adding data context allows security teams to zero in on the most important vulnerabilities and misconfigurations, while providing more actionable paths to remediation when data risk is detected.

Data-Centric Capabilities are Key to Prioritizing CNAPP Incidents

Cloud-native development results in a sprawling attack surface spanning containers, virtual machines (VMs), serverless platform-as-a-service (PaaS), IaC, and more. When there are so many components to secure, there’s a lot that can go wrong. Accordingly, CNAPPs encompass many different monitoring capabilities across application development, staging, and runtime.

Prioritization is a major challenge. It’s nearly impossible for security teams and developers to address every flashing light on their dashboards. They need to decide which incidents require immediate remediation, which can be deferred, and which can be automated. Attack path analysis is used to help determine which vulnerabilities can lead to significant breach of sensitive data or a major compliance violation, by looking at:

• The level of exposure — for example, stale permissions are not as big a problem as publicly accessible resources; and
• The sensitivity of the exposed asset — for example, anonymized system logs have less security implications when compared to customer SSNs or credit card numbers.

To understand risk, we have to understand data. Data is both the lifeblood of the modern organization and the prime target for attackers; it is also at the heart of compliance frameworks such as PCI DSS.

Discovering, classifying, and monitoring sensitive data are key to effective attack path analysis. E.g., an unpatched VM might not be a very serious problem, from a security perspective; but if it’s running a database that stores customer information and is now exposed to the world, it needs to be addressed immediately. Delineating between these scenarios cannot be done solely on the configuration level and requires insight into data content and context.

We can think of the Log4Shell vulnerability, which impacted countless applications: in some enterprises, there were potentially hundreds of codebases that relied on the Log4J framework and were now at risk. Security teams had to decide which of these to patch first, an often-painful process which would include upgrading dependencies and potentially lead to application downtime. Knowing where critical data was at risk could help security teams prioritize remediation, and save a tremendous amount of time and resources.

DSPM, DDR, and CNAPP for Holistic Cloud Protection

Data-centric security and cloud-native application protection are the ultimate ‘better together’ — feeding into the other’s strengths to deliver a more complete and streamlined solution for security, data, and development teams. This combination promises many benefits for customers using Dig Security, as well as those who rely on Palo Alto Networks’ Prisma Cloud.

The Benefits of Integrated CNAPP for Dig Customers

By combining Prisma Cloud's CNAPP with Dig's data-centric approach, users will be able to gain end-to-end visibility and control over their sensitive data across the software development lifecycle (SDLC). There’s a lot of potential here to build on Dig’s data-centric approach and enhance it, in areas such as:

• Full cloud context: Data security teams can gain visibility into cloud infrastructure and cloud pipelines including workloads, containers, and CI/CD pipelines. This allows them to better understand lineage, network exposure, and data flow mapping — allowing for a clearer picture of the downstream impacts of data risk, as well as the implications of potentially-breaking changes.
• Integrated malware analysis: Palo Alto Networks WildFire^® is the industry’s largest cloud-based malware protection engine — which can provide an integrated solution for Dig customers to help discover malware and ransomware in cloud storage, in addition to existing data classification capabilities.
• Remediation and threat detection: CNAPP offers strong vulnerability management capabilities, highlighted by Prisma Cloud’s recent Darwin release for Code to Cloud™ intelligence. Dig’s DDR can detect when PII is exposed in a VM. A CNAPP allows security teams to remediate the issue in the code (by changing the IaC templates that create the asset and permissions) as well as in the cloud resource in production (by directly modifying the permission).
• Best-in-class vulnerability and misconfiguration analysis for data stores: Dig’s DSPM shows you where your sensitive data is stored and who has access to it. Prisma Cloud is the industry leader in identifying the relevant threat vectors resulting from cloud misconfigurations and active attacks against applications. Together, the two dramatically improve security posture.

The Benefits of Data-Centric Security for Prisma Cloud Customers

For Prisma Cloud customers, Dig will bring additional capabilities for understanding and securing sensitive data within cloud environments — allowing for robust CNAPP protections to be applied alongside granular data security and compliance in complex cloud ecosystems. For example:

• Adding data access governance (DAG) to cloud infrastructure entitlement management (CIEM): Dig provides critical insight into usage patterns of data assets (e.g., to identify stale permissions), enrich data with relevant labels, and easily see access by user and role. This allows organizations to better understand and control their permissions architecture, with a focus on sensitive data assets.
• Attack path analysis for APIs, workloads: Dig gives visibility into data lineage and flow, which helps fully understand the attack path to the application, and the data that’s exposed as a result. For example, Dig can help create an inventory of APIs that handle PCI data or identify developer secrets used in containerized code. This allows for better prioritization of related CNAPP incidents.
• CSPM + DSPM: Prisma Cloud offers cloud security posture management to identify misconfiguration and vulnerabilities in cloud resources. Dig’s data security posture management adds data context into the mix, which is crucial due to increased scrutiny of data and a larger focus on AI and related technologies.
• Darwin + DDR: Dig’s pioneering data detection and response can help enrich network logs with data events, and allow security research and SOC teams to better identify data-related incidents in real time.

Forward-Looking Statements

This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, but not limited to, statements regarding the anticipated benefits and impact of the acquisition. There are a significant number of factors that could cause actual results to differ materially from statements made in this blog, including, but not limited to, the ability of Palo Alto Networks to integrate Dig’s technology, operations and business. Additional risks and uncertainties that could affect our results are included under the captions "Risk Factors" and "Management's Discussion and Analysis of Financial Condition and Results of Operations" in Palo Alto Networks’ Quarterly Report on Form 10-Q filed with the SEC on November 17, 2023, which is available at investors.paloaltonetworks.com and on the SEC's website at www.sec.gov. Additional information will also be set forth in other filings that Palo Alto Networks makes with the SEC from time to time. All forward-looking statements in this blog are based on information available as of the date hereof, and we do not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made.

Palo Alto Networks, Prisma, Wildfire, Code to Cloud and the Palo Alto Networks logo are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.