Secure The Cloud

The document discusses cloud-native security platforms (CNSPs) and how they provide a unified approach to securing applications throughout the development lifecycle in cloud environments. It notes that traditional security tools were not designed for modern cloud-native workflows involving containers, microservices, and continuous delivery. CNSPs integrate visibility, governance, compliance, compute security, network protection and identity security across platforms to enhance security in cloud-native applications and environments. The Palo Alto Networks CNSP includes Prisma Cloud, Prisma Access, and Prisma SaaS to secure cloud applications, networks and identities.

Uploaded by Kathryn Icuspit
Copyright © All Rights Reserved

Secure the Cloud

ASIA PACIFIC COLLEGE
School of SM Foundation & IBM Phils.
Real projects. Real learning.

Cybersecurity Survival Guide, Palo Alto 5th Edition

Secure the Cloud (PRISMA)

Application development methodologies are moving away from the traditional “waterfall” model toward more agile continuous integration/continuous delivery (CI/CD) processes with end-to-end automation. This new approach brings a multitude of benefits, such as shorter time to market and faster delivery, but it also introduces security challenges, because traditional security methodologies weren’t designed to address these modern application workflows. As developer teams embrace cloud-native technologies, security teams find themselves scrambling to keep up.

Limited prevention controls, poor visibility, and tools that lack automation yield incomplete security analytics – all of these things increase the risk of compromise and the likelihood of successful breaches in cloud environments. Meanwhile, the demand for an entirely new approach to security emerges. Enter cloud-native security platforms (CNSPs).

The term “cloud native” refers to an approach to building and running applications that takes full advantage of a cloud computing delivery model instead of an on-premises data center. This approach takes the best of what cloud has to offer – scalability, deployability, manageability, and limitless on-demand compute power – and applies these principles to software development, combined with CI/CD automation, to radically increase productivity, business agility, and cost savings.
Cloud-native architectures consist of cloud services, such as containers, serverless, platform as a service (PaaS), and microservices. These services are loosely coupled, meaning they are not hardwired to any infrastructure components, allowing developers to make changes frequently without affecting other pieces of the application or other team members’ projects – all across technology boundaries, such as public, private, and multicloud deployments. In short, “cloud native” refers to a methodology of software development that is essentially designed for cloud delivery and exemplifies all the benefits of the cloud by nature.
As more organizations have embraced DevOps and developer teams have begun to update their application development pipelines, security teams quickly realized their tools were ill-suited for the developer-driven, API-centric, infrastructure-agnostic patterns of cloud-native security. As a result, cloud-native security point products began to hit the market. These products were each engineered to address one part of the problem or one segment of the software stack, but on their own they could not collect enough information to accurately understand or report on the risks across cloud-native environments. This situation forced security teams to juggle multiple tools and vendors, which increased cost, complexity, and risk in addition to creating blind spots where the tools overlapped but didn’t integrate.

• Solving this problem requires a unified platform approach that can envelop the entire CI/CD lifecycle and integrate with the DevOps workflow.
• Just as cloud-native approaches have fundamentally changed how the cloud is used, CNSPs are fundamentally restructuring how the cloud is secured.
• CNSPs share context about infrastructure, PaaS, users, development platforms, data, and application workloads across platform components to enhance security.
• They also:
  • Provide unified visibility for SecOps and DevOps teams
  • Deliver an integrated set of capabilities to respond to threats and protect cloud-native applications
  • Automate the remediation of vulnerabilities and misconfigurations consistently across the entire build-deploy-run lifecycle
• In the past, organizations that wanted to embrace new compute options were stifled by the need to buy more security products to support those options.
• Stitching together disparate solutions in an attempt to enforce consistent policies across technology boundaries became more of a problem than a solution.
• CNSPs, however, provide coverage across the continuum of compute options, multicloud, and the application development lifecycle.
• This coverage allows organizations to choose the right compute options for any given workload, granting them freedom without worry over how to integrate solutions for security.
• CNSPs epitomize the benefits of a cloud-native strategy, enabling agility, flexibility, and digital transformation.
• The Palo Alto Networks CNSP includes the following solutions to secure the cloud: Prisma Cloud, Prisma Access, and Prisma SaaS.


Cloud application security (Prisma Cloud)
Prisma Cloud is the most comprehensive cloud-native security platform, designed to protect all aspects of cloud usage with the industry’s leading technology. Prisma Cloud provides broad security and compliance coverage for the entire cloud-native technology stack, as well as applications and data throughout the entire application lifecycle, across multicloud and hybrid cloud environments. Prisma Cloud takes an integrated approach that enables SecOps and DevOps teams to accelerate cloud-native application deployment by implementing security early in the development cycle.

Prisma Cloud rests on four pillars:
• Visibility, governance, and compliance
• Compute security
• Network protection
• Identity security


Cloud governance and compliance
• Ensuring that your cloud resources and SaaS applications are correctly configured and adhere to your organization’s security standards from day one is essential to prevent successful attacks.
• Additionally, making sure that these applications, as well as the data they collect and store, are properly protected and compliant is critical to avoid costly fines, a tarnished image, and loss of customer trust.
• Meeting security standards and maintaining compliant environments at scale, and across SaaS applications, is the new expectation for security teams.

Despite the availability of numerous tools, most organizations struggle to effectively control their data exposure and enforce security policies across ever-changing cloud environments and SaaS applications. Furthermore, ensuring compliance where data is stored across distributed environments puts a significant burden on your already constrained security teams.

Ensuring governance and compliance across multicloud environments and SaaS applications requires:
• Real-time discovery and classification
• Configuration governance
• Access governance
• Compliance auditing
• Seamless user experience


Compute security

The cloud-native landscape is constantly evolving with new technologies and levels of abstraction. Hosts, containers, and serverless workloads provide unique benefits and have different security requirements. Prisma Cloud provides best-in-class solutions for securing any type of cloud-native workload throughout the development lifecycle.

Prisma Cloud provides cloud-native compute security from build to run, including:
• Vulnerability management
• Runtime security
• Application security
• DevSecOps enabled


Network protection
Network protection must be adapted for cloud-native environments while still enforcing consistent policies across hybrid environments. Prisma Cloud detects and prevents network anomalies by enforcing container-level micro-segmentation, inspecting traffic flow logs, and leveraging advanced Layer 7 threat protection.
Prisma Cloud network protection capabilities include:
• Network visibility and anomaly detection
• Identity-based micro-segmentation
• Cloud-native firewalling


Identity security

Managing a large number of privileged users with access to an ever-expanding set of sensitive resources can be challenging. On top of that, cloud resources themselves have permission sets that need to be managed. Prisma Cloud helps you leverage the identity of cloud resources to enforce security policies and ensure secure user behavior across your cloud environments.
Key capabilities include:
• Identity and access management (IAM) security
• Access management
• Machine identity
• User and entity behavior analytics (UEBA)

Secure Access Service Edge (Prisma Access)
• With increasing numbers of mobile users, branch offices, data, and services located outside the protections of traditional network security appliances, organizations are struggling to keep pace and ensure the security, privacy, and integrity of their networks and their customers’ data.
• Today, many of the technologies on the market are built upon architectures that were not designed to handle all types of traffic and security threats.
• This forces organizations to adopt multiple point products to handle different requirements, such as secure web gateways, firewalls, secure VPN remote access, and SD-WAN. For every product, there is an architecture to deploy, a set of policies to configure, and an interface to manage, each with its own set of logs.
• This situation creates an administrative burden that introduces cost, complexity, and gaps in security posture.

To address these challenges, Secure Access Service Edge (SASE) has emerged. SASE (pronounced “sassy”) is designed to help organizations embrace cloud and mobility by providing network and network security services from a common cloud-delivered architecture.
A SASE solution must provide consistent security services and access to all types of cloud applications (
By removing multiple point products and adopting a single cloud-delivered SASE solution, organizations can reduce complexity while saving significant technical, human, and financial resources.

A SASE solution converges networking and security services into one unified, cloud-delivered solution (see Figure 3-12) that includes the following:
• Networking:
  • Software-defined wide-area networks (SD-WANs)
  • Virtual private networks (VPNs)
  • Zero Trust network access (ZTNA)
  • Quality of service (QoS)

• Security:
  • Firewall as a service (FWaaS)
  • Domain Name System (DNS) security
  • Threat prevention
  • Secure web gateway (SWG)
  • Data loss prevention (DLP)
  • Cloud access security broker (CASB)
SASE delivers advanced network and security capabilities in a converged, cloud-delivered solution.

Prisma Access delivers globally distributed networking and security to all your users and applications. Whether at branch offices or on the go, your users connect to Prisma Access to safely access cloud and data center applications as well as the internet. Prisma Access consistently protects all traffic, on all ports and from all applications, enabling your organization to:
• Prevent successful cyberattacks
• Fully inspect all application traffic
• Benefit from comprehensive threat intelligence

The Prisma Access SASE architecture consists of a network-as-a-service layer, a security-as-a-service layer, and a common management platform to secure branch/retail and mobile users across SaaS, public cloud, internet, and headquarters/data center environments (see Figure 3-13).
Figure 3-13: The Prisma Access architecture

Network-as-a-service layer

The network-as-a-service layer in Prisma Access delivers key SASE capabilities, including:
• Software-defined wide-area network (SD-WAN)
• Virtual private network (VPN)
• Zero Trust network access (ZTNA)
• Quality of service (QoS)


SD-WAN

• Companies are embracing software-defined wide-area network (SD-WAN) to connect branch offices to the corporate network and provide local internet breakout as an alternative to costly multiprotocol label switching (MPLS) connections.
• The challenge with SD-WAN, however, is how to combine security with the SD-WAN fabric, which leads to the need for multiple overlays.
• In a SASE solution, SD-WAN edge devices can be connected to a cloud-based infrastructure, rather than to physical SD-WAN hubs located in data center or colocation facilities.
• This approach enables the interconnectivity between branch offices without the complexity of deploying and managing physical SD-WAN hubs.

• SD-WAN should be something you are already considering or have already adopted into your organization’s network infrastructure as a way to securely connect and control access to branch offices and remote employees.
• SASE creates a unified framework for SD-WAN services and other solutions to connect to, providing a single point of view and a simplified management solution to protect your network.
• Prisma Access connects branch offices over a standard IPsec VPN tunnel using common IPsec-compatible devices, such as your existing branch router, SD-WAN edge device, or a third-party firewall.
• It uses Border Gateway Protocol (BGP) or static routes for routing from the branch and equal-cost multi-path (ECMP) routing for faster performance and better redundancy across multiple links.


Virtual Private Network

Organizations rely on virtual private networks (VPNs) to provide a secure encrypted connection for mobile users and branch offices to access corporate data, applications, and internet access. There are many types of VPN services – from IPsec VPN to SSL VPN, clientless VPN, and remote access VPN – all of which require a connection to a VPN gateway. VPNs are not optimized for access to the cloud, resulting in no security or access control when users disconnect to reach cloud apps or services.

A SASE solution encompasses VPN services and enhances the capabilities to operate in a cloud-based infrastructure in order to securely route traffic to the public cloud, SaaS, internet, or private-cloud apps.
In an IPsec VPN example, you can create a site-to-site connection to a cloud-based infrastructure from any IPsec-compatible device located at a branch or retail location via a branch router, wireless access point, SD-WAN edge device, or firewall.
Mobile users employ an always-on IPsec or SSL VPN connection between their endpoint or mobile device and the SASE solution, which ensures consistent traffic encryption and threat prevention.


No matter which type of VPN service you use in your organization, a SASE solution provides a unified cloud infrastructure to connect to, instead of backhauling to a VPN gateway at corporate headquarters. This solution dramatically simplifies the management and policy control needed to enforce least-privileged access rules.

Prisma Access (formerly GlobalProtect cloud service) provides cloud-delivered security infrastructure that makes it possible for your organization to connect users to a nearby cloud gateway, enable secure access to all applications, and maintain full visibility and inspection of traffic across all ports and protocols.

• For managed mobile devices:
  • Users with managed devices have the GlobalProtect app installed on their laptop, mobile phone, or tablet. The GlobalProtect app connects to Prisma Access automatically whenever internet access is available, without requiring any user interaction.
  • Users can access all of their applications, whether in the cloud or the data center. The connectivity layer connects applications in different locations, making it possible to establish secure access (based on App-ID and User-ID policies) to public cloud, SaaS, and data center applications.
  • Prisma Access delivers protection through the security service layer, such as protections against known and unknown malware, exploits, C2 traffic, and credential-based attacks.

• For unmanaged/BYOD devices:
  • Your organization can deploy Prisma Access in conjunction with mobile device management (MDM) integration to support bring-your-own-device (BYOD) policies. The integration enables capabilities such as per-app VPN.
  • Users with unmanaged devices, such as contractors and employees with BYOD devices, can access applications without an app installed by using Prisma Access with Clientless VPN.
  • Clientless VPN also enables secure access to SaaS applications from unmanaged devices with inline protections by using Security Assertion Markup Language (SAML) proxy integration. This functionality works in conjunction with Prisma SaaS.


Zero Trust network access

• Zero Trust network access (ZTNA) is a key part of the Zero Trust philosophy of “never trust, always verify,” developed by Forrester to identify the need to protect data.
• ZTNA requires users who want to connect to the cloud to authenticate through a gateway before gaining access to the applications they need.
• This requirement provides an IT admin the ability to identify users and create policies to restrict access, minimize data loss, and quickly mitigate any issues or threats that may arise.
• Many ZTNA products are based on software-defined perimeter (SDP) architectures, which do not provide content inspection, thus creating a discrepancy in the types of protection available for each application.
• To achieve consistent protection, the organization must build additional controls on top of the ZTNA model and establish inspection for all traffic across all applications.
• SASE builds on the ZTNA key principles and applies them across all the other services within a SASE solution.
• By identifying users, devices, and applications, no matter where they are connecting from, policy creation and management are simplified.
• SASE removes the complexity of connecting to a gateway by incorporating the networking services into a single unified cloud infrastructure.
• A SASE solution should incorporate ZTNA concepts for protecting applications as well as apply other security services for the consistent enforcement of DLP and threat prevention policies.
• Access controls, in and of themselves, are useful for establishing who a person is, but other security controls are also necessary to make sure that their behaviors and actions are not harmful to the organization.
• And it is necessary to apply the same controls across access to all applications.
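The ZTNA decision described on these slides, as an added example written for this page (not Prisma Access or GlobalProtect code): the gateway identifies the user and the device, matches against explicit rules, denies by default, and attaches inspection services to every allow so that identity alone never grants unchecked access. The group names, device states, application categories, rule names and inspection labels are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Request:
    """One access attempt as the gateway sees it (constructed fields)."""
    user: str                  # authenticated identity; "" if authentication failed
    groups: FrozenSet[str]     # directory groups resolved for that identity
    device_managed: bool       # True when the endpoint runs the managed agent
    app: str                   # application identity, e.g. "erp" (assumed name)
    app_category: str          # "datacenter", "saas" or "internet"


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]          # user must belong to at least one of these
    managed_only: bool              # True: never matches an unmanaged/BYOD device
    app_categories: FrozenSet[str]  # what this rule can grant
    inspection: FrozenSet[str]      # security services applied to every allow


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str
    inspection: FrozenSet[str] = field(default_factory=frozenset)


# Assumed policy: managed employee devices reach every application category,
# unmanaged devices only reach SaaS (the clientless path), and every allow still
# carries inspection, because knowing who the user is says nothing about whether
# what they do is harmful. Anything unmatched is denied.
POLICY: Tuple[Rule, ...] = (
    Rule("employees-managed-all-apps", frozenset({"employees"}), True,
         frozenset({"datacenter", "saas", "internet"}),
         frozenset({"threat-prevention", "url-filtering", "dlp"})),
    Rule("employees-unmanaged-clientless-saas", frozenset({"employees"}), False,
         frozenset({"saas"}), frozenset({"threat-prevention", "dlp"})),
    Rule("contractors-unmanaged-clientless-saas", frozenset({"contractors"}), False,
         frozenset({"saas"}), frozenset({"threat-prevention", "dlp"})),
)


def evaluate(req: Request, policy: Tuple[Rule, ...] = POLICY) -> Decision:
    """First-match evaluation: unauthenticated requests never reach the rules,
    and a request that matches no rule is denied rather than passed through."""
    if not req.user or not req.groups:
        return Decision(False, "deny-unauthenticated")
    for rule in policy:
        if rule.managed_only and not req.device_managed:
            continue
        if not (req.groups & rule.groups):
            continue
        if req.app_category not in rule.app_categories:
            continue
        return Decision(True, rule.name, rule.inspection)
    return Decision(False, "deny-default")


def audit_line(req: Request, d: Decision) -> str:
    """One log line per decision, so SecOps can see denies and which services inspected allows."""
    verdict = "ALLOW" if d.allowed else "DENY"
    services = ",".join(sorted(d.inspection)) or "-"
    device = "managed" if req.device_managed else "unmanaged"
    return (f"{verdict} user={req.user or '-'} device={device} "
            f"app={req.app} rule={d.rule} inspect={services}")


# Constructed sample requests covering each path through the policy.
SAMPLE_REQUESTS = (
    Request("alice", frozenset({"employees"}), True, "erp", "datacenter"),
    Request("alice", frozenset({"employees"}), False, "erp", "datacenter"),
    Request("alice", frozenset({"employees"}), False, "crm-saas", "saas"),
    Request("bob", frozenset({"contractors"}), False, "crm-saas", "saas"),
    Request("bob", frozenset({"contractors"}), True, "erp", "datacenter"),
    Request("", frozenset(), True, "erp", "datacenter"),
)

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(audit_line(r, evaluate(r)))
```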


Quality of service
• As organizations transition from MPLS to SD-WAN using broadband services, they are finding that the service quality varies. Quality of service (QoS) establishes bandwidth allocation assigned to particular apps and services.
• Businesses rely on QoS to ensure that their critical apps and services perform adequately (for example, medical equipment or credit card processing services).
• If these systems were to get bogged down due to lack of bandwidth, business operations and sales would be severely impacted. QoS prioritizes business-critical apps, based on a ranking system, so that you can choose which apps and services take precedence over others.
• QoS is an important step when you begin migrating from MPLS. A SASE solution incorporates QoS services in the cloud, allowing you to easily mark sensitive applications (such as VoIP) as higher priority than general internet browsing and entertainment apps.
• QoS is immensely important for businesses of any size. Managing the QoS traffic and allocation doesn’t need to be difficult.
• SASE enables you to dynamically shape traffic based on the policies that prioritize critical application requirements.
• Make sure that your SASE solution contains QoS capabilities.


Security-as-a-service layer

The security-as-a-service layer in Prisma Access delivers key SASE capabilities, including:
• DNS security
• Firewall as a service (FWaaS)
• Threat prevention
• Secure web gateway (SWG)
• Data loss prevention (DLP)
• Cloud access security broker (CASB)


DNS security
• Every organization uses DNS to translate a domain name into an IP address. DNS is an open service, and by default it does not have a way to detect DNS-based threats.
• As a result, malicious activity within DNS can be used to propagate an attack.
• DNS security protects your users by predicting and blocking malicious domains while neutralizing threats.
• A SASE solution embraces DNS security features by providing consistent security across the network and users, no matter their location.
• Your SASE solution should contain DNS protections, delivered within the cloud environment as part of the network access.
• DNS security should be built-in, rather than bolted-on, to the solution your branch offices and mobile users use to connect to the internet.
• The DNS security provided in your SASE solution should leverage a combination of predictive analytics, machine learning, and automation to combat threats in DNS traffic.
Prisma Access delivers the Palo Alto Networks DNS Security service (discussed in Section 2.6.2.1), which provides a combination of predictive analytics, machine learning, and automation to combat threats in DNS traffic. Organizations can block known malicious domains, predict new malicious domains, and stop DNS tunneling.
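An added example of the two DNS controls named above, a known-bad block list and DNS tunneling detection, written for this page and not taken from the DNS Security service: it scores each registrable domain on the traits a tunnel leaves in query logs (long names, high-entropy subdomains, almost no repeated queries, TXT/NULL record types). The query log, the domain names (RFC 2606 reserved names only) and the thresholds are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (not real traffic): timestamp, client, record type, name.
# Only reserved names (.test, example.com/.net) are used, so nothing here resolves.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 A www.example.com
2024-05-01T09:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T09:00:03Z 10.0.0.7 A cdn.example.net
2024-05-01T09:00:04Z 10.0.0.9 A login.bad-known.test
2024-05-01T09:00:05Z 10.0.0.5 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3.c4d5e6f70819.t.exfil.test
2024-05-01T09:00:06Z 10.0.0.5 TXT 3f4e5d6c7b8a9f0e1d2c3b4a59687f6e.5d4c3b2a1908.t.exfil.test
2024-05-01T09:00:07Z 10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.3a2b1c0d9e8f.t.exfil.test
2024-05-01T09:00:08Z 10.0.0.5 TXT c0ffee1234567890abcdef0123456789.fedcba987654.t.exfil.test
2024-05-01T09:00:09Z 10.0.0.5 NULL 0123456789abcdef0123456789abcdef.aabbccddeeff.t.exfil.test
2024-05-01T09:00:10Z 10.0.0.7 A www.example.com
"""

# Constructed block list standing in for a threat-intelligence feed.
KNOWN_MALICIOUS = {"bad-known.test"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable(name: str) -> str:
    """Last two labels of a name. A real implementation would consult the Public
    Suffix List (so that 'example.co.uk' is handled); this is a simplification."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log: str):
    """Yield (client, record_type, name) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, rtype, name = m.groups()
            yield client, rtype.upper(), name.lower().rstrip(".")


def analyse(log: str, known=KNOWN_MALICIOUS, min_queries: int = 3) -> dict:
    """Return {registrable_domain: verdict}. Known-bad domains are blocked outright;
    the rest are scored on per-domain statistics that characterise tunnelling."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "txtnull": 0, "ent": 0.0})
    verdicts = {}
    for _client, rtype, name in parse(log):
        dom = registrable(name)
        if dom in known:
            verdicts[dom] = "block: known malicious domain"
        sub = name[: -(len(dom) + 1)] if len(name) > len(dom) else ""
        st = stats[dom]
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(name)
        st["txtnull"] += rtype in ("TXT", "NULL")
        st["ent"] += entropy(sub.replace(".", ""))
    for dom, st in stats.items():
        if dom in verdicts or st["n"] < min_queries:
            continue
        n = st["n"]
        reasons = []
        if st["len"] / n > 50:
            reasons.append("long query names")
        if st["ent"] / n > 3.5:
            reasons.append("high-entropy subdomains")
        if len(st["subs"]) / n >= 0.9:
            reasons.append("almost every query unique")
        if st["txtnull"] / n >= 0.5:
            reasons.append("TXT/NULL record types")
        if len(reasons) >= 3:  # several independent indicators, to limit false positives
            verdicts[dom] = "block: probable DNS tunnel (" + ", ".join(reasons) + ")"
    return verdicts


if __name__ == "__main__":
    for dom, verdict in analyse(SAMPLE_LOG).items():
        print(f"{dom}: {verdict}")
```

On the sample log, example.com is queried often enough to be scored but trips none of the indicators, while the exfil.test queries trip all four.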


Firewall as a Service

• Firewall as a service (FWaaS) is a deployment method for delivering a firewall as a cloud-based service. FWaaS has the same features as a next-generation firewall, but it is implemented in the cloud.
• By moving the firewall to the cloud, organizations can benefit from cost savings by eliminating the need to install or maintain security hardware at branch and retail locations.
• A SASE solution incorporates FWaaS into its unified platform. By encompassing the FWaaS service model within a SASE framework, organizations can easily manage their deployments from a single platform.
• A SASE solution should enable FWaaS capabilities in order to provide the protection of a next-generation firewall by implementing network security policy in the cloud. It is important to ensure that your SASE solution does not provide only basic port blocking or minimal firewall protections.
• You need the same features that a next-generation firewall embodies as well as the features that cloud-based security offers, such as threat prevention services and DNS security.
• Prisma Access provides FWaaS, which protects branch offices from threats while also providing the security services expected from a next-generation firewall.
• The full spectrum of FWaaS includes threat prevention, URL filtering, sandboxing, and more.


Threat prevention
• In today’s world of small- and large-scale breaches, where ransomware attacks occur on a daily basis, threat prevention is key to protecting your organization’s data and employees.
• A variety of threat prevention tools are available, from anti-malware and intrusion prevention to SSL decryption and file blocking, providing organizations ways to block threats.
• However, these point products require separate solutions, making management and integration difficult.
• Within a SASE solution, all these point products and services are now integrated into a single cloud platform.
• This integration provides simplified management and oversight of all threats and vulnerabilities across your network and cloud environments.
• Stopping exploits and malware by using the latest threat intelligence is crucial to protecting your employees and data.
• Your SASE solution should incorporate threat prevention tools into its framework so that you can react quickly and swiftly to remediate threats.
• Be sure to check the quality of threat intelligence that is being provided by the vendor.
• The vendor should be gathering and sharing data from various sources, including customers, other vendors, and other related thought leaders, to provide continuous protection from unknown threats.
• Using Prisma Access for threat prevention combines the proven technologies in the Palo Alto Networks platform, together with global sources of threat intelligence and automation, to stop previously known or unknown attacks.


Secure web gateway

• Organizations rely on secure web gateway (SWG) to protect employees and devices from accessing malicious websites.
• SWG can be used to block inappropriate content (such as pornography and gambling) or websites that businesses simply don’t want users accessing while at work, such as streaming services like Netflix.
• Additionally, SWG can be used to enforce an acceptable use policy (AUP) before internet access is granted.

• SWG is just one of the many security services that a SASE solution must provide.
• As organizations grow and add ever greater numbers of remote users, coverage and protection become more difficult.
• A SASE solution moves SWG into the cloud, providing protection in the cloud through a unified platform for complete visibility and control over the entire network.
• A SASE solution includes the same security services in a SWG, allowing organizations to control access to the web and enforce security policies that protect users from hostile websites.
• It is important to remember that SWG is just one service of the SASE solution.
• Other security services – such as FWaaS, DNS security, threat prevention, DLP, and CASB – should also be included.


The SWG functionality in Prisma Access is designed to maintain visibility into all types of traffic while stopping evasions that can mask threats. The Palo Alto Networks web filtering capabilities also drive its credential theft prevention technology, which can stop corporate credentials from being sent to previously unknown sites.


Data loss prevention
• Data loss prevention (DLP) tools protect sensitive data and ensure that it is not lost, stolen, or misused. DLP is a composite solution that monitors data within the environments where it is deployed (such as networks, endpoints, and clouds) and through their egress points.
• It also alerts key stakeholders when policies are violated. Due to compliance requirements – such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and others – DLP is a crucial solution needed for data security and compliance.
• Legacy DLPs rely on old core technology initially designed for on-premises perimeters and subsequently extended and adapted to cloud applications.
• Loaded with features, disjointed policies, configurations, and workarounds, DLPs have become very complex, difficult to deploy at scale, and too expensive.
• Digital transformation and new data usage models demand a fresh approach to data protection.
 Through the SASE approach, DLP becomes one cloud-delivered solution
centered around the data itself, everywhere.
 The same policies are consistently applied to sensitive data, whether at rest, in
motion, and in use, and regardless of its location. In the SASE architecture, DLP
is not a standalone solution anymore but is embedded in the organization’s
existing control points, thus eliminating the need to deploy and maintain
multiple tools.
 With SASE, organizations can finally enable a comprehensive data protection
solution that relies on a scalable and simple architecture and allows effective
machine learning by leveraging access to global traffic.

Data loss prevention
• DLP is a necessary tool to protect sensitive data and ensure compliance throughout the organization.
• To this end, the SASE solution must include this core capability.
• With SASE, DLP is an embedded, cloud-delivered service used to accurately and consistently identify, monitor, and protect sensitive data everywhere across networks, clouds, and users.
• Prisma Access integrates DLP controls that are API-driven (through Prisma SaaS) as well as inline (through Prisma Access).
• These DLP policies allow organizations to categorize data and establish policies that prevent data loss.

Cloud access security broker
• Many organizations depend on cloud access security brokers (CASBs) to provide visibility into SaaS application usage, understand where their sensitive data resides, enforce company policies for user access, and protect their data from hackers.
• CASBs are cloud-based security policy enforcement points that sit as a gateway between your SaaS providers and your employees.
• CASB should be another security feature that is part of your SASE solution, creating a single platform for stakeholders to manage security controls.
• A SASE solution helps you understand which SaaS apps are being used and where data is going, no matter where users are located.

Cloud access security broker
• Your SASE solution should incorporate both inline and API-based SaaS controls for governance, access controls, and data protection.
• Also called a multimode CASB, the combination of inline and API-based CASB capabilities provides superior visibility, management, security, and zero-day protection against emerging threats.
• Prisma Access and Prisma SaaS implement security controls that combine inline security, API security, and contextual controls, acting as a CASB to determine access to sensitive information.
• These controls are implemented in an integrated manner and applied throughout all cloud application policies.

Prisma SaaS
To safely enable SaaS usage in your organization, start by clearly defining the SaaS applications that should be used and which behaviors within those applications are allowed. This step requires a clear definition of which applications are:
• Sanctioned (allowed and provided by IT)
• Tolerated (allowed because of a legitimate business need, with restrictions, but not provided by IT)
• Unsanctioned (not allowed)
Then prevent the usage of unsanctioned applications with granular policies.

Prisma SaaS
Sanctioned SaaS applications provide business benefits and are fast
to deploy, require minimal cost, and are infinitely scalable.
Tolerated SaaS applications fulfill a legitimate business need, but
certain usage restrictions may be necessary to reduce risk.
Unsanctioned SaaS applications either clearly provide no business
benefits or the security risks of the application outweigh the
business benefits.
For example, an unsanctioned SaaS application may violate
regulatory compliance mandates, create an unacceptable risk of
loss of corporate intellectual property or other sensitive data, or
enable malware distribution (see Figure 3-14).

Prisma SaaS
Figure 3-14: Impacts of sanctioned and unsanctioned SaaS applications

Prisma SaaS
To control sanctioned SaaS usage, an enterprise security solution must provide the following:
• Threat prevention
• Visibility and data exposure control
• Risk prevention, not just risk response

Prisma SaaS
• Data residing within enterprise-enabled SaaS applications is not visible to an organization’s network perimeter.
• Prisma SaaS connects directly to sanctioned SaaS applications to provide data classification, sharing/permission visibility, and threat detection within the application.
• This capability yields unparalleled visibility, which allows organizations to inspect content for data exposure violations and control access to shared data via a contextual policy.
• Prisma SaaS builds on the existing SaaS visibility and granular control capabilities of the Security Operating Platform provided through App-ID, with detailed SaaS-based reporting and granular control of SaaS usage.
• Figure 3-15 shows an example of the granular controls for SaaS applications supported by App-ID.

Prisma SaaS
Figure 3-15: Example of granular controls supported by App-ID

Prisma SaaS
• Prisma SaaS is a completely cloud-based, end-to-end security solution that provides visibility and control within SaaS applications, without the need for any proxies, agents, software, additional hardware, or network changes.
• Prisma SaaS isn’t an inline service, so it doesn’t impact latency, bandwidth, or end-user experience.
• Prisma SaaS communicates directly with the SaaS applications themselves and looks at data from any source, regardless of the device or location from which the data was sent.

SaaS threat prevention
• WildFire threat cloud integration with Prisma SaaS provides cyberthreat prevention to block known malware and to identify and block unknown malware.
• This integration extends the existing integration of WildFire to prevent threats from spreading through the sanctioned SaaS applications, which closes off a new insertion point for malware.
• When new malware is discovered by Prisma SaaS, the threat information is shared with the rest of the Security Operating Platform, even if it is not deployed inline with the SaaS applications.

Data exposure visibility
• Prisma SaaS provides complete visibility across all user, folder, and file activity, which provides detailed analysis that helps you transition from a position of speculation to one of knowing exactly what is occurring in the SaaS environment at any given point in time.
• Because you can view deep analytics into day-to-day usage, you can quickly determine if there are any data risk or compliance-related policy violations.
• This detailed analysis of user and data activity allows for granular data governance and forensics.
• Prisma SaaS connects directly to the applications themselves, so it provides continuous silent monitoring of the risks within the sanctioned SaaS applications, with detailed visibility that is not possible with traditional security solutions.

Contextual data exposure control
• Prisma SaaS enables you to define granular, context-aware policy control that provides you with the ability to drive enforcement and quarantine users and data as soon as a violation occurs.
• This control enables you to quickly and easily satisfy data risk compliance requirements such as PCI and PII while still maintaining the benefits of cloud-based applications.
• Prisma SaaS prevents data exposure in unstructured (hosted files) and structured (application entries such as Salesforce.com) data.
• Both data types are common sources of improper data shares.

Advanced document classification
• Prisma SaaS inspects documents for common sensitive data strings (such as credit card numbers, SSH keys, and Social Security numbers) and flags them as risks if they are improperly shared. Unique to Prisma SaaS is the ability to identify documents by type, through advanced document classification, regardless of the data that is contained in the document itself.
• Prisma SaaS has been designed to automatically identify sensitive documents, such as those related to medical, tax, and legal issues.

Retroactive policy
A traditional network security solution can see only inline data and
apply security policies to data that is accessed inline, after the policy
is created.
This approach doesn’t effectively prevent SaaS data exposure,
however, because SaaS data may have been shared long before the
policy was created.
This data may not be accessed inline for many months or years,
potentially leaving sensitive data exposed indefinitely to malware
infection and unauthorized access.

Retroactive policy
• Prisma SaaS retroactively applies security policies to all users and data from the beginning of the SaaS account’s creation, rather than the policy’s creation, to identify any potential vulnerabilities or policy violations.
• Prisma SaaS does not wait for someone to access the data inline to apply policies and resolve any vulnerabilities or violations; SaaS data and shares are proactively discovered, protected, and resolved, no matter when they were created.

Retroactive policy
• Policies are context-driven to allow for granular definitions of data exposure risks.
• This granularity is necessary to enable SaaS use by users while still preventing accidental data exposure.
• Policies take several factors into account to create an overall data exposure risk profile.

Retroactive policy
One or two factors may not provide enough insight into
the potential risk of the share.
The overall risk of exposure is determined only after the
full context of the share is understood.
Risks are calculated by user type, document type, sensitive
data contained, how the data is shared, and whether
malware is present.
This capability provides the ability to control the exposure
at a granular level based on several important factors.

Retroactive policy
For example, a financial team may be able to share financial data with other people on their team, but not beyond that.
Even though the original share is allowed, they cannot share data that is infected with malware.
The financial team may, however, be allowed to share non-sensitive data company-wide or, in some cases, with external vendors.
The key to enabling this level of granularity is the ability to look at the share in the context of all the factors.
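The factor-based exposure risk described on the retroactive policy slides, combined with the sensitive-string detection from the advanced document classification slide, as an added illustration in Python that is not Prisma SaaS code. The share rules (finance-team data stays within the team, malware-infected data is never shareable, non-sensitive data may go company-wide or external), the detectors, and the sample shares are all constructed here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed detectors for the sensitive strings the slides name.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSH_KEY_RE = re.compile(r"-----BEGIN (?:\w+ )?PRIVATE KEY-----")
SENSITIVE_DOC_TYPES = {"financial", "medical", "tax", "legal"}

def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_content(text: str) -> set[str]:
    """Return the kinds of sensitive data strings found in a document body."""
    found = set()
    for m in CC_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("credit_card")
    if SSN_RE.search(text):
        found.add("ssn")
    if SSH_KEY_RE.search(text):
        found.add("ssh_key")
    return found

@dataclass
class Share:
    user_type: str   # who shared it, e.g. "finance"
    doc_type: str    # document type from classification or metadata
    content: str     # document body (constructed sample text)
    audience: str    # how it is shared: "team", "company" or "external"
    malware: bool    # malware verdict for the file (constructed)

def exposure_risk(share: Share) -> tuple[str, list[str]]:
    """Combine all factors into one verdict; any reason means the share is blocked."""
    reasons = []
    strings = classify_content(share.content)
    sensitive = share.doc_type in SENSITIVE_DOC_TYPES or bool(strings)
    if share.malware:
        reasons.append("malware present")
    if sensitive and share.audience != "team":
        reasons.append(f"{share.user_type} shared sensitive data "
                       f"({share.doc_type}, {sorted(strings)}) to {share.audience}")
    return ("block" if reasons else "allow"), reasons
```

Because the verdict is computed from the share's stored attributes rather than from inline traffic, the same function can be run over shares that were created long before the policy existed, which is the retroactive evaluation the slides describe.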
Thank You

ASIA PACIFIC COLLEGE
Real projects. Real learning.
