A while back Palo Alto acquired a company called RedLock (now called Prisma Cloud), which provides a Cloud Native Security Platform. You can integrate it with public cloud platforms such as Azure, AWS, GCP and Alibaba Cloud to get an overview of governance, monitoring and security of the platform. (I have also written about it before: Palo Alto Redlock and Public Cloud Threat Defense | Marius Sandbu (msandbu.org), but it has gotten some overhaul in terms of services and management capabilities.)
When you connect it to a cloud environment, it will automatically start inspecting the configuration and provide feedback (such as with the Azure connection that I’ve done here).
It also provides an integration with IaC (using a VS Code extension) to scan code and provide context on how to secure your code (this is scanning the code repository on Terraform).
Now the product itself is fine. From a CISO perspective it can provide rich and easy insight into the overall security and compliance from a cloud perspective, along with rich predefined compliance reporting. However, there is one thing that this product, like most Cloud Security Posture services, has an issue with, and that is lack of support for some main services, which leaves some blind spots in the customer environment.
Palo Alto Prisma documents here what kind of Azure services they ingest from their APIs (Microsoft Azure APIs Ingested by Prisma Cloud (paloaltonetworks.com)).
Let me give an example of some of the features that are missing from the API at the current time.
- Azure Firewall
- Azure Bastion
- Azure VWAN
- Azure Functions
Azure Policies do provide many of the same compliance mechanisms that Prisma provides, however. For instance, if I create a policy in Prisma, it will automatically create an Azure Policy for me to remediate a security alert.
I would expect that non-compliant resources in Azure could also be available in Prisma, but it does not provide a view like that at this time. Secondly, there is Azure Firewall, which is becoming an increasingly normal part of the Azure virtual datacenter, and which Prisma currently cannot ingest information about, essentially creating a blind spot for the CISO.
The second issue is that many of the policies or configuration drifts that it finds are also something that a lot of the built-in features in Azure provide natively. One example is Endpoint Protection features:
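One way to size the blind spot described above, as an added example that is not from the original post or from Prisma Cloud: it takes the JSON that `az resource list` produces and groups the resources that belong to the four services the post lists as missing at the time of writing. The sample inventory and resource names are constructed; the type strings are the ARM resource types for those services.

```python
import json
from collections import defaultdict

# Services the post lists as not ingested, keyed by ARM resource type
# (lower-cased, because Azure returns type names in mixed case).
NOT_INGESTED = {
    "microsoft.network/azurefirewalls": "Azure Firewall",
    "microsoft.network/bastionhosts": "Azure Bastion",
    "microsoft.network/virtualwans": "Azure VWAN",
    "microsoft.network/virtualhubs": "Azure VWAN",
}

def classify(resource):
    """Return the service name if the resource sits in a blind spot, else None."""
    rtype = resource.get("type", "").lower()
    kind = (resource.get("kind") or "").lower()
    # Function apps share Microsoft.Web/sites with ordinary web apps;
    # only the comma-separated 'kind' field tells them apart.
    if rtype == "microsoft.web/sites" and "functionapp" in kind.split(","):
        return "Azure Functions"
    return NOT_INGESTED.get(rtype)

def blind_spots(inventory):
    """Group resource names by the un-ingested service they belong to."""
    found = defaultdict(list)
    for res in inventory:
        service = classify(res)
        if service:
            found[service].append(res["name"])
    return dict(found)

# Constructed sample in the shape of `az resource list -o json` output.
SAMPLE = json.loads("""[
  {"name": "fw-hub",      "type": "Microsoft.Network/azureFirewalls", "kind": null},
  {"name": "bas-hub",     "type": "Microsoft.Network/bastionHosts",   "kind": null},
  {"name": "vwan-core",   "type": "Microsoft.Network/virtualWans",    "kind": null},
  {"name": "func-orders", "type": "Microsoft.Web/sites", "kind": "functionapp,linux"},
  {"name": "web-portal",  "type": "Microsoft.Web/sites", "kind": "app"},
  {"name": "stlogs01",    "type": "Microsoft.Storage/storageAccounts", "kind": "StorageV2"}
]""")

if __name__ == "__main__":
    gaps = blind_spots(SAMPLE)
    hidden = sum(len(names) for names in gaps.values())
    print(f"{hidden} of {len(SAMPLE)} resources fall outside ingestion")
    for service, names in sorted(gaps.items()):
        print(f"  {service}: {', '.join(names)}")
```

Resources reported here still need coverage from Azure-native tooling, since they will not appear in the posture view.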
Azure Security Center recommendations
Cloud Prisma Alerts
Now while Prisma does provide information on how to solve this, Defender has a OneClick remediation solution for some of these resources. However, Prisma does provide remediation tasks for some alerts.
Another issue that I would like Prisma Cloud to solve is ingesting Security Graph API alerts and other alerts, so that the CISO has one portal to see the current security posture for public clouds, or even something more like a TLP (Traffic Light) indicator. While Prisma still has a better integration with AWS, the support for Azure has gotten a lot better since last time. However, do we need it? If you are fully invested in a full Azure environment and the native capabilities that it provides, then I recommend using the Azure native way, since this can provide blind spots and policies still need to be done cloud native. One main point can be multi public cloud, but we already see that Microsoft is moving in that direction as well (as I’ve written about here): Integration Azure Defender with Google Cloud and AWS and Cloud Security Posture Management systems | Marius Sandbu (msandbu.org).
Summary
I believe that Cloud Security Posture services should be aiming at simplifying security and providing a centralized view of the cloud setup, and that they should be aiming at providing better context and other alerting mechanisms which are currently not available from the cloud provider natively. Prisma is still not there yet, at least not for Azure.