Palo Alto Networks is upgrading its Prisma Cloud platform to expand the security of applications in an increasingly distributed IT environment that has only accelerated since the COVID-19 pandemic and the dramatic shift to remote working.
The moves announced this week at the vendor’s Ignite ’21 event puts a spotlight on the vulnerability of applications as more of them migrate to the cloud and puts an emphasis on securing the networks that they run across from the data center to the cloud or between multiple clouds.
Palo Alto officials pointed to a Gartner study that found that by 2023, 70 percent of enterprise workloads will be deployed on cloud infrastructure and platform services, a jump from 40 percent last year. In addition, the company’s Unit 42 threat intelligence researchers said that between April and June 2020, cloud security incidents jumped 188 percent year-over-year, with some industries seeing increases of more than 400 percent.
“The challenge in securing these cloud environments stems from the nature of the cloud itself,” Ankur Shah, senior vice president and general manager of Palo Alto’s Prisma Cloud business, wrote in a blog post. “Workloads and resources in the cloud are broadly distributed and highly ephemeral. One new cloud account connects with workloads, applications and data, where each point presents potential attack vectors. In order to secure cloud native applications and infrastructure, organizations need to adapt to be more agile and integrated.”
Also read: Falco Rocks AWS Cloud Security One Louder
Building Out Prisma Cloud
Helping organizations do that is the aim of Prisma Cloud 3.0, which comes two years after the platform was first launched. It comes with a range of new features that are designed to help enterprises adopt a DevOps mentality, including adding security to infrastructure-as-code (IaC) environments, greater security capabilities for Microsoft’s Azure public cloud, network microsegmentation improvements and faster detection of misconfigurations.
In addition, Palo Alto unveiled its Next-Generation CASB (cloud access security broker) to deliver greater security for software-as-a-service (SaaS) security at a time when the business world has moved to hybrid work models.
“With the en masse shift to a hybrid workforce and rapid adoption of the cloud, the way work gets done has changed,” Lee Klarich, chief product officer for Palo Alto, said in a statement. “SaaS collaboration apps are becoming key to a productive hybrid workforce, but SaaS security has not caught up.”
The new CASB, which is available on Prisma Cloud 3.0, is designed to address that security need, Klarich said.
Changing Needs in Network and Security
The moves by Palo Alto and other vendors are part of a larger evolution of network security that has been going on for years, according to Rob Enderle, principal analyst with The Enderle Group, adding that “over the last two decades, the network has become the greatest exposure companies have for outside attacks and where you need to focus on executing a viable defense.”
Initially everything was air-gapped, which made it difficult to propagate without someone physically enabling the attack, Enderle told Enterprise Networking Planet. That gave way to a premier defense, which worked until tools like VPNs and trusted links made permits excessively porous.
“The current approach is AI [artificial intelligence]-based and looks for unusual traffic or behavior in the enterprise, and much of this activity can be picked up on the network,” he said. “This evolution puts the network provider in a critical role, either responsible for the firm’s vulnerabilities or providing the most vigorous defense against an ever-growing number of vulnerabilities.”
With the move to the cloud, “security solutions have to expand into this new frontier or fail,” Enderle said. “When we first started, there wasn’t a network to secure. Now the network is the area you generally need to focus on for any successful security solution. If a security solution doesn’t include the cloud, it really can’t be called adequate in this hybrid and cloud-native world where we now operate.”
Focusing on IaC
To address misconfigurations in IaC templates, Prisma Cloud 3.0 offers embedded scanning and code fixes in developer tools that span the application development lifecycle, a key capability at a time when DevOps teams are increasingly using such templates as Amazon Web Services (AWS) CloudFormation and HashiCorp Terraform, Shah wrote.
The Unit 42 group in a recent report found that almost half of CloudFormation templates in use contain misconfigurations.
“If a misconfigured IaC template is used dozens or hundreds of times, it could easily add hundreds or thousands of misconfigurations and alerts for security teams to address later in the process,” he wrote.
Palo Alto earlier this year bought IaC security vendor Bridgecrew, a key acquisition for its larger ambitions around security for the full application lifecycle. Palo Alto has since integrated Bridgecrew’s technology into Prisma Cloud, giving enterprises a single solution for addressing risks associated with IaC and for integrating security into the development pipeline.
The vendor also is making its WildFire cloud-based threat analysis tool a standalone product, which crowd-sources intelligence from more than 80,000 customers. In addition, its Next-Generation CASB was designed to address limitations of current solutions on the market when it comes to SaaS workloads.
The Latest in CASBs
According to Anand Oswal, senior vice president and general manager at Palo Alto, those limitations include not being able to protect most critical applications because they focus on apps accessible via HTTP/S, which doesn’t include SaaS and non-web apps that account for more than half of enterprise traffic. They also use static databases and support requests for app discovery, as well as lack APIs to secure modern collaboration applications.
They also use inaccurate pattern-based detection and rely on third-party sandboxing across HTTP/S traffic as the only method of threat detection, Oswal wrote in a blog post. The vendor’s Next-Generation CASB addresses those issues and is part of a consolidated secure access service edge (SASE) offering.
“SASE must converge best-of-breed security and SD-WAN [software-defined WAN] capabilities in the cloud to deliver exceptional user experiences while reducing security risks,” he wrote. “Prisma SASE … converges network security, SD-WAN, and Autonomous Digital Experience Management into a single cloud-delivered service, without compromises.”
It consolidates such point products as SD-WAN, zero-trust network access, cloud secure web gateway, firewall-as-a-service (FWaaS), and the Next-Generation CASB into a fully integrated service designed to reduce network and security complexity and improving organizational agility, according to Osawal.