Prisma Cloud Data Loss Prevention




This blog was authored by @MRendon

Data theft is on the rise. When data is not sufficiently protected, attackers can use a variety of methods to gain access to it, and then monetize the theft by selling your data, and your identity, to others. The tooling these attackers use is built to avoid detection, so an intrusion can easily go unnoticed.


With the explosive growth of cloud applications and services, combined with a growing remote workforce, the opportunities for data loss are more prevalent than ever. Security teams must be able to discover, monitor and protect sensitive data regardless of its location, the application that uses it, and the storage type it sits in.


That's where data loss prevention software such as Prisma Cloud Data Security (PCDS) comes in. It is always on, always scanning for sensitive data, and provides actionable alert information.


Prisma Cloud Data Security - Data Security Settings


Scan Settings

When you select Forward and Backward Scan, the forward scan inspects any file that is created or modified after scanning is enabled, and the backward scan is retrospective: it inspects the files that already exist in the storage bucket at the time scanning is enabled.


The size and number of files with Supported File Extensions that you scan in your storage buckets determine how many Prisma Cloud credits Data Security consumes. If scanning crosses the scan quota threshold, Prisma Cloud Data Security pauses the scan. When you then increase the scan quota and scanning resumes, all files are inspected, provided both forward and backward scan are enabled.


With backward scan, all files already in the bucket are scanned as a batch operation; depending on the number of files in the bucket, backward scan can consume considerably more credits. With forward scan only, Prisma Cloud scans the files that are created or modified in the bucket after you enable scanning. Because the scope of a forward scan is not known in advance, no estimate of the data to be scanned, or of the corresponding credit consumption, is displayed on screen.





Data Profiles

By default, the predefined data profiles (Financial Information, Healthcare, Intellectual Property and PII) are enabled. To disable a data profile, toggle Enabled off for that profile. When a profile is disabled, the data patterns associated with it are not used to discover sensitive content in your storage buckets.





Data Patterns

Prisma Cloud data patterns are grouped within data profiles. Selecting a data profile reveals the patterns it contains; for example, click the name of the Financial Information profile to see its data patterns. Only enabled data patterns are included in the scan.





Confidence Level

Low Confidence: A low confidence match evaluates the specified pattern only. It uses multiple techniques, such as regular expressions, machine learning, and checksum validation, to identify the content.


High Confidence: A high confidence match additionally requires proximity keywords, within 200 characters on either side of the match, on top of the techniques used by a low confidence match.


Proximity Keywords: Keywords reduce false positives and improve accuracy. A proximity keyword is one that appears within 200 characters of the pattern match.
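To make the two confidence levels concrete, here is an added Python example; it is not part of the original post and is not Prisma Cloud's own detection code. It implements a single "credit card number" data pattern the way the text describes it: a regular expression plus a Luhn checksum for the low confidence verdict, and a 200-character proximity keyword window on either side of the match for the high confidence verdict. The regex, the keyword list and the sample documents are all assumptions constructed for the example; the machine learning technique the text mentions is omitted.

```python
import re

# Hypothetical "credit card number" data pattern: 16 digits, optionally
# grouped by hyphens or spaces (assumption, not Prisma Cloud's actual regex).
CARD_PATTERN = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")

# Hypothetical proximity keywords for the pattern (assumption).
CARD_KEYWORDS = ("credit card", "card number", "visa", "mastercard", "cvv", "expiration")

# Proximity window on either side of the match, per the text.
PROXIMITY_WINDOW = 200


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the checksum technique used for the low confidence verdict."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_matches(text, pattern=CARD_PATTERN, keywords=CARD_KEYWORDS, window=PROXIMITY_WINDOW):
    """Return every verified pattern match with its confidence level.

    low  : regex matched and the checksum validates, but no proximity keyword
    high : as above, and at least one keyword within `window` characters on either side
    A regex hit whose checksum fails is not reported at all.
    """
    results = []
    for m in pattern.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue
        before = text[max(0, m.start() - window):m.start()]
        after = text[m.end():m.end() + window]
        context = (before + after).lower()
        hits = [k for k in keywords if k in context]
        results.append({
            "value": m.group(),
            "confidence": "high" if hits else "low",
            "keywords": hits,
        })
    return results


# Constructed sample documents (not real customer data; 4111... is the
# well-known Luhn-valid test number).
DOC_HIGH = "Customer billing record. Card number: 4111-1111-1111-1111, expiration 09/27."
DOC_LOW = "Asset tag 4111111111111111 registered in warehouse 7."
DOC_BAD_CHECKSUM = "Reference 4111-1111-1111-1112 is a ticket id, not a card."
# Keyword present, but more than 200 characters away from the match.
DOC_FAR = "Visa credit card statement.\n" + ("x" * 300) + "\n4111 1111 1111 1111"


if __name__ == "__main__":
    for name, doc in [("DOC_HIGH", DOC_HIGH), ("DOC_LOW", DOC_LOW),
                      ("DOC_BAD_CHECKSUM", DOC_BAD_CHECKSUM), ("DOC_FAR", DOC_FAR)]:
        print(name, find_matches(doc))
```

The DOC_FAR case is the one worth noticing: the keyword "credit card" is in the document, but it sits outside the 200-character window, so the match is only reported at low confidence. Tuning a high confidence alert therefore means thinking about where the keywords actually sit relative to the value in your real files, not just whether they are present.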




Snippet Masking

There are three masks you can apply to the sensitive data shown in alerts. The default is partial mask, which displays only the last four characters in clear text, for example XXXX-XXXX-XXXX-1234.


If you do not want to cloak sensitive data at all, toggle "do not mask", which displays the value in plain text, for example 1234-1234-1234-1234.


The last option is full mask, which cloaks every character of the sensitive value, for example XXXX-XXXX-XXXX-XXXX. Whichever mask is applied, 200 bytes of context before and after the pattern match are displayed.
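The three masking options as a worked example; this is added Python code, not the original post's and not Prisma Cloud's own implementation. It applies each mask to a matched value and builds the alert snippet with 200 characters of context on each side of the match (the text says 200 bytes; the example works in characters, which is the same thing for the ASCII sample used here). The card-number regex and the sample text are constructed for the example.

```python
import re

# Hypothetical pattern for the value being masked (assumption, not Prisma Cloud's regex).
CARD_PATTERN = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")

# Context shown on either side of the match, per the text (characters here, not bytes).
CONTEXT_CHARS = 200

MASK_MODES = ("partial", "full", "none")


def mask_value(value: str, mode: str = "partial") -> str:
    """Apply one of the three masks to a matched sensitive value.

    partial : all but the last four digits become X (XXXX-XXXX-XXXX-1234), the default
    full    : every digit becomes X (XXXX-XXXX-XXXX-XXXX)
    none    : value returned in clear text ("do not mask")
    Separators such as '-' are preserved so the masked value keeps its shape.
    """
    if mode not in MASK_MODES:
        raise ValueError(f"unknown mask mode: {mode!r}")
    if mode == "none":
        return value
    keep = 4 if mode == "partial" else 0
    digit_positions = [i for i, c in enumerate(value) if c.isdigit()]
    masked = set(digit_positions[: len(digit_positions) - keep])
    return "".join("X" if i in masked else c for i, c in enumerate(value))


def build_snippets(text: str, mode: str = "partial", pattern=CARD_PATTERN, context=CONTEXT_CHARS):
    """Return one alert snippet per match: context, masked value, context."""
    snippets = []
    for m in pattern.finditer(text):
        before = text[max(0, m.start() - context):m.start()]
        after = text[m.end():m.end() + context]
        snippets.append(before + mask_value(m.group(), mode) + after)
    return snippets


# Constructed sample object content: 250 filler characters on each side so the
# 200-character context window is visibly truncated.
SAMPLE_TEXT = ("A" * 250) + " card 1234-1234-1234-1234 end " + ("B" * 250)


if __name__ == "__main__":
    for mode in MASK_MODES:
        snippet = build_snippets(SAMPLE_TEXT, mode)[0]
        print(f"{mode:8} len={len(snippet)} ...{snippet[190:230]}...")
```

Note that the mask only covers the matched value: the 200 characters of surrounding context are always shown in clear text, so if a file holds other sensitive data adjacent to the match, that data can appear in the alert unmasked. That is one reason to leave partial or full mask on rather than "do not mask".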





Data Security Dashboard

The Data Security Dashboard is a single pane that summarizes the data security posture across all of your onboarded resources, giving you an instant view without drilling into individual accounts or buckets.






Data Security Inventory

The Data Security Inventory displays the number of buckets being scanned, as well as the total number of objects and their state: for example, buckets with public exposure, objects containing sensitive data, and objects containing malware.




Data Security Policies

Prisma Cloud policies enable you to monitor and manage potential misconfiguration or risks across your cloud infrastructure. You can use the graphs and tables on Policies to assess your policy coverage and utilization of policies.


To help you find the relevant policies based on your role, you can interact with graphs or add filters such as Policy Category, Class, Type, and Subtype and use Group By to aggregate policies using criteria that are important to you.


The graphs show how many policies are enabled, as a count or as a percentage of the total, the split across policy types, how many policies of each severity apply to your infrastructure, and which policy categories, and which Prisma Cloud default versus custom policies, are generating alerts.




Organizations must have an accurate accounting of what is actually within their cloud storage resources, for example AWS S3.

One of the first steps in securing your data is knowing what is actually stored in those S3 buckets.


When you onboard a fully configured account into Prisma Cloud Data Security, Prisma begins scanning the S3 buckets in that account. Through the PCDS settings described above, you control how each object is inspected and how its classification is reported. As you add more accounts to PCDS, you quickly build an inventory (effectively a CMDB) of the resources being monitored. Prisma also scans not only the documents you have today, but the documents you add from now on.


Robinhood Case Study, November 8, 2021: 

"Robinhood Hack Exposes Millions of Customer Names, Email Addresses. NO SSNs or Account numbers were stolen."


I can imagine that some security professionals were not happy to see this in the news. Had Robinhood deployed Prisma Cloud Data Security, they could have used it to discover and protect their sensitive data. The unauthorized party obtained a list of email addresses for about five million people, plus the names of an additional two million.


"The online brokerage, which has about 18.9 million retail clients, announced Monday that a Nov. 3 data breach resulted in various information about 7 million customers being exposed. For 5 million of them, email addresses were accessed, and another 2 million had their full names revealed." (Source)


Though Robinhood says the hack did not cost customers any money, it certainly affected the company's reputation and bottom line.


Are certain states mandating cybersecurity?

In some states, laws require businesses to take certain online security measures. In California, for instance, companies that store data about California residents are required to provide notification in the event of a breach. Organizations are not required to maintain any specific type of cybersecurity protection, but they are held responsible if their protections prove inadequate. New York is another state with specific regulations, but they apply only to businesses in the financial services sector, which must submit an annual certificate demonstrating that they meet minimum levels of cybersecurity. A small number of other states have their own laws in place, and businesses should not assume they are fully compliant until they have investigated the laws at the state and local level.



Prisma Cloud dynamically discovers cloud resources and sensitive data across Amazon Web Services (AWS) and Microsoft Azure (releasing by early 2022) to detect risky configurations, network threats, suspicious user behavior, malware, data leakage, and host vulnerabilities.


Prisma Cloud Data Security uses Palo Alto Networks’ Enterprise DLP and WildFire services to process and scan S3 objects for sensitive data and malware. When S3 objects are sent to Enterprise DLP for analysis, these objects are stored temporarily in Prisma Cloud’s S3 buckets for less than 24 hours, and then deleted. Enterprise DLP does not retain any data after it provides a data classification verdict on your files.


Don't get caught with your sensitive data exposed. Data is routinely moved from one location to another, and when security controls are not followed, breaches like the one outlined above can result. Prisma Cloud continuously scans your storage and verifies that the data you intend to protect is not exposed to attackers, whether inside or outside your organization.






