System Components
- Updated on 28 Feb 2024
Prisma Cloud DSPM uses native, built-in deployment methods for each public cloud. You can integrate Prisma Cloud DSPM with any cloud provider to provide real-time monitoring capabilities without affecting the monitored environment’s performance, making it a completely out-of-band solution.
Prisma Cloud DSPM’s scanning and monitoring tool consists of three main components:
Prisma Cloud DSPM Orchestrator
Prisma Cloud DSPM Orchestrator is the component responsible for analyzing data from your environment. This component enables Prisma Cloud DSPM’s compute resources (e.g., EC2 for AWS, VM for Azure) to scan and analyze your different accounts across the selected cloud platform. You can either install Orchestrator in a single dedicated account (a security tooling account) that monitors the other scanned accounts, or install it in each scanned account separately; installation is configurable to meet the client’s needs.
Prisma Cloud DSPM Read-Only Permissions
Read-only permissions give Prisma Cloud DSPM read-only access to the client’s environment: they enable it to access assets’ metadata such as size, name and region, and to collect logs for DDR capabilities. This component is installed in every account monitored by Prisma Cloud DSPM and enables asset discovery and protection.
Prisma Cloud DSPM Scanner Permissions
Scanner permissions enable Prisma Cloud DSPM to discover and scan data for analysis and classification. They are installed in every account monitored by Prisma Cloud DSPM (in addition to read-only permissions), and cannot be used outside the client’s environment. This ensures that all sensitive data discovered, scanned and classified by Prisma Cloud DSPM’s resources never leaves the client’s environment.
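One way to check that a role deployed as the read-only permissions component described above grants only read-style actions, as an added example that is not Prisma Cloud DSPM's own code or policy. It assumes AWS IAM policy JSON; the sample policy is constructed and the list of read verbs is an assumption to adjust for your environment.

```python
import json

# Assumption: action-name prefixes treated as non-mutating; tune as needed.
READ_PREFIXES = ("get", "list", "describe", "lookup", "search", "batchget")

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return value if isinstance(value, list) else [value]

def is_read_only_action(action):
    """True if an IAM action pattern can only match read-style operations."""
    if ":" not in action:
        return False  # bare "*" or malformed entry
    verb = action.split(":", 1)[1].lower()  # IAM action names are case-insensitive
    # Only the literal text before the first wildcard is guaranteed to match,
    # so "s3:Get*" is acceptable while "s3:*" and "s3:G*" are not.
    literal = verb.split("*", 1)[0].split("?", 1)[0]
    return any(literal.startswith(p) for p in READ_PREFIXES)

def audit_policy(policy):
    """Return (sid, action, reason) for Allow statements exceeding read-only."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "allows everything except the listed actions"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only_action(action):
                findings.append((sid, action, "not limited to read-style verbs"))
    return findings

# Constructed sample policy, not taken from any vendor template.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Metadata", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "rds:Describe*"]},
    {"Sid": "Logs", "Effect": "Allow", "Resource": "*", "Action": "cloudtrail:LookupEvents"},
    {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "s3:PutBucketPolicy"]},
    {"Sid": "DenyDelete", "Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"}
  ]
}""")

if __name__ == "__main__":
    for sid, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {action} ({reason})")
```

A read-style verb such as `s3:GetObject` still reads object contents, so passing this check shows the role cannot modify resources, not that it is limited to metadata.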