# Where to Start When Dealing with Shadow Cloud Assets

By [Cameron Hyde](https://www.paloaltonetworks.com/blog/author/cameron-hyde/?ts=markdown "Posts by Cameron Hyde"), Jul 11, 2024

**Exploring the latest enhancements of Cloud Discovery & Exposure Management (CDEM) to combat shadow IT with Prisma Cloud.**

The flexibility and scalability of [cloud-native development](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-native?ts=markdown) create a strong platform for organizations to drive innovation. These benefits, though, can leave cloud assets dispersed, which makes them harder to see and secure.

The go-to solution for the essential need for visibility is [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management?ts=markdown). CSPM's capabilities span the organization's cloud ecosystem, equipping security teams with visibility into all of their cloud assets. In most cases, enabling this visibility requires only onboarding your cloud accounts with read access.

But what happens if you don't onboard your account at the organizational level (which is often the case)? What if a developer spins something up in another account or with a cloud service provider (CSP) that's not onboarded to your CSPM tool?

The short answer: you won't have visibility into risks emerging from non-onboarded cloud accounts and services.

In reality, it's quite easy for developers to create cloud resources outside of the CSPM's scope and for those resources to go unnoticed. In fact, approximately [30% to 40% of an organization's publicly accessible attack surface is unknown](https://www.paloaltonetworks.com/resources/research/executive-summary-unit-42-cloud-threat-report-volume-7?ts=markdown). What does this mean for you? Your organization likely has far more infrastructure than you know.

## How Does CDEM Fit into Your Cloud Security Strategy?

CDEM and CSPM are counterparts. While CSPM scans your cloud ecosystem based on internal configuration, cloud discovery and exposure management (CDEM) implements IP-based scans to look at your exposures from the outside in. In other words, CDEM fills the gap by discovering assets and accounts that escaped your CSPM's view because they were never onboarded.

## Are Your Managed Assets Interacting with Unmanaged Assets?

A capability of CSPM within Prisma Cloud is the ingestion of network flow logs across AWS, Azure and GCP. By ingesting VPC flow logs and cloud network configuration logs, you can monitor network traffic. This vantage point allows you to explore the interconnectivity of your cloud resources by account and region using data points such as packets, bytes, source or destination resource, source or destination IP address, and source or destination port information.

With CDEM, you can identify unmanaged assets attributed to your organization by their IP addresses. By visualizing traffic flow between internet-exposed (unmanaged) and secure (managed) assets, you can make informed decisions about which internet-exposed assets to prioritize and what actions to take to secure them.

## With 5 Minutes to Fix Unmanaged Assets, Where Should I Start?

Oftentimes, you end up with a sea of unmanaged assets and aren't sure where your biggest risks are or how to go about prioritizing them. Here are our thoughts on how to approach unmanaged asset prioritization.

### Start with What's Critical

Focus on exposed assets with vulnerabilities, those that are interacting with managed assets. Assets exposed to the internet, vulnerable to exploitation, and connected to a managed asset in Prisma Cloud are patchable.

### Progress Through the Hierarchy of Risk

Once critical vulnerabilities are fixed, move to assets with patchable and exploitable vulnerabilities and work down the list.

1. **Exploitable:** Assets exposed to the internet containing a vulnerability that has a known exploit and is patchable
2. **Patchable:** Assets exposed to the internet containing a patchable vulnerability
3. **Vulnerable:** Assets exposed to the internet containing a vulnerability
4. **Exposed:** Assets exposed to the internet

![Top Risks from Unmanaged Assets](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324706-1.png)

Figure 1: Top Risks from Unmanaged Assets

In some instances, you may encounter issues that you don't want to address immediately or that are intentionally exposed. Regardless, you'll still want to convert unmanaged assets to managed. Within Prisma Cloud, you can temporarily or permanently snooze these unmanaged (internet-exposed) assets while inspecting them in the Discovery and Exposure Management Dashboard widgets. This functionality allows you to separate active assets from snoozed assets in the unmanaged assets inventory, providing greater flexibility in asset management.

## Learn More

Prisma Cloud is dedicated to helping organizations secure their applications from code to cloud. The platform provides visibility into internal risks and external attack surfaces, and it correlates risk signals to help security teams connect the dots across their cloud-native environments.

To learn more about internet-exposed assets, the processes involved in identifying and prioritizing risks, and how to remediate risks posed by unmanaged assets, download our white paper [Cloud Discovery and Exposure Management](https://www.paloaltonetworks.com/blog/prisma-cloud/cdem-closes-security-gap/#:~:text=our%20white%20paper-,Cloud%20Discovery%20and%20Exposure%20Management,-.%20And%20if%20you%E2%80%99d?ts=markdown).

If you'd like to see CDEM technology in action, [book a demo](https://www.paloaltonetworks.com/blog/prisma-cloud/cdem-closes-security-gap/#:~:text=technology%20in%20action%2C-,book%20a%20demo,-with%20one%20of?ts=markdown) with one of our experts.
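
The triage order from "Start with What's Critical" and "Progress Through the Hierarchy of Risk", combined with the flow-log correlation between unmanaged and managed assets, sketched as an added example (it is not Prisma Cloud code and does not use its API). The record fields, CIDR, IP addresses and vulnerability IDs are constructed assumptions; the sample data also exercises two edge cases: a finding with a known exploit but no patch ranks as Vulnerable under the page's definitions, and snoozed assets are left out of the active list.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Vuln:                      # hypothetical finding record
    vuln_id: str
    patch_available: bool
    known_exploit: bool

@dataclass
class Asset:                     # hypothetical unmanaged, internet-exposed asset
    ip: str
    vulns: list = field(default_factory=list)
    snoozed: bool = False

# Constructed sample data: documentation IP ranges, placeholder vuln IDs.
MANAGED_CIDRS = ["10.20.0.0/16"]          # address space of onboarded accounts
ASSETS = [
    Asset("203.0.113.10", [Vuln("VULN-A", True, True)]),
    Asset("203.0.113.20", [Vuln("VULN-B", True, False)]),
    Asset("203.0.113.30", [Vuln("VULN-C", False, True)]),   # exploit, no patch
    Asset("203.0.113.40"),
    Asset("203.0.113.50", [Vuln("VULN-A", True, True)], snoozed=True),
]
FLOWS = [  # flattened flow-log rows: (src_ip, dst_ip, dst_port, bytes)
    ("10.20.1.5", "203.0.113.20", 443, 18200),
    ("203.0.113.20", "10.20.1.5", 5432, 96000),
    ("203.0.113.40", "10.20.3.9", 22, 4100),
    ("198.51.100.7", "203.0.113.10", 80, 900),   # peer is not a managed asset
]

def tier(asset):
    """Map an asset to the page's hierarchy; a lower rank is fixed first."""
    if any(v.known_exploit and v.patch_available for v in asset.vulns):
        return 1, "Exploitable"
    if any(v.patch_available for v in asset.vulns):
        return 2, "Patchable"
    if asset.vulns:
        return 3, "Vulnerable"
    return 4, "Exposed"

def managed_peers(ip, flows, nets):
    """Managed IPs seen on the other end of any flow involving `ip`."""
    peers = set()
    for src, dst, _port, _bytes in flows:
        other = dst if src == ip else src if dst == ip else None
        if other and any(ipaddress.ip_address(other) in n for n in nets):
            peers.add(other)
    return sorted(peers)

def triage(assets, flows, managed_cidrs):
    """Critical (vulnerable and talking to a managed asset) first, then by tier."""
    nets = [ipaddress.ip_network(c) for c in managed_cidrs]
    rows = []
    for a in assets:
        if a.snoozed:            # snoozed assets stay out of the active list
            continue
        rank, label = tier(a)
        peers = managed_peers(a.ip, flows, nets)
        rows.append({"ip": a.ip, "tier": label, "rank": rank,
                     "managed_peers": peers, "critical": bool(a.vulns and peers)})
    return sorted(rows, key=lambda r: (not r["critical"], r["rank"], r["ip"]))

if __name__ == "__main__":
    for row in triage(ASSETS, FLOWS, MANAGED_CIDRS):
        print(row)
```
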