{"id":109951,"date":"2020-04-28T06:00:21","date_gmt":"2020-04-28T13:00:21","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=109951"},"modified":"2020-07-31T08:09:40","modified_gmt":"2020-07-31T15:09:40","slug":"cloud-compute-security","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/04\/cloud-compute-security\/","title":{"rendered":"Highlighting the Latest Compute Security Capabilities in Prisma Cloud"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Last month, we announced the latest release of <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/cloud\"><span style=\"font-weight: 400;\">Prisma Cloud<\/span><\/a><span style=\"font-weight: 400;\">, a comprehensive Cloud Native Security Platform (CNSP). You can find the details in our launch blog, \u201c<\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/03\/cloud-native-security-platform\"><span style=\"font-weight: 400;\">Prisma Cloud Native Security Platform Embeds Security into DevOps Lifecycle<\/span><\/a><span style=\"font-weight: 400;\">.\u201d <\/span><span style=\"font-weight: 400;\">In this blog post, we take a deeper dive into the new <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/cloud\/compute-security.html\"><span style=\"font-weight: 400;\">Compute Security<\/span><\/a><span style=\"font-weight: 400;\"> capabilities that are available as part of our latest Prisma Cloud release. 
Compute Security is one of the four key pillars that comprise our CNSP, along with <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/cloud\/visibility-governance-compliance.html\"><span style=\"font-weight: 400;\">Visibility, Compliance and Governance<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/cloud\/network-protection.html\"><span style=\"font-weight: 400;\">Network Protection<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/cloud\/identity-security.html\"><span style=\"font-weight: 400;\">Identity Security<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Before I dive in, as a recap, there are two Prisma Cloud editions you can choose from for leveraging these new Compute Security capabilities:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><b>Prisma Cloud Enterprise Edition<\/b><span style=\"font-weight: 400;\"> is a full Cloud Native Security Platform, where host, container, and serverless capabilities are delivered via SaaS, along with the cloud security posture management capabilities Prisma Cloud is well known for. Enterprise Edition provides a comprehensive platform for protecting both the service plane and the compute plane and can protect hosts, containers, and serverless running in any cloud, including on-premises.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/11\/cloud-prisma-cloud-compute-edition\/\"><b>Prisma Cloud Compute Edition<\/b><\/a><span style=\"font-weight: 400;\"> is the downloadable, self-hosted software that you deploy and operate on your own so that you can maintain full custody of your data. This is effectively the same experience you\u2019re familiar with from all our previous releases. 
Prisma Cloud Compute Edition can protect hosts, containers, and serverless running in any cloud \u2013 including on-premises and even fully air-gapped environments.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The usual fun facts from GitHub: we\u2019ve worked on more than 12,100 issues, pushed more than 9,200 commits, built Twistlock more than 1,400 times and shipped over 425 customer-requested features over more than four years!\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While we\u2019re highlighting new key Compute Security features in this post, we\u2019re also shipping other features such as:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Free form notes field to annotate every rule and result in the product.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Integration with <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/02\/cortex-xsoar\/\"><span style=\"font-weight: 400;\">Cortex XSOAR<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Direct deep linking to results across the product: email a link to the scan results of a specific image.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">IaC scanning in Compute: scan your Terraform, CloudFormation, and other Infrastructure as Code assets for compliance problems.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Support for the latest OpenShift, CoreOS, and even dockerless environments.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Improving Host Security with AMI Scanning\u00a0<\/span><\/h2>\n<p><div style=\"max-width:100%\" data-width=\"1025\"><span class=\"ar-custom\" style=\"padding-bottom:51.41%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-109953 alignnone lozad\"  
data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/monitor1.png\" alt=\"A screenshot showing how Prisma Cloud is improving host security with AMI scanning.\" width=\"1025\" height=\"527\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">Prisma Cloud has long provided the ability to scan and continually monitor the host OS for vulnerabilities and compliance issues during CI and at runtime. These vulnerability management and compliance capabilities work in conjunction with our runtime defense, cloud native firewalling, and access control functionality \u2013 allowing users to implement file integrity monitoring, log inspection, Layer 4 and Layer 7 firewalling, and application control and whitelisting of hosts, in addition to containers and functions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With our latest releases, we\u2019re expanding our vulnerability management capabilities to scan Amazon Machine Images (AMIs) like we would any container repository or serverless repo. This provides DevOps and security teams with added visibility into the security posture of their AMIs, both before a deployment and in production. All policies for AMI scanning are configurable within Console.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Vulnerability Explorer v4<\/span><\/h2>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:62.5%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-109966 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/monitor2.png\" alt=\"A screenshot showing Prisma Cloud's Vulnerability Explorer v4\" width=\"1024\" height=\"640\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">Managing risk and understanding vulnerabilities across hosts, images, and functions is a top concern for any organization today. 
With our latest update to Vulnerability Explorer, we\u2019re enhancing our UI to better allow security and risk teams to quickly and easily prioritize risk across any cloud native environment.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We\u2019ve added a top 10 list of serverless function vulnerabilities, spanning AWS, Azure, and Google Cloud, to our main dashboard so users can see top 10 lists across hosts, containers, and functions right next to one another.<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:82.13%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-109979 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/CVE2018.png\" alt=\"A screenshot showing how users of Prisma Cloud can now see a specific CVE spanning each compute type in a single window with an improved risk tree. \" width=\"1024\" height=\"841\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, users can now see a specific CVE spanning each compute type in a single window with an improved risk tree. The risk tree now includes new context, such as namespaces, to more easily understand which applications are impacted by a specific CVE.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Trusted Images v3<\/span><\/h2>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:62.5%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-109992 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/createnew.png\" alt=\"A screenshot showing how to create a new image trust group in Prisma Cloud. \" width=\"1024\" height=\"640\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">Preventing untrusted images from being deployed in any environment is a top concern for security teams. 
Organizations want to ensure that their images are vetted to meet vulnerability and compliance criteria and deployed from trusted sources.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With our latest update to Trusted Images, we\u2019re providing additional support for Trusted Groups, sets of multiple images, and controls over how teams can whitelist or blacklist these images across environments. This extends these capabilities for better control over registries and repositories.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Centralizing CI\/CD Policy from Console<\/span><\/h2>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:62.5%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-110005 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/createnew2.png\" alt=\"A screenshot showing how to create a new vulnerability rule in Prisma Cloud. \" width=\"1024\" height=\"640\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">In the latest release, we\u2019re providing the ability to set policies for vulnerability and compliance governing CI and CD workflows directly from Console. Previously, users would have to set these policies within our Jenkins plugin or as part of scripting with twistcli.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Now, users will notice a new CI tab within our Defend menu, under both Vulnerabilities and Compliance, that will allow security teams to govern their CI policies more easily. 
All image and function scans will be surfaced in a central location as part of Vulnerability Explorer and Compliance Explorer.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Open Policy Agent (OPA) Integration<\/span><\/h2>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:62.5%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-110018 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/opapolicy.png\" alt=\"A screenshot showing how to create a new admission rule in Prisma Cloud. \" width=\"1024\" height=\"640\" \/><\/span><\/div><\/p>\n<p><a href=\"https:\/\/www.openpolicyagent.org\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Open Policy Agent<\/span><\/a><span style=\"font-weight: 400;\"> is an open source, general-purpose policy engine that unifies policy enforcement across the cloud native stack. OPA provides a high-level declarative language, <\/span><a href=\"https:\/\/www.openpolicyagent.org\/docs\/latest\/policy-language\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">called Rego<\/span><\/a><span style=\"font-weight: 400;\">, that lets users specify policy as code with simple APIs to offload policy decision-making from user software. OPA can enforce policies in microservices, Kubernetes, CI\/CD pipelines, API gateways, and more.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With our latest release, we\u2019re providing users with the ability to create policies for OPA directly from the Prisma Cloud UI and implement those policies with an admission controller. 
Policies can be created and managed within the Access Control policy engine and then stored in both Console and Defender.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Serverless Security: Auto-Protect for AWS Lambda Functions<\/span><\/h2>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:62.5%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-110031 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/radar.png\" alt=\"A screenshot showing Prisma Cloud's expanded serverless security capabilities. \" width=\"1024\" height=\"640\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">Following our expanded serverless security capabilities with our integration of PureSec in November, we\u2019re improving the ability for security teams to better protect AWS Lambda functions being used by their organization, specifically at runtime.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While we provide runtime security today via our embedded Defender or Lambda Layer, this approach can present a challenge for security teams who need developers or DevOps teams to deploy this agent for serverless runtime protection. With our latest release, we\u2019re making this easier by providing a simple flow for serverless auto-protection directly from Console or the API.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Now, users can navigate to either Radar or the Defender deployment UI to easily identify individual functions, or functions from a specific region or repo, that they want to protect. Once selected, Prisma Cloud will automatically deploy the appropriate Lambda Layer to protect the function. 
With this release, we support:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">.NET Core 2.1<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Java 8<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Node.js 10.x<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Python 2.7, 3.6, and 3.7<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Defender Auto-Upgrade<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">With our unified Defender architecture, Prisma Cloud supports the ability to protect cloud native applications across standalone VMs, containers, Kubernetes, PaaS, and serverless stacks. With our latest release, we\u2019re making the upgrades of the deployed Host and Container Defenders easier to manage from the UI or API with the ability to auto-upgrade the agents to match the version of Console. This should save users time and cycles spent redeploying Defenders to match the latest version of Console.\u00a0<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:51.27%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-110044 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/advdefender.png\" alt=\"A screenshot showing Advanced Defender settings in Prisma Cloud. \" width=\"1024\" height=\"525\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">Now, users simply enable the auto-upgrade capability from the Manage &gt; Defender UI in Prisma Cloud. This functionality supports Host Defenders, Container Defenders, and DaemonSet deployments. 
App-Embedded Defender and Serverless Defenders will continue to function until those applications are redeployed with the latest Defender.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Cloud Metadata Awareness\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Users regularly ask us to provide cloud-specific metadata within Console. This allows users to more easily filter Prisma Cloud findings using this metadata and implement or filter policies across vulnerability management and compliance.<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"1024\"><span class=\"ar-custom\" style=\"padding-bottom:73.44%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-110057 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/hostdetails.png\" alt=\"A screenshot showing how users can access cloud-specific metadata within Prisma Cloud's Console. \" width=\"1024\" height=\"752\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">In our latest release, we\u2019ve added the ability to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Ingest and surface AWS, Azure, and GCP metadata for VMs and images, along with tags for AWS Lambda functions.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Support collections based on the metadata.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Support filtering and implementing vulnerability and compliance policies based on the metadata.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Try It Today<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">See the power of all these capabilities combined \u2013 <\/span><a href=\"https:\/\/marketplace.paloaltonetworks.com\/s\/product-rdl\"><span style=\"font-weight: 400;\">access a free trial of Prisma Cloud today<\/span><\/a><span style=\"font-weight: 
400;\">!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Take a deep dive into the new Compute Security capabilities that are available as part of our latest Prisma Cloud release.<\/p>\n","protected":false},"author":663,"featured_media":109520,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768],"tags":[6901,6890],"coauthors":[6882],"class_list":["post-109951","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","tag-cloud-native-security-platform","tag-prisma-cloud","cloud_sec_category-devsecops"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/pan_generic-gtm-social_prisma-blog-350x300-1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/109951","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=109951"}],"version-history":[{"count":6,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/109951\/revisions"}],"predecessor-version":[{"id":110074,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/109951\/revisions\/110074"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/109520"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=109951"}],"wp:term":[{"taxonomy":"category","embeddable":tru
e,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=109951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=109951"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=109951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}