Last month, we announced the latest release of Prisma Cloud, a comprehensive Cloud Native Security Platform (CNSP). You can find the details in our launch blog, “Prisma Cloud Native Security Platform Embeds Security into DevOps Lifecycle.” In this blog post, we take a deeper dive into the new Compute Security capabilities that are available as part of our latest Prisma Cloud release. Compute Security is one of the four key pillars that comprise our CNSP, along with Visibility, Compliance and Governance, Network Protection and Identity Security.
Before I dive in, as a recap, there are two Prisma Cloud editions you can choose from for leveraging these new Compute Security capabilities:
The usual fun facts from GitHub: we’ve worked on more than 12,100 issues, pushed more than 9,200 commits, built Twistlock more than 1,400 times and shipped over 425 customer-requested features over more than four years!
While we’re highlighting new key Compute Security features in this post, we’re also shipping other features such as:
Prisma Cloud has long provided the ability to scan and continually monitor the host OS for vulnerabilities and compliance issues during CI and at runtime. These vulnerability management and compliance capabilities work in conjunction with our runtime defense, cloud native firewalling, and access control functionality – allowing users to implement file integrity monitoring, log inspection, Layer 4 and Layer 7 firewalling, and application control and whitelisting of hosts, in addition to containers and functions.
With our latest releases, we’re expanding our vulnerability management capabilities to scan Amazon Machine Images (AMIs) like we would any container repository or serverless repo. This provides DevOps and security teams with added visibility into the security posture of their AMIs, both before a deployment and in production. All policies for AMI scanning are configurable within Console.
Managing risk and understanding vulnerabilities across hosts, images, and functions is a top concern for any organization today. With our latest update to Vulnerability Explorer, we’re enhancing our UI to better allow security and risk teams to quickly and easily prioritize risk across any cloud native environment.
We’ve added a top 10 list of serverless function vulnerabilities, spanning AWS, Azure, and Google Cloud, to our main dashboard so users can see top 10 lists across hosts, containers, and functions right next to one another.
Additionally, users can now see a specific CVE spanning each compute type in a single window with an improved risk tree. The risk tree now includes new context, such as namespaces, to more easily understand which applications are impacted by a specific CVE.
Preventing untrusted images from being deployed in any environment is a top concern for security teams. Organizations want to ensure that their images are vetted to meet vulnerability and compliance criteria and deployed from trusted sources.
With our latest update to Trusted Images, we’re providing additional support for Trusted Groups, sets of multiple images, and controls over how teams can whitelist or blacklist these images across environments. This extends these capabilities for better control over registries and repositories.
In the latest release, we’re providing the ability to set policies for vulnerability and compliance governing CI and CD workflows directly from Console. Previously, users would have to set these policies within our Jenkins plugin or as part of scripting with twistcli.
Now, users will notice a new CI tab within our Defend menu, under both Vulnerabilities and Compliance, that will allow security teams to govern their CI policies more easily. All image and function scans will be surfaced in a central location as part of Vulnerability Explorer and Compliance Explorer.
Open Policy Agent is an open source, general-purpose policy engine that unifies policy enforcement across the cloud native stack. OPA provides a high-level declarative language, called Rego, that lets users specify policy as code with simple APIs to offload policy decision-making from user software. OPA can enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.
With our latest release, we’re providing users with the ability to create policies for OPA directly from the Prisma Cloud UI and implement those policies with an admission controller. Policies can be created and managed within the Access Control policy engine and then stored in both Console and Defender.
Following our expanded serverless security capabilities with our integration of PureSec in November, we’re improving the ability for security teams to better protect AWS Lambda functions being used by their organization, specifically at runtime.
While we provide runtime security today via our embedded Defender of Lambda Layer, this approach can present a challenge for security teams who need developers or DevOps teams to perform the action of implementing this agent for serverless runtime protection. With our latest release, we’re making this motion easier by providing an easy flow for serverless auto-protection directly from Console or the API.
Now, users can navigate to either Radar or the Defender deployment UI to easily identify individual functions or functions from a specific region or repo that they want to protect. Once selected, Prisma Cloud will automatically deploy the appropriate Lambda Layer to protect the function. With this release, we support:
With our unified Defender architecture, Prisma Cloud supports the ability to protect cloud native applications across standalone VMs, containers, Kubernetes, PaaS, and serverless stacks. With our latest release, we’re making the upgrades of the deployed Host and Container Defenders easier to manage from the UI or API with the ability to auto-upgrade the agents to match the version of Console. This should save users time and cycles spent redeploying Defenders to match the latest version of Console.
Now, users simply enable the auto-upgrade capability from the Manage > Defender UI and Prisma Cloud. This functionality supports Host Defenders, Container Defenders, and DaemonSet deployments. App-Embedded Defender and Serverless Defenders will continue to function until those applications are redeployed with the latest Defender.
Users regularly ask us to provide cloud-specific metadata within Console. This allows users to more easily filter Prisma Cloud findings using this metadata and implement or filter policies across vulnerability management and compliance.
In our latest release, we’ve added the ability to:
See the power of all these capabilities combined – access a free trial of Prisma Cloud today!