# Cloud Native Zero Trust: Securing Applications

By [Brian Buquoi](https://www.paloaltonetworks.com/blog/author/brian-buquoi/?ts=markdown "Posts by Brian Buquoi"), Sep 17, 2020

Despite their ubiquity, cloud native applications are not always well understood, which can create gaps for security teams tasked with protecting them. These apps are built with newer technologies like containers and microservices, which allow organizations to deploy and iterate faster than ever before. That same speed defies traditional approaches to [Zero Trust](https://www.paloaltonetworks.com/network-security/zero-trust?ts=markdown) models: resources are continually shifting, services are in constant communication and hybrid architectures are difficult to map. This creates serious obstacles for identification and validation.

In order to adapt, organizations are "[shifting left](https://www.paloaltonetworks.com/blog/2019/07/4-practical-steps-shift-left-security/?ts=markdown)" and integrating security touchpoints in the development pipeline. As part of those touchpoints, two critical security requirements for cloud native Zero Trust are container images and runtime defense.

## Visibility Into Container Images

In a cloud native world, developers move fast. They can do this thanks to things like containers: a container is a standalone file or package of files with the components needed to run an application. At rest, it's called a container image. Containers are handy for DevOps teams, but because they're ephemeral by nature, it can be difficult for an organization to grasp what they're used for and where they originate.

In some cases, developers use public image repositories like [Docker Hub](https://www.docker.com/products/docker-hub) to generate the base layer of an application. While these public repositories can be an efficient resource, they sometimes resemble a vending machine without a window, with little to no information provided about what item you're selecting.

Ensuring developers have the tools to secure container images at every stage in the development lifecycle is a great first step to achieving Zero Trust. One-time vulnerability scanning, while useful, isn't a complete solution to this problem.
In order to ensure existing container images deployed across the environment don't contain malicious files, teams need the ability to quickly differentiate between what is good and what is not.

![This screenshot of Prisma Cloud shows a monitor/vulnerabilities screen that displays information about container image vulnerability scanning](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/images.png)

Image 1: Container image vulnerability scanning in Prisma Cloud

Consistent image vulnerability scanning must be combined with "image trust" to obtain the visibility and control necessary for Zero Trust in cloud native applications. Image trust policies allow users to specify which container images are safe to run within their environment, either by image or by image layers. Prisma Cloud [Trust Groups](https://www.paloaltonetworks.com/blog/2020/05/cloud-container-image-trust-groups/?ts=markdown) provide a cohesive set of capabilities for image security to achieve Zero Trust.

![This Monitor / Compliance screenshot from Prisma Cloud shows information about trusted and untrusted container images in Prisma Cloud. Container images are a critical security point for cloud native Zero Trust.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/trust-audits.png)

Image 2: Differentiation between trusted and untrusted container images in Prisma Cloud

## Protecting Running Applications

While continuously scanning images and verifying their trustworthiness is important, protection needs to continue into runtime as well.

![This screenshot of Prisma Cloud shows an example (carts:0.4.8) of a container runtime with blocked network activities. Runtime defense is a critical security point for cloud native Zero Trust.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/carts.png)

Image 3: Container runtime with blocked network activities in Prisma Cloud

Continuous visibility into running applications is essential for validating that they are operating within defined specifications and communicating only with relevant entities. Creating a model of known-good processes and network connections, then alerting on or blocking any deviations from this model, helps give organizations full control over how an application performs.

![This screenshot of Prisma Cloud shows a window labeled "Explore infra/my.jenkins.latest" and presents an example of container runtime process modeling.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/infra.png)

Image 4: Container runtime process modeling in Prisma Cloud

Prisma Cloud provides a comprehensive set of runtime protections -- including process, networking and file system modeling -- to ensure that cloud native applications, including any combination of VMs, containers, applications on Kubernetes, or serverless applications, stay within spec and in line with any [Zero Trust best practices](https://docs.paloaltonetworks.com/best-practices/10-0/zero-trust-best-practices/zero-trust-best-practices) put in place.

## Putting It Together

Securing cloud native applications should be an integral part of your Zero Trust infrastructure. These applications play an integral role in how an organization interfaces with the world and should be protected as such. Container image and runtime protections are components of an enterprise Zero Trust strategy. Watch as Palo Alto Networks Founder and CTO Nir Zuk [explains how it all fits together](https://youtu.be/zzZ4q9DSnbg?t=650).
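
Image trust as described under "Visibility Into Container Images", sketched as an added example (not Prisma Cloud's implementation and not code from the original post): an image is trusted either by name pattern or because its leading layers match an approved base image. The policy shape, registry names and digests are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Image:
    ref: str        # registry/repository:tag
    layers: tuple   # ordered layer digests, base layer first


@dataclass(frozen=True)
class TrustPolicy:
    trusted_refs: tuple          # glob patterns for trusted registries/repositories
    trusted_base_layers: tuple   # each entry is the full layer list of an approved base


def evaluate(image, policy):
    """Return (trusted, reason); anything no rule matches is untrusted."""
    for pattern in policy.trusted_refs:
        # Keep the "/" before "*" so a look-alike host cannot match the prefix.
        if fnmatchcase(image.ref, pattern):
            return True, f"image matches {pattern}"
    for base in policy.trusted_base_layers:
        # Trust by layers: the image must begin with every layer of an
        # approved base, in order. Partial or reordered matches do not count.
        if base and image.layers[:len(base)] == base:
            return True, "built on approved base layers"
    return False, "no trust rule matched"


def audit(images, policy):
    """Evaluate every image and return {ref: (trusted, reason)}."""
    return {img.ref: evaluate(img, policy) for img in images}


# Constructed sample data (hypothetical registry, repositories and digests).
BASE = ("sha256:aaa1", "sha256:aaa2")
POLICY = TrustPolicy(
    trusted_refs=("registry.example.internal/*",),
    trusted_base_layers=(BASE,),
)
IMAGES = [
    Image("registry.example.internal/shop/carts:0.4.8", ("sha256:bbb1",)),
    Image("docker.io/someuser/carts:latest", BASE + ("sha256:ccc1",)),
    Image("docker.io/someuser/tool:latest", ("sha256:aaa2", "sha256:aaa1")),
    Image("registry.example.internal.evil.test/x:1", ("sha256:ddd1",)),
]

if __name__ == "__main__":
    for ref, (ok, why) in audit(IMAGES, POLICY).items():
        print(f"{'TRUSTED' if ok else 'UNTRUSTED':9} {ref}: {why}")
```
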
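
The runtime model described under "Protecting Running Applications", as an added example that is not Prisma Cloud's implementation or code from the original post: a baseline of known-good processes and network destinations is learned per image, and each later event is allowed, alerted on or blocked. The event format, field names, per-kind actions and sample values are assumptions.

```python
from collections import defaultdict

# Action taken on a deviation, per event kind (hypothetical policy).
ON_DEVIATION = {"process": "alert", "network": "block"}


def learn(events):
    """Build a per-image model from a learning window that is assumed to
    contain only normal activity."""
    model = defaultdict(lambda: {"process": set(), "network": set()})
    for e in events:
        model[e["image"]][e["kind"]].add(e["value"])
    return dict(model)


def check(event, model, on_deviation=ON_DEVIATION):
    """Return 'allow', 'alert' or 'block' for one runtime event."""
    known = model.get(event["image"])
    # An image with no model has no known-good behaviour, so every event
    # from it counts as a deviation rather than being waved through.
    if known is not None and event["value"] in known.get(event["kind"], set()):
        return "allow"
    # Unknown event kinds fall back to the strictest action.
    return on_deviation.get(event["kind"], "block")


def evaluate(learning, runtime):
    """Learn from one event list, then classify each event in another."""
    model = learn(learning)
    return [(e["image"], e["kind"], e["value"], check(e, model)) for e in runtime]


# Constructed sample events (image names and addresses are illustrative;
# 203.0.113.10 is from a documentation-only address range).
LEARNING = [
    {"image": "carts:0.4.8", "kind": "process", "value": "/usr/bin/java"},
    {"image": "carts:0.4.8", "kind": "network", "value": "carts-db:27017"},
]
RUNTIME = [
    {"image": "carts:0.4.8", "kind": "process", "value": "/usr/bin/java"},
    {"image": "carts:0.4.8", "kind": "process", "value": "/bin/sh"},
    {"image": "carts:0.4.8", "kind": "network", "value": "carts-db:27017"},
    {"image": "carts:0.4.8", "kind": "network", "value": "203.0.113.10:443"},
    {"image": "orders:1.0.0", "kind": "process", "value": "/usr/bin/java"},
]

if __name__ == "__main__":
    for image, kind, value, verdict in evaluate(LEARNING, RUNTIME):
        print(f"{verdict:5} {image} {kind} {value}")
```
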

And be sure to check out the rest of the blogs in our [Zero Trust series](https://www.paloaltonetworks.com/blog/tag/zero-trust-throughout-your-infrastructure/?ts=markdown).