Container as a Service (CaaS) is a cloud service managed by cloud providers that allows running apps on containers without having to manage the infrastructure and instances that are running the apps. CaaS platforms are considered to be more secure and better managed. These platforms are designed to help users to allocate and use resources in an on-demand manner, which is a very easy and efficient scaling mechanism that reduces costs dramatically.
The easy deployment and management of CaaS solutions makes them popular among both DevOps and software developers. Deploying an application on a CaaS platform is a straightforward operation which can be done using API calls or UI console.
Secure CaaS Solutions
There are a variety of CaaS solutions which are all managed by the cloud providers, to name a few: Google Cloud Run, AWS ECS Fargate, AWS EKS Fargate, Azure Container Instances, and more. The cloud provider manages the underlying infrastructure and does not supply access to the management plane of its platform. This makes CaaS solutions more secure, but, on the other hand, this makes them much harder and complex to secure especially for runtime issues.
In order to combat this, we at Prisma Cloud built the App-embedded Defender. This Defender protects workloads in a platform-agnostic manner. The App-embedded Defender can protect both containerized workloads and CaaS containers as well (including ECS on Fargate). Customers have been using the App-embedded Defender for years, and we continue to enhance its capabilities.
With our App-embedded Defender, customers get the assurance they need for security which allows them to integrate new technologies easily and safely into their tech-stack.
How to Protect CaaS Workloads with Prisma Cloud
Prisma Cloud allows you to deploy an App-embedded Defender to your environment in just a few steps from either our UI Console, API or CLI tool. The App-embedded Defender can be deployed as a part of your image or as a sidecar to your Fargate tasks.
Many customers leverage the ECS on Fargate Defender, which requires the ENTRYPOINT
of the image, however many times it's not listed in the task. To simplify the deployment process for more customer cases and procedures, you no longer need to specify the image ENTRYPOINT when creating an ECS Fargate Defender. The ENTRYPOINT
will be fetched automatically from the image. Users can now also choose to export your task in the Cloud Formation format.
After embedding the Defender and running your app, you can manage and monitor your deployed Defenders under the Defenders page:
Detect Vulnerabilities and Compliance Issues
Users can continue using the protected images and tasks in your chosen CaaS solution. In the below example, you can see a ECS Fargate service running a task that is protected by the Prisma Cloud ECS Fargate task Defender. For each deployed container you can see its vulnerabilities and compliance issues.
Starting from this release, you also get vulnerability and compliance analysis for all your deployed CaaS workloads. This enables you to monitor your full vulnerability and compliance posture cross all your workloads whether running on managed clusters or on CaaS services:
Protecting Runtime Attacks
Prisma Cloud’s vulnerabilities and compliance detections are essential for minimizing risks taken by your organization in the build, deploy and runtime phases. CaaS workloads, as all running workloads, can be exposed to runtime attacks that can’t be fully predicted in the build and deploy phases. These attacks can cause harm to your organization in many ways such as leaking PII, secrets, confidential information and more.
Prisma Cloud Compute runtime capabilities allows you to detect and prevent such attacks on CaaS workloads using our App-embedded Defenders.
From the upcoming release you can detect and prevent file system runtime attacks, combined with WildFire malware analysis.
From a quick view and filtering of the events page, it is easy to observe triggered file system audits. Just by navigating to the events page, it is clear to see the most recent audit which identifies that a binary named “/bin/imnotamalware” launched and does not belong to the original container image.
To understand the above attack story and investigate other related activities one can navigate to the ATT&CK explorer and filter the dashboard to see the workload's relevant observations. It is also possible to drill down and investigate the adversary actions by clicking the Forensics icon to view the historical and ongoing activities:
To respond to the attack and remediate, it is required to know which task was targeted, where it is deployed and who owns it.
Prisma Cloud now collects cloud metadata and provides insight into the running apps protected by App-embedded Defenders. Navigating to the App-embedded observation tab will allow you to easily search for the app, view the images and containers and additional information about the environment such as Cloud provider, Account, Cluster etc.
Prisma Cloud’s vision is to relieve customers from worrying about security and focus on developing the latest technologies. CaaS solutions, even though they are easy, efficient and save costs - are hard to protect since cloud providers don’t allow security solutions to have a footprint in the orchestration level. Despite all of these challenges, Prisma Cloud gives you full coverage and visibility to your CaaS deployments while continuing to improve and enhance our capabilities further.
To learn more about the latest enhancements to Prisma Cloud, request a hands-on demo or join us at one of our upcoming webinars.