Beyond Visibility: Proactive Cloud Workload Security in the Real World

Jun 20, 2023
11 minutes

Over the last 5 years, our team at Prisma Cloud has witnessed an extraordinary surge in the adoption of cloud-native technologies. One trend that stands out is the ongoing migration to the public cloud. According to the latest findings from Unit 42’s Cloud Threat Report, Volume 7: Navigating the Expanding Attack Surface, an impressive 53% of cloud workloads now find their home on public clouds. That number speaks for itself, showcasing the increasing reliance on the public cloud as the infrastructure of choice. Moreover, the report shows that this trend will continue its upward trajectory, soaring to an astonishing 64% within the next 24 months.

Even more interesting is the diversity of these workloads, notably serverless and platform as a service (PaaS) workloads, which account for 36% of cloud-based workloads, signifying their growing importance in modern technology landscapes. Virtual machines (VMs) secure a solid 22% share, while both container as a service (CaaS) and containers contribute equally, each making up 18% of the overall workload ecosystem.

This transformative era presents incredible opportunities for organizations to unlock their potential and reap the benefits of scalability, flexibility and enhanced security. As the CTO of Prisma Cloud, I'm thrilled to share our insights and the learnings gained from witnessing the rise of cloud-native technologies and the rapid adoption of the public cloud.

3 Foundational Takeaways

Let's explore three vital learnings that have emerged in this dynamic landscape, shaping the way organizations approach cloud security.

The Importance of Real-Time Protection

Organizations now understand that security visibility isn’t enough. Security teams recognize the importance of deploying real-time proactive cloud workload protection. It's no longer sufficient to merely monitor and react to security incidents. Organizations must take a proactive stance, leveraging advanced security measures to safeguard their cloud workloads.

Not All Applications Are Built the Same

Real-world applications make use of a diversity of workload types, container runtimes, engines and architectures, which poses a significant challenge to runtime protection solutions. Each workload type comes with its unique traits, complicating security efforts. To address this complexity, organizations are extending active runtime protection across all their workloads, regardless of their environment. It's about ensuring comprehensive security coverage that adapts to the ever-changing cloud landscape.

Cloud Security Is a Shared Responsibility

Cloud security is a team sport that involves DevOps teams, cloud security teams and even the security operations center (SOC) engineers. Together, they should work harmoniously to ensure that workloads receive effective runtime protection from the get-go. In the realm of cloud security, the role of security operations center (SOC) engineers shouldn’t be forgotten. Their expertise and diligence are indispensable alongside DevOps and security teams.

Importance of Real-Time Protection for Cloud Workloads

In fast-paced cloud environments, threats arise and proliferate swiftly. A narrow window exists to address minor security incidents before they become major breaches. Active real-time protection lets you intervene, not just witness unfolding threats.

So what does real-time protection for cloud workloads entail? It's more than visibility and data collection. Real-time protection requires proactive measures to thwart attacks across workloads, networks and application layers. It empowers you to swiftly detect and preempt exploits like Log4Shell and SpringShell. An advanced runtime protection solution should employ a behavioral modeling engine that draws on machine learning to analyze workload behavior and establish positive security models.

Proactive measures to halt threats before they cause damage is the essence of active, real-time protection. Implementing various protection layers, strict access controls and continuous monitoring of suspicious activities are key to a robust defense, enabling real-time reactions to detected threats.

Active real-time protection aligns with security by design, incorporating security into all aspects of cloud operations — from workload design and configuration to ongoing cloud environment management. This proactive, holistic security strategy ensures that protection isn’t an afterthought but a core element of your cloud strategy.

Cloud workloads, part of a larger, often distributed application framework, differ significantly from traditional server or endpoint devices. They use internal APIs to communicate and interact continually with their cloud environment and its services. Their runtime protection, as a result, must be tailored to these specific requirements. The ideal protection agent should understand each workload's purpose and behavior, as well as the overall architecture. This intelligent understanding enables the agent to provide effective runtime protection for cloud-native workloads, ensuring their security and integrity.

Not All Applications Are Built the Same

If only the cloud-native world consisted of containerized microservices on Kubernetes clusters. Reality, though, involves a diverse application deployment mix. Applications come in various forms and operate in an array of environments, reflecting cloud flexibility and robustness while posing security challenges.

New applications often use scalable and cost-effective serverless functions. Containers don't just exist in orchestrated environments like Kubernetes or Openshift clusters. They also run on bare metal servers to reap containerization benefits without virtualization layers.

Virtual machines remain a foundational cloud computing element, offering isolation and control of the underlying infrastructure. Managed containerized environments like AWS Fargate, Google Cloud Run or Azure Container Instances are also gaining traction due to ease-of-use and scalability.

Organization and team diversity mean technological preferences differ based on distinct needs, workflows and expertise. Docker, a popular container runtime, isn't a one-size-fits-all solution. Some organizations prefer alternatives like Containerd or CRI-O. The same applies to container engines. Docker has been a staple, but many organizations with unique requirements and operational considerations are exploring other options, like Podman.

This vast mix of workload types, container runtimes, engines and technologies, each with unique traits, complicates security. Organizations are required to extend active runtime protection across all workloads in various environments. This protection must be unified, seamless and nonintrusive to efficiently counter threats. It must also integrate with different workload types, as well as operating systems like Linux or Windows and architectures like x64 or ARM. Solutions must be as adaptive and versatile as the workloads they protect.

Deploying and managing individual agents for different workloads can be overwhelming. A single, versatile agent that caters to all cloud workloads makes the deployment and maintenance process seamless and easily integrated into the CI/CD workflow.

Workload protection for the cloud-native landscape
Figure 1: Just a small fraction of the CNCF Cloud Native Landscape

Cloud Security Is a Shared Responsibility

Cloud security is a group effort with DevOps and cloud security teams at the forefront of securing workload vulnerabilities and misconfiguration throughout the application lifecycle. They also implement runtime protection from the outset. But In the world of cloud security, the role of SOC engineers can’t be overstated. In fact, they’ve become even more indispensable alongside the DevOps and security teams that ensure workloads have effective runtime protection from the get-go.

Many of our Prisma Cloud customers have already deployed thousands of cloud workloads across numerous applications, public clouds and regions. In this common scenario, vigilantly monitoring, accurately analyzing and effectively responding to security events is no easy task. On the contrary, it’s one that outstrips the capacity of any single DevOps or cloud security team. It’s here where SOC engineers, with their specialized skills, tools and scale, come to the fore.

SOC engineers not only offer real-time monitoring and response but also contribute significantly to long-term security analysis. Trained for efficient security event management, they excel at separating critical threats from less urgent events. They can prioritize incidents based on severity and act appropriately to mitigate risks, thanks to their advanced tools and playbooks.

By integrating security event data into an extended detection and response (XDR) platform, SOC engineers create a comprehensive view of an organization's cloud security posture over time.

The Prisma Cloud Approach

Prisma Cloud’s runtime protection agent offers extensive support for a wide range of environments, providing comprehensive, real-time security for diverse architectures and operating systems. Its defenses include advanced threat protection, sophisticated attack prevention, malware analysis and ML-based behavioral modeling. Importantly, its lightweight design ensures the efficient resource use and scalability essential for cloud environments.

Prisma Cloud delivers a range of protection capabilities, including an advanced threat protection feed maintained by Palo Alto Networks Unit 42 research team. It also delivers prevention of Kubernetes-specific attacks and cloud provider API abuse, as well as malware analysis.

Additionally, Prisma Cloud’s runtime agent delivers ML-based workload behavioral modeling and real-time protection, including:

  • Process monitoring and prevention of unauthorized processes
  • Antimalware and exploit prevention ((e.g., cryptominers, reverse shells, lateral movement, etc.)
  • Network monitoring and real-time prevention of malicious networking activity, such as port scanning, use of raw sockets, DNS queries and connection to unauthorized endpoints
  • File system monitoring that can detect and prevent changes to binaries, detection of suspicious encrypted/packed binaries, file integrity monitoring (e.g., changes to SSH or critical system files) and detection of binaries with suspicious ELF headers.

Given that the workload is just a means for packaging and running microservices and applications, it’s critical that the runtime protection agent will be able to detect and prevent application layer attacks in real time. Prisma Cloud’s runtime protection agent, provides built-in, best-of-breed WAAS (Web Application and API Security) capabilities, tailored specifically for cloud-native applications. These capabilities include:

  • Real-time visibility into risks facing web and APIs
  • Positive security of API traffic and API risks
  • Bot risk management capable of stopping automated processes, such as malicious bots and vulnerability scanning tools
  • Application-layer DoS protection through intelligent rate controls
  • Automated virtual patching for common high risk vulnerabilities and exploits
  • Real-time prevention of OWASP Top 10 types of attack

On top of all these types of protection, Prisma Cloud is robust and versatile. It has earned the trust of Fortune 500 companies, securing their critical applications and demonstrating dependability. It supports a wide array of real-world environments used by Prisma customers and provides protection for manifold environments.

Diverse OS support includes:

  • Popular Linux distributions, such as Amazon Linux, CentOS, RHCOS, Debian, GCOOS, Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux, RockyLinux, VMWare Photon
  • Windows server versions 2016, 2019 and 2022
  • Support for x64 and ARM operating systems

Protection for containers on runtimes, such as:

  • Docker
  • CRI Containerd
  • CRI-O
  • Podman

Protect containerized workloads running on orchestrators such as:

  • Kubernetes
  • Openshift
  • VMWare Tanzu
  • AWS ECS, EKS, Fargate
  • Azure AKS (both Windows and Linux)
  • GCP GKE and Autopilot
  • Additional support for container-specific OSs, such as Bottlerocket or TalOS

Real-time protection of serverless functions, such as:

  • Azure serverless functions
  • AWS Lambda

Resulting from years of development based on customer requirements, Prisma Cloud's runtime protection support matrix is unmatched.

Cloud Workload Runtime Protection Checklist

When evaluating a cloud workload runtime protection solution, use this checklist to ensure your choice will optimally equip your organization with the complete suite of game-changing capabilities and attributes.

  • Real-Time Protection: Ability to actively intervene and stop threats before they cause harm.
  • CI/CD Integration: Seamlessly integrate security into CI/CD pipeline, from the initial design to ongoing monitoring and management.
  • Robust: Capable of working in public, private, hybrid and multicloud environments, protecting workloads running on any operating system and architecture.
  • Versatile: Support various types of workloads, including containerized applications, serverless functions, virtual machines and bare metal servers running a range of operating systems, container runtimes, engines and in different cloud environments
  • Comprehensive Protection: Provide holistic protection across different layers including the cloud networking, application and workload layers, detecting and preventing exploits, malware and sophisticated cloud attacks.
  • Behavioral Modeling: Distinguish legitimate behavior from potential threats by using machine learning to examine workload behavior and apply positive security models.
  • Scalable: Capable of handling large-scale environments with thousands of cloud workloads, effectively monitoring security events and analyzing data without overwhelming cloud security or DevOps teams.
  • Lightweight and Efficient: Minimize resource usage with lightweight runtime agent, ensuring optimal performance and scalability of cloud workloads — and seamlessly update without disruptions.
  • Customizable: Enable users to create custom rules and policies to tailor the protection to their specific requirements.
  • Application Layer Protection: Provide built-in web and API security capabilities, including automated detection, profiling and prevention of common attack types, such as the OWASP Top 10 for web apps and APIs.
  • Integrated: Allow teams to benefit from a more intelligent and unified approach to protecting their applications in the cloud with centralized security integrated in a best-in-breed cloud-native application protection platform (CNAPP).

Learn More

To learn more about the runtime protection capabilities of Prisma Cloud, check out the Cloud Workload Protection or Web App and API Security pages — and take it for a free 30-day test drive to experience the advantages.

Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.