* [Infrastructure as Code in 
the Kubernetes Environment](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-environment?ts=markdown) * [Understanding IaC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac?ts=markdown) * [IaC Security Is Key](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac-security?ts=markdown) * [Kubernetes Host Infrastructure Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#host-infrastructure-security?ts=markdown) * [IAM Security for Kubernetes Clusters](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iam-security?ts=markdown) * [Container Registry and IaC Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-registry?ts=markdown) * [Avoid Pulling "Latest" Container Images](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-images?ts=markdown) * [Avoid Privileged Containers and Escalation](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#privileged-containers?ts=markdown) * [Isolate Pods at the Network Level](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#isolate-pods?ts=markdown) * [Encrypt Internal Traffic](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#encrypt?ts=markdown) * [Specifying Resource Limits](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#resource-limits?ts=markdown) * [Avoiding the Default Namespace](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#namespace?ts=markdown) * [Enable Audit Logging](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#audit-logging?ts=markdown) * [Securing Open-Source Kubernetes Components](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-components?ts=markdown) * 
[Kubernetes Security Across the DevOps Lifecycle](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#devops-lifecycle?ts=markdown) * [Kubernetes and Infrastructure as Code FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#faq?ts=markdown) * [What Is the Difference Between Dockers and Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker?ts=markdown) * [Docker Defined](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#defined?ts=markdown) * [Kubernetes Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#explained?ts=markdown) * [Docker and Kubernetes: Comparison of Containerization Platforms](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#platforms?ts=markdown) * [Kubernetes Vs. Docker: Complementary, Not Competitors](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#competitors?ts=markdown) * [Benefits of Integrating Docker and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#benefits?ts=markdown) * [Use Cases and Applications for Docker and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#usecases?ts=markdown) * [Dockers and Kubernetes FAQ](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#faqs?ts=markdown) * [Securing Your Kubernetes Cluster: Kubernetes Best Practices and Strategies](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security?ts=markdown) * [What Is the Importance of a Secure Kubernetes Cluster?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#importance?ts=markdown) * [Understanding Kubernetes Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#security?ts=markdown) * [What Are Kubernetes Security Considerations and Security Best Practices?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#practices?ts=markdown) * [What Are Advanced Strategies for Kubernetes 
Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#advanced?ts=markdown) * [Kubernetes Cluster Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#faqs?ts=markdown) * [What Is a Host Operating System (OS)?](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers?ts=markdown) * [The Host Operating System (OS) Explained](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#os?ts=markdown) * [Host OS Selection](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#selection?ts=markdown) * [Host OS Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#security?ts=markdown) * [Implement Industry-Standard Security Benchmarks](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#benchmarks?ts=markdown) * [Container Escape](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#container-escape?ts=markdown) * [System-Level Security Features](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#security-features?ts=markdown) * [Patch Management and Vulnerability Management](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#patch-management?ts=markdown) * [File System and Storage Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#storage-security?ts=markdown) * [Host-Level Firewall Configuration and Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#firewall-configuration?ts=markdown) * [Logging, Monitoring, and Auditing](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#logging?ts=markdown) * [Host OS Security FAQs](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#faq?ts=markdown) * [What Is 
Docker?](https://www.paloaltonetworks.com/cyberpedia/docker?ts=markdown) * [Docker Explained](https://www.paloaltonetworks.com/cyberpedia/docker#docker?ts=markdown) * [Understanding Docker Containers](https://www.paloaltonetworks.com/cyberpedia/docker#understanding?ts=markdown) * [Core Components of Docker](https://www.paloaltonetworks.com/cyberpedia/docker#core?ts=markdown) * [What Platforms and Environments Does Docker Support?](https://www.paloaltonetworks.com/cyberpedia/docker#what?ts=markdown) * [How Does Docker Work?](https://www.paloaltonetworks.com/cyberpedia/docker#how?ts=markdown) * [Docker Tools](https://www.paloaltonetworks.com/cyberpedia/docker#tools?ts=markdown) * [Docker Use Cases and Benefits](https://www.paloaltonetworks.com/cyberpedia/docker#benefits?ts=markdown) * [Docker FAQ](https://www.paloaltonetworks.com/cyberpedia/docker#faqs?ts=markdown) * What Is Container Registry Security? * [Container Registry Security Explained](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#container-registry?ts=markdown) * [Components of Container Registry Security](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#components?ts=markdown) * [Promoting Image and Artifact Integrity in CI/CD](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#artifact-integrity?ts=markdown) * [At-a-Glance Container Registry Security Checklist](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#checklist?ts=markdown) * [Container Registry FAQs](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#faq?ts=markdown) * [What Is a Container?](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown) * [Containers Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#containers?ts=markdown) * [Understanding Container Components](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#components?ts=markdown) * [Container 
# What Is Container Registry Security?

Container registry security focuses on protecting container registries, the centralized storage and distribution systems for container images. Container registries play a pivotal role in the container ecosystem, ensuring the integrity and security of containerized applications. Proper container registry security involves using trusted registries, implementing rigorous access control, monitoring for vulnerabilities, and securing the hosting server.
Additionally, it requires denying insecure connections and removing stale images. By prioritizing container registry security, organizations can safeguard their containerized environments and maintain the trust of users and clients.

## Container Registry Security Explained

Container registry security zeroes in on a critical component of the container ecosystem --- the container registry. In the broader narrative of [container security](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security?ts=markdown), the registry acts as the custodian of container images, the building blocks of containerized applications. As such, the container registry is more than a storage unit. It is, rather, a nexus point where the integrity of application images is both maintained and distributed.

### Understanding Container Registries

In a [containerized](https://www.paloaltonetworks.com/cyberpedia/containerization?ts=markdown) environment, as you know, applications with their dependencies are packaged into containers, making them portable and easy to deploy across platforms. Container registries serve this process by providing a location where container images can be versioned, retrieved, and deployed in a consistent manner.

The container registry, then, is a centralized storage and distribution system for container images. The registry allows developers and operations teams to store, manage, and share container images, which they'll use to create and deploy containerized applications and [microservices](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices?ts=markdown).

#### Public and Private Registries

Organizations may use a combination of public and private container registries to manage their container images, as well as other artifacts.

Public registries, such as Docker Hub and GitHub Container Registry, a sub-feature of GitHub Packages, offer a vast collection of open-source images that organizations can use as a foundation for their applications.
These registries are generally accessible to anyone, making it easy for developers to find and use pre-built images. But organizations often have specific requirements and proprietary software that necessitate the use of private registries.

![Container registry / repository public vs. private](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/container-registry-repository.png "Container registry / repository public vs. private")

*Figure 1: Container registry / repository public vs. private*

Private container registries, such as Azure Container Registry, Amazon Elastic Container Registry, and Google Container Registry, provide secure, controlled environments for storing and managing proprietary images and related artifacts. These registries are accessible only to authorized users within the organization to help ensure that sensitive information and custom-built images remain secure.

By using a combination of public and private registries, organizations can leverage the benefits of open-source images while maintaining control over their proprietary software. This dual approach allows organizations to optimize their container management workflows and streamline the deployment process.

## Components of Container Registry Security

Given that the registry is central to the way a containerized environment operates --- and that organizations can easily have tens of thousands of images stored in them --- securing the registry is integral to the [integrity of the software development lifecycle](https://www.paloaltonetworks.com/cyberpedia/what-is-secure-software-development-lifecycle?ts=markdown).

Vulnerabilities can compromise more than the application. An attacker leveraging a misconfiguration could gain unauthorized access to the [CI/CD system](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown) and move laterally to access the underlying OS.
They could potentially manipulate legitimate CI/CD flows, obtain sensitive tokens, and move to the production environment where identifying an exposed credential might allow them to enter the organization's network.

**Related article**: [Anatomy of a Cloud Supply Pipeline Attack](https://www.paloaltonetworks.com/cyberpedia/anatomy-ci-cd-pipeline-attack?ts=markdown)

Registry security begins with using only trusted registries and libraries. Continuous monitoring for vulnerability changes is foundational, along with securing the hosting server and implementing substantial access policies. Proper registry security should deny insecure connections, flag or remove stale images, and enforce stringent authentication and authorization restrictions.

Let's look at these measures in greater detail.

## Promoting Image and Artifact Integrity in CI/CD

Understanding the risks associated with images and artifacts drives home the importance of implementing staunch checks to ensure their integrity. Consider implementing the following strategies.

### Deny Insecure Connections

While public registries may allow anonymous access to container images, to prevent man-in-the-middle attacks, unauthorized tampering, and unauthorized access to sensitive information, you must maintain secure connections.

To deny insecure connections, configure your systems to only accept secure protocols like HTTPS or TLS-encrypted connections. Start by obtaining and installing a valid SSL/TLS certificate from a trusted certificate authority (CA) for your domain. Then, update your server or service configuration to enforce the use of HTTPS or TLS, disabling insecure protocols like HTTP.

Depending on your setup, this may involve adjusting settings in your web server (e.g., Nginx, Apache), load balancer, or application. Also, consider using security features like HSTS (HTTP Strict Transport Security) to instruct browsers to always use secure connections when accessing your site or service.
### Remove Stale Images

Establish a policy to define stale images --- images older than a specific time frame or unused for a certain period --- and use registry tools or APIs to list and filter images based on the policy.

For example, in Docker Registry, use the Docker Registry API to retrieve image metadata and filter by last pushed date or tag. In other registries, similar APIs or CLI tools may be available. Once you've identified the stale images, use the appropriate commands or APIs to delete them, ensuring you follow the registry's best practices for garbage collection.

### Avoid IAM Issues in Third-Party Registries

[Identity and access management (IAM)](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management?ts=markdown) is crucial for organizations, particularly in source control management systems (SCM) like GitHub, where repositories store valuable code and assets. Inadequate IAM can lead to security risks in the CI/CD pipeline.

To optimize security and governance for repositories, organizations can use single sign-on (SSO) and system for cross-domain identity management (SCIM) for managing access controls. SSO, however, is only available for GitHub Enterprise, leaving other licenses exposed to risks.

To mitigate issues involving private email addresses in GitHub accounts, ghost GitHub accounts, and incomplete offboarding, enforce two-factor authentication (2FA), establish an onboarding protocol with dedicated corporate accounts, and maintain an inventory of user accounts. For SSO-enabled organizations, implementing SCIM ensures automatic deprovisioning of users and eliminates access through stale credentials.

Addressing IAM risks helps protect repositories and the CI/CD ecosystem, and helps maintain a high level of security across all systems.
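Returning to the policy described under Remove Stale Images above: the following is an added example, not part of the original article and not any registry's own code. It evaluates a constructed metadata inventory and reports digests rather than tags, because deleting a manifest by digest affects every tag that points at it. The `TagRecord` and `Policy` types, the thresholds, and the choice to require an image to be both old and idle are assumptions of this example.

```python
"""Stale-image policy evaluation over registry metadata (sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class TagRecord:                     # hypothetical shape for metadata pulled from a registry
    repo: str
    tag: str
    digest: str                      # manifest digest the tag points at
    pushed: datetime
    last_pulled: Optional[datetime]  # None means never pulled


@dataclass(frozen=True)
class Policy:                        # assumed policy knobs
    max_age: timedelta               # time since push
    max_idle: timedelta              # time since last pull
    keep_latest: int                 # newest N digests per repo are always retained


def tag_is_stale(rec, now, policy):
    """A tag is stale when it is both older than max_age and idle longer than max_idle."""
    too_old = now - rec.pushed > policy.max_age
    idle = rec.last_pulled is None or now - rec.last_pulled > policy.max_idle
    return too_old and idle


def find_stale(records, now, policy, in_use_digests=frozenset()):
    """Return [(repo, digest, [tags])] that the policy allows deleting.

    A digest is reported only when every tag pointing at it is stale, it is not
    among the newest keep_latest digests of its repo, and it is not deployed.
    """
    by_digest = defaultdict(list)
    for rec in records:
        by_digest[(rec.repo, rec.digest)].append(rec)

    # Retain the newest N digests per repository regardless of age.
    pushes_by_repo = defaultdict(list)
    for (repo, digest), recs in by_digest.items():
        pushes_by_repo[repo].append((max(r.pushed for r in recs), digest))
    retained = set()
    for repo, pushes in pushes_by_repo.items():
        for _, digest in sorted(pushes, reverse=True)[: policy.keep_latest]:
            retained.add((repo, digest))

    stale = []
    for (repo, digest), recs in by_digest.items():
        if digest in in_use_digests or (repo, digest) in retained:
            continue
        if all(tag_is_stale(r, now, policy) for r in recs):
            stale.append((repo, digest, sorted(r.tag for r in recs)))
    return sorted(stale)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory; digests are shortened placeholders, not real values.
NOW = utc(2024, 6, 1)
SAMPLE_TAGS = [
    TagRecord("payments/api", "1.0.0", "sha256:aaa", utc(2023, 1, 10), utc(2023, 2, 1)),
    TagRecord("payments/api", "old-alias", "sha256:bbb", utc(2023, 1, 1), utc(2023, 1, 2)),
    TagRecord("payments/api", "1.1.0", "sha256:bbb", utc(2023, 11, 1), utc(2024, 5, 30)),
    TagRecord("payments/api", "1.2.0", "sha256:ccc", utc(2024, 5, 20), None),
    TagRecord("payments/api", "latest", "sha256:ccc", utc(2024, 5, 20), utc(2024, 5, 31)),
    TagRecord("payments/api", "legacy", "sha256:ddd", utc(2022, 6, 1), None),
    TagRecord("tools/builder", "0.1", "sha256:eee", utc(2022, 1, 1), None),
    TagRecord("tools/builder", "0.2", "sha256:fff", utc(2022, 3, 1), utc(2022, 3, 5)),
]
SAMPLE_POLICY = Policy(max_age=timedelta(days=180), max_idle=timedelta(days=90), keep_latest=1)
DEPLOYED = frozenset({"sha256:ddd"})  # digests referenced by running workloads

if __name__ == "__main__":
    for repo, digest, tags in find_stale(SAMPLE_TAGS, NOW, SAMPLE_POLICY, DEPLOYED):
        print(f"delete {repo}@{digest} (tags: {', '.join(tags)})")
```

Note that `old-alias` is stale on its own, but its digest is kept because the `1.1.0` tag on the same digest was pulled recently.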
**Related article**: [Top 3 IAM Risks in Your GitHub Organization](https://www.paloaltonetworks.com/blog/prisma-cloud/prevent-inadequate-IAM-github-organization/?ts=markdown)

### Employ Sufficient Authentication and Authorization Restrictions

Identities granted more permissions than needed for the repository open opportunities for privilege escalation and can result in unauthorized code changes, tampering with the build process, and access to sensitive data.

Automation can help validate access controls, check user permissions, and identify potential vulnerabilities, enabling organizations to enact routine proactive measures, such as:

* Analyzing and mapping all identities across the engineering ecosystem. For each identity, continuously map the identity provider, permissions granted, and permissions used. Ensure that analysis covers all programmatic access methods.
* Removing unnecessary permissions for each identity across various systems in the environment.
* Establishing an acceptable period for disabling or removing stale accounts. Disable and remove identities that exceed this inactivity period.
* Mapping all external collaborators and aligning their identities with the principle of least privilege. When possible, grant permissions with an expiry date for human and programmatic accounts.
* Prohibiting employees from accessing SCMs, CIs, or other CI/CD platforms using their personal email addresses or addresses from domains not owned by the organization. Monitor non-domain addresses across different systems and remove non-compliant users.
* Disallowing users from self-registering to systems and granting permissions based on necessity.
* Avoiding granting base permissions in a system to all users and to large groups with automatically assigned user accounts.
* Creating dedicated accounts for each specific context, versus using shared accounts, and granting the exact set of permissions required for the given context.
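The routine checks in the list above can be automated over an identity inventory. This is an added example, not code from the original article or from any SCM vendor; the `Identity` record, the permission names, the finding labels, the 90-day inactivity period and the `example.com` corporate domain are all assumptions, and the inventory is constructed.

```python
"""Audit an identity inventory against the measures listed above (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Identity:                       # hypothetical inventory record
    name: str
    email: str
    external: bool                    # external collaborator rather than employee
    granted: FrozenSet[str]           # permissions granted
    used: FrozenSet[str]              # permissions exercised during the review window
    last_active: Optional[datetime]   # None means never seen
    expires: Optional[datetime] = None


def audit_identity(ident, now, corp_domains, max_inactive):
    """Return the list of findings for one identity (empty list means compliant)."""
    findings = []
    unused = sorted(ident.granted - ident.used)
    if unused:  # granted but never used: candidates for removal
        findings.append("unused-permissions:" + ",".join(unused))
    if ident.last_active is None or now - ident.last_active > max_inactive:
        findings.append("stale-account")
    domain = ident.email.rsplit("@", 1)[-1].lower()
    # Employees must use an organization-owned domain; externals are handled below.
    if not ident.external and domain not in corp_domains:
        findings.append("non-corporate-email:" + domain)
    if ident.external and ident.expires is None:
        findings.append("external-without-expiry")
    if ident.expires is not None and ident.expires <= now:
        findings.append("grant-expired")
    return findings


def audit(identities, now, corp_domains, max_inactive):
    """Map identity name -> findings, omitting identities with nothing to report."""
    report = {}
    for ident in identities:
        findings = audit_identity(ident, now, corp_domains, max_inactive)
        if findings:
            report[ident.name] = findings
    return report


def day(year, month, dom):
    return datetime(year, month, dom, tzinfo=timezone.utc)


# Constructed inventory for illustration.
AUDIT_NOW = day(2024, 6, 1)
CORP_DOMAINS = frozenset({"example.com"})
MAX_INACTIVE = timedelta(days=90)
RECENT = day(2024, 5, 20)
SAMPLE_IDENTITIES = [
    Identity("alice", "alice@example.com", False,
             frozenset({"read", "write"}), frozenset({"read", "write"}), RECENT),
    Identity("bob", "bob@personal.example", False,
             frozenset({"read", "write", "admin"}), frozenset({"read"}), RECENT),
    Identity("ci-deployer", "ci@example.com", False,
             frozenset({"read", "write", "packages:delete"}),
             frozenset({"read", "write"}), day(2023, 11, 1)),
    Identity("contractor-eve", "eve@vendor.example", True,
             frozenset({"read"}), frozenset({"read"}), RECENT),
    Identity("contractor-dan", "dan@vendor.example", True,
             frozenset({"read"}), frozenset({"read"}), RECENT, expires=day(2024, 3, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_IDENTITIES, AUDIT_NOW, CORP_DOMAINS, MAX_INACTIVE).items():
        print(f"{name}: {'; '.join(findings)}")
```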
### Implement Secure Storage

Establish a secure tamper-proof repository to store artifacts. Enable versioning to maintain a historical record of artifact changes and implement real-time monitoring to track and alert on suspicious activity. In case of compromised artifacts, configure the system to facilitate rollbacks to previous, known-good versions.

### Conduct Integrity Validation Checks from Development to Production

Implement processes and technologies that validate resource integrity throughout the software delivery chain. As developers generate a resource, they should sign it using an external resource signing infrastructure. Before consuming a resource in subsequent pipeline stages, cross-check its integrity against the signing authority.

**Code Signing**

SCM solutions offer the capability to sign commits with a unique key for each contributor, preventing unsigned commits from progressing through the pipeline.

**Artifact Verification Software**

Tools designed for signing and verifying code and artifacts, such as the Linux Foundation's Sigstore, can thwart unverified software from advancing down the pipeline.

**Configuration Drift Detection**

Implement measures to detect configuration drifts, such as resources in cloud environments not managed using a signed [infrastructure-as-code](https://www.paloaltonetworks.com/cyberpedia/what-is-iac?ts=markdown) template. Such drifts could indicate deployments from untrusted sources or processes.

### Employ Cryptographic Signing

Use public key infrastructure (PKI) to cryptographically sign artifacts at each stage of the CI/CD pipeline. This practice validates signatures against a trusted certificate authority before consumption. Configure your CI/CD pipeline to reject artifacts with invalid or missing signatures to reduce risks of deploying tampered resources or unauthorized changes.
### Use Only Secured Container Images

Container images can contain vulnerabilities that attackers can exploit to gain unauthorized access to the container and its host. To prevent this, use secure, trusted container images from reputable sources and scan them regularly. When deploying a container from a public registry, it's particularly important to first scan the container for malware and vulnerabilities.

### Enforce Multi-Source Validation

Adopt a multisource validation strategy that verifies the integrity of artifacts using various sources, such as checksums, digital signatures, and secure hash algorithms, as well as trusted repositories. Keep the cryptographic algorithms and keys up to date to maintain their effectiveness.

### Third-Party Resource Validation

Third-party resources incorporated into build and deploy pipelines, like scripts executed during the build process, should undergo rigorous validation. Before utilizing these resources, compute their hash and compare it against the official hash provided by the resource provider.

### Integrate Security Scanning

The CI/CD pipeline should use only vetted code (production approved) when creating images. Incorporate vulnerability scanning tools --- as well as [software composition analysis (SCA)](https://www.paloaltonetworks.com/cyberpedia/what-is-sca?ts=markdown) and [static application security testing (SAST)](https://www.paloaltonetworks.com/cyberpedia/what-is-sast-static-application-security-testing?ts=markdown) --- into the CI/CD pipeline to ensure image integrity before pushing images to the registry from which production deployment will pull them.

Be sure, as well, to follow best practices. Don't build images, for instance, before removing all unnecessary software components, libraries, configuration files, secrets, etc.
Taking a conservative, cautious approach will allow teams to address vulnerabilities early in the development process and maintain a high level of code quality while reducing the risk of security incidents.

Choose a container image scanning solution that can integrate with all registry types. Platforms like Cortex Cloud provide administrators with a flexible, one-stop image scanning solution.

### Image Analysis Sandbox

Using an image analysis [sandbox](https://www.paloaltonetworks.com/cyberpedia/sandboxing) will enhance your container security strategy during the development and deployment of containerized applications, allowing you to safely pull and run container images that possibly contain outdated, vulnerable packages and embedded malware from external repositories.

The sandbox's capabilities will allow you to scan for suspicious anomalous container behavior like cryptominers, port scanning, modified binaries, and kernel module modifications in a controlled environment. You can expose risks and identify [suspicious dependencies](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3?ts=markdown) buried in your software supply chain that static analysis otherwise would have missed.

* Capture detailed [runtime profile of the container](https://www.paloaltonetworks.com/cyberpedia/runtime-security?ts=markdown)
* Assess the risk of an image
* Incorporate dynamic analysis in your workflow

### Establish Validation Policies and Audit Schedule

To ensure proper image and artifact integrity validation, organizations should establish clear policies that define validation processes. Once established, regularly audit compliance with internal policies to identify and address weaknesses, as well as areas of noncompliance. Continuous monitoring and analysis will help detect anomalies and unauthorized activities.
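The hash comparison from Third-Party Resource Validation and the agreement rule from Enforce Multi-Source Validation, combined in one added example (not from the original article or any vendor tool): a resource is accepted only if its digest matches every claim and at least two independent sources vouch for it with an allowed algorithm. The `Claim` and `Verdict` types, the source names, the allowed-algorithm set and the sample script are assumptions; the sample digests are derived from the constructed bytes so the block runs offline.

```python
"""Multi-source digest validation for a third-party build resource (constructed data)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List

ALLOWED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})  # assumed local policy
HEX_CHARS = set("0123456789abcdef")


@dataclass(frozen=True)
class Claim:
    source: str      # where the expected digest was obtained
    algorithm: str
    hexdigest: str


@dataclass
class Verdict:
    ok: bool
    matched_sources: List[str]
    notes: List[str] = field(default_factory=list)


def parse_checksum_file(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):          # binary-mode marker
            name = name[1:]
        digest = digest.lower()
        if not name or not digest or not set(digest) <= HEX_CHARS:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[name] = digest
    return entries


def verify_artifact(data, claims, min_sources=2):
    """Accept only if no claim mismatches and >= min_sources distinct sources match."""
    notes, matched, mismatch = [], set(), False
    for claim in claims:
        algo = claim.algorithm.lower()
        if algo not in ALLOWED_ALGORITHMS:
            # Weak or unknown algorithms never count toward the quorum.
            notes.append(f"{claim.source}: algorithm {algo} not allowed, claim ignored")
            continue
        actual = hashlib.new(algo, data).hexdigest().encode()
        if hmac.compare_digest(actual, claim.hexdigest.lower().encode()):
            matched.add(claim.source)
        else:
            mismatch = True
            notes.append(f"{claim.source}: {algo} digest mismatch")
    if len(matched) < min_sources:
        notes.append(f"{len(matched)} source(s) matched, {min_sources} required")
    return Verdict(not mismatch and len(matched) >= min_sources, sorted(matched), notes)


# Constructed sample: a build script plus the digests two sources would publish for it.
GENUINE = b"#!/bin/sh\nset -eu\nmake release\n"
PROVIDER_SUMS = f"{hashlib.sha256(GENUINE).hexdigest()}  install.sh\n"  # provider's checksum file
LOCKFILE_PIN = hashlib.sha512(GENUINE).hexdigest()                      # digest pinned in the repo


def sample_claims():
    return [
        Claim("provider-checksum-file", "sha256", parse_checksum_file(PROVIDER_SUMS)["install.sh"]),
        Claim("repo-lockfile", "sha512", LOCKFILE_PIN),
    ]


if __name__ == "__main__":
    print(verify_artifact(GENUINE, sample_claims()))
    print(verify_artifact(GENUINE + b"# modified\n", sample_claims()))
```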
## At-a-Glance Container Registry Security Checklist

* Use trusted registries and libraries
* Secure hosting server and implement robust access policies
* Implement sufficient authentication and authorization restrictions
* Establish secure storage for artifacts
* Perform integrity validation checks throughout CI/CD
* Employ cryptographic signing
* Enforce multi-source validation
* Validate third-party resources
* Integrate security scanning in the CI/CD pipeline
* Establish validation policies and regular audit schedules

## Container Registry FAQs

### What is continuous integration (CI)?

Continuous integration (CI) is a development practice where developers frequently merge their code changes into a central repository, followed by automated builds and tests. The main goal of CI is to detect and fix integration errors as quickly as possible, improving software quality and reducing the time to deliver it. Automated tools run tests on each integration to ensure that the new code does not break or degrade the application. CI is a fundamental component of modern software development, enabling teams to maintain a high velocity and agility in their development processes.

### What is continuous deployment (CD)?

Continuous deployment (CD) is a software release process where every change that passes the automated testing phase is automatically deployed to the production environment. It extends continuous integration by deploying all code changes to a testing or production environment after the build stage. CI ensures a rapid and consistent flow of changes into production, enabling teams to quickly and reliably deliver features, updates, and fixes to customers. CD minimizes manual intervention, making the deployment process efficient.

### What is a CI/CD pipeline?

A [CI/CD pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security) automates the steps involved in getting software from version control into the hands of end users.
It encompasses continuous integration (CI) and continuous deployment (CD), automating the process of software delivery and infrastructure changes. The pipeline typically includes stages like code compilation, unit testing, integration testing, and deployment. This automation ensures that software is always in a deployable state, facilitating rapid and reliable software release cycles. CI/CD pipelines are essential for DevOps practices, enabling teams to deliver code changes more frequently and reliably.

### What is source control management (SCM)?

Source control management (SCM) is a system that tracks changes in source code and other development-related assets, allowing developers to collaborate, version their code, and maintain a history of code changes. Popular SCM tools include Ansible, GitHub, Mercurial, and Puppet.

### Benefits of SCM Systems

* SCM helps maintain the consistency and traceability of code used to build container images, allowing developers to easily identify the specific code version used to create a container image.
* SCM enables developers to collaborate on code, ensuring that the container images built and stored in the registry meet the organization's quality requirements.
* SCM tools enhance workflow by integrating with CI/CD pipelines and automating the process of building, testing, and pushing container images to the registry.

### What is image signing?

Image signing is the process of digitally signing container images to verify their authenticity and integrity. By attaching a digital signature to an image, image signing ensures that the image hasn't been tampered with and comes from a trusted source. Tools like Docker Content Trust and Notary are commonly used for signing container images, providing an additional layer of security in containerized application deployment.

### What is content trust?

Content trust refers to the security practice of ensuring that only trusted content is received, transmitted, and deployed.
In the context of containerized applications, it involves verifying the integrity and origin of container images using digital signatures. Content trust mechanisms ensure that images aren't tampered with and are from verified sources, mitigating risks like man-in-the-middle attacks and malicious code injections. Implementing content trust is vital for maintaining the security of software supply chains in cloud-native environments.

### What is image encryption?

Image encryption involves encoding container images to protect sensitive data and configurations contained within them. This process ensures that images can only be accessed or used by entities with the decryption key, safeguarding against unauthorized access and data breaches. Image encryption is particularly important when images are stored or transferred across potentially insecure environments, like public cloud storage or shared registries. It adds a critical security layer, protecting proprietary information and compliance-sensitive data within containerized applications.

### What are image retention policies?

Image retention policies are rules set by organizations to manage the lifecycle of container images in a registry. These policies determine how long images are kept, when they should be archived or deleted, and which versions to retain. Implementing such policies helps in managing storage costs, maintaining compliance with data governance standards, and ensuring that only relevant, up-to-date images are available for deployment.

### What is a webhook?

A webhook is a method for augmenting or altering the behavior of a webpage or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users and developers who don't necessarily have access to the source code of the webpage or application.
In cloud computing and DevOps, webhooks are used to trigger automated workflows, such as [CI/CD pipelines](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security), when specific events occur in a repository or deployment environment. Webhooks enable real-time notifications and automatic reactions to events, enhancing automation and integration between cloud services and tools.

### What is an image tag?

An image tag in container technology is a label applied to a container image in a registry. It serves as a mechanism to identify different versions of the same image, such as `latest`, `stable`, `1.2.3`, or `beta`. Tags allow developers and operators to reference specific versions of an image for deployment, ensuring the correct and consistent deployment of applications. Using image tags is essential for version control and deployment management in containerized environments.

### What is Quay?

Quay is a private container image registry from Red Hat that enables users to build, store, and distribute container images. It offers advanced features like image vulnerability scanning, geographic replication, and extensive access controls. Quay is designed to integrate with CI/CD systems, providing a secure and efficient way to handle container images for Kubernetes and other container environments.

### What is Docker Content Trust (DCT)?

Docker Content Trust (DCT) is a security feature within Docker for signing and verifying container images. It ensures that the images being used are exactly as the publisher intended, unmodified, and verified. DCT uses The Update Framework (TUF) and Notary for secure image signing and verification. When enabled, Docker clients verify the integrity and publisher of all the images they pull, providing a safeguard against the use of tampered images.

### What is Notary?

Notary is an open-source tool that provides a framework for publishing and verifying the signatures of content, such as container images.
It implements The Update Framework (TUF) specifications for secure content delivery and updates. Notary ensures that the content a user receives is exactly what the publisher intended, safeguarding against unauthorized modifications. Notary is commonly used in conjunction with Docker Content Trust to sign and verify Docker images.

### What is The Update Framework (TUF)?

The Update Framework (TUF) is a specification designed to secure software update systems, protecting against common attacks such as key compromise and man-in-the-middle attacks. TUF provides a flexible framework that developers can integrate into software update systems, ensuring the integrity and authenticity of software updates. It's particularly important in distributed environments, where software is often delivered over insecure channels. TUF's design helps prevent tampering with update files, ensuring that only safe, authorized updates are applied.

### What is the container registry API?

The container registry API is a set of programming interfaces that allow users to interact programmatically with a container registry. It enables tasks such as pushing, pulling, listing, and deleting container images. This API is essential for automating workflows in containerized environments, allowing for seamless integration with continuous integration and deployment pipelines. By using the container registry API, developers and operations teams can efficiently manage container images, enhancing productivity and ensuring consistency in deployments.

### What is an immutable repository?

An immutable repository in the context of container registries is a storage model where once an image is pushed, it can't be modified or deleted. Immutable repositories are crucial for maintaining a consistent and secure software supply chain, especially in environments where compliance and traceability are important.
They provide a safeguard against accidental or malicious alterations and ensure that a specific version of an image is always retrievable.

### What is image promotion?

Image promotion is the process of moving container images from one environment to another in a controlled and traceable manner, typically as part of a CI/CD pipeline. It involves advancing an image through various stages, such as from development to testing and then to production, ensuring that only verified and tested images are deployed. Image promotion practices enhance the reliability and stability of deployments, as they enforce quality checks and validations at each stage.

### What is image mirroring?

Image mirroring refers to the process of replicating container images from one registry to another. The practice is used for redundancy, performance optimization, and compliance with data sovereignty requirements. By mirroring images, organizations ensure availability in case the primary registry is down or inaccessible. It also speeds up deployment times by locating images closer to where they're used, reducing latency.

### What is geo-replication?

Geo-replication involves replicating data across multiple geographic locations to enhance data availability and disaster recovery. In cloud computing, it ensures that applications remain available and performant even in the event of regional outages or network issues. Geo-replication provides redundancy, ensuring data integrity and availability across different regions.

### What is a container registry proxy?

A container registry proxy acts as an intermediary between a private network and a public container registry. It caches container images locally, reducing the need to repeatedly download images from the public registry. This not only speeds up the deployment process but also reduces bandwidth usage and improves reliability.
A container registry proxy is particularly useful in environments with strict network security controls or limited internet access, as it allows for efficient management of container images while adhering to security policies.

### What is Skaffold?

Skaffold is an open-source command-line tool that facilitates continuous development for Kubernetes applications. It automates the workflow for building, pushing, and deploying applications, allowing developers to iterate on their applications in real-time. Skaffold handles the workflow for building container images, pushing them to a registry, and deploying them to a Kubernetes cluster. It is designed to work in different stages of a development lifecycle, from local development to continuous integration. Skaffold streamlines the development and deployment process, making it more efficient and consistent.

### What is Flux?

Flux is an open-source tool that implements GitOps for Kubernetes, ensuring that the state of a cluster matches the configuration stored in a Git repository. It automatically applies new changes made in the repository to the cluster, enabling continuous and automated deployment. Flux supports complex workflows and multi-environment setups, providing features like automated updates, rollback, and alerting. It enhances the reliability and consistency of deployments in Kubernetes, aligning with the principles of declarative infrastructure and version-controlled configuration.
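
The checklist items on trusted registries and integrity validation, together with the image tag answer above, can be enforced as a pre-deployment check. The Python below is an added example, not code from Palo Alto Networks or from any tool named on this page: it checks image references against an allowlist of trusted registries, requires a digest pin (a step beyond the page's text, since a tag is a movable label while a digest fixes the content), and verifies fetched manifest bytes against that digest. The registry allowlist, the sample references and the sample manifest are constructed, and the reference parsing is a simplified version of the convention Docker clients use.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: registries this organization trusts (hypothetical allowlist).
TRUSTED_REGISTRIES = {"registry.example.internal", "quay.io"}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry/]repository[:tag][@digest] (simplified Docker rules)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first component is a registry host only if it looks like one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    # A tag is a ':' suffix on the last path component, not a registry port.
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # official images live under library/
    return ImageRef(registry, path, tag, digest or None)


def check_image(ref: str) -> List[str]:
    """Return policy violations for one reference; an empty list passes."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in TRUSTED_REGISTRIES:
        problems.append(f"untrusted registry: {img.registry}")
    if img.digest is None:
        # A tag is a movable label; only a digest fixes the content.
        problems.append(f"not pinned by digest (tag: {img.tag or 'latest'})")
    elif not DIGEST_RE.fullmatch(img.digest):
        problems.append(f"malformed digest: {img.digest}")
    return problems


def manifest_matches(ref: str, manifest_bytes: bytes) -> bool:
    """True if the fetched manifest hashes to the digest pinned in ref."""
    img = parse_image_ref(ref)
    if img.digest is None or not DIGEST_RE.fullmatch(img.digest):
        return False
    actual = "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()
    return actual == img.digest


def audit(refs: List[str]) -> Dict[str, List[str]]:
    """Map each image reference to its list of violations."""
    return {ref: check_image(ref) for ref in refs}


# Constructed sample data: a manifest body and the references a deployment
# file might contain.
SAMPLE_MANIFEST = b'{"schemaVersion": 2, "layers": []}'
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE_MANIFEST).hexdigest()
SAMPLE_REFS = [
    "nginx",
    "quay.io/team/app:stable",
    f"registry.example.internal/team/app:1.2.3@{SAMPLE_DIGEST}",
]

if __name__ == "__main__":
    for ref, problems in audit(SAMPLE_REFS).items():
        print("PASS" if not problems else "FAIL", ref, problems)
    print("manifest ok:", manifest_matches(SAMPLE_REFS[2], SAMPLE_MANIFEST))
```

A digest match only proves the content is the content that was pinned; whether that content came from a trusted publisher is what the signing tools described above establish.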

Copyright © 2025 Palo Alto Networks. All Rights Reserved