Container Security

Secure Kubernetes® and other container platforms on any public or private cloud, from code to cloud with Prisma Cloud

Containers, Kubernetes and containers as a service (CaaS) have become mainstream ways to package and orchestrate services at scale. At the same time, businesses need to ensure they have purpose-built security to address vulnerability management, compliance, runtime protection and network security requirements for their containerized applications.

Prisma Cloud was named a Leader in CWS in The Forrester Wave™.

Container security that spans the full application lifecycle

Prisma Cloud scans container images and enforces policies as part of continuous integration and continuous delivery workflows, continuously monitors code in repositories and registries, and secures both managed and unmanaged runtime environments – combining risk prioritization with runtime protection at scale.
  • Support for public and private clouds
  • Single console for managed and unmanaged environments
  • Full lifecycle security for repositories, images and containers
  • Vulnerability management
  • Container compliance
  • CI/CD security
  • Runtime defense
  • Access control

THE PRISMA CLOUD SOLUTION

Our approach to Container Security

Vulnerability management

Start with full visibility into every dependency in your container images across the build, deploy and run phases. Prisma Cloud continuously aggregates and prioritizes vulnerabilities in CI/CD pipelines and in containers running on hosts or on containers as a service, in public and private clouds.

  • Prioritize remediation with guidance:

    Rank all known CVEs by risk, get remediation guidance and per-layer image analysis, and track the most urgent issues with vulnerability Top 10 lists.

  • Add guardrails with alerts and blocks for severity levels:

    Control the alert and blocking severity level for individual and groups of services during build time and runtime.

  • Leverage unmatched accuracy:

    Prisma Cloud minimizes false positives by correlating more than 30 upstream data sources, so developers and security teams receive only accurate vulnerability information.

  • Surface vulnerability information throughout the lifecycle:

    Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments.

Container compliance

Maintainers of container environments face unique configuration challenges compared to server-based monoliths. Prisma Cloud provides more than 400 out-of-the-box and customizable compliance checks to improve posture in containerized environments.

  • Maintain an audit history of compliance over time:

    See your total compliance rate with Prisma Cloud, based on continuous and up-to-date views of your container posture, as well as a thorough history of previous scans.

  • Control builds and deployments based on prebuilt and custom policies:

    Use templates from leading frameworks, including PCI DSS, HIPAA, GDPR, DISA STIG and NIST SP 800-190, and customize them to your organization’s needs.

  • Implement CIS Benchmarks and proprietary checks:

    Leverage preconfigured checks from the CIS Benchmarks and Prisma Cloud’s research for Docker®, Kubernetes, Linux, Windows® and Istio™.

  • Set license compliance levels:

    Automatically alert on and block licenses that don’t meet your organization’s requirements or require additional details, such as attribution.

  • Manage image trust:

    Leverage trusted groups and trusted images to only allow safe images to reach production.

  • Add compliance checks during build and runtime:

    Provide alerts and guardrails for misconfigurations at every step of the development lifecycle to decrease patch friction and prevent misconfigurations in production.
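The checks described above map naturally onto a small policy engine that evaluates a pod manifest the same way at build time (in CI) and at deploy time (in an admission hook). The following is an added example, not Prisma Cloud's own check set or check IDs: it implements a handful of checks modelled on common CIS Kubernetes Benchmark and NIST SP 800-190 recommendations (no host namespaces, no privileged containers, run as non-root, no privilege escalation, drop all capabilities, read-only root filesystem, images pinned by digest and pulled from a trusted registry). The two manifests, the check names and the `registry.example.com` registry are constructed for illustration.

```python
"""Compliance checks over a Kubernetes Pod manifest (already parsed to a dict).

Added example modelled on CIS / NIST SP 800-190 guidance; check IDs are made up here.
"""

TRUSTED_REGISTRIES = ("registry.example.com/",)  # assumed internal registry

# Constructed manifests: the first is the weak default, the second a hardened version.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "web",
            "image": "docker.io/library/nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def _sc(container):
    return container.get("securityContext") or {}


def check_host_namespaces(pod):
    spec = pod.get("spec", {})
    return [f"spec.{k} is true" for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k)]


def check_privileged(pod):
    return [f"{c['name']}: privileged" for c in _containers(pod) if _sc(c).get("privileged")]


def check_run_as_non_root(pod):
    # runAsNonRoot may be set at pod level or per container; either satisfies the check.
    pod_level = (pod.get("spec", {}).get("securityContext") or {}).get("runAsNonRoot")
    return [f"{c['name']}: runAsNonRoot not set" for c in _containers(pod)
            if not (_sc(c).get("runAsNonRoot") or pod_level)]


def check_privilege_escalation(pod):
    # The field defaults to true, so only an explicit False passes.
    return [f"{c['name']}: allowPrivilegeEscalation not false" for c in _containers(pod)
            if _sc(c).get("allowPrivilegeEscalation") is not False]


def check_capabilities(pod):
    out = []
    for c in _containers(pod):
        caps = _sc(c).get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{c['name']}: capabilities.drop lacks ALL")
        if caps.get("add"):
            out.append(f"{c['name']}: adds capabilities {caps['add']}")
    return out


def check_read_only_root(pod):
    return [f"{c['name']}: root filesystem writable" for c in _containers(pod)
            if not _sc(c).get("readOnlyRootFilesystem")]


def check_image_pinned(pod):
    # A mutable tag such as :latest can change underneath you; require a digest.
    return [f"{c['name']}: {c['image']} not pinned by digest" for c in _containers(pod)
            if "@sha256:" not in c["image"]]


def check_trusted_registry(pod, registries=TRUSTED_REGISTRIES):
    return [f"{c['name']}: {c['image']} not from a trusted registry" for c in _containers(pod)
            if not c["image"].startswith(registries)]


CHECKS = {
    "host-namespaces": check_host_namespaces,
    "privileged": check_privileged,
    "run-as-non-root": check_run_as_non_root,
    "privilege-escalation": check_privilege_escalation,
    "capabilities": check_capabilities,
    "read-only-root": check_read_only_root,
    "image-pinned": check_image_pinned,
    "trusted-registry": check_trusted_registry,
}


def evaluate(pod, checks=CHECKS):
    """Return {check_id: findings} for the checks that fail; an empty dict means compliant."""
    return {cid: findings for cid, fn in checks.items() if (findings := fn(pod))}


def admit(pod, blocking=frozenset(CHECKS)):
    """Admission decision: 'block' if any blocking check fails, else 'alert' or 'allow'."""
    failed = evaluate(pod)
    if failed.keys() & blocking:
        return "block", failed
    return ("alert" if failed else "allow"), failed
```

Running the same `evaluate` in CI and in the admission path is what keeps build-time and runtime posture consistent: a team can start with every check in alert-only mode (`admit(pod, blocking=frozenset())`) and promote individual checks to blocking once the fleet is clean.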

CI/CD security

The most effective strategy for securing containers is to catch and remediate issues at every step of the development lifecycle. CI/CD workflows offer an opportunity to embed automated security checks in existing development processes, reducing the load on both developers and security teams.

  • Scan repositories and registries for vulnerabilities and misconfigurations:

    Check source code and images for vulnerabilities and compliance issues across repositories, such as GitHub, and registries, such as Docker, Quay, Artifactory and more.

  • Lock down deployments to vetted images:

    Enforce the same trusted-groups and trusted-images policy at deploy time, so that only vetted images reach production.

  • Integrate security into CI tooling:

    Prisma Cloud includes integrations to alert on and block images with issues from CI tools, such as Jenkins, GitHub Actions, CircleCI, AWS CodeBuild, Azure DevOps, Google Cloud Build and more.

  • Provide software composition analysis (SCA) at every stage:

    Provide feedback on package vulnerabilities and open-source licenses from the CLI and repository scans.
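The severity guardrails in the vulnerability management section (alert at one level, block at a higher one, tuned per service or group of services) and the trusted-image gate above combine into a single CI/CD decision. The following is an added example, not Prisma Cloud's scanner output or its policy format: it evaluates a constructed scan result against per-service severity thresholds, optionally blocks only on vulnerabilities that have a fix available, and refuses to deploy an image whose digest is not on an allowlist. The report layout, the vulnerability IDs (`V-001` and so on), package names, service names and digests are all placeholders.

```python
"""CI/CD gate: per-service severity thresholds plus a trusted-image digest allowlist.

Added example; the report shape and policy format are assumptions, not a real tool's.
"""
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan result; ids, packages, versions and digests are placeholders.
SAMPLE_REPORT = {
    "image": "registry.example.com/payments/api:1.4.2",
    "digest": "sha256:1111",
    "vulnerabilities": [
        {"id": "V-001", "severity": "critical", "package": "pkg-a", "fixed_in": "1.0.4", "layer": 2},
        {"id": "V-002", "severity": "high", "package": "pkg-b", "fixed_in": None, "layer": 3},
        {"id": "V-003", "severity": "medium", "package": "pkg-c", "fixed_in": "0.9.2", "layer": 1},
        {"id": "V-004", "severity": "low", "package": "pkg-c", "fixed_in": "0.9.1", "layer": 1},
    ],
}
CLEAN_REPORT = {"image": "registry.example.com/web:2.0.0", "digest": "sha256:2222", "vulnerabilities": []}

# Policies keyed by service name or service group; "*" is the organisation default.
POLICIES = {
    "*": {"alert": "medium", "block": "critical"},
    "payments": {"alert": "low", "block": "high"},
}
SERVICE_GROUPS = {"payments-api": "payments"}

# Constructed allowlist: digests that have been promoted to production.
TRUSTED_DIGESTS = {"sha256:2222"}


def resolve_policy(service, policies=POLICIES, groups=SERVICE_GROUPS):
    """Most specific policy wins: the service itself, then its group, then the default."""
    for key in (service, groups.get(service), "*"):
        if key in policies:
            return policies[key]
    raise KeyError("no default policy configured")


def evaluate_image(report, service, stage, trusted=TRUSTED_DIGESTS, block_only_fixable=False):
    """Return (verdict, reasons) where verdict is 'pass', 'alert' or 'block'.

    stage is 'build' (CI) or 'deploy'; the digest allowlist is enforced only at deploy.
    """
    policy = resolve_policy(service)
    alert_at, block_at = SEVERITY_RANK[policy["alert"]], SEVERITY_RANK[policy["block"]]
    verdict, reasons = "pass", []
    for v in report["vulnerabilities"]:
        rank = SEVERITY_RANK[v["severity"].lower()]
        fixable = v.get("fixed_in") is not None
        if rank >= block_at and (fixable or not block_only_fixable):
            verdict = "block"
            reasons.append(f"block: {v['id']} {v['severity']} in {v['package']} "
                           f"(layer {v['layer']}, fix: {v['fixed_in'] or 'none'})")
        elif rank >= alert_at:
            if verdict == "pass":
                verdict = "alert"
            reasons.append(f"alert: {v['id']} {v['severity']} in {v['package']}")
    if stage == "deploy" and report["digest"] not in trusted:
        verdict = "block"
        reasons.append(f"block: digest {report['digest']} is not a trusted image")
    return verdict, reasons


def top_vulnerable_layers(report, n=10):
    """Per-layer counts, so the team knows which Dockerfile step to fix first."""
    return Counter(v["layer"] for v in report["vulnerabilities"]).most_common(n)


if __name__ == "__main__":
    for service in ("payments-api", "web"):
        verdict, reasons = evaluate_image(SAMPLE_REPORT, service, "build")
        print(service, verdict, *reasons, sep="\n  ")
    print(top_vulnerable_layers(SAMPLE_REPORT))
```

The `block_only_fixable` switch is the practical compromise most teams land on: a critical finding with no upstream fix should still page someone, but it should not hold every build hostage. Note that the digest check runs only at deploy time; at build time the image has not yet been promoted, so a digest allowlist would reject everything.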

Runtime defense

Containers scale automatically while running in a variety of environments. Prisma Cloud secures ephemeral containers using predictive and threat-based protection without adding overhead. Flexible deployment options, including agent-based and agentless modes, secure containers running stand-alone, on vanilla and managed Kubernetes, and in CaaS environments.

  • Simplify security with a single console:

    Leverage support for containers in cloud and on-premises environments across all unmanaged and managed offerings, plus all CRI-compliant runtimes.

  • Detect anomalous behavior automatically:

    Automatically profile running containers based on their process, network and file system behavior, then detect and block both known-bad and anomalous activity.

  • Gain network visibility across environments:

    View all container network communications across your cloud environments in real time.

  • Respond to incidents quickly with automatically captured forensic details:

    View the history of events that led up to and followed an incident for threat hunting and lifecycle analysis.
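Behavioral profiling and the forensic timeline above are two halves of one mechanism: a learning window records what a container image normally does, and enforcement then compares live events against that baseline while keeping the events that led up to each alert. The following is an added example, not Prisma Cloud's runtime engine: it learns a profile from constructed process, network and file events, flags deviations as anomalies, escalates a small constructed set of known-bad indicators to a block, and attaches the preceding events to every alert. The event format, the indicator lists and the sample events are assumptions made for the example.

```python
"""Runtime defense: learn a per-image behavioral profile, then detect deviations.

Added example; the event model and indicator lists are constructed, not a product's.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    kind: str   # "process", "network" or "file"
    value: str  # process name, "host:port", or file path written


@dataclass
class Profile:
    processes: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    file_prefixes: set = field(default_factory=set)


def _prefix(path, depth):
    """Generalise a path to its first `depth` components, e.g. /var/log/nginx/x -> /var/log."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:depth])


def learn_profile(events, file_depth=2):
    """Build the baseline from events observed during the learning window."""
    profile = Profile()
    for e in events:
        if e.kind == "process":
            profile.processes.add(e.value)
        elif e.kind == "network":
            profile.networks.add(e.value)
        elif e.kind == "file":
            profile.file_prefixes.add(_prefix(e.value, file_depth))
    return profile


# Constructed indicators; a real product ships a far larger, curated and updated set.
KNOWN_BAD_PROCESSES = {"nc", "ncat", "socat", "xmrig"}
SENSITIVE_PATHS = {"/etc", "/root/.ssh", "/var/run/docker.sock"}


def _under(path, base):
    return path == base or path.startswith(base + "/")


def detect(profile, events, file_depth=2, context=3):
    """Return (verdict, detail, preceding_events) for every event that is not in profile.

    Known-bad indicators produce 'block'; unknown-but-not-known-bad behavior produces 'alert'.
    """
    alerts, recent = [], deque(maxlen=context)
    for e in events:
        finding = None
        if e.kind == "process":
            if e.value in KNOWN_BAD_PROCESSES:
                finding = ("block", f"known-bad process {e.value}")
            elif e.value not in profile.processes:
                finding = ("alert", f"anomalous process {e.value}")
        elif e.kind == "network":
            if e.value not in profile.networks:
                finding = ("alert", f"anomalous connection {e.value}")
        elif e.kind == "file":
            if any(_under(e.value, s) for s in SENSITIVE_PATHS):
                finding = ("block", f"write to sensitive path {e.value}")
            elif _prefix(e.value, file_depth) not in profile.file_prefixes:
                finding = ("alert", f"anomalous file write {e.value}")
        if finding:
            alerts.append((*finding, list(recent)))  # forensic context: what came before
        recent.append(e)
    return alerts


# Constructed learning-window events for a web container.
LEARNING_EVENTS = [
    Event("process", "nginx"), Event("process", "sh"),
    Event("network", "10.0.0.5:5432"),
    Event("file", "/var/log/nginx/access.log"), Event("file", "/tmp/cache/x"),
]

# Constructed live events: normal traffic interleaved with an intrusion.
LIVE_EVENTS = [
    Event("process", "nginx"),
    Event("process", "curl"),
    Event("process", "nc"),
    Event("network", "10.0.0.5:5432"),
    Event("network", "203.0.113.9:4444"),
    Event("file", "/var/log/nginx/error.log"),
    Event("file", "/etc/passwd"),
]

if __name__ == "__main__":
    for verdict, detail, before in detect(learn_profile(LEARNING_EVENTS), LIVE_EVENTS):
        print(verdict, detail, "| preceded by:", [b.value for b in before])
```

Generalising file paths to a prefix (rather than learning exact filenames) is what keeps a log-rotating or cache-writing service from drowning the profile in one-off paths; the depth is a tuning knob, and a shallower depth trades precision for fewer false positives.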

Access control

Container runtime and Kubernetes defaults grant overly permissive access. Prisma Cloud locks down user and control plane access to Docker and Kubernetes to reduce the attack surface.

  • Control Docker command access:

    Add fine-grained control over which users may run which Docker commands, configured per environment.

  • Inject secrets safely into containers:

    Prisma Cloud integrates with secrets management tools such as CyberArk and HashiCorp Vault to keep secrets out of images and environment files and provide them to containers only when needed.

  • Simplify policy enforcement with managed Open Policy Agent:

    Simplify the creation of policy as code and enforce OPA’s decisions.

  • Automate and aggregate detailed logging:

    Audit events for vulnerabilities, compliance violations and runtime events are automatically generated, collected and aggregated in a single, searchable dashboard.


Prisma Cloud
Prisma® Cloud is the industry's most complete cloud-native application protection platform (CNAPP), with the industry's broadest security and compliance coverage for infrastructure, workloads and applications across the entire cloud-native technology stack, throughout the development lifecycle and across hybrid and multicloud environments.

Cloud Workload Protection modules

HOST SECURITY

Secure virtual machines (VMs) on any public or private cloud.

CONTAINER SECURITY

Secure Kubernetes and other container platforms on any public or private cloud.

SERVERLESS SECURITY

Secure serverless functions across the full application lifecycle.

WEB APPLICATION & API SECURITY

Protect against Layer 7 and OWASP Top 10 threats in any public or private cloud.

Resources

Get more insight into what Prisma Cloud can do for your business