Cloud Workload Protection

With Prisma Cloud, you can secure hosts, containers and serverless deployments across the entire application lifecycle.

Cloud-native applications are increasingly distributed across VMs, hosts, containers, Kubernetes® and serverless architectures. Unique security requirements for each make consistent workload protection a challenge.

Secure hosts, containers and serverless across multicloud and hybrid environments

Prisma Cloud is a comprehensive Cloud Workload Protection solution that delivers flexible protection to secure cloud VMs, containers and Kubernetes apps, serverless functions and containerized offerings like AWS Fargate® tasks. With Prisma Cloud, DevOps and cloud infrastructure teams can adopt the architecture that fits their needs without worrying about security keeping pace with release cycles or protecting a variety of tech stacks.
  • Support for public and private clouds
  • Flexible agentless scanning and agent-based protection
  • Security integrated across the application lifecycle
  • Vulnerability management
  • Compliance
  • CI/CD security
  • Runtime defense
  • Container access control
  • Image Analysis Sandbox
  • Trusted Images
  • Web App and API Security
  • Agentless and agent-based security

THE PRISMA CLOUD SOLUTION

Our approach to cloud workload protection

Vulnerability management

Securing cloud-native applications requires a comprehensive view into vulnerabilities across the application lifecycle. Prisma Cloud delivers a centralized view to help prioritize risks in real time across public cloud, private cloud and on-premises environments for every host, container and serverless function.

  • Manage risk from a single UI.

    Prioritize risk across host OS, container images and serverless functions with intelligent risk scoring.

  • See vulnerability status with remediation guidance.

    View every CVE with details and up-to-date vendor fix information, supporting all cloud-native technologies.

  • Alert on or prevent vulnerabilities across environments.

    Set precise policies to alert on or prevent vulnerable components from running on your environments.

  • Integrate security into your CI/CD pipeline.

    Continuously monitor container registries as well as explicitly define trustworthy images, registries and repositories.

  • Integrate data with your existing systems.

    Integrate vulnerability alerts into common endpoints, including JIRA®, Slack®, PagerDuty®, Splunk®, Cortex® XSOAR™, ServiceNow® and more.

Compliance

Cloud-native applications require purpose-built controls to gain visibility into compliance posture and maintain compliance for dynamic, ephemeral infrastructures. Prisma Cloud delivers real-time and historical views into compliance status for hosts, containers and serverless functions.

  • Achieve compliance from a single solution.

    Centrally monitor compliance posture with a single dashboard that covers hosts, containers and serverless functions as well as Kubernetes and Istio®.

  • Use 400+ customizable checks for cloud-native applications.

    Cover leading frameworks, including PCI DSS, HIPAA, GDPR and NIST SP 800-190, with prebuilt compliance templates.

  • Leverage CIS Benchmarks.

    Implement or customize checks based on CIS Benchmarks, with approved coverage for the AWS®, Docker®, Kubernetes and Linux CIS Benchmarks.

  • Ensure image trust.

    Use trusted images to ensure that application components only originate from authorized sources.

  • Integrate compliance across the application lifecycle.

    Add compliance checks as part of the full application lifecycle to alert on or prevent misconfigurations in your applications from reaching production.

CI/CD security

To secure cloud-native applications, security must be addressed before deployment and integrated across the application lifecycle. You can scale these efforts with a consolidated platform that integrates vulnerability scanning and hardening checks into the CI/CD workflow.

  • Connect your infrastructure and application risks.

    Identify exposed issues within your codebase and eliminate false positives to prioritize critical remediations faster.

  • Visualize your software supply chain.

    Create a consolidated inventory of code risks and CI/CD pipelines across your engineering ecosystem.

  • Surface scan results in developer tooling and central dashboards.

    View scan results and details, both at their source and with an aggregated view.

  • Visualize breach pathways.

    Unravel complex relationships to help identify breach pathways that reach business-critical assets.

  • Enforce security policies to prevent builds from moving forward in pipelines.

    Control exactly what progresses through the development pipeline with centralized policies across the entire application lifecycle.

Runtime defense

Cloud-native applications scale dynamically, requiring a modern automated approach to protection that prevents applications from unwanted activity and threats. With Prisma Cloud, ensure hosts, containers and serverless applications are secure — whether you’re running on public clouds, private clouds or on-premises.

  • Unify protection with a single agent.

    Secure all of your workloads from a single solution. Prisma Cloud supports Linux and Windows® hosts, containers and Kubernetes, as well as emerging technologies like PaaS and serverless.

  • Automate security without needless manual effort.

    Automate baseline policies across process, file system and network activity to achieve security at enterprise scale.

  • Capture detailed forensics of every audit or security incident.

    Automatically and securely gather forensics details in a powerful timeline view to enable incident response. You can view data in Prisma Cloud or send it to other systems for deeper analysis.

  • Prevent activity across any environment.

    Manage runtime policies all from a centralized console to ensure security is always present as part of every deployment.

  • Enable your SOC teams with context-rich data.

    With incidents mapped to the MITRE ATT&CK® framework, along with detailed forensics and rich metadata, SOC teams can identify and track threats against ephemeral cloud-native workloads without the usual blind spots.

Container Access Control

Modern applications need deep, integrated security to protect the entire application stack. With Prisma Cloud, organizations can leverage security optimized for cloud-native architectures.

  • Gain control over Docker activities.

    Manage rules governing Docker configurations, containers, images, nodes, plugins, services and more to ensure your environment runs as you choose.

  • Manage secrets for your containers.

    Take advantage of integration with secrets management tools, like CyberArk® and HashiCorp®, to ensure your secrets are properly managed and secured.

  • Capture Kubernetes audits.

    Deploy security purpose-built for cloud-native tech stacks. Prisma Cloud ingests Kubernetes audit data and surfaces rules to identify events to alert on.

  • Secure deployments with Open Policy Agent.

    Craft rules in Rego policy language to gain control over every deployment.

  • View audit results in a single dashboard.

    Surface all audit alerts and activities in a single pane of glass for analysis.

Image Analysis Sandbox

Safely pull and run container images that possibly contain outdated, vulnerable packages and embedded malware from external repositories. With Image Analysis Sandbox, you can expose risks and identify suspicious dependencies buried deep in your software supply chain that would otherwise be missed by static analysis.

  • Capture a detailed runtime profile of the container.

    Dynamically scan images in a sandbox virtual machine by collecting the process, network and filesystem events that occur while the container runs in the sandbox. The events are displayed as an overview of the container's behavior at runtime.

  • Assess the risk of an image.

    Scan for suspicious and anomalous container behavior, such as malware, cryptominers, port scanning, modified binaries or kernel module modifications.

  • Incorporate dynamic analysis into your workflow.

    Shift container security left by integrating the Image Analysis Sandbox into CI/CD workflows.

Trusted Images

Not all container images are created equal. While it is practical to pull images from external repositories, doing so exposes you to one of the most common high-risk scenarios: such images may contain outdated, vulnerable packages or embedded malware. Trusted Images is a security control that lets you declare by policy which registries, repositories and images you trust, as well as how to respond when untrusted images are started in your environment.

  • Enable key countermeasures for major container risks.

    Define which images are permitted to run in your environment. Specify registries, repositories and images that are considered trustworthy. If an untrusted image runs, Prisma Cloud will issue an audit, raise an alert and optionally block the container from running.

  • Establish trust.

    Establish trust by point of origin (registry or repository) or base layer. Monitor the origin of all containers on the hosts.
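The trust-by-origin model described above, as an added illustration that is not Prisma Cloud's own policy format or code: a constructed policy trusts a whole registry, a single repository, or one exact image, and every image reference seen starting on a host is normalized with Docker's naming defaults before being checked, so that `nginx:1.25` and `docker.io/library/nginx:1.25` are judged the same way. The policy contents and the `alert`/`block` effect names are assumptions.

```python
# Constructed trust policy for illustration; not Prisma Cloud's own policy format.
TRUST_POLICY = {
    "registries": {"registry.example.com"},       # whole registry trusted
    "repositories": {"docker.io/library/nginx"},  # one repository trusted
    "images": {"quay.io/acme/worker:2.1.0"},      # one exact image trusted
}

def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest),
    applying Docker's defaults: no registry -> docker.io, single-segment name
    on docker.io -> library/<name>, no tag and no digest -> latest."""
    digest = None
    if "@" in ref:                       # digest form: repo@sha256:<hex>
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # The first segment is a registry only if it looks like a host name.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    name, colon, maybe_tag = path.rpartition(":")
    if colon and "/" not in maybe_tag:   # ':' in the last segment is a tag
        path, tag = name, maybe_tag
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"
    return registry, f"{registry}/{path}", tag, digest

def evaluate(ref, policy=TRUST_POLICY):
    """Return (trusted, reason). Trust is granted by point of origin: registry,
    then repository, then the exact image (tag or digest); else untrusted."""
    registry, repo, tag, digest = parse_image_ref(ref)
    exact = repo + ("@" + digest if digest else ":" + tag)
    if registry in policy["registries"]:
        return True, "registry"
    if repo in policy["repositories"]:
        return True, "repository"
    if exact in policy["images"]:
        return True, "image"
    return False, "untrusted"

def audit(started, policy=TRUST_POLICY, effect="alert"):
    """Apply the policy to image references seen starting on a host and return
    an audit record per untrusted image with the configured effect
    ('alert' only, or 'block' the container from running)."""
    return [(ref, effect) for ref in started if not evaluate(ref, policy)[0]]
```

Note that an image trusted by tag is still mutable at the registry; pinning the trusted entry to a digest, as the parser already supports, is the stricter choice.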

Flexible control

Cloud workloads and apps constantly evolve. Organizations need agile, integrated controls to ensure the entire stack is protected. Only Prisma Cloud offers the flexibility to use agentless and agent-based protections that suit your needs.

  • Agentless scanning for easy visibility.

    Gain rapid visibility without deploying preventive or blocking capabilities. Agentless scanning provides quick assessments of risk, including known CVEs, misconfigurations and other security issues.

  • Agent-based protection for runtime threats.

    A unified agent framework supports defense in depth to secure cloud-native apps. Agent-based protection provides deep forensic visibility and preventive policies to block and stop suspicious activity.

  • Unified console and one policy engine for both approaches.

    Prisma Cloud is the industry's only solution to offer both agentless and agent-based security — all managed from a single location.

Prisma Cloud

Prisma® Cloud is the industry’s most complete Cloud-Native Application Protection Platform (CNAPP), with the industry’s broadest security and compliance coverage — for infrastructure, workloads and applications across the entire cloud-native technology stack — throughout the development lifecycle and across multicloud and hybrid environments.

Cloud Workload Protection modules

HOST SECURITY

Secure virtual machines (VMs) on any public or private cloud.

CONTAINER SECURITY

Secure Kubernetes and other container platforms on any public or private cloud.

SERVERLESS SECURITY

Secure serverless functions across the full application lifecycle.

WEB APPLICATION & API SECURITY

Protect against Layer 7 and OWASP Top 10 threats in any public or private cloud.
