A cloud virtual machine is the closest analog to a traditional on-premises workload, but that doesn’t mean that you shouldn’t take advantage of cloud security tools to augment the more traditional controls you might deploy on-premises.
Virtual machines are the most mature platform for running applications in cloud environments, with hypervisor technology dating back to the mainframe era. VMs provide the greatest levels of isolation, compatibility, and control suitable for running nearly any type of workload.
VMs give you a wide range of cloud images and frameworks, languages and configurations. They are a natural choice for migrating existing monolithic applications or for self-hosting traditional resource-intensive workloads like relational databases. They’re also a common option for running a containerized stack.
VMs also require you to take responsibility for more of the stack than managed container or serverless workloads. With VMs, your responsibility begins at the operating system and extends all the way through whatever components you layer on top. Add in the flexible, API-driven nature of cloud platforms, where new VMs can be created with a few keystrokes and a git commit, and despite their maturity, cloud VMs still present a significant security challenge.
The Cloud Brings New Ways To Secure Virtual Machines
If cloud virtual machines offer a mature application platform, do traditional security tools offer all the protection they need? In the cloud, probably not. VM instances in a public cloud still tend to be more dynamic, easier to create, and easier to expose to public access, intentionally or not. Traditional security tools like virtualized network firewalls still have a vital part to play, but your scope must extend beyond them to include more host-based protection and to take advantage of the additional insights that a cloud control plane can provide.
Cloud platforms are API-driven, so many aspects of a cloud environment can be inventoried and audited. VM images can be built (using a hardened base operating system, for instance) and stored for deployment, opening them up for security scanning and compliance checks before anything is launched from them. In addition, user behavior can be audited and network traffic flow captured. Your cloud security solution should leverage all the insights a cloud platform can give you.
Host-based security embeds powerful network and application defensive capabilities within your VMs to defend against web application layer attacks and to isolate each host's connectivity in a learned, least-privilege connectivity mesh. Policies are tied to hosts and applications, not to static IP-based configurations.
Prisma Cloud protects your VMs by continuously identifying your compute instances, protecting your Linux and Windows instances at runtime, and ensuring complete vulnerability management and compliance:
Prisma Cloud provides full lifecycle vulnerability management for VMs: scanning VMs as part of golden pipelines and continuously monitoring the vulnerability status of running VMs. Leverage vulnerability intelligence from Prisma Cloud or third-party sources.
Runtime Protection, Including File Integrity Monitoring (FIM) and Log Inspection
When your VM is running, Prisma Cloud monitors network traffic between cloud VMs, process execution, and file system access by building a model of known behavior. Default rules and custom runtime rules enhance protection by alerting on or blocking anomalous behavior.
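As an added illustration of the learned-behavior approach described above (example code, not Prisma Cloud's own implementation): a per-host baseline of executed processes and network peers is built from a learning window, after which events outside that baseline are raised as an alert or a block, mirroring the alert-or-block choice in the text. The event format, hostnames and addresses are constructed for this example.

```python
"""Learned runtime baseline for VM process and network behaviour.

Illustrative example only (not vendor code): events observed during a
learning window form the model; later events outside it are flagged.
Event shape and all sample data below are constructed for the example.
"""
from collections import defaultdict

# Constructed sample events: (host, kind, detail)
#   kind "proc" -> executable path; kind "net" -> "dst_ip:port"
LEARNING_EVENTS = [
    ("web-01", "proc", "/usr/sbin/nginx"),
    ("web-01", "proc", "/usr/bin/php-fpm"),
    ("web-01", "net", "10.0.2.15:5432"),
    ("web-01", "net", "10.0.2.15:5432"),
    ("db-01", "proc", "/usr/lib/postgresql/14/bin/postgres"),
]

RUNTIME_EVENTS = [
    ("web-01", "proc", "/usr/bin/php-fpm"),      # learned, no finding
    ("web-01", "proc", "/tmp/update.bin"),       # never-seen binary on web host
    ("web-01", "net", "10.0.2.15:5432"),         # learned connection
    ("web-01", "net", "203.0.113.9:8443"),       # unlearned outbound peer
    ("db-01", "net", "10.0.2.30:22"),            # db host never made outbound
]


def learn_model(events):
    """Build per-host sets of observed processes and network peers."""
    model = defaultdict(lambda: {"proc": set(), "net": set()})
    for host, kind, detail in events:
        model[host][kind].add(detail)
    return model


def evaluate(model, events, block_kinds=("net",)):
    """Return (verdict, host, kind, detail) for each unlearned event.

    Verdict is "block" for kinds the policy enforces and "alert" for the
    rest; a host absent from the model has no learned behaviour at all.
    """
    findings = []
    for host, kind, detail in events:
        learned = model.get(host, {}).get(kind, set())
        if detail in learned:
            continue
        verdict = "block" if kind in block_kinds else "alert"
        findings.append((verdict, host, kind, detail))
    return findings


if __name__ == "__main__":
    for finding in evaluate(learn_model(LEARNING_EVENTS), RUNTIME_EVENTS):
        print(*finding)
```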
Prisma Cloud also provides host-based network and application firewalling, intercepting and blocking layer 7 threats such as injection attacks or reconnaissance tools, protecting against brute force attacks, and preventing sensitive information leakage.
Prisma Cloud supports the Linux CIS Benchmarks, compliance checks for Windows, and custom compliance checks, ensuring you can always meet, and continuously audit against, internal or external compliance regimes.