Palo Alto Networks is one of the biggest security companies in the world. Every year, they organize the well-attended event Palo Alto Ignite. In November last year, it was a virtual event. In the same period, Prisma Cloud 3.0 saw the light. It was announced at Ignite. Prisma Cloud is a comprehensive platform to protect cloud (native) applications and infrastructure components from source code to production. In version 3.0, Palo Alto added a lot more features to extend the platform and to better support the developer experience. In this article, we’ll explore what’s new and exciting.
On-the-fly discovery of misconfigurations
Developers who are not so experienced with cloud technology yet can quickly create cloud misconfigurations. Every misconfiguration can lead to the exposure of (critical) data. Another threat is resource abuse by an unwanted party. The new version of Prisma Cloud uses intelligence to reduce the number of alerts for misconfigurations. Security experts and developers can focus on the most important alerts to save time. It helps to reduce the so-called “alert fatigue”. Besides these benefits, your organization can save costs since you do not have to call cloud APIs which charge you per request. On top of that, you don’t have to investigate big chunks of log files to find the exact problem.
All of this comes together in the new and improved Alerts overview dashboard. On this screen, you can filter and sort alerts by severity. Furthermore, you can group them based on policy type and also find the compliance standard(s) to which they belong. It’s possible to select multiple alerts and trigger a follow-up for all of them at once.
Advanced techniques for micro-segmentation
In one of the previous articles, we discussed the background and concepts of micro-segmentation. It’s vital to understand the way applications use identities to authenticate and authorize themselves to each other. Traditional techniques such as IP addresses or (network) subnets do not work anymore in a cloud native world. Prisma Cloud uses a “scanner” to capture applications and find the communication paths from one application to another.
This last feature is improved since it now uses application profiling and out-of-the-box rules to secure common applications in a matter of minutes. Security teams no longer need to follow time-consuming procedures to do this manually. It also reduces human errors since everything is automated and based on common profiles. These profiles are derived from industry standards and the already deployed applications. Policies are easier to create and understand, since Prisma Cloud helps to generate the most optimal rules for the cloud native applications it scans.
Based on this new feature, teams can adopt zero trust platforms and truly implement the least privilege principle in a quicker and safer fashion. Another benefit is that it removes the trial-and-error approach in which you first grant zero permissions and gradually add more permissions. Since this requires constant deployment and checking (often no debugging is possible), it is a time-consuming habit. Luckily, that is something of the past now.
Integration with Azure Active Directory
Azure is on the rise, therefore Prisma Cloud extends its support for this cloud provider. Great news for private companies and governmental organizations that trust Microsoft for their cloud solution.
Every piece of infrastructure in the cloud requires an entity to access it. In Azure, entities reside within Azure Active Directory. Service principals and application identities are just two examples of entities. Prisma Cloud now integrates with Azure Active Directory in a smooth fashion.
Critical infrastructure should only be accessible to entities that have the minimum level of permissions. A vast majority of entities has excessive permissions, which increases the attack surface. Therefore Prisma Cloud can now analyze and monitor (customer) accounts, resources and other workloads which are managed by Azure. Permissions are fetched from Azure AD, for which it also offers Single Sign-On. From here, the net effective identity permissions are reported and security teams can then decide to limit the permissions of those identities to what is absolutely necessary.
Zero agent approach for workload protection
Workload protection, as discussed in a previous article, requires an agent to check your runtime environments in the cloud. To do so, Prisma Cloud offers a so-called “defender”, which is a more advanced solution compared to Azure Defender. It’s possible to run defenders for Virtual Machines, containers (also in Kubernetes) and serverless applications. Besides this, you can add defenders to application definition files such as task definitions for Fargate.
Installation
You need to execute a custom script or Helm template to roll out a defender on a Virtual Machine or Kubernetes cluster. The defender connects back to the Prisma Cloud console (dashboard), to which it reports vulnerabilities and compliance related issues. Defenders can alert or block on suspicious behavior through Machine Learning capabilities, and on critical vulnerabilities or compliance issues. Even when the (secure) connection between a defender and the Prisma Cloud console is lost, your workload remains protected.
Security teams can set the desired rules and also manage exceptions. Teams’ permissions are scoped using so-called “collections”, which act as a namespace. Therefore sensitive security related information is only shown to the teams that need it.
Auto upgrade and auto detect
Since Prisma Cloud 3.0, defenders can automatically upgrade themselves to a newer version of the software they run. Defenders should always run the same version as the Prisma Cloud console to stay compatible with each other. This auto-upgrade process frees DevOps teams from having to manually keep track of which version each defender runs.
In addition to this feature, Prisma Cloud now also offers a way to discover unprotected assets in Google Cloud, Azure and AWS. Auto discovery was already possible for AWS, and now for the other major cloud providers as well. In the so-called “radar” you can kick off a discovery scan to get an overview of the unprotected hosts. In AWS, Prisma Cloud users get the option to auto-protect any instance it sees. Google Cloud and Azure will offer this feature in the future.
Improved advisor dashboard
Every security tool requires a clear dashboard to capture the most prominent risks and the intended follow ups. This reduces the likelihood of problems in all stages of the software development life-cycle.
A new advisor dashboard groups related problem areas into three categories. The first one is visibility, compliance and governance, the second one focuses on threat detection and the last category offers options to respond to those threats and other security issues. This ensures the security operators can quickly focus on what they need to do in every development stage.
It’s not just a huge list of options which you might use. Activated features are highlighted. In contrast to this big list, the dashboard provides (background) guidance on unused platform capabilities. The intention is to make you more productive without distracting you from the core capabilities, which focus on Cloud Security Posture Management (CSPM).
Secure IaC templates
Not long ago, Palo Alto also acquired Bridgecrew to add Checkov to Prisma Cloud. DevOps teams use Checkov to scan their Infrastructure as Code templates for cloud misconfigurations and security related issues. The following key aspects explain why you need to scan your IaC templates:
- DevSecOps pushes developers to develop and deploy even faster than before. CI/CD processes are automated to the max. Infrastructure is created on the fly and also torn down once its function is over. When automated processes get out of control, security risks pop up, so keep a close watch on your cloud security posture.
- Become proactive in terms of security checks. It’s too late if you detect and respond to security issues in a reactive way. This way, you end up with many security issues very late in the process. Security teams will be overwhelmed by the number of issues. The communication overhead increases and security issues at runtime lead to unacceptable and uncontrollable business risks.
Checkov is supported by a large (open source) community, which serves as a big plus for its adoption. It supports the following IaC templates: Helm, ARM, CloudFormation, Terraform, Kubernetes and Serverless frameworks.
With Checkov, Prisma Cloud offers continuous policy as code right in the IDE of the developer. It’s also embedded in the DevOps workflows and tooling that developers use on a daily basis. Fixes can be executed automatically (Prisma Cloud learns from previous situations) and this hooks into the pull request process. Suggestions that Checkov presents are actionable and directive, so that developers feel supported to actually follow them up.
With these factors in mind, developers are less disrupted when preventing, identifying and fixing security issues they might not be so familiar with.
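To make concrete what a policy-as-code scan of an IaC template does before anything is deployed, here is a small added example (it is not Checkov's or Prisma Cloud's own code): a constructed CloudFormation template in JSON with a public-read S3 bucket and a security group that allows SSH from anywhere, two resource-type checks that flag both, and a remediation step that applies the fix a scanner would suggest. The admin CIDR used in the fix is a placeholder.

```python
import json

# Constructed CloudFormation (JSON) template carrying two deliberate misconfigurations.
WEAK_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"GroupDescription": "admin access",
                               "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                                         "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}})

def check_s3_public_acl(name, props):
    """Fail if the bucket's canned ACL grants anonymous read or write access."""
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        return f"{name}: bucket ACL {props['AccessControl']} exposes objects to the internet"
    return None

def check_sg_open_ssh(name, props):
    """Fail if any ingress rule lets SSH (tcp/22) in from every IPv4 or IPv6 address."""
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        if world and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535):
            return f"{name}: security group allows SSH from anywhere"
    return None

# Checks are keyed by resource type, the way policy-as-code scanners dispatch on it.
CHECKS = {"AWS::S3::Bucket": [check_s3_public_acl],
          "AWS::EC2::SecurityGroup": [check_sg_open_ssh]}

def scan_template(template_json):
    """Run every check registered for each resource's type and collect the failures."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        for check in CHECKS.get(res.get("Type"), []):
            finding = check(name, res.get("Properties", {}))
            if finding:
                findings.append(finding)
    return findings

def harden(template_json, admin_cidr="10.0.0.0/24"):
    """Apply the remediation a scanner would suggest; admin_cidr is a placeholder range."""
    t = json.loads(template_json)
    for res in t.get("Resources", {}).values():
        props = res.setdefault("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            props["AccessControl"] = "Private"
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0":
                    rule["CidrIp"] = admin_cidr
    return json.dumps(t)
```

Running `scan_template(WEAK_TEMPLATE)` reports both resources; after `harden()` the same scan returns no findings, which is the gate a pull-request check would enforce.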
Conclusion
Prisma Cloud from Palo Alto Networks is a well-known platform in the world of security. Recently, version 3.0 was released. Among smaller updates, the most prominent improvements are scanning of IaC templates, an improved advisor dashboard, agentless workload protection and integration with Azure Active Directory services. In this article I highlighted these additions and new features so developers can speed up their efforts to build better and more secure software and infrastructure components.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to sales@amazic.com.