Lead Image © alexmillos, 123RF.com

Secure cloud-native services with Prisma Cloud Compute

Safe Clouds

Article from ADMIN 57/2020
Improve the security of cloud-native components by integrating them into the Prisma Cloud Compute Edition security suite.

The recent notable milestones in the evolution of software development and how applications are served over the Internet, not least of which are the popularity of portable containers and Docker's remarkable rate of adoption, had security professionals scratching their heads until the security challenges that they presented were fully understood. Few niche vendors fully embraced container security headaches as Docker's toolbox took the developer world by storm. The sophisticated security suite Twistlock, now Prisma Cloud Compute Edition [1] after their acquisition by Palo Alto Networks (see the "What's in a Name?" box), stood out from the crowd and, through natural selection, took center stage in the container security space.

What's in a Name?

The rebranding from Twistlock to Prisma Cloud Compute is still in transition, so you'll see both product names mentioned throughout this article. Adding to the confusion, Palo Alto Networks offers two similarly named products [2]: the software-as-a-service (SaaS) version Prisma Cloud Compute, for which Palo Alto Networks hosts the console and you deploy the agents, and the Prisma Cloud Compute Edition on-premises product, which you deploy and operate in your own environment. In this article, "Prisma Cloud Compute" refers to the self-hosted version.

Now, having increased its feature set significantly, the cloud-native security suite is exceptionally sophisticated. After the introduction of multiple new features (e.g., the ability to protect host machines that aren't running containers, serverless function protection, and improvements in continuous integration-continuous delivery), it's safe to say that the product has raised its game significantly. Moreover, Prisma Cloud Compute no longer focuses only on protecting Amazon Web Services (AWS); the security suite now supports the Google Cloud and Microsoft Azure platforms, as well.

Admittedly, it's difficult to do the product justice in a single article, so I will have to skip some details to fit as much content as possible. Although Prisma Cloud Compute is not an open source product, I will point you at some open source code that might be useful in the container security niche. Once you've had a look at what's included in the box, I hope you will be suitably motivated to request a demo to try it out yourself.

To get started, I'll begin with some basic terminology, and then briefly look at the three areas most important to supporting the DevSecOps life cycle: runtime defense, vulnerability management, and the all-important area of compliance, which is especially key in enterprises. In this article, I'll run through a basic installation, get your hands dirty with a look at Prisma Cloud Compute in action, and take a look at how Prisma Cloud Compute can be configured to prevent serverless functions from being compromised.

The Automation

To my mind, one of the most powerful aspects of Prisma Cloud Compute is its inclusion of machine learning, which creates behavior models for discovered resources automatically. After an initial period of monitoring a resource, any deviation from its model triggers alerts of varying severities. Once the (sometimes thousands of) intricate profiles for all of your resources have been created, you can then fine-tune the associated rules at a surprisingly granular level. This process not only saves vast amounts of time (and avoids the typing errors and misconfigurations humans commonly make), but after discovering the "normal" behavior of your resources, you can tweak the rulesets to account for anomalies with great ease.
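To make the learn-then-enforce idea concrete, here is an added illustration (not Prisma Cloud Compute's code or model format, which the article does not describe) of how a Defender-style agent can baseline a container image's behavior during a monitoring window and then raise alerts, with a severity per deviation type, for anything outside that baseline. The event stream, the image name, and the severity mapping are all constructed for the example, and the `learn()` call after an alert stands in for the manual rule tweaking the article mentions.

```python
"""Illustrative runtime behavior baseline (added example, not Prisma Cloud Compute code).

An agent observes events from a container during a learning window, builds a
per-image model of what is "normal", then flags deviations with a severity.
The event stream and severity table below are constructed for this example;
the real product's model and rule format are not reproduced here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Severity assigned to each kind of deviation (constructed for this example).
SEVERITY = {
    "process": "medium",
    "network": "high",
    "filesystem": "low",
}


@dataclass
class BehaviorModel:
    """Per-image allowlist learned during the monitoring window."""
    image: str
    allowed: dict = field(default_factory=lambda: defaultdict(set))

    def learn(self, kind: str, value: str) -> None:
        """Record a value as normal (used in learning, or as a manual rule tweak)."""
        self.allowed[kind].add(value)

    def check(self, kind: str, value: str):
        """Return an alert dict if the event deviates from the model, else None."""
        if value in self.allowed[kind]:
            return None
        return {"image": self.image, "kind": kind, "value": value,
                "severity": SEVERITY.get(kind, "medium")}


def build_models(events, learning_window: int):
    """Events with ts < learning_window train the models; later events are checked.

    Each event is (ts, image, kind, value).  Returns (models, alerts).
    """
    models = {}
    alerts = []
    for ts, image, kind, value in sorted(events):
        model = models.setdefault(image, BehaviorModel(image))
        if ts < learning_window:
            model.learn(kind, value)
        else:
            alert = model.check(kind, value)
            if alert:
                alerts.append(dict(alert, ts=ts))
    return models, alerts


# Constructed sample stream: the first 60 seconds are the learning window.
SAMPLE_EVENTS = [
    (1, "web:1.0", "process", "nginx"),
    (2, "web:1.0", "network", "10.0.0.5:5432"),
    (3, "web:1.0", "filesystem", "/var/log/nginx"),
    (5, "web:1.0", "process", "nginx"),
    (70, "web:1.0", "process", "nginx"),             # already in the model
    (71, "web:1.0", "process", "sh"),                # deviation -> medium
    (72, "web:1.0", "network", "203.0.113.9:9001"),  # deviation -> high
    (73, "web:1.0", "filesystem", "/tmp/x"),         # deviation -> low
]


def run_sample():
    """Run the constructed stream and return the alerts raised after learning."""
    _, alerts = build_models(SAMPLE_EVENTS, learning_window=60)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']:6}] t={a['ts']} {a['image']} {a['kind']}={a['value']}")
```

Running the block prints three alerts (one per deviation kind) for the post-learning events; calling `learn()` on the model for a value you have reviewed and accepted suppresses that alert on the next check, which is the simplified equivalent of tuning a rule after the profile has been built.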

The Mothership

The architecture includes a centralized server known as the Console, to which other components phone home with their audit logs and from which they receive new rules in return. The Console currently needs Docker running in the background and is provided as a container that listens on TCP port 8084 for what are known as Defenders. In addition to chatting away merrily to Defenders, the Console presents a well-designed and easy-to-use dashboard over a web interface. Normally this would be over TCP port 8083, but it's not uncommon to add your own TLS/SSL certificate and move it to HTTPS to avoid "site is not to be trusted" errors from your browser and to simplify internal firewall rules. Take note that if you write scripts against the API, some settings will still default to TCP port 8083 and will need to be adjusted.

The Enforcers

Currently three types of Defenders are offered: Container, Host, and Serverless. Each is responsible for monitoring a specific type of resource. Once your Console is up and running, most of your time will likely be spent tweaking the rules to which your Defenders adhere and ensuring that all your resources have a Defender monitoring their behavior.

Prisma Cloud Compute not only offers the Defenders to protect your resources, but it also offers two types of firewalls (which make some use of the machine learning models too). One, as you might expect, deals with simple network access and allows whitelisting and blacklisting of IP address ranges. The other is a relatively simple but effective web application firewall named the Cloud Native Application Firewall (CNAF). Note that rolling CNAF rules across all resources might affect performance.

Also employed to keep common threat information current is a custom threat intelligence system that works by aggregating a number of commercial online feeds. The intel is updated frequently to catch the latest security issues and can be tweaked manually so that you can add, for example, your own malware signatures, whitelisted vulnerabilities, and banned IP address ranges.
