Prisma Cloud Reinvents the Firewall for Cloud Native Security

A sponsored post from Palo Alto Networks, about Prism Cloud's new-look web application firewall, several different functions are combined to protect your cloud services.

Feb 2nd, 2021 1:52pm by Steven J. Vaughan-Nichols

Featued image for: Prisma Cloud Reinvents the Firewall for Cloud Native Security

Prisma Cloud, from Palo Alto Networks, is a sponsor of The New Stack.

The latest version of Prisma Cloud, Palo Alto Networks’ (PANW) cloud native security platform, now includes what the company calls “the industry’s most accurate web application firewall (WAF) capabilities.”

A cloud native WAF protects any kind of cloud workload. It also provides all of the layers required today for protecting your web and APIs against application-layer attacks. It inspects traffic intelligently and blocks attacks, fends off bots, and stops automated attack processes such as account takeover bots or web scrapers. The API protection also works on both north-south and east-west traffic between microservices.

“Today your assets are in the cloud. Some of them are running on containers or serverless functions that are ephemeral. It’s a challenge for application security teams to comprehensively secure these applications. You have clusters coming up and down being deployed everywhere. Some of the workloads are running in public cloud, private cloud or on-premises,” explained PANW Senior Distinguished Research Engineer and well-known cloud security expert Ory Segal. “So today’s enterprises require a web application firewall optimized for cloud native architectures. You need to come up with a new novel approach, which is what we tried to do with Prisma Cloud.”

In PANW’s new-look web application firewall, several different functions are combined to protect your cloud services. Its WAF combines application programming interface (API) security, runtime protection, and a bot defense platform into a strong defense for cloud native applications.

Palo Alto Networks faced three major challenges in building its next-gen web application firewall, Segal explained. “One was the inability of deploying legacy firewalls in modern clouds. In orchestrated cloud containers and serverless, it’s simply impossible to deploy an appliance. You can’t bolt on an archaic firewall as a service in the cloud.” So, “we needed something that is cloud native by itself to support the cloud native architectures and to support microservices with support for inspecting East-West traffic.

“The second problem was the auto-scaling nature of cloud native applications,” Segal continued. “You have containers spinning up and down and serverless functions running and then disappearing. To manage spikes of traffic from hundreds, if not thousands of instances, you must build in capacity planning. That means it must scale up and down together with the application with its serverless functions and containers.

Finally, PANW needed to integrate web application security with cloud security posture management, Identity and Access Management (IAM) security and data prevention loss (DLP) for scanning Virtual Machines (VM), containers, and/or functions. Segal added, “you can’t really expect customers to buy many point solutions from multiple different vendors. We see this fragmentation as a serious problem in the cybersecurity space. And we wanted something that will be all-encompassing, you know, a one-stop-shop for all of your cloud security problems.”

The protection work is done by defender agents, which run inside every host container, serverless function, or VM, either in the cloud or on-premises. These report back to the console, where you can manage them, and you can manage them at scale.

This, Segal explained, makes it “very easy for us to protect any kind of cloud workload, because we are essentially attached to the workload itself. It doesn’t matter how many instances you have, so there’s no bottleneck or auto-scaling issues. The architecture is fully supported. We support all the big cloud security providers and all the major serverless, Kubernetes, and container environments.”

Ory Segal – A New Approach to the Firewall for Protecting Cloud-Native Services

Also available on Apple Podcasts, Google Podcasts, Overcast, PlayerFM, Pocket Casts, Spotify, Stitcher, TuneIn

Beyond the Firewall: New Prisma Cloud Features

There’s more to the new Prisma Cloud offering than WAF. Via its modules, such as Host Security, Container Security, and Web Application and API Security (WAAS), it includes a variety of cloud workload protection capabilities. The protections include:

Bot Risk Management: Prisma Cloud Web Application and API Security (WAAS) customers can now manage web bots and decide how to handle access for different bot types. Users have customizable visibility and protection covering known, unknown, and user-defined bots.
Host Security With Custom Compliance Policies: Prisma Cloud enhances compliance for virtual machines with custom compliance checks for operating systems, orchestrators, and runtime configurations.
Container Security With Enhanced Kubernetes Cluster Awareness and CRI-O Compliance Checks: Prisma Cloud now has deeper Kubernetes integration with enhanced Kubernetes cluster awareness. This makes it simpler to gain quick visibility, manage security policies and view runtime audits via Kubernetes cluster filters. For CRI-O, Prisma Cloud maps 25 specific compliance checks to CRI-O across containers, images, and host configurations.
Advanced denial-of-service (DoS) Protection: Prisma Cloud WAAS now includes the ability to defend against application-layer DOS attacks by applying rate controls.

PANW’s DoS protection is especially interesting. Instead of simply counting how many requests an IP does in five seconds — for example, no client of these APIs should send 500 requests per second — it takes a more analytical approach. These days the world isn’t as simple as that.

Segal explained, “you don’t want to punish users just because they share the same IP or gateway with some rotten apples. So, what we did was switch or allow our customers to apply rate controls not only based on IP but also based on the layer seven application level. So we track user sessions; the HTTP sessions themselves; the web sessions; and the specific session cookie.” This enables DevOps “to do more granular work for the rate accounting.” This way, “we can prevent spiky traffic coming from malicious hackers behind NAT gateways for example.”

In addition, Segal continued, besides being able to alert, log, or block dodgy network activities, “we also provide a very cool trick which we call ‘ban.’ This is basically a penalty box. Once we detect that an attacker, a user or a client is doing malicious actions, sysadmins can decide to ban the malicious user in the penalty box for five minutes. Now, it’s not only annoying for the attacker that they have to stop every five minutes to continue with the attack. It’s also a very cool protection layer. Because most times attackers will not start with their most sophisticated attack payloads, they will start by sending reconnaissance probes, and those probes will already trigger the ban action, we’ll put them on the side for five minutes. And then it doesn’t matter if they pull out the big gun or the big trick or the sophisticated attack, those will be automatically and categorically blocked, because they’re in the penalty box, which again, is a very good defense against such attacks.”

It’s an interesting approach and having spent several decades working on network security, it could really foul up the typical automated botnet attacks.

WAF in the Bigger Cloud Native Security Picture

At the same time that cloud native users want as much protection as possible, they also want it delivered as simply as possible across the cloud native continuum, said Varun Badhwar, PANW’s senior vice president for Prisma Cloud. That means “securing hosts, containers and Kubernetes, and serverless functions — both at runtime and across the application lifecycle. Many organizations are moving to the cloud and need to protect applications end-to-end, starting from infrastructure and going all the way to the application layer.” Badhwar concluded, “Prisma Cloud delivers the best-of-breed and comprehensive solution designed to protect these organizations from third-party attacks.”

If that sounds complex, even if PANW is doing its best to make it simple, you’re right. It is. Security in the cloud is much more complicated than it was back when all you had to worry about was the servers in the back room. But, consider the results from the 2020 Cloud Native Computing Foundation (CNCF) Survey. The CNCF found that:

Container usage continues to rise: The use of containers in production has increased by 300% since 2016, up 84% just in the last year.
Kubernetes is more mainstream than ever: A full 91% of CNCF respondents report using Kubernetes, with 83% of them using Kubernetes in production.
Serverless adoption continues: 30% of respondents reported using serverless technologies in production today.
CI/CD technologies are essential to cloud native users: More than 80% of respondents use CI/CD pipelines in production.

In other words, as we all keep moving ever faster to a cloud native IT world, we need security solutions such as cloud-smart security programs like the latest Prisma Cloud to protect ourselves.

The Cloud Native Computing Foundation is a sponsor of The New Stack.

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast internet connection, WordStar was the state-of-the-art word processor, and we liked it.

TNS owner Insight Partners is an investor in: Pragma, The New Stack.