Prisma Cloud Container Security
A security framework for containerized environments, particularly in Azure Container Registry and Azure Kubernetes Service (AKS).
| Category | Container & Kubernetes Security |
|---|---|
| This page updated | 23 days ago |
| Pricing Details | Contact for pricing details. |
| Target Audience | Organizations using Azure Container Registry and Azure Kubernetes Service (AKS) for containerized applications. |
Prisma Cloud addresses the complex security challenges inherent in containerized environments, particularly in Azure Container Registry and Azure Kubernetes Service (AKS), by providing a comprehensive security framework.
At its core, Prisma Cloud deploys Defenders, which are not agents installed in individual containers but are deployed as a Kubernetes DaemonSet on the cluster nodes. This approach provides host and container protection without rebuilding container images to include an agent.
The technical architecture involves integrating Prisma Cloud with Azure Container Registry to automatically scan container images for vulnerabilities and misconfigurations. Once a Defender is installed in an AKS cluster, it can immediately protect and monitor containers and hosts, providing real-time visibility and security enforcement. The Defender communicates with the Prisma Cloud Compute Console via WebSocket connections over port 443, which may require updates to allow lists if NAT gateways or proxies are in use.
Operationally, Prisma Cloud requires careful configuration to ensure seamless integration. For instance, egress connections through proxies may need authentication, and specific IP addresses must be allowed for Defender communication with the Prisma Cloud console. Additionally, the solution supports micro-segmentation based on identity, which differs from the tag-based approach of CN-Series firewalls, highlighting the need to choose the right tool based on specific security priorities.
Key technical details include the ability to scan container images in registries and during CI/CD pipelines, detecting known vulnerabilities and compliance issues. Prisma Cloud also provides access control, network segmentation, and monitoring capabilities, ensuring that container environments comply with industry regulations such as DISA STIG for Docker environments.
However, there are operational considerations and limitations. For example, managing large-scale deployments can be complex, and the solution's performance may degrade if not properly configured. Additionally, the cost of retaining scan data and compliance reports can increase in multi-account setups, necessitating careful resource planning.