Securing Google Cloud Run with Prisma Cloud

Nov 20, 2019
4 minutes

Organizations can be challenged by the complexity of Kubernetes and its potentially large attack surface. As Kubernetes adoption increases, enterprise architects and security professionals are looking for new compute offerings to better power this modern application, while also offering a seamless developer experience. 

Earlier in 2019, Google Cloud announced Cloud Run, a new serverless platform designed to run containers in an event-driven way. Cloud Run is a fully managed or unmanaged serverless execution environment, meaning that it can operate on its own or on Google Anthos. Cloud Run also provides a serverless developer experience and workload portability for your GKE cluster, allowing the enterprise to shrink the attack surface in times of low utilization.


Anthos and Cloud Run: Architecture and Security

Most enterprises have hybrid or multi-cloud deployments, and maintaining consistent security posture across all deployments is always a top priority—the serverless nature of Google Cloud Run is no exception.

While Cloud Run helps minimize the cloud native attack surface, infrastructure and security teams require security solutions that are consistent with the environment they are using. With Prisma Cloud by Palo Alto Networks, and comprehensive capabilities resulting from the integration of Twistlock, organizations can achieve consistent security posture regardless of how they leverage GKE, Anthos and Cloud Run.  

Anthos, a platform that provides organizations with app modernization both in the cloud and on-premises, can also use Cloud Run to provide customers with a serverless or event-driven architecture by running on top of Google’s cloud-based Kubernetes engine in an on-premises environment. Users run containerized workloads in this environment within the data center on a platform that is validated and kept up-to-date by Google. Anthos On-Prem helps to remove the complexities when running a Kubernetes cluster on-prem. This, in turn, allows for easier management since policies can be enforced across all user clusters, whether on-prem or in the cloud.


How Prisma Cloud Secures Cloud Run Environments

With the integration of Twistlock capabilities, Prisma Cloud provides security for any configuration of Anthos, including Anthos on-premises, as well as managed or unmanaged Cloud Run. Prisma Cloud is driven by APIs and deployed agents called Defenders. Because Prisma Cloud supports any Kubernetes platform, organizations gain a consistent security posture across on-premises, cloud and multi-cloud environments. 

Prisma Cloud provides organizations with unmatched visibility and defense-in-depth for workloads and applications running on Google Cloud Platform. Here’s how:

Real-time visibility: Because cloud-native environments are constantly changing, organizations can be challenged to understand current vulnerability or compliance status and how containers or applications are communicating with one another. Prisma Cloud provides integrated data about risk and compliance status along with a live network topology, which is visible in our Radar view.

Shift security left into every build and deployment: Because developers play a vital role in the security posture of containers, integrating security into CI/CD workflows becomes an essential requirement for security teams--that’s why Prisma Cloud supports container image scanning as part of Google Cloud Build and Google Container Registry (GCR). Security teams can even set thresholds to block builds based on specific criteria, such as images with critical vulnerabilities that contain vendor fixes.

Runtime protection for cloud-native applications: Prisma Cloud, with Defenders deployed as containerized agents, DaemonSets, or embedded within the Dockerfile, provides powerful runtime security for Kubernetes applications. By automatically modeling application behavior, security teams achieve a baseline of security policy configured precisely for each application, both in the cloud and on-premises. This baseline supports deployments for any scale.

Prisma Cloud provides full visibility into all of the Cloud Run services. It can be SaaS-hosted or self-managed and is deployed in Google Cloud to utilize all the combined Prisma Cloud and Twistlock functionality. This includes visibility into the namespaces being utilized by Anthos and Cloud Run while protecting all GKE resources, regardless of where they live, on-prem or in the cloud.


Get Running with Cloud Run - Securely

Prisma Cloud and Anthos, coupled with unmanaged Cloud Run, provide a compelling proposition for on-prem Kubernetes workloads. Jointly, this deployment model allows enterprises that are starting their cloud journey a robust and secure posture no matter what their attack surface looks like. At Palo Alto Networks, we make every effort to provide complete protection for your workloads wherever they are running - without exception. With support for Anthos on-premises and Anthos GKE using unmanaged Cloud Run, we are able to offer complete support to keep all of your workloads secure.

We’re at Google Cloud Next London this week. Stop by our booth (#V7) if you have questions or would like some first hand insight into what we’re up to. Or you can visit our website to learn more about our partnership and integrations with Google Cloud Platform


Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.