The Future of the Cloud Native Security Platform: Q&A with John Morello

Feb 10, 2020
6 minutes

On Feb. 11, Palo Alto Networks hosted the Cloud Native Security Summit, which you can now view for free on-demand. Prior to the event, we sat down with John Morello, vice president of product for Prisma Cloud Compute Edition, to get his thoughts on Cloud Native Security Platforms.

What is something people might not know about Prisma Cloud?

There’s already a strong understanding among DevOps of what it means to shift left, and while it’s incredibly important, it’s not the whole story. One of the key things Prisma does is to help customers “shift right” as well, so to speak; that is, to utilize the metadata generated from the applications being built. This means not just monitoring and fixing vulnerabilities throughout the build but also informing and automating the security response after deployment to production. 

Not only can you have Prisma Cloud monitor as you build an image but also at deployment and runtime. Even if the app is already deployed and a vulnerability is discovered later, Prisma can automatically notify the developer of the issue by opening a ticket in JIRA or telling Jenkins to kick off a new build.

And that’s the benefit offered by a Cloud Native Security Platform (CNSP) – it spans the full continuous integration/continuous deployment (CI/CD) pipeline. It alleviates the difficulties of determining what issues may exist in a build that, two weeks ago, had no known vulnerabilities. That’s really powerful, and most people don’t realize Prisma Cloud can do it. 

Who benefits the most from a Cloud Native Security Platform?

One of the most important things is to build a platform that’s a great experience for both developers and security professionals.

First, we want to meet the developer where they are by integrating seamlessly into their projects. We build plugins and components that run natively in the tools developers use. Agile teams can’t be expected to build something and then have to go run some separate security scanning tool. Instead, we provide tools that just naturally become another step for the build, in the pipeline tools they’re already using.

We focus on automation, from setup and configuration to compliance and auditing. Everything we do is built around APIs. This allows customers to go as far as they want to from, say, a GitOps scenario — and we actually have customers today that are doing this, where instead of working with the Prisma UI, you manage rules as JSON objects in a GitHub repository and use Jenkins to push them to Prisma Cloud.

Having a platform that's designed to be very developer-friendly, utilizing modern tooling for automation and REST API endpoints allows people to really feel like it's not just a tool that the security team owns but something that anyone in the organization can embrace.

Of course, security teams still expect to have a level of control in all this. In the build, they can block vulnerable or noncompliant code from leaving the developer environment. Then they can prevent an image or a function from deploying if it’s noncompliant or not in line with vulnerability policies. 

At runtime, one of the market-leading things we do is apply machine learning to build 4D models of every application in your environment, based on actual observed behaviors of every individual build, of every single app, automatically. Then you can get an alert or prevent anything that falls outside of an expected behavior – all with no human involvement. Even better, Prisma Cloud won’t just flood you with alerts. Rather, it correlates multiple data points and automatically ranks risks by level of severity.
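The runtime model described above, reduced to its core idea as an added illustration (this is not Prisma Cloud's own model or code): a per-image baseline is learned from observed behaviour, later events outside that baseline are flagged, and the anomalies are correlated per container and ranked by severity. Image names, container ids, event kinds and severity weights are constructed sample values.

```python
from collections import defaultdict

# Constructed sample telemetry: (image, container_id, event_kind, value).
# The learning set stands in for the observed behaviour of a known-good build.
LEARN_EVENTS = [
    ("shop/api:1.4", "c1", "process", "node"),
    ("shop/api:1.4", "c1", "net_dst", "db.internal:5432"),
    ("shop/api:1.4", "c2", "process", "node"),
    ("shop/api:1.4", "c2", "fs_write", "/tmp"),
]
# Constructed later telemetry from the same image; container c4 deviates.
RUN_EVENTS = [
    ("shop/api:1.4", "c3", "process", "node"),
    ("shop/api:1.4", "c3", "net_dst", "db.internal:5432"),
    ("shop/api:1.4", "c4", "process", "node"),
    ("shop/api:1.4", "c4", "process", "sh"),
    ("shop/api:1.4", "c4", "net_dst", "198.51.100.9:8443"),
    ("shop/api:1.4", "c4", "fs_write", "/usr/bin"),
]
# Assumed weights: an unexpected process is worse than an unexpected write.
SEVERITY = {"process": 3, "net_dst": 2, "fs_write": 1}


class RuntimeModel:
    """Per-image allowlist of behaviour learned from observed telemetry."""

    def __init__(self):
        self.baseline = defaultdict(lambda: defaultdict(set))

    def learn(self, events):
        for image, _cid, kind, value in events:
            self.baseline[image][kind].add(value)

    def evaluate(self, events):
        """Return the events not covered by the model for their image."""
        return [(image, cid, kind, value) for image, cid, kind, value in events
                if value not in self.baseline[image][kind]]


def rank_incidents(anomalies):
    """Correlate anomalies per container and rank by summed severity."""
    score, details = defaultdict(int), defaultdict(list)
    for image, cid, kind, value in anomalies:
        score[(image, cid)] += SEVERITY[kind]
        details[(image, cid)].append(f"{kind}={value}")
    return sorted(((s, key, details[key]) for key, s in score.items()), reverse=True)


if __name__ == "__main__":
    model = RuntimeModel()
    model.learn(LEARN_EVENTS)
    for total, (image, cid), why in rank_incidents(model.evaluate(RUN_EVENTS)):
        print(f"severity={total} {image} {cid}: {', '.join(why)}")
```

A single unexpected write would rank low on its own; the score rises only when several out-of-model signals coincide in one container, which is the correlation step the text describes.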

Is a culture shift needed to adopt a Cloud Native Security Platform?

The culture shift is already happening. I think most development teams understand the need for and the benefits of shifting left. The philosophy around DevSecOps is integral for organizations to fully realize their digital transformation. You need a symbiotic relationship between the development organization and the security organization.

While a CNSP lays the foundation, you really need to embrace the notion of cloud native in general – of removing friction in the development and delivery process. Otherwise, you’re just compounding complexity by adding modern security tools into the old process. 

What’s the business case for adopting the Cloud Native Security Platform?

In my opinion, the business case is fairly straightforward. If you’ve invested in the people and processes necessary to shift to cloud native application development, it’s not really a choice whether to adopt a CNSP. 

Typically, companies adopt cloud native development to stay competitive by being able to quickly iterate on applications and to scale much more rapidly if and when needed. It’s about being able to react quickly to the market. A CNSP helps you stay secure in that process. 

What’s coming next?

I don’t think we can say that in five or even 10 years there's going to be some dramatically new way of doing computing. Rather, the cloud native approach that exists now will become more pervasive, with more diversity in approaches. 

By that, I mean we already have this continuum of cloud native technologies that describes the many different ways you can provide compute to your apps. On one end, you have VMs, toward the center are containers, then at the other end of the spectrum is serverless. It’s not an either/or decision, nor a migration path from left to right. Instead, each of these options has its own strengths. And organizations choose the right ones per workload, based on the needs of that particular workload.

I think in the future we’ll see an increasing number of midpoints between these technologies. We’re already seeing things like AWS Firecracker for microVMs and Kata containers, or AWS Fargate and Azure Container Instances. I think that you'll continue to see cloud service providers look for ways they can offer an even more streamlined developer experience while still leveraging the same basic underlying technologies. 

For us, we’ll look to iterate and build capacity to meet the demands for greater security as the threats and application architectures keep evolving. You can expect us to continue to be in all the clouds, covering all the compute options throughout the dev lifecycle as this ecosystem evolves.

Keep Learning

Hear more from John and other industry experts as we take a deep dive into container technologies, Kubernetes and cloud native environments – including how to seamlessly secure them. View the Cloud Native Security Summit on-demand, for free.
