Google Cloud and Prisma Cloud: Partnering to protect cloud VMs

Mar 29, 2021

Enterprises take cloud security seriously, and they’re willing to invest in solutions that protect their cloud infrastructure, applications and data. In 2020, Gartner predicted that global spending on cloud security would grow faster than spending on any other type of security. But the challenge is how to deliver first-rate cloud security without sacrificing speed, agility, and innovation—the capabilities that make cloud native applications so compelling in the first place. 

Palo Alto Networks is partnering with Google Cloud to help our customers achieve this critical balance between security, usability and performance in the cloud. Google recently took a big step toward this goal with its Host Defender Auto Deployment, which integrates the security capabilities of Prisma Cloud Compute Edition with Google Cloud's powerful automation and management tools. Host Defender Auto Deployment also implements a custom deployment UI that turns the process of using these tools into a fast, simple, and seamless experience—giving teams a better way to manage and secure cloud environments at massive scale.

Let’s take a closer look at how Google Cloud's Host Defender Auto Deployment works and how it addresses one of our customers' most important cloud challenges.


Getting Ahead of Multi-Cloud Complexity

Enterprises are deploying more cloud native applications, more quickly, to solve a greater variety of business challenges. Some workloads may run as hosts or VMs; others might be containerized or serverless deployments that run within distributed microservices environments.

You get the picture: A modern, multi-cloud environment can be extremely tough to manage, and even tougher to secure. 

Taming these multi-cloud challenges is a big reason why Google Cloud has focused on creating solutions like Google Anthos to make it simpler and easier to manage applications across multiple clouds. It's also a big reason why Google Cloud contributes to the open source community with technologies like Kubernetes, and it's why the Prisma Cloud team is partnering with them today to solve our customers' most urgent cloud security challenges.

Prisma Cloud is central to this partnership. We designed our Cloud Native Security Platform specifically to secure modern, multi-cloud environments—no matter where cloud workloads are deployed or how they happen to be running. That means Prisma Cloud is equally adept at securing public, private and hybrid cloud environments. It offers the same, holistic protection whether cloud workloads run as hosts, containers or serverless deployments; and its capabilities extend across the entire software lifecycle.


Defenders: A Better Approach to Multi-Cloud Security

Prisma Cloud has two key components: the Console, which provides a management interface with tools to define your security policy and monitor your cloud environment; and Defenders, which are agent-like components that protect a specific type of resource based on a user's security policies. 

Defenders come in a variety of flavors, including options for defending a host and its containers, a host environment without a running container engine, or serverless functions. Other types of Defenders are deployed as app-embedded or manually configured versions that can protect pretty much any other cloud-based runtime in use today.

There's a lot more happening under the hood, of course, but the end result is that Prisma Cloud gives enterprises a cloud native security architecture that keeps pace with today's dynamic, fast-evolving, and massively scalable multi-cloud environments. Unlike many security solutions, Defenders are architected to avoid creating new security issues: for example, they rely on a least-privilege security design that avoids using kernel extensions or any other host OS modifications. And every Defender type running in a customer's cloud environment reports back to a single Console, giving teams simple, single-pane-of-glass visibility into their hybrid cloud and multi-cloud environments.


Auto Deployments Clear the Barriers to Scalable Cloud Security

Qualities like visibility, simplicity and usability have been major points of emphasis for the partnership between Google Cloud and Palo Alto Networks. As multi-cloud environments get bigger and more complex, even the simplest management tasks can turn into burdens that drain a team's time and resources. That's why businesses need solutions that not only protect multi-cloud environments, but also make managing cloud security simpler and less stressful, even at massive scale.

Google Cloud's Host Defender Auto Deployment is important because it's truly a team win, showing how Prisma Cloud and Google Cloud work together to deliver security, performance and usability within a single, integrated package. To show you why, let's walk through a quick example of how the deployment works, and how it benefits customers:


  • First, let's review the use case for Host Defender: Virtual Machines (VMs) deployed as Google Compute Engine instances in a customer's Google Cloud environment. We know that many of our customers continue to depend on this deployment model. Host Defender maintains security, visibility and control even as the number of VMs being managed continues to scale.
  • Of course, different groups of VMs are likely to have different security and management requirements, or they may require you to deploy different security toolsets. Defining multiple security policies in Prisma Cloud is pretty simple—but ensuring that every new VM gets an up-to-date Host Defender instance, with the right security policy, can quickly become unmanageable as an environment scales and gets more complex.
  • Google Cloud solves this problem with interactive tools that give customers a faster, easier, and more intuitive way to deploy Host Defender agents. The key innovation is a custom deployment UI on the Google Cloud Console that turns this essentially into a single-step process. Once a customer adds Host Defender via Marketplace, the custom deployment UI takes them seamlessly through the deployment process: identifying groups of VM-based hosts based on their instance name prefix or instance label, and defining security policies that Host Defender should implement each time Compute Engine spins up a new VM within a defined group.
  • That's it. The same interactive deployment process, based on the same custom UI, can scale easily to set effective security policies for any group of supported VMs. And once the initial deployment is complete, Host Defender with Auto Deploy continues to work hand in hand with Google Cloud, automatically deploying a Host Defender agent with the correct security policy each time Compute Engine spins up a new virtualized host. 


There’s More to Come From the Google Cloud and Palo Alto Networks Partnership

Google Cloud's approach to integrating Host Defender with its Auto Deploy makes a difference for Prisma Cloud administrators. What was once a tedious and time-consuming deployment process is now a simpler, faster and far more efficient path to value for admins.

Better yet, these auto deployments can help nearly eliminate the risk of misconfigured or missing Host Defender deployments. Customers get a solution that extends their visibility and control, and sets the stage for more accurate reporting, compliance and governance.

Keep in mind that this is just one example of how the integrated capabilities between Google Cloud and Palo Alto Networks products create unique value and benefits for customers. The more our customers learn about using these capabilities, the better they'll get at managing and securing their cloud workloads at scale.

To learn more about Host Defender with Auto Deploy, including the setup requirements for your environments, get started with our hands-on Qwiklabs.
