
Prisma Cloud Identity-Based Microsegmentation

Enforce Identity-Based Network Defense Across Hosts, Containers, and Kubernetes

Reduce the attack surface and prevent the lateral spread of breaches across hybrid and multi-cloud environments. Prisma® Cloud combines identity with network segmentation to deliver uniform visibility and protection across hosts, containers, and Kubernetes® on any cloud.

Prisma by Palo Alto Networks | Prisma Cloud Identity-Based Microsegmentation | Datasheet 1


Comprehensive Microsegmentation for the Multi-Cloud Reality

Enterprises have diversified their compute form factors, including on-premises virtual machines (VMs), cloud-based VMs, and containers into their private and public cloud infrastructures. With the accelerated growth of cloud computing, security teams are presented with a sprawling attack surface across their multi-cloud environments. Microsegmentation is an effective security control proven to shrink the attack surface; however, managing disparate traditional tools for microsegmentation comes with several challenges, creating friction with multi-cloud adoption and rendering security benefits useless. Prisma Cloud Identity-Based Microsegmentation simplifies segmentation across multi-cloud without relying on the network.

Network infrastructure and constructs (e.g., VLANs/VXLANs, ACLs, subnets) are not fit for microsegmentation because application topologies and network topologies don't match (see figure 1). Prisma Cloud decouples security from the network and conforms to application topologies, enabling simple and effective application isolation (see figure 2).

[Figure 1 shows VMs in a Public Cloud and a Private Cloud grouped by network constructs (Subnets and VXLANs); figure 2 shows the same VMs grouped by application. Applications: Point-of-sale, Payment app, Shopping cart, ERP App.]

Figure 1: Network segmentation isolating networks

Figure 2: Prisma Cloud Identity-Based Microsegmentation isolating applications

Table 1: Before and After Deploying Identity-Based Microsegmentation

Before: Network boundaries (e.g., subnets, ACLs, security groups) don't match with application topologies, making segmentation difficult.
After: Segmentation is driven by application and workload context rather than relying on network constructs.

Before: The network offers limited visibility and no understanding of application requirements.
After: End-to-end visibility into inter- and intra-application traffic flows helps teams understand application dependencies.

Before: Policy changes with traditional network security workflows can take days or weeks, resulting in slower application development.
After: Automation and DevSecOps reduce policy change times and accelerate application delivery.

Before: Internal NAT and ephemeral IP addresses in Kubernetes make IP-based rules irrelevant.
After: Policies are enforced using Kubernetes pod identity rather than network addresses.

Before: Disparate tools required across hosts, containers, and clouds create inconsistent protection.
After: Unified security policies protect VMs and containers across hybrid- and multi-cloud environments.



Prisma Cloud Identity-Based Microsegmentation Capabilities

Network Security Powered by Workload Identity

Workload identity is the key element that enables Zero Trust with Identity-Based Microsegmentation. Prisma Cloud assigns every protected host and container a cryptographically signed workload identity. Each identity consists of contextual attributes, including metadata from cloud native sources across Amazon Web Services (AWS®), Microsoft Azure®, Google Cloud, Kubernetes, and more. Traditional network security controls use IP addresses to allow or deny access. Prisma Cloud uses workload identity to authenticate and authorize application communication requests. Only workloads verified by their identity are allowed to communicate on the network. By normalizing network security with identity, organizations can effectively understand their applications and embrace a Zero Trust security posture.

Application Dependency Mapping

Prisma Cloud delivers real-time and historical visibility of network flows across hosts, containers, and Kubernetes no matter where they run. This allows you to visualize application dependencies in a map without requiring any knowledge of the underlying network architecture. Seeing how applications communicate helps application and security teams make informed policy decisions. Before Prisma Cloud, collecting and interpreting network flow data was a constant challenge. The nature of cloud and Kubernetes makes IP addresses less reliable when teams want to understand how applications communicate. With Identity-Based Microsegmentation, workloads mutually authenticate identity each time applications communicate. By capturing identity with every network flow, Prisma Cloud ensures accurate visibility without relying on source or destination network addresses.

Figure 3: Workload identity attributes and application dependency map



Policy Management

Network Policy Language with Application Context

Identity-Based Microsegmentation policies use contextual, application-driven tags (e.g., service=frontend can talk to service=backend) instead of network-centric language (Allow 192.168.10.20 to 10.0.0.31). Managing policy across heterogeneous environments becomes a possibility since you have a common workload identifier that is abstracted from infrastructure.

Automated Policy Suggestions

Enterprises can begin the policy building process with simple policy suggestion workflows. Prisma Cloud takes learned application behavior and couples it with identity attributes to automatically recommend microsegmentation policies with minimal user input.

Figure 4: Deploying identity-based policy via a web console or code

Policy Testing and Modeling

Prisma Cloud eliminates the hesitancy that comes with provisioning new network security configurations. Security teams can test new microsegmentation policies by visualizing their impact on application communications before applying them. This helps organizations incrementally transition to a Zero Trust posture without any worry about network outages or disruptions to application development workflows.

Microsegmentation Policy as Code

Prisma Cloud provides security and DevOps teams the ability to deploy microsegmentation policies as code without requiring any knowledge of network-centric language. Codified network policies natively fit into continuous integration/continuous deployment (CI/CD) and other automation workflows to ensure security never hinders application delivery.

Identity-Based Policy Enforcement with Zero Trust

Prisma Cloud does away with the traditional network security practice of filtering application traffic based on IP addresses. With Identity-Based Microsegmentation, protected workloads are assigned cryptographic identities, which the workloads then use to mutually authenticate and authorize application communication requests. The Zero Trust approach enabled by Prisma Cloud allows only verified applications to intercommunicate, ensuring optimal protection of cloud workloads.
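As an added illustration of the tag-based policy language and the policy-as-code workflow described above, here is a small evaluator in Go. It is not Prisma Cloud's own code or policy schema: the attribute names (app, service, pod_ip), the JSON rule layout, the rule names and the addresses are constructed for this example. Alongside the identity rule it carries the address-keyed rule from table 1, to show why a rule of the form "Allow 192.168.10.20 to 10.0.0.31" stops fitting once a pod is rescheduled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Identity is the set of contextual attributes a workload presents with a
// connection request. The attribute names (app, service, pod_ip) and their
// values are constructed for this example, not Prisma Cloud's schema.
type Identity map[string]string

// Rule is one identity-based policy statement: a workload matching every
// selector in From may connect to a workload matching every selector in To
// on Port. The JSON layout is an assumption made for this example.
type Rule struct {
	Name string            `json:"name"`
	From map[string]string `json:"from"`
	To   map[string]string `json:"to"`
	Port int               `json:"port"`
}

// matches reports whether id carries every key/value of the selector.
func matches(selector map[string]string, id Identity) bool {
	for k, v := range selector {
		if id[k] != v {
			return false
		}
	}
	return true
}

// Authorize evaluates a connection request against the rule set. It is
// default-deny: the request passes only when some rule matches both ends
// and the port; the matching rule's name is returned for the flow record.
func Authorize(rules []Rule, src, dst Identity, port int) (bool, string) {
	for _, r := range rules {
		if r.Port == port && matches(r.From, src) && matches(r.To, dst) {
			return true, r.Name
		}
	}
	return false, ""
}

// LoadRules parses a policy-as-code document, so the same rules can live in
// version control and be applied from a CI/CD pipeline.
func LoadRules(doc string) ([]Rule, error) {
	var rules []Rule
	err := json.Unmarshal([]byte(doc), &rules)
	return rules, err
}

// policyJSON is a constructed policy document for a shop application.
const policyJSON = `[
  {"name": "frontend-to-cart",
   "from": {"app": "shop", "service": "frontend"},
   "to":   {"app": "shop", "service": "shopping-cart"}, "port": 8080},
  {"name": "cart-to-payment",
   "from": {"app": "shop", "service": "shopping-cart"},
   "to":   {"app": "shop", "service": "payment"}, "port": 8443}
]`

// ipPair and AuthorizeByIP model the network-centric rule the datasheet
// contrasts against: the decision is keyed on addresses, so it does not
// follow a pod that is rescheduled, and it admits whatever workload
// inherits the old address.
type ipPair struct{ Src, Dst string }

var ipAllowlist = map[ipPair]bool{{"10.42.1.17", "10.42.3.9"}: true}

func AuthorizeByIP(src, dst Identity) bool {
	return ipAllowlist[ipPair{src["pod_ip"], dst["pod_ip"]}]
}

func main() {
	rules, err := LoadRules(policyJSON)
	if err != nil {
		panic(err)
	}
	payment := Identity{"app": "shop", "service": "payment", "pod_ip": "10.42.3.9"}
	cart := Identity{"app": "shop", "service": "shopping-cart", "pod_ip": "10.42.1.17"}
	// The cart pod is rescheduled and receives a new address.
	movedCart := Identity{"app": "shop", "service": "shopping-cart", "pod_ip": "10.42.7.2"}
	// An unrelated workload is scheduled onto the cart's old address.
	erp := Identity{"app": "erp", "service": "ledger", "pod_ip": "10.42.1.17"}

	for _, c := range []struct {
		label string
		src   Identity
	}{{"cart", cart}, {"rescheduled cart", movedCart}, {"erp on cart's old IP", erp}} {
		byID, rule := Authorize(rules, c.src, payment, 8443)
		fmt.Printf("%-22s -> payment:8443  identity=%-5v (%s)  ip-based=%v\n",
			c.label, byID, rule, AuthorizeByIP(c.src, payment))
	}
}
```

Running it shows the identity rule following the rescheduled cart pod, while the address allowlist both loses the cart and admits the ERP pod that inherited its address; only the identity-based decision survives the address churn that table 1 describes.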

Traditional IP-Based Network Security (connection request):
  Client -> Server: SYN (SRC=CLIENT IP)
  Server -> Client: SYN ACK (SRC=SERVER IP)
  Client -> Server: ACK (SRC=CLIENT IP)

Prisma Cloud (connection request):
  Client -> Server: SYN (CLIENT NONCE, ATTRIBUTES, SIGNATURE)
  Server -> Client: SYN ACK (SERVER NONCE, ATTRIBUTES, SIGNATURE)
  Client -> Server: ACK (C-NONCE, S-NONCE, SIGNATURE)

Figure 5: Identity-based enforcement to verify workload authenticity before authorizing access
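The three-message exchange in figure 5, worked through as an added Go example that is not Prisma Cloud's agent code. The datasheet says only that identities are cryptographically signed and that the SYN, SYN ACK and ACK carry nonces, attributes and signatures; everything else here is an assumption made to make the exchange concrete: Ed25519 keys, a control-plane issuer that signs each identity document, the attribute field names, and the way signed payloads are concatenated. Each side rejects a peer whose identity was not signed by the trusted issuer or whose signature does not verify under that identity's key, and the final ACK signs both nonces so a captured ACK cannot be replayed into a later handshake.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Attrs are the contextual attributes bound into a workload identity; the
// field names are an assumption made for this example.
type Attrs struct{ App, Service, Cluster string }

func (a Attrs) bytes() []byte { return []byte(a.App + "|" + a.Service + "|" + a.Cluster + "|") }
func concat(parts ...[]byte) []byte   { return bytes.Join(parts, nil) }

// IdentityDoc binds attributes to the workload's public key under the
// control-plane issuer's signature, which every enforcement agent trusts.
type IdentityDoc struct {
	Attrs     Attrs
	PubKey    ed25519.PublicKey
	IssuerSig []byte
}

func (d IdentityDoc) payload() []byte { return concat(d.Attrs.bytes(), d.PubKey) }

// Workload holds the private key that proves ownership of its identity.
type Workload struct {
	priv ed25519.PrivateKey
	ID   IdentityDoc
}

// Issuer is the control-plane signing key. Ed25519 is this example's choice;
// the datasheet says only that identities are cryptographically signed.
type Issuer ed25519.PrivateKey

func keyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
func NewIssuer() Issuer                 { _, priv := keyPair(); return Issuer(priv) }
func (i Issuer) Pub() ed25519.PublicKey { return ed25519.PrivateKey(i).Public().(ed25519.PublicKey) }

// Enroll mints a key pair for a workload and signs its identity document.
func (i Issuer) Enroll(a Attrs) Workload {
	pub, priv := keyPair()
	doc := IdentityDoc{Attrs: a, PubKey: pub}
	doc.IssuerSig = ed25519.Sign(ed25519.PrivateKey(i), doc.payload())
	return Workload{priv: priv, ID: doc}
}

// Hello is the SYN / SYN ACK payload of figure 5: a fresh nonce, the identity
// (attributes), and the workload's signature over nonce || attributes.
type Hello struct {
	Nonce, Sig []byte
	ID         IdentityDoc
}

func (w Workload) Hello() Hello {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return Hello{Nonce: n, ID: w.ID, Sig: ed25519.Sign(w.priv, concat(n, w.ID.Attrs.bytes()))}
}

// VerifyHello checks both links of the chain: the issuer vouches for the
// identity, and the peer proves it holds that identity's private key.
func VerifyHello(issuerPub ed25519.PublicKey, h Hello) error {
	if !ed25519.Verify(issuerPub, h.ID.payload(), h.ID.IssuerSig) {
		return errors.New("identity not signed by the trusted issuer")
	}
	if !ed25519.Verify(h.ID.PubKey, concat(h.Nonce, h.ID.Attrs.bytes()), h.Sig) {
		return errors.New("peer cannot prove possession of the identity key")
	}
	return nil
}

// Ack signs both nonces, binding the client's proof to the server's fresh
// challenge so a captured ACK cannot be replayed into a later handshake.
func (w Workload) Ack(cNonce, sNonce []byte) []byte { return ed25519.Sign(w.priv, concat(cNonce, sNonce)) }

func VerifyAck(client IdentityDoc, cNonce, sNonce, sig []byte) bool {
	return ed25519.Verify(client.PubKey, concat(cNonce, sNonce), sig)
}

// Handshake runs the figure 5 exchange and returns the authenticated peer
// attributes (server as seen by the client, client as seen by the server)
// for the policy engine to authorize, in place of IP addresses.
func Handshake(issuerPub ed25519.PublicKey, client, server Workload) (Attrs, Attrs, error) {
	syn := client.Hello() // SYN: client nonce, attributes, signature
	if err := VerifyHello(issuerPub, syn); err != nil {
		return Attrs{}, Attrs{}, errors.New("server rejects SYN: " + err.Error())
	}
	synAck := server.Hello() // SYN ACK: server nonce, attributes, signature
	if err := VerifyHello(issuerPub, synAck); err != nil {
		return Attrs{}, Attrs{}, errors.New("client rejects SYN ACK: " + err.Error())
	}
	ack := client.Ack(syn.Nonce, synAck.Nonce) // ACK: signature over both nonces
	if !VerifyAck(syn.ID, syn.Nonce, synAck.Nonce, ack) {
		return Attrs{}, Attrs{}, errors.New("server rejects ACK")
	}
	return synAck.ID.Attrs, syn.ID.Attrs, nil
}
```

Handshake returns the attributes each side has verified, which is the input the identity-based policy needs; note that no IP address takes part in the decision, which is what lets the policy survive NAT and ephemeral pod addresses.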



Monitoring and Reporting

Flow Records for Compliance Reporting

Prisma Cloud stores historical flow records with workload context for compliance reporting. You can apply queries with flexible filters to get the data you need. Network and security teams use this data to generate reports for compliance.

Identity-Based Microsegmentation Secures Hosts and Containers

Prisma Cloud provides microsegmentation support for hosts and containers across all cloud environments, whether private, public, or a mixture of both. Identity-Based Microsegmentation provides host protection for Linux and Windows Server operating systems as well as container protection for Kubernetes, OpenShift®, and Docker®.

The Identity-Based Microsegmentation module is fully integrated into the Prisma Cloud platform. To learn more, you can visit us online or request a personalized demo now.

About Prisma Cloud

Prisma Cloud is a comprehensive Cloud Native Security Platform with the industry's broadest security and compliance coverage—for applications, data, and the entire cloud native technology stack—throughout the development lifecycle and across hybrid and multi-cloud environments. Its integrated approach enables security operations and DevOps teams to stay agile, collaborate effectively, and accelerate cloud native application development and deployment securely.

Prisma Cloud eliminates the security constraints around cloud native architectures, rather than masking them, and breaks down security operational silos across the entire application lifecycle, allowing DevSecOps adoption and enhanced responsiveness to the changing security needs of cloud native architectures.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
prisma_ds_prisma-cloud-identity-based-micro-segmentation_030521
