• Home
  • Prisma Cloud by Palo Alto Networks vs. Red Hat Advanced Cluster Security for Kubernetes

Prisma Cloud by Palo Alto Networks vs Red Hat Advanced Cluster Security for Kubernetes comparison

Cancel
You must select at least 2 products to compare!
Comparison Buyer's Guide
Download the complete report
Buyer's Guide
Prisma Cloud by Palo Alto Networks vs. Red Hat Advanced Cluster Security for Kubernetes
May 2024
Executive Summary
Updated on Jul 4, 2023

We performed a comparison between Prisma Cloud by Palo Alto Networks and Red Hat Advanced Cluster Security for Kubernetes based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Features: Prisma Cloud by Palo Alto Networks is highly regarded for its extensive visibility and management features, including Cloud Security Posture Management and container security. On the other hand, Red Hat Advanced Cluster Security for Kubernetes receives acclaim for its excellent resource-sharing and segmentation capabilities. Prisma Cloud could be more customizable and integrate with ticketing solutions better. Red Hat Advanced Cluster Security for Kubernetes requires enhancements in testing, documentation, usability, and stability.

  • Service and Support: Some Prisma Cloud customers have called Palo Alto support exceptional and prompt, while others have reported sluggish response times. Customers have generally provided positive remarks about the customer service offered by Red Hat, deeming it to be of high quality.

  • Ease of Deployment: Some Prisma Cloud users found the setup process to be simple, but others said it was somewhat complicated. The deployment time varies depending on the customer environment. The setup for Red Hat Advanced Cluster Security for Kubernetes involves creating multiple customer resource files and deploying the desired image as a container. The setup is considered moderately easy and the deployment time varies based on the customer's needs, with financial institutions typically taking longer.

  • Pricing: Users have differing opinions on the setup cost of Prisma Cloud by Palo Alto Networks, but many find it to be reasonable and competitive. On the other hand, Red Hat Advanced Cluster Security for Kubernetes is moderately priced and offers subscription-based options along with a bundled price.

  • ROI: Prisma Cloud by Palo Alto Networks has proven to be highly effective at preventing breaches, enhancing risk visibility, streamlining operations, and mitigating cyberattack threats. Users have provided limited feedback regarding the ROI of Red Hat Advanced Cluster Security for Kubernetes.

Comparison Results: Prisma Cloud by Palo Alto Networks is preferred over Red Hat Advanced Cluster Security for Kubernetes. Prisma Cloud offers comprehensive visibility and management options through a user-friendly web GUI. Users appreciate its anomaly detection abilities, seamless integration with other tools, and the ability to provide security across multi- and hybrid-cloud environments. Compared to Prisma Cloud, Red Hat Advanced Cluster Security for Kubernetes falls short in terms of usability, documentation, and stability.

To learn more, read our detailed Prisma Cloud by Palo Alto Networks vs. Red Hat Advanced Cluster Security for Kubernetes Report (Updated: May 2024).
Download the complete report
771,212 professionals have used our research since 2012.
Featured Review
Anonymous User
Researched Prisma Cloud by Palo Alto Networks but chose Singularity Cloud Security by SentinelOne: It is easy to use, requires no configuration, and is agentless
I have used Prisma Cloud extensively at several organizations. We have also used Wiz and Cloud Native Security. Cloud Native Security is... Read more →
Anonymous User
Automation and integration capabilities of Prisma have allowed us to save a lot of engineer time
It's hard for me to say how Prisma has improved our organization because it was implemented before I joined. But given the number of security... Read more →
PavanKumar19
A highly stable solution that can be used to perform system-level event monitoring
My company has been using the solution for quite a long time, and it's been working really well. The productivity and visibility of the entire... Read more →
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"I like CSPM the most. It captures a lot of alerts within a short period of time. When an alert gets triggered on the cloud, it throws an alert within half an hour, which is very reasonable. It is a plus point for us.""There's real-time threat detection. It can show threats and find issues based on their severity and helps us with real-time monitoring.""The multi-cloud support is valuable. They are expanding to different clouds. It is not restricted to only AWS. It allows us to have different clouds on one platform.""We use the infrastructure as code scanning, which is good.""PingSafe offers three key features: vulnerability management notifications, cloud configuration assistance, and security scanning.""Cloud Native Security's most valuable features include cloud misconfiguration detection and remediation, compliance monitoring, a robust authentication security engine, and cloud threat detection and response capabilities.""The visibility is the best part of the solution.""We've seen a reduction in resources devoted to vulnerability monitoring. Before PingSafe we spent a lot of time monitoring and fixing these issues. PingSafe enabled us to divert more resources to the production environment."

More Singularity Cloud Security by SentinelOne Pros →

"It scans our containers in real time. Also, as they're built, it's looking into the container repository where the images are built, telling us ahead of time, "You have vulnerabilities here, and you should update this code before you deploy." And once it's deployed, it's scanning for vulnerabilities that are in production as the container is running.""The first aspect that is important is the fact that Prisma Cloud is cloud-agnostic. It's actually available for the five top cloud providers: AWS, GCP, Azure, Oracle, and Alibaba Cloud. The second aspect is the fact that we can write our own rules to try to detect misconfigurations in those environments.""The CVEs are valuable because we used to have a tool to scan CVEs, at the language level, for the dependencies that our developers had. What is good about Prisma Cloud is that the CVEs are not only from the software layer, but from all layers: the language, the base image, and you also have CVEs from the host. It covers the full base of security.""We are provided with a single tool to protect all of our cloud resources and applications without having to manage and reconcile compliance reports.""The application visibility is amazing. For example, sometimes we don't know what a particular custom port is for and what is running on it. The visibility enables us to identify applications, what the protocol is, and what service is behind it. Within Azure, it is doing a great job of providing visibility. We know exactly what is passing through our network. If there is an issue of any sort we are able to quickly detect it and fix the problem.""Integration is very easy. And because it supports security that spans multi- and hybrid-cloud environments, it's very easy to use.""The most valuable features of Prisma Cloud are its cloud security posture management and cloud workload protection capabilities.""The initial setup is seamless."

More Prisma Cloud by Palo Alto Networks Pros →

"The most valuable feature is the ability to share resources.""The benefit of working with the solution is the fact that it's very straightforward...It is a perfectly stable product since the details are very accurate.""Scalability-wise, I rate the solution a nine out of ten.""One of the most valuable features I found was the ability of this solution to map the network and show you the communication between your containers and your different nodes.""The technical support is good.""Segmentation is the most powerful feature.""The most valuable feature of the solution is its monitoring feature.""It is easy to install and manage."

More Red Hat Advanced Cluster Security for Kubernetes Pros →

Cons
"In terms of ease of use, initially, it is a bit confusing to navigate around, but once you get used to it, it becomes easier.""It would be really helpful if the solution improves its agent deployment process.""Whenever I view the processes and the process aspect, it takes a long time to load.""They can work on policies based on different compliance standards.""We recently adopted a new ticket management solution, so we've asked them to include a connector to integrate that tool with Cloud Native Security directly. We'd also like to see Cloud Native Security add a scan for personally identifying information. We're looking at other tools for this capability, but having that functionality built into Cloud Native Security would be nice. Monitoring PII data is critical to us as an organization.""With Cloud Native Security, we can't selectively enable or disable alerts based on our specific use case.""There is a bit of a learning curve for new users.""In some cases, the rules are strictly enforced but do not align with real-world use cases."

More Singularity Cloud Security by SentinelOne Cons →

"Though Prisma Cloud by Palo Alto Networks provides excellent security, is a pioneer in this space, and knows what it's doing, from a user perspective, it would have been better if it was a little easier to use.""This solution is more AWS and Azure-centric. It needs to be more specific on the GCP side, which they are working on.""The automation must continue to become much smoother.""The area for improvement is less about the product and more about the upsell. If we've already agreed that we'd like your product x, y, or z, don't try to add fries to my burger. I don't need it.""The alignment of Twistlock Defender agents with image repositories needs improvement. These deployed agents have no way of differentiating between on-premise and cloud-based image repositories. If I deploy a Defender agent to secure an on-premise Kubernetes cluster, that agent also tries to scan my ECR image repositories on AWS. So, we have limited options for aligning those Defenders with the repositories that we want them to scan. It is scanning everything rather than giving us the ability to be real granular in choosing which agents can scan which repositories.""We face some GUI issues related to new permissions for AWS. So far, we don't have any automation to complete them through the GUI. We have to manually update the permissions. Our customers have faced some issues with that.""The regional cost of Prisma Cloud in South Africa is high and could be improved.""We'd like to have more native integration with clouds and additional security checks in the future."

More Prisma Cloud by Palo Alto Networks Cons →

"The deprecation of APIs is a concern since the deprecation of APIs will cause issues for us every time we upgrade.""Red Hat is somewhat expensive.""The solution's price could be better.""The documentation about Red Hat Advanced Cluster Security available online is very limited... So it's very limited to the documentation.""They're trying to convert it to the platform as a source. They are moving in the direction of Cloud Foundry so it can be easier for a developer to deploy it.""The solution lacks features when compared to some of the competitors such as Prisma Cloud by Palo Alto Networks and has room for improvement.""The initial setup is pretty complex. There's a learning curve, and its cost varies across different environments. It's difficult.""The solution's visibility and vulnerability prevention should be improved."

More Red Hat Advanced Cluster Security for Kubernetes Cons →

Pricing and Cost Advice
  • "As a partner, we receive a discount on the licenses."
  • "It's a fair price for what you get. We are happy with the price as it stands."
  • "I wasn't sure what to expect from the pricing, but I was pleasantly surprised to find that it was a little less than I thought."
  • "Singularity Cloud Workload Security's pricing is good."
  • "Singularity Cloud Workload Security's licensing and price were cheaper than the other solutions we looked at."
  • "I understand that SentinelOne is a market leader, but the bill we received was astronomical."
  • "It's not expensive. The product is in its initial growth stages and appears more competitive compared to others. It comes in different variants, and I believe the enterprise version costs around $55 per user per year. I would rate it a five, somewhere fairly moderate."
  • "The pricing is fair. It is not inexpensive, and it is also not expensive. When managing a large organization, it is going to be costly, but it meets the business needs. In terms of what is out there on the market, it is fair and comparable to what I have seen, so I do not have any complaints about the cost"

    • More Singularity Cloud Security by SentinelOne Pricing and Cost Advice →

  • "The purchasing process was easy and quick. It is a very economical solution."
  • "Our licensing fees are $18,000 USD per year."
  • "One thing we're very pleased about is how the licensing model for Prisma is based on work resources. You buy a certain amount of work resources and then, as they enable new capabilities within Prisma, it just takes those work resource units and applies them to new features. This enables us to test and use the new features without having to go back and ask for and procure a whole new product, which could require going through weeks, and maybe months, of a procurement process."
  • "The pricing and the licensing are both very fair... The biggest advice I would give in terms of costs would be to try to understand what the growth is going to look like. That's really been our biggest struggle, that we don't have an idea of what our future growth is going to be on the platform. We go from X number of licenses to Y number of licenses without a plan on how we're going to get from A to B, and a lot of that comes as a bit of a surprise. It can make budgeting a real challenge for it."
  • "From my exposure so far, they have been really flexible on whatever your current state is, with a view to what the future state might be. There's no hard sell. They "get" the journey that you're on, and they're trying to help you embrace cloud security, governance, and compliance as you go."
  • "If a competitor came along and said, "We'll give you half the price," that doesn't necessarily mean that's the right answer, at all. We wouldn't necessarily entertain it that way. Does it do what we need it to do? Does it work with the things that we want it to work with? That is the important part for us. Pricing wasn't the big consideration it might be in some organizations. We spend millions on public cloud. In that context, it would not make sense to worry about the small price differences that you get between the products."
  • "The pricing and licensing are expensive compared to the other offerings that we considered."
  • "I don't know a better way to do it, but their licensing is a little confusing. That's due to the breadth of different types of technologies they are trying to cover. The way you license depends on where you're securing. When they were Twistlock it was a simple licensing scheme and you could tell what you were doing. Now that they've changed that scheme with Palo Alto, it is quite confusing. It's very difficult to predict what your costs are going to be as you try to expand coverage."

    • More Prisma Cloud by Palo Alto Networks Pricing and Cost Advice →

  • "The pricing model is moderate, meaning it is not very expensive."
  • "Red Hat offers two pricing options for their solution: a separate price, and a bundled price under the OpenShift Platform Plus."
  • "We purchase a yearly basis license for the solution."

    • More Red Hat Advanced Cluster Security for Kubernetes Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Container Security solutions are best for your needs.
    See Recommendations
    771,212 professionals have used our research since 2012.
    Questions from the Community
    What do you like most about PingSafe?
    Top Answer:The dashboard gives me an overview of all the things happening in the product, making it one of the tool's best… more »
    Read all 44 answers   →
    What is your experience regarding pricing and costs for PingSafe?
    Top Answer:I'm not aware of the exact pricing.
    Read all 31 answers   →
    What needs improvement with PingSafe?
    Top Answer:When I joined my organization, I saw that PingSafe was already implemented. I started to use the tool's alerting… more »
    Read all 44 answers   →
    What is your primary use case for Prisma Cloud by Palo Alto Networks ?
    Top Answer:Prisma Cloud helps support DevSecOps methodologies, making those responsibilities easier to manage.
    Read all 7 answers   →
    What Cloud-Native Application Protection Platform do you recommend?
    Top Answer:We like Prisma Cloud by Palo Alto Networks, since it offers us incredible visibility into our entire cloud system. We… more »
    What do you think of Aqua Security vs Prisma Cloud?
    Top Answer:Aqua Security is easy to use and very manageable. Its main focus is on Kubernetes and Docker. Security is a very… more »
    What do you like most about Red Hat Advanced Cluster Security for Kuberne...
    Top Answer:I like virtualization and all those tools that come with OpenShift. I also like Advanced Cluster Management and the… more »
    Read all 6 answers   →
    What needs improvement with Red Hat Advanced Cluster Security for Kuberne...
    Top Answer:The solution's visibility and vulnerability prevention should be improved.
    Read all 6 answers   →
    What is your primary use case for Red Hat Advanced Cluster Security for K...
    Top Answer:Red Hat can be utilized for anything, including OpenShift, Kubernetes, dev environments, automation, banking, and many… more »
    Read all 6 answers   →
    Comparisons
    Also Known As
    PingSafe
    Palo Alto Networks Prisma Cloud, Prisma Public Cloud, RedLock Cloud 360, RedLock, Twistlock, Aporeto
    StackRox
    Learn More
    SentinelOne
    Palo Alto Networks
    Red Hat
    Video Not Available
    Overview

    Singularity Cloud Security is SentinelOne’s comprehensive, cloud-native application protection platform (CNAPP). It combines the best of agentless insights with AI-powered threat protection, to secure and protect your multi-cloud infrastructure, services, and containers from build time to runtime. SentinelOne’s CNAPP applies an attacker’s mindset to help security practitioners better prioritize their  remediation tasks with evidence-backed Verified Exploit Paths™. The efficient and scalable runtime protection, proven over 5 years and trusted by many of the world’s leading cloud enterprises, harnesses local, autonomous AI engines to detect and thwart runtime threats in real-time. CNAPP data and workload telemetry is recorded to SentinelOne’s unified security lake, for easy access and investigation.

    Singularity Cloud Security includes both agentless and AI-powered cloud security controls, which represent two halves of our strategy to keep public cloud and container environments safe. Radically reduce your cloud attack surface with Singularity Cloud Native Security, formerly PingSafe, with agentless insights and evidence-based prioritization; protect runtime compute and container with Singularity Cloud Workload Security, SentinelOne’s real-time CWPP, with AI-powered machine-speed blocking of threats.

    Prisma Cloud by Palo Alto Networks is a cloud security solution used for cloud security posture management, cloud workload protection, container security, and code security. It provides visibility, monitoring, and alerting for security issues in multi-cloud environments. 

    The solution is user-friendly, easy to set up, and integrates with SIEM for generating alerts and reports. Its most valuable features include security features, monitoring capabilities, reporting, compliance monitoring, vulnerability dashboard, data security features, and multi-cloud capabilities. Prisma Cloud has helped organizations by providing comprehensive protection, automating workflows, simplifying troubleshooting, and improving collaboration between SecOps and DevOps.

    Prisma Cloud Features

    Prisma Cloud offers comprehensive security coverage in all areas of the cloud development lifecycle:

    • Code security: Protect configurations, scan code before it enters production, and integrate with other tools.

    • Security posture management: Monitor posture, identify and remove threats, and provide compliance across public clouds.

    • Workload protection: Secure hosts and containers across the application lifecycle.

    • Network security: Gain network visibility and enforce micro segmentation.

    • Identity security: Enforce permissions and secure identities across clouds.

    Benefits of Prisma Cloud

    • Unified management: All users use the same dashboards built via shared onboarding, allowing cloud security to be addressed from a single agent framework.

    • High-speed onboarding: Multiple cloud accounts and users are onboarded within seconds, rapidly activating integrated security capabilities.

    • Multiple integration options: Prisma Cloud can integrate with widely used IDE, SCM, and CI/CD workflows early in development, enabling users to identify and fix vulnerabilities and compliance issues before they enter production. Prisma Cloud supports all major workflows, automation frameworks, and third-party tools.

    Reviews from Real Users

    Prisma Cloud stands out among its competitors for a number of reasons. Two major ones are its integration capabilities, as well as its visibility, which makes it very easy for users to get a full picture of the cloud environment.

    Alex J., an information security manager at Cobalt.io, writes, “Prisma Cloud has enabled us to take a very strong preventive approach to cloud security. One of the hardest things with cloud is getting visibility into workloads. With Prisma Cloud, you can go in and get that visibility, then set up policies to alert on risky behavior, e.g., if there are security groups or firewall ports open up. So, it is very helpful in preventing configuration errors in the cloud by having visibility. If there are issues, then you can find them and fix them.”

    Luke L., a cloud security specialist for a financial services firm, writes, “You can also integrate with Amazon Managed Services. You can also get a snapshot in time, whether that's over a 24-hour period, seven days, or a month, to determine what the estate might look like at a certain point in time and generate reports from that for vulnerability management forums.”

    Red Hat Advanced Cluster Security for Kubernetes is a Kubernetes-native container security solution that enables your organization to more securely build, deploy, and run cloud-native applications from anywhere. With its built-in security across the entire software development life cycle, you can lower your operational costs, reduce operational risk, and increase developer productivity while improving your security posture immediately. In addition, Red Hat Advanced Cluster Security integrates with security tools and DevOps in an effort to help you mitigate threats and enforce security policies that minimize operational risk to your applications. It also enables you to provide developers with actionable, context-rich guidelines integrated into existing workflows, along with tooling to support developer productivity. The solution is suitable for small, medium, and large-sized companies.

    Red Hat Advanced Cluster Security for Kubernetes Features

    Red Hat Advanced Cluster Security for Kubernetes has many valuable key features. Some of the most useful ones include:

    • Vulnerability management: With the Red Hat Advanced Cluster Security for Kubernetes solution, you gain full visibility into your entire cloud-native landscape. The solution makes it possible for your organization to identify and remediate vulnerabilities in Kubernetes configurations and container images, as well as running applications. It also enables you to provide developers with clear and prioritized guidance on fixable vulnerabilities.
    • Configuration management: The solution makes configuration management easy. To identify missed best practices, you can understand how images, containers, and deployments are configured prior to running. It also allows you to leverage Kubernetes-native capabilities - like admission controllers - to prevent misconfigured workloads from deploying or running.
    • Compliance: Using Red Hat Advanced Cluster Security for Kubernetes helps you manage compliance with standard-specific checks across CIS Benchmarks, NIST, PCI, and HIPAA, with more than 300 controls and continuous compliance assessments and one-click audit reporting.
    • Network segmentation: The solution enables you to enforce network policies by using the native capabilities in Kubernetes. You can simulate new policies, visualize existing ones, generate updated YAML files, and apply them directly to Kubernetes.
    • Multifactor risk profiling: With Red Hat Advanced Cluster Security for Kubernetes, you can use risk rankings by combining vulnerability (CVE) details with rich Kubernetes context and artifact data. This allows you to assess and prioritize risk across your entire environment. In turn, you can accelerate remediation times and productivity.
    • Threat detection and incident response: By combining custom policies, process allow lists, application and network baselines, and behavioral modeling to identify anomalous behavior, the solution enables you to protect your applications at runtime. You can then leverage Kubernetes-native enforcement capabilities to respond.

    Red Hat Advanced Cluster Security for Kubernetes Benefits

    There are many benefits to implementing Red Hat Advanced Cluster Security for Kubernetes. Some of the biggest advantages the solution offers include:

    • Increases protection, scalability, and portability.
    • Eliminates blind spots.
    • Reduces time and costs.
    • Reduces the effort needed to implement security.
    • Streamlines security analysis, investigation, and remediation by using the rich context Kubernetes provides.
    • Provides scalability and resiliency native to Kubernetes

    Reviews from Real Users

    PeerSpot user Igor K., Owner/Full Stack Software Engineer at Maraphonic, Inc., says, “The solution allows teams to create their own virtual spaces and share resources. The most valuable feature is the ability to share resources.”

    Sample Customers
    Information Not Available
    Amgen, Genpact, Western Asset, Zipongo, Proofpoint, NerdWallet, Axfood, 21st Century Fox, Veeva Systems, Reinsurance Group of America
    City National Bank, U.S. Department of Homeland Security
    Top Industries
    REVIEWERS
    Computer Software Company25%
    Construction Company14%
    Financial Services Firm10%
    Insurance Company8%
    VISITORS READING REVIEWS
    Computer Software Company21%
    Financial Services Firm15%
    Manufacturing Company10%
    Insurance Company4%
    REVIEWERS
    Computer Software Company33%
    Manufacturing Company18%
    Financial Services Firm18%
    Healthcare Company8%
    VISITORS READING REVIEWS
    Educational Organization14%
    Computer Software Company13%
    Financial Services Firm13%
    Manufacturing Company8%
    VISITORS READING REVIEWS
    Financial Services Firm21%
    Computer Software Company15%
    Government9%
    Manufacturing Company8%
    Company Size
    REVIEWERS
    Small Business38%
    Midsize Enterprise21%
    Large Enterprise41%
    VISITORS READING REVIEWS
    Small Business25%
    Midsize Enterprise13%
    Large Enterprise62%
    REVIEWERS
    Small Business28%
    Midsize Enterprise20%
    Large Enterprise52%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise22%
    Large Enterprise61%
    REVIEWERS
    Small Business40%
    Midsize Enterprise20%
    Large Enterprise40%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise12%
    Large Enterprise72%
    Buyer's Guide
    Prisma Cloud by Palo Alto Networks vs. Red Hat Advanced Cluster Security for Kubernetes
    May 2024
    Free Report: Prisma Cloud by Palo Alto Networks vs. Red Hat Advanced Cluster Security for Kubernetes
    Find out what your peers are saying about Prisma Cloud by Palo Alto Networks vs. Red Hat Advanced Cluster Security for Kubernetes and other solutions. Updated: May 2024.
    DOWNLOAD NOW
    771,212 professionals have used our research since 2012.

    Prisma Cloud by Palo Alto Networks is ranked 1st in Container Security with 82 reviews while Red Hat Advanced Cluster Security for Kubernetes is ranked 16th in Container Security with 10 reviews. Prisma Cloud by Palo Alto Networks is rated 8.4, while Red Hat Advanced Cluster Security for Kubernetes is rated 8.4. The top reviewer of Prisma Cloud by Palo Alto Networks writes "The dashboard is very user-friendly and can be used to generate custom RQL based on user requirements". On the other hand, the top reviewer of Red Hat Advanced Cluster Security for Kubernetes writes "Provides network mapping feature for visualizing container communication but complex setup ". Prisma Cloud by Palo Alto Networks is most compared with Wiz, Microsoft Defender for Cloud, Aqua Cloud Security Platform, AWS Security Hub and Orca Security, whereas Red Hat Advanced Cluster Security for Kubernetes is most compared with Aqua Cloud Security Platform, SUSE NeuVector, CrowdStrike Falcon Cloud Security, Sysdig Secure and Qualys VMDR. See our Prisma Cloud by Palo Alto Networks vs. Red Hat Advanced Cluster Security for Kubernetes report.

    See our list of best Container Security vendors.

    We monitor all Container Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.