What is our primary use case?
We have a very large public cloud estate. We have nearly 300 public cloud accounts, with almost a million things deployed. It's pretty much impossible to track all of the security and the compliance issues using anything that would remotely be considered homegrown—scripts, or something that isn't fully automated and supported. We don't have the time, or necessarily even the desire, to build these things ourselves. So we use it to track compliance across all of the various accounts and to manage remediation.
We also have 393 applications in the cloud, all of which are part of various suites, which means there are at least 393 teams or groups of people who need to be held accountable for what they have deployed and what they wish to do.
It's such a large undertaking that automating it is the only option. To bring it all together, we use it to ensure that we can measure and track and identify the remediation of all of our public cloud issues.
How has it helped my organization?
The solution provides risk clarity at runtime and across the entire pipeline, showing issues as they are discovered during the build phases. Our developers are able to correct them using the tools they use to code. It gives our developers a point to work towards. If the information provided by this didn't exist, then we wouldn't be able to give our developers the direction that they need to go and fix the issues. It comes back to ownership. If we can give full ownership of the issues to a team, they will go fix them. Honestly, I don't care how they fix them. I don't really mind what tools they use.
It is reducing run-time alerts. It's still in the process of working on those, but we have already seen a significant decrease, absolutely.
What is most valuable?
The entire concept is the right thing for us. It's what we need. The application is the feature, so to speak it. What it does is what we want it for: looking across the various cloud estates and providing us with information about what's going on in our cloud, where it is, when it happened. The product is the most valuable feature. It's not a do-all and end-all product. That doesn't exist. But it's a product with a very specific purpose. And we bought it for that very specific purpose.
When it comes to protecting the full cloud native stack—the pure cloud component of the stack—it is very good.
One of the main reasons we like Prisma Cloud so much is that they also provide an API. You can't expect to give someone an account on Prisma Cloud, or on any tool for that matter, and say, "Go find your things and fix them." It doesn't work like that. We've got to be able to clearly identify who owns what in our organization so that we can say, "Here's a report for your things and this is what you must go and fix." We pull down the information from the API that Prisma Cloud provides, which is multi-cloud, multi-account—hundreds and hundreds of different types of alerts graded by severity—and then we can clearly identify that these alerts belong to these people, and they're the people who must remediate them. That's our most important use case, because if you can't identify users, you can't remediate. No user is going to sit there going through over a million deployed things in the public cloud and say, "That one's mine, that one's not, that's mine, that's not." It's both the technology that Prisma Cloud provides and the ability to identify things distinctly, that comprise our use case.
It also provides the visibility and control we need, regardless of how complex or distributed our cloud environments become. It doesn't care about the complexity of our environment. It gives us the visibility we need to have confidence in our compliance. Without it, we would have no confidence at all.
It is also part of our DevOps processes and we have integrated security into our CI/CD pipeline. To be honest, those touchpoints are not as seamless as they could be because our processes do rely on multiple tools and multiple teams. But it is one of the key requirements in our DevOps life cycle for the compliance component to be monitored by this. It's a 100 percent requirement. The teams must use it all the time and be compliant before they move on to the next stage in each release. It is a bit manual for us, but that's because of our environment. It's given our SecOps teams the visibility they need to do their jobs. There's absolutely no chance that those teams would have any visibility, on a normal, day-to-day basis, simply because the SecOps teams are very small, and having to deal with hundreds of other development teams would be impossible for them on a normal basis.
What needs improvement?
Based on my experience, the customization—especially the interface and some of the product identification components—is not as customizable as it could be. But it makes up for that with the fact that we can access the API and then build our own systems to read the data and then process and parse it and hand it to our teams. At that point, we realized, "Okay, we're not never going to have it fully customizable," because no team can expect a product, off-the-shelf, to fit itself to the needs of any organization. That's just impossible.
So customization from our perspective comes through the API, and that's the best we can do because there is no other sensible way of doing it. The customization is exactly evident inside the API, because that's what you end up using.
In terms of the product having room for improvement, I don't see any product being perfect, so I'm not worried about that aspect. The RedLock team is very responsive to our requirements when we do point out issues, and when we do point out stuff that we would like to see fixed, but the product direction itself is not a big concern for us.
For how long have I used the solution?
We've been using it since before it was called Prisma Cloud. We're getting on towards two years since we first purchased it.
What do I think about the stability of the solution?
The stability of Prisma Cloud is very good. I have no complaints along those lines. It seems to fit the requirements and it doesn't go down. Being a SaaS product, I would expect that. I haven't experienced any instability, and that's a good thing.
What do I think about the scalability of the solution?
Again, as a SaaS product, I would expect it to just scale.
How are customer service and technical support?
We regularly use Palo Alto technical support for the solution. I give it a top rating. They're very good. They have a very good customer success team. We've never had any issues. All our questions have been answered. It has been very positive.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
The initial setup was very straightforward. It's a SaaS product. All you have to do is configure your end, which isn't very hard. You just have to create a role for the product and, from there on, it just works, as long as the role is created correctly. Everything else you do after that is managed for you.
We have continuously been deploying it on new accounts as we spin them up. Our deployment has been going on since year one, but we've expanded. Two years ago we probably had about 40 or 50 cloud accounts. Now, we have 270 cloud accounts.
We have a team that is dedicated to managing our security tools. Something this big will always require some maintenance from our side: new accounts, and talking to internal teams. But this is as much about management of the actual alerts and issues than it is anything else. It's no longer about whether the tool is being maintained. We don't maintain it. But what we do is maintain our interaction with the tool. We have two people, security engineers, who work with the tool on a regular basis.
What was our ROI?
It's a non-functional ROI. This isn't a direct-ROI kind of tool. The return is in understanding our security postures. That's incredibly important and that's why we bought it and that's what we need from it. It doesn't create funds; it is a control. But it certainly does stop issues, and how do you quantify that?
What's my experience with pricing, setup cost, and licensing?
Pricing wasn't a big consideration for us. Compared to the work that we do, and the other costs, this was one of the regular costs. We were more interested in the features than we were in the price.
If a competitor came along and said, "We'll give you half the price," that doesn't necessarily mean that's the right answer, at all. We wouldn't necessarily entertain it that way. Does it do what we need it to do? Does it work with the things that we want it to work with? That is the important part for us. Pricing wasn't the big consideration it might be in some organizations. We spend millions on public cloud. In that context, it would not make sense to worry about the small price differences that you get between the products. They all seem to pitch it at roughly the same price.
Which other solutions did I evaluate?
Before the implementation of Prisma Cloud, there were only two solutions in the market. The other one was Dome9. We did an evaluation and we chose this one, and they were both very new. This is a very new concept. It pretty much didn't exist until Prisma Cloud came along.
The Prisma Cloud solution was chosen because of the way it helped integrate with our operations people, and our operations people were very happy with it. That was one of the main concerns.
Both solutions are very good at what they do. They approach the same problem from different directions. It was this direction that worked for us. Having said that, certain elements of Prisma Cloud were definitely more attractive to us because they matched up with some of our requirements. I'm very loath to say one product is better than the other, because it does depend on your requirements. It does depend on how you intend to use it and what it is, exactly, that you're looking for.
What other advice do I have?
You need to identify how you'll be using it and what your use cases are. If you don't have a mature enough organizational posture, you're not going to use it to actually fix the issues because you won't have the teams ready to consume its information. You need to build that and that needs to be built into the thinking around that product. There's no point having information if you're not going to act on it. So understand who is going to act on it, and how, and then you've got a much better path to understanding your use for this. There's no point in buying a product for the sake of the product. You need the processes and the workflows that go with it and you need to build those. It's not good enough to just hope that they will happen.
The solution doesn't secure the entire spectrum of compute options because there are other Palo Alto products that secure containers, for example. This is very specifically focused on the configuration of the public cloud instances. It doesn't look inside those instances. You would need something else for that. You don't want to be using other products to do this. You don't want to mistake this for something that does everything. It doesn't. It is a very specific product and it is amazingly good at what it does.
We do integrate it with our workflow as part of the process of getting an application onto the internet. It does integrate with our workflow, giving us a posture as part of the workflow. But it is not a workflow tool.
It definitely does multi-cloud. It does the three major ones plus Alibaba Cloud. It doesn't reach into hybrid cloud, in the sense that it doesn't understand anything non-cloud. We don't use it to provide security, although it is very good for that. We already have an advanced security provision posture, because we are a very large organization. We just use it to inform us of security issues that are outside our other controls.
Prisma Cloud doesn't provide us with a single tool to protect all of our cloud resources and applications in terms of security and compliance reports because we have non-cloud-related tools being folded into the reports as well. Even though it works on the cloud, and is excellent at what it does, we integrate it with our Qualys reports, for example, which is the scanning on our hosts. Those hosts are in the cloud, but this doesn't touch them. There's no such thing as a single security tool, frankly. It's basically part of our portfolio and it's part of what every organization needs, in my opinion, to be able to manage their cloud security postures. Otherwise, it would just never work.