Prisma Cloud Enterprise Edition vs Compute Edition

This article describes the key differences between Compute in Prisma Cloud Enterprise Edition and Prisma Cloud Compute Edition. Use this guide to determine which option is right for you.

How is Compute delivered?

Compute is delivered in one of two packages:
  • Prisma Cloud Enterprise Edition (SaaS)
     — Single pane of glass for both CSPM (Cloud Security Posture Management) & CWPP (Cloud Workload Protection Platform). Compute (formerly Twistlock, a CWPP solution) is delivered as part of the larger Prisma Cloud system. Palo Alto Networks runs, manages, and updates Compute Console for you. You deploy and manage Defenders in your environment. You access the Compute Console from a tab within the Prisma Cloud user interface.
  • Prisma Cloud Compute Edition (self-hosted)
     — Stand-alone, self-operated version of Compute (formerly Twistlock). Download the entire software suite, and run it in any environment. You deploy and manage both Console and Defenders.

What are the similarities between editions?

Both Enterprise Edition (SaaS) and Compute Edition (self-hosted) are built on the same source base. The Console container image we run for you in Enterprise Edition is the exact same container image we give to you in Compute Edition to run in your environment. We are committed to supporting and developing both versions without any feature divergence.

When should you use Enterprise Edition?

Prisma Cloud Enterprise Edition is a good choice when:
  • You want a single platform that protects both the service plane (public cloud resource configuration) and the compute plane.
  • You want convenience. We manage your Console for you. We update it for you. You get a 99.9% uptime SLA.

When should you use Compute Edition?

Prisma Cloud Compute Edition is a good choice when:
  • You want full control over your data.
  • You’re operating in an air-gapped environment.
  • You want to implement enterprise-grade multi-tenancy with one Console per tenant. For multi-tenancy, Compute Edition offers a feature called Projects.

What advantages does Prisma Cloud Enterprise Edition offer over Compute Edition?

When the Prisma Cloud CSPM and CWPP tools work together, Palo Alto Networks can offer economies of scale by sharing data (so called "data overlays"). The Prisma Cloud CSPM tool has always offered the ability to integrate with third party scanners, such as Tenable, to supplement configuration assessments with host vulnerability data. Starting with the Nov 2019 release of Enterprise Edition, the CSPM tool can utilize the host vulnerability data Compute Defender collects as part of its regular scans. Customers that have already licensed one workload for a host can leverage that single workload for configuration assessments by the CSPM tool, host vulnerability scanning (via Compute Defender), and host runtime protection (via Compute Defender).
Customers can expect additional "data overlays" in future releases, including better ways to gauge security posture with combined dashboards.

What are the differences between Prisma Cloud Enterprise Edition and Compute Edition?

There are a handful of differences between Enterprise Edition and Compute Edition. Consider these differences when deciding which edition is right for you.
Projects:
  • No support for Compute Projects in the Prisma Cloud Enterprise Edition. Common use cases for Compute Projects:
    • Use Case - Isolation (1 Console per team so teams can’t see each other’s data) (Prisma Cloud EE supports this use case if customers are ok with multiple Prisma Cloud tenants, 1 per team, and 1 Compute SaaS Console per tenant. Customers can contact Customer Success to create multiple tenants. Note that the license count shown in the Prisma Cloud UI is per tenant, not the aggregate across multiple tenants.) If you want to control customer tenant deployments yourself, use Compute Edition.
    • Use Case - Centralized policies/Scale Project (1 Supervisor Compute Console to push the same set of policies to all sub Consoles): No support in Prisma Cloud EE. If you need this, use Compute Edition.
    • Use Case - Scale (Lots of Defenders): Dec. 2019 PCEE release supports 5K Defenders per SaaS Compute Console. Future releases will support more. If you need more now, use Compute Edition.
Syslog:
  • Prisma Cloud Enterprise Edition Consoles do not emit syslog events for customer consumption. Since we operate the Console service for you, we monitor Console on your behalf.
  • Prisma Cloud Enterprise Edition Defenders still emit syslog events that you can ingest. Syslog messages from Defender cover runtime and firewall events.
User management:
  • In Prisma Cloud Enterprise Edition, user and group management, as well as auth, is handled by the outer Prisma Cloud app in Enterprise Edition.
  • As such, Compute Console in SaaS mode disables AD, OpenLDAP, and SAML integration.
RBAC:
  • The following limitations will be addressed in the next release (H1 2020).
  • Only Prisma Cloud System Admin can access the Compute tab. All other Prisma Cloud roles are denied access to the Compute tab
  • No account-based RBAC in Compute tab. Can’t scope which Prisma Cloud users can see what inside Compute tab by cloud account
  • For the CI/CD use case (i.e. using the Jenkins plugin or twistcli to scan images in the CI/CD pipeline), you can create a low privilege access key. See https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/access_control/access_keys.html
Assigned Collections:
  • The following limitation will be addressed in a future release.
  • Enforcing views of resource subsets as defined by filters (collections) by user or group isn’t currently supported in Prisma Cloud Enterprise Edition (SaaS).

How do Defender upgrades work?

Upgrades work a little differently in each edition.
  • Prisma Cloud Enterprise Edition (SaaS)
     — You control the timing of the upgrade process. When an upgrade is available, a button appears in the Compute UI. When you click it, your tenant’s version of Console is upgraded. The process takes about 10 seconds. After Console is upgraded, you must take action to upgrade all of their deployed Defenders. Some Defenders can be upgraded directly from the Compute UI. Others must be manually upgraded.
  • Prisma Cloud Compute Edition (self-hosted)
     — You fully control the upgrade process. When an upgrade is available, customers are notified via the bell icon in Console. Clicking on it directs you to the latest software download. Deploy the new version of Console first, then upgrade your Defenders.
In the 1H20 release, Prisma Cloud will introduce a mechanism for automatic Defender upgrades. A new Defender image architecture will enable automatic in-place upgrades (no manual operator intervention or redeployments required), which can be optionally enabled or disabled.

Can you migrate from Compute Edition to Enterprise Edition (SaaS)?

Not right now. We plan to provide a process and/or mechanism for migrating to SaaS. When there are more details to share, we’ll update our roadmap.
To be clear, no one will be forced, or even encouraged, to migrate from Compute Edition to SaaS. Compute Edition will always be available for customers that choose to download and run the software themselves, anywhere. Compute and SaaS literally run the exact same bits, so customers have the flexibility to decide which deployment option makes sense for them.

Summary

The following table summarizes the key differences between Enterprise Edition (SaaS) and Compute Edition (self-hosted). For gaps, we provide a date we intend to deliver a solution.
Capability
Notes
Delivery Date
Projects
If you need Projects, use Compute Edition. Projects will not be ported to Prisma Cloud Enterprise Edition.
-
Syslog
Collecting customer requirements
TBD
User management
There’s no gap in functionality. No work to be done.
-
RBAC
Committed
H12020
Assigned collections
This page will be updated when there’s a date to share.
TBD
Defender upgrade
Committed.
H12020
Compute Edition to Enterprise Edition migration
In planning. This page will be updated when there’s a date to share.
TBD

Recommended For You