Prisma Cloud is a collaborative tool.
You’re going to get the most value when representatives from Development, DevOps, and Security actively participate in planning and operations.
When teams work in silos, the CI/CD pipeline will be disjointed and exasperating.
When they are aligned, your CI/CD pipeline will be fluid and frictionless, with security controls transparently governing the flow.
The participants in this story are:
Has the expertise and authority to sign off on policy decisions.
Understands policy structure.
Explicitly ignores or alerts on specific CVEs.
Analyzes and interprets audit data.
Understands the infrastructure.
Understands the environment’s topology.
Installs Prisma Cloud.
Configures integration with the registry, Jenkins, and so on.
Understands the apps that run in your environment.
Understands app composition, package manifests, and relationships between components.
Fixes security issues that stall the CI/CD pipeline.
Helps Security tune the models that protect running software.
Helps remediate runtime security issues.
Typically, one group "owns" the Prisma Cloud tool, and it tends to be Security.
You’ll need a staff of one to two Security people and one to two DevOps people to man the Prisma Cloud tool.
Developers are rarely granted elevated access to Prisma Cloud Console (the central dashboard).
Rather, they should be granted read-only access to vulnerability reports and tools.
Prisma Cloud provides a number of roles that provide different levels of access to Prisma Cloud.
Since DevOps and Security start working with the tool from day zero, they’re the first to grasp concepts and workflows.
Don’t leave Development in the dark.
The deeper Development integrates Prisma Cloud into their own workflow, the better your results will be, with faster time to mitigation and shorter service interruptions.
Schedule regular meetings with Development to discuss expectations, demonstrate how Prisma Cloud works, and how it fits into their workflow.
We don’t know how many times developers actively seek us out an the tradeshow floor to get a demo because no has ever shown them the big picture.