[New book] Add Prisma Cloud Adoption Guide #648

Open. Wants to merge 12 commits into base: master
8 changes: 8 additions & 0 deletions adoption-guide/README.md
@@ -0,0 +1,8 @@
This book has tabbed content. To build the book:

1. Open a terminal window, and go to the Adoption Guide book dir: `cd prisma-cloud-docs/adoption-guide`
2. Run `panconv book.yml`
3. Run `./build-tabs.sh`
4. Upload the book with panup

Contact iansk if you need to add new tabs or refactor existing tabs.
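Review bot: the build steps assume `panconv` and `panup` are installed and on PATH but never say where they come from; add a prerequisites line before step 1 (or a link to the tooling docs). Step 1's `cd prisma-cloud-docs/adoption-guide` only works from the directory that contains the repo checkout, so say so. Step 3 runs `./build-tabs.sh`, so note that the script must be executable (`chmod +x build-tabs.sh`) or invoke it as `sh build-tabs.sh`.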
117 changes: 117 additions & 0 deletions adoption-guide/_adoption-guide.ditamap
@@ -0,0 +1,117 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE map PUBLIC "-//OASIS//DTD DITA Map//EN" "technicalContent/dtd/map.dtd" [
]>

<map xmlns:ditaarch = "http://dita.oasis-open.org/architecture/2005/">
<title>Adoption Guide</title>
<topicmeta>
<author></author>
<critdates>
<created date = "2022-11-10"/>
<revised modified = "2022-11-10"/>
</critdates>
</topicmeta>

<topicref href = "adoption-guide.xml" type = "concept">
<topicmeta>
<navtitle>Adoption Guide</navtitle>
</topicmeta>


<topicref href = "code-build-deploy-run.xml" type = "concept">
<topicmeta>
<navtitle>Code Build, Deploy, and Run</navtitle>
</topicmeta>
</topicref>

<topicref href = "foundational-intermediate-advanced.xml" type = "concept">
<topicmeta>
<navtitle>Foundational, Intermediate, and Advanced</navtitle>
</topicmeta>
</topicref>

<topicref href = "code-build.xml" type = "concept">
<topicmeta>
<navtitle>Code Build</navtitle>
</topicmeta>

<topicref href = "code-build-foundational.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Foundational</navtitle>
</topicmeta>
</topicref>

<topicref href = "code-build-intermediate.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Intermediate</navtitle>
</topicmeta>
</topicref>

<topicref href = "code-build-advanced.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Advanced</navtitle>
</topicmeta>
</topicref>

</topicref>

<topicref href = "deploy.xml" type = "concept">
<topicmeta>
<navtitle>Deploy</navtitle>
</topicmeta>

<topicref href = "deploy-foundational.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Foundational</navtitle>
</topicmeta>
</topicref>

<topicref href = "deploy-intermediate.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Intermediate</navtitle>
</topicmeta>
</topicref>

<topicref href = "deploy-advanced.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Advanced</navtitle>
</topicmeta>
</topicref>

</topicref>

<topicref href = "run.xml" type = "concept">
<topicmeta>
<navtitle>Run</navtitle>
</topicmeta>

<topicref href = "run-foundational.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Foundational</navtitle>
</topicmeta>
</topicref>

<topicref href = "run-intermediate.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Intermediate</navtitle>
</topicmeta>
</topicref>

<topicref href = "run-advanced.xml" type = "concept" scope = "peer">
<topicmeta>
<navtitle>Advanced</navtitle>
</topicmeta>
</topicref>

</topicref>

<topicref href = "continued-reading.xml" type = "concept">
<topicmeta>
<navtitle>Get Help</navtitle>
</topicmeta>
</topicref>


</topicref>

</map>
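Review bot: the nine Foundational/Intermediate/Advanced topicrefs (e.g. `<topicref href = "code-build-foundational.xml" type = "concept" scope = "peer">`) use `scope = "peer"`, but these topics are part of this same map, and the matching xrefs in code-build.adoc use `scope="local"`; in DITA `peer` is for topics that live in a separate documentation set, so `local` (or omitting `scope`, which defaults to local) is the right value. Also `<author></author>` is left empty while the README names iansk as the contact, and the `href = "..."` attribute spacing differs from the `href="..."` style used in the passthrough blocks elsewhere in the PR.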
Binary file added adoption-guide/_graphics/code-and-build.png
Binary file added adoption-guide/_graphics/deploy.png
Binary file added adoption-guide/_graphics/run.png
10 changes: 10 additions & 0 deletions adoption-guide/adoption-guide/adoption-guide.adoc
@@ -0,0 +1,10 @@
== Adoption Guide

This guide provides Prisma Cloud customers with a framework that establishes the pillars of security within their cloud journey.
It focuses on the Prisma Cloud Enterprise software-as-a-service (SaaS) suite of capabilities.
Prisma Cloud Enterprise is a Cloud Native Application Protection Platform (CNAPP) that incorporates all the various cloud security disciplines (e.g., multi-cloud posture management, workload protection, micro segmentation, identity and access management, data security, etc.) into a unified, holistic service for the protection of your cloud resources.

The major cloud service providers (CSPs) each publish a cloud adoption framework (https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/[Azure], https://cloud.google.com/adoption-framework[GCP], https://aws.amazon.com/professional-services/CAF/[AWS]).
"Securing the cloud" is a pillar in each of these frameworks, and Prisma Cloud is a perfect fit for this pillar.
It is a multi- and hybrid-cloud solution that provides visibility and control across CSPs’ cloud-based services (code, VM, containers, serverless functions, identity, etc.).
Use Prisma Cloud to securely accelerate your organization’s cloud transformation journey.
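Review bot: hyphenate "micro segmentation" as "micro-segmentation" in the CNAPP capability list, and consider toning down "Prisma Cloud is a perfect fit for this pillar", which reads as marketing copy inside an admin guide; "Prisma Cloud addresses this pillar" says the same thing in the register of the rest of the document.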
8 changes: 8 additions & 0 deletions adoption-guide/adoption-guide/code-build-advanced.adoc
@@ -0,0 +1,8 @@
[#_cb_advanced]
== Advanced

* *Identify supply chain dependencies.*
The supply chain capability on Code Security is a code-centric view of infrastructure and application security that visualizes a supply chain graph, starting with the IaC templates, the services, deployed cloud workload resources (including associated permissions), and the runtime configuration on these resources. Prisma Cloud’s supply chain graph is a real-time auto-discovery of potentially misconfigured infrastructure and application files, sorted into a concise data model that you can use to prioritize and search. The graph identifies infrastructure, image, open source, and secrets, and combines that data to identify risk chains. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/scan-monitor/supply-chain-security[Learn more about supply chain security].

* *Trace a deployment of a cloud resource with tags.*
Do you ever wonder which Infrastructure as Code template was used to deploy a cloud resource? Tags can help you trace the link for your resources deployed from code-to-cloud infrastructure. Detect drift within your code base and locate the specific resource within a commit that identifies teams and resource owners to help triage a fix in the most timely and cost-effective way. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/scan-monitor/iac-tag-and-trace[Learn more about IaC Tag and Trace].
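Review bot: the second bullet's "Detect drift within your code base and locate the specific resource within a commit..." overlaps with the dedicated "Detect drift within Infrastructure as Code cloud deployments" item in code-build-intermediate.adoc; either cross-reference that item (`<<_cb_intermediate>>`) or drop the sentence here so the two tabs do not describe the same capability twice. The opening rhetorical question ("Do you ever wonder which Infrastructure as Code template...") is also out of register with the other bullets, which all open with a declarative statement.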
7 changes: 7 additions & 0 deletions adoption-guide/adoption-guide/code-build-deploy-run.adoc
@@ -0,0 +1,7 @@
== Code Build, Deploy, and Run

In this guide, we segment the cloud application’s lifecycle into the following categories:

* *Code & Build* – The CSPs provide the ability to codify the deployment, maintenance, and removal of cloud services (e.g., VMs, storage buckets, etc.). This is commonly referred to as infrastructure as code (IaC). You are responsible for the secure operation of your cloud services. Continuous Integration (CI) is a development lifecycle practice that has expanded with the growth of the cloud. CI provides your organization with the ability to rapidly and continuously develop, update, and maintain your cloud-based applications. The assembly and testing of your code into usable software packages are automated by CI systems (e.g., Jenkins, CircleCI, CloudBees) that integrate with the different code repositories and package management systems. These CI systems produce deployable artifacts, such as IaC, VM images, Docker images, Serverless Images, etc., that are consumed by the release processes to drive frequent deployments. Prisma Cloud provides visibility and control within your Code & Build processes to identify vulnerabilities and compliance violations before progressing to the next phase of the application’s lifecycle.
* *Deploy* – Continuous deployment (CD) provides the automation of testing and deployment of applications within your clouds’ runtime environments. With modern automation, cloud applications are in a continuous cycle of development, testing, and release. This notion of continuous change is a fundamental challenge in managing cloud applications. Prisma Cloud identifies vulnerability and compliance issues within applications that are staged for deployment. With Prisma Cloud, you can enforce policies to ensure that only trusted applications are allowed to launch within the cloud runtime environment.
* *Run* – Applications run across the cloud workload continuum. Regardless of where they are deployed (IaaS, PaaS, SaaS, etc.), the application’s runtime actions should be monitored for abnormal behaviors. Overly permissive cloud access roles present opportunities for attackers. Prisma Cloud quickly identifies expected behaviors and prevents anomalous behavior. It secures runtime environments using predictive and threat-based protections.
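Review bot: the Run bullet's "Prisma Cloud quickly identifies expected behaviors and prevents anomalous behavior" is vague about the mechanism; say what is actually done (a model of expected runtime behavior is established and deviations from it are alerted on or blocked), since that is what "predictive and threat-based protections" in the following sentence refers to. In the Code & Build bullet, "Serverless Images" is capitalized unlike "VM images" and "Docker images"; lowercase it for consistency.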
8 changes: 8 additions & 0 deletions adoption-guide/adoption-guide/code-build-foundational.adoc
@@ -0,0 +1,8 @@
[#_cb_foundational]
== Foundational

* *Identify misconfigured infrastructure as code that leads to insecure runtime cloud services.*
Insecure IAC directives can ultimately manifest as misconfigured and vulnerable runtime cloud services. Identify common coding mistakes within the code repository. Find secret keys, passphrases, insecure configurations, and more. You need to identify these insecure codified cloud service directives before they get deployed as running services. Prisma Cloud Code Security scans code repositories that generate fully contextualized results. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/get-started/connect-your-repositories[Learn how to configure Code Security to protect your IaC code].

* *Identify misconfigurations before you commit your code.*
Prisma Cloud Code Security makes it possible for you to identify misconfigurations before developers commit their code. Avoid pull requests that will cause builds to fail due to undetected misconfigurations. Use the code analysis tool to scan IaC files from frameworks such as Terraform plan, CloudFormation, Azure Resource Manager (ARM), Secrets, Serverless, Dockerfile (only code), and Kubernetes. The integration of Code Security within IDE tools gives you immediate detection of misconfigurations and inline code fixes. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/get-started/connect-your-repositories/connect-vscode[Learn how to integrate Code Security within your IDE tools].
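Review bot: "Insecure IAC directives" should be "IaC" to match the acronym used everywhere else, and "Prisma Cloud Code Security scans code repositories that generate fully contextualized results" reads as if the repositories generate the results; rewrite as "scans code repositories and generates fully contextualized results". In the second bullet, the list of "frameworks" mixes IaC frameworks (Terraform plan, CloudFormation, ARM, Serverless, Kubernetes) with a scan type (Secrets) and a file type (Dockerfile); introduce it as the set of supported file and scan types rather than as frameworks.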
17 changes: 17 additions & 0 deletions adoption-guide/adoption-guide/code-build-intermediate.adoc
@@ -0,0 +1,17 @@
[#_cb_intermediate]
== Intermediate

* *Integrate vulnerability and compliance checks within your CI tools.*
Scanning VMs, container images, and serverless functions in their earliest stage will allow you to fix issues before they are running in production. Use the Prisma Cloud CI plugin within the developers’ automation tools to scan for vulnerability and compliance issues. For example, developers can scan the packages and binaries that are compiled into the container images and immediately get detailed reports within their build pipelines, thus increasing your developers' security awareness. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/continuous_integration[Learn more about continuous integration with Prisma Cloud].

* *Detect drift within Infrastructure as Code cloud deployments.*
Drifts are inconsistencies in configuration that occur when resources are modified locally or manually using the CLI or console, and these divergences from the code are not recorded or tracked. The inconsistencies in code configuration can either be an addition or deletion of values from the template configuration in the source code. Code Security periodically scans your repositories to identify drifts that may occur between the build and deploy phases and enables you with corrective solutions to handle traceable configuration changes. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/scan-monitor/drift-detection[Learn more about drift detection].

* *Prevent developers from committing hardcoded secrets.*
Prisma Cloud detects when secrets are committed from developers’ machines, branches, and build jobs. Your code is analyzed using prebuilt secrets detectors, built to identify the API keys, tokens, and passwords developers may be using when developing a cloud-native app. Enforce policy by halting a build process when a secret is found to ensure secrets have not been committed downstream in your CI/CD process and assess if the secret was compromised. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/scan-monitor/monitor-fix-issues-in-scan[Learn how to monitor and fix issues in your scan].

* *Define your own vulnerability and compliance policies.*
Prisma Cloud includes out-of-the-box policies that enable you to detect misconfigurations and provide automated fixes for security issues across your integrated code repositories. You also have the flexibility to add new custom policies for your repositories and pipelines. As soon as you connect Code Security to your repositories, both out-of-the-box and custom policies are used to scan for potential issues. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/scan-monitor/custom-build-policies[Learn more about how to create your own custom policies].

* *Analyze the runtime behavior of images before running in development and production environments.*
You are going to deploy an image into your environment, and you want to ensure that the image’s resulting container will not exhibit malicious behavior. With Prisma Cloud’s twistcli plugin, you can validate an image’s runtime behaviors within a sandboxed environment. Have confidence that your images will not exhibit malicious runtime behaviors before leaving the build phase. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/image_analysis_sandbox[Learn more about Image Sandbox Analysis].
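Review bot: twistcli is Prisma Cloud Compute's command-line tool rather than a plugin, so "With Prisma Cloud's twistcli plugin" in the last bullet should read "With twistcli" (the linked sandbox analysis page is the `twistcli sandbox` workflow). In the drift bullet, "enables you with corrective solutions to handle traceable configuration changes" is awkward; "and suggests corrective changes for the traced configuration drift" is clearer. In the secrets bullet, "assess if the secret was compromised" should be "assess whether the secret was compromised".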
16 changes: 16 additions & 0 deletions adoption-guide/adoption-guide/code-build.adoc
@@ -0,0 +1,16 @@
[#tabs-code-build]
== Code Build

image::code-and-build.png[]

The cloud has changed how applications are collaboratively developed. The use of version control systems (e.g., GitHub, GitLab, Bitbucket, Azure Repos, etc.) has grown exponentially. The CSPs provide customers with the ability to deploy and maintain their cloud services using scripting languages such as Terraform. These coding technologies and disciplines have introduced the “learn how to configure code security” feature to protect your IaC code opportunity of identifying vulnerabilities and misconfigurations before they are compiled into applications or deployed as insecure cloud services. This approach to securing the development of code is frequently called “shifting left.” The building of cloud resources involves various technologies that span computational environments, such as virtual machine images, container images, and continuous integration build tools (e.g., Jenkins, CircleCI, CloudBees, etc.). Prisma Cloud provides DevSecOps stakeholders with the ability to securely build and maintain their cloud-based environments.

Implement the following Prisma Cloud capabilities to provide visibility and control within your organization's cloud coding and building practices:

++++
<ul outputclass="nav">
<li><xref href="code-build-foundational.xml#_cb_foundational" format="dita" scope="local" /></li>
<li><xref href="code-build-intermediate.xml#_cb_intermediate" format="dita" scope="local" /></li>
<li><xref href="code-build-advanced.xml#_cb_advanced" format="dita" scope="local" /></li>
</ul>
++++
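Review bot: the third sentence of the intro paragraph is garbled: "have introduced the “learn how to configure code security” feature to protect your IaC code opportunity of identifying vulnerabilities..." looks like the link text from code-build-foundational.adoc ("Learn how to configure Code Security to protect your IaC code") was pasted into the middle of the sentence. It should read "These coding technologies and disciplines have introduced the opportunity of identifying vulnerabilities and misconfigurations before they are compiled into applications or deployed as insecure cloud services." Separately, `image::code-and-build.png[]` names a file this PR adds under `adoption-guide/_graphics/` while the .adoc lives in `adoption-guide/adoption-guide/`; confirm the image path resolves in the panconv build (an `:imagesdir:` attribute or a relative path may be needed).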
4 changes: 4 additions & 0 deletions adoption-guide/adoption-guide/continued-reading.adoc
@@ -0,0 +1,4 @@
== Get Help

This guide’s goal is to help you and your organization capitalize on the industry-leading Cloud Native Application Protection Platform capabilities of Prisma Cloud Enterprise. We encourage you to engage with your Palo Alto Networks support team to start the journey of protecting your organization with Prisma Cloud Enterprise.
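Review bot: the file is named continued-reading.adoc but its heading and the ditamap navtitle are both "Get Help", and the body is a pointer to the support team rather than further reading; rename the file (and the `continued-reading.xml` href in the ditamap) to match the title, or retitle the section so the file name and heading agree.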

8 changes: 8 additions & 0 deletions adoption-guide/adoption-guide/deploy-advanced.adoc
@@ -0,0 +1,8 @@
[#_deploy_advanced]
== Advanced

* *Enforce Kubernetes operational policies.*
Prisma Cloud provides a dynamic admission controller for Kubernetes and OpenShift that is built on the Open Policy Agent (OPA). Prisma Cloud disseminates your policies to Defenders deployed within a Kubernetes cluster. With OPA rules, you can control the creation, maintenance, and deletion operations within your Kubernetes clusters. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/access_control/open_policy_agent[Learn more about simplified policy enforcement with managed OPA].

* *Deploy only trusted containers.*
Modern development has made it easy to reuse open source software. Pulling images from public registries is easy, fast, and convenient. However, it is a practice that is not allowed by most organizations. You should maintain a set of trusted images and registries to ensure that only these images are allowed to be deployed within the runtime environment. You can define the trusted images and registries to ensure that only these images are allowed to run in your environment. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/trusted_images[Learn more about trusted images].
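Review bot: "However, it is a practice that is not allowed by most organizations" is an unsupported generalization; state the actual risk instead, namely that pulling from arbitrary public registries bypasses the organization's image controls. The last two sentences of that bullet also say the same thing twice ("You should maintain a set of trusted images and registries to ensure that only these images are allowed..." and "You can define the trusted images and registries to ensure that only these images are allowed to run..."); keep one.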
8 changes: 8 additions & 0 deletions adoption-guide/adoption-guide/deploy-foundational.adoc
@@ -0,0 +1,8 @@
[#_deploy_foundational]
== Foundational

* *Discover compliance issues and vulnerabilities on your deployed containers.*
To affect deployment policies with your environments, you will need to deploy Prisma Cloud Defenders. A Defender is the component that performs registry vulnerability and compliance scanning, Kubernetes policy enforcement, etc. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_defender/install_cluster_container_defender[Learn more about how to deploy container Defenders].

* *Scan images stored within container image registries.*
To identify vulnerabilities and compliance issues in images stored within your registries, first deploy container Defenders, then configure registry scanning. Prisma Cloud scans images for vulnerabilities and configuration compliance via a schedule or a webhook. New vulnerabilities are automatically updated within Prisma Cloud via the Intelligence Stream service. Prisma Cloud will automatically identify these new vulnerabilities within hosts, images, containers, and serverless functions throughout your environment. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vulnerability_management/registry_scanning[Learn more about how to scan your container image registries].
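Review bot: "To affect deployment policies with your environments" should be "To enforce deployment policies within your environments". The first bullet's title promises discovery of compliance issues and vulnerabilities on deployed containers, but its body only explains what a Defender is and links to the install page; add a sentence on where the findings appear once Defenders are running, or retitle the bullet to "Deploy container Defenders".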
5 changes: 5 additions & 0 deletions adoption-guide/adoption-guide/deploy-intermediate.adoc
@@ -0,0 +1,5 @@
[#_deploy_intermediate]
== Intermediate

* *Enforce vulnerability and compliance policies.*
Prisma Cloud container Defenders enforce your organization’s policies to ensure non-compliant images are not allowed to instantiate as running containers. You can create policies to block specific vulnerabilities and/or compliance findings. You can allow exceptions and grace periods for findings that are migrated through other controls. Enforce your organization’s vulnerability and compliance policies ensuring the secure operations of your services. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vulnerability_management/vuln_management_rules[Learn more about policy enforcement].
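Review bot: "findings that are migrated through other controls" should be "mitigated through other controls". "Enforce your organization’s vulnerability and compliance policies ensuring the secure operations of your services" needs rephrasing ("...policies to ensure the secure operation of your services") and largely repeats the bullet's first sentence; consider dropping it.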