Comparing Container Image Scanning Solutions based on APRA regulatory requirements

Container image scanning is crucial for identifying vulnerabilities and ensuring the security of containerised applications. This blog compares three prominent solutions: AWS inbuilt services (including AWS Config, AWS Step Functions, AWS CloudWatch, ECR, and AWS Security Hub), Prisma Cloud, and Sysdig. We will evaluate these solutions, giving significant weight to their alignment with the stringent APRA regulatory requirements and costs, pros, cons, and use-case scenarios. 

APRA Regulatory Requirements

Before diving into the comparing container scanning solutions, let’s understand why financial institutes are considering compliance of their AWS infrastructure with Australian Prudential Regulation Authority (APRA). 

The APRA requires organisations to manage information security risks and ensure adequate security controls. This involves identifying and managing vulnerabilities in software and maintaining robust security measures, including: 

  1. Regular Vulnerability Assessments: Regular scanning and assessment of vulnerabilities in all systems. 
  2. Incident Response: Capabilities to detect, respond, and recover from security incidents. 
  3. CIS Docker Benchmarks: The Centre for Internet Security (CIS) Docker Benchmarks provide a set of best practices for securing Docker containers. These benchmarks help organisations ensure that their Docker containers are configured securely to protect against vulnerabilities and attacks. The key areas covered by the CIS Docker Benchmarks include:
    1. Container Runtime Security: Ensuring the Docker daemon and containers are configured securely.
    2. Container Images: Using secure, verified, and up-to-date images.
    3. Container Lifecycle Management: Best practices for the entire container lifecycle, from development to decommissioning.
    4. Network Configuration: Securely configuring network settings to protect containers from unauthorised access. 
  4. CPS 234: CPS 234, or Prudential Standard CPS 234, is an APRA regulation focused on information security. It aims to ensure that APRA-regulated entities take measures to protect their information assets and critical systems from cyber threats. Essential requirements of CPS 234 include: 
    1. Information Security Capability: Ensuring that entities maintain information security capabilities commensurate with the size and extent of threats to their information assets. 
    2. Implementation of Controls: Establishing and maintaining controls to protect information assets. 
    3. Incident Management: Effective management of information security incidents, including timely notification to APRA. 
    4. Testing and Assurance: Regular testing and assurance activities to evaluate the effectiveness of information security controls. 
    5. Service Provider Management: Ensuring service providers adhere to the same security standards. 

Compare Container image scanning solutions

In the blog, we discuss three solutions from AWS inbuilt solution, Prisma Cloud from Pala Alto Networks, and Sysdig: 

1. AWS Container Image Scanning Solutions

AWS services are designed to meet APRA’s stringent requirements. Integrated tools like AWS Config for compliance monitoring and Amazon ECR’s inbuilt automated scanning of container images ensure that all photos are free from known vulnerabilities, thereby maintaining compliance. 

AWS offers a comprehensive suite of tools for container image scanning:
  1. Amazon Elastic Container Registry (ECR)
    1. Image Scanning: When pushed to the registry or on-demand via API, container images are automatically scanned for vulnerabilities using integrated scanners.
    2. Integration: ECR integrates seamlessly with other AWS services like AWS Security Hub, AWS CloudWatch, and AWS Lambda for automated responses and alerts (Image Scanning for Amazon ECR). 
  2. AWS Security Hub 
    1. Centralised Management: This feature aggregates security findings from ECR, Inspector, and other AWS services, providing a unified dashboard for monitoring and compliance (Automating image compliance for Amazon ECS and Amazon EKS using Amazon Elastic Container Registry (ECR) and AWS Security Hub). 

For more information, visit: 

Costs:

The costs for AWS inbuilt services depend on the specific services and their usage. Usually it is pay-as-you-go approach for pricing. Here is an estimated breakdown that includes Amazon Inspector costs, ECR costs, CloudWatch costs, and AWS Config costs, giving you a comprehensive view of the financial implications: 

  1. Small to Medium Enterprises (SMEs): Minimal additional costs if already using AWS. 
    1. Small Organisation: Approximately $200 – $500 per month
    2. Medium Organisation: Approximately $1,000 – $2,500 per month 
  2. Large Organisations: Scales with usage are potentially high for extensive environments but offset by integrated management capabilities. 
    1. Large Organisation: Approximately $5,000 – $10,000 per month 
APRA Compliance with AWS Services:
  1. AWS Security Hub: Centralised monitoring and reporting aid in compliance. 
  2. Amazon Inspector: Regular vulnerability assessments integrated into CI/CD pipelines. 
When to use AWS Inbuilt Solutions for Container Image Scanning Solutions:
  1. AWS Ecosystems: This solution is ideal for organisations already heavily invested in the AWS ecosystem looking for tightly integrated security and compliance solutions. It is also suitable for businesses of all sizes, especially those that need scalability and seamless integration with AWS services. 
  1. Existing AWS Users: Organisations heavily invested in AWS infrastructure will benefit from integrated services. 
  1. Cost-Conscious SMEs: SMEs already using AWS can leverage these tools with minimal additional cost.

2. Prisma Cloud by Palo Alto Networks

Prisma Cloud by Palo Alto Networks offers a robust security platform for containerised applications: 

  1. Comprehensive Coverage
    1. Vulnerability Management: Scans container images in registries, during CI/CD processes, and running containers.
    2. Runtime Protection: Monitors and protects running containers against threats. 
  2. Integration and Compliance 
    1. Multi-Cloud Support: Supports AWS, Azure, Google Cloud, and on-premises environments. 
    2. Compliance: Provide detailed compliance reports and continuous monitoring to help meet various regulatory requirements, such as PCI-DSS, GDPR, and APRA. 
Costs:

Prisma Cloud’s pricing is subscription-based and varies based on the number of workloads and features required. Prisma Cloud offers tiered pricing based on the number of assets and environments monitored: 

  1. Small to Medium Enterprises (SMEs): Higher initial costs but offer comprehensive security features.
    1. Small Organisation: Approximately $300 – $600 per month
    2. Medium Organisation: Approximately $2,000 – $4,000 per month 
  1. Large Organisations: Cost-effective for extensive, multi-cloud environments needing advanced security and compliance features. 
    1. Large Organisation: Approximately $10,000 – $20,000 per month 

Note: The above pricing numbers are just an assumption. For detailed quote, we must request Prisma Cloud for Licence pricing. 

For detailed pricing, visit: 

APRA Compliance with Prisma Cloud by Palo Alto Networks:
  1. Continuous Monitoring: Provides detailed compliance reports and real-time monitoring, ensuring adherence to APRA requirements. 
When to Use Prisma Cloud by Palo Alto Networks for Container Image Scanning Solutions:

This is best for organisations that require comprehensive security across multiple cloud environments. It is also ideal for medium to large enterprises that need detailed compliance reporting and robust security features. 

  1. Multi-Cloud Environments: Organisations operating across multiple cloud providers. 
  2. Advanced Security Needs: Enterprises requiring deep visibility and advanced security features. 

3. Sysdig

Sysdig Secure offers detailed compliance dashboards and automated checks against regulatory frameworks like APRA. Its deep visibility into container activity helps maintain compliance by identifying and managing real-time vulnerabilities. 

Sysdig provides container security with a focus on runtime protection and visibility: 

  1. Vulnerability Management
    1. Image Scanning: Scans container images in registries and during CI/CD processes for vulnerabilities.
    2. Runtime Security: Monitors and secures running containers, detecting and responding to real-time threats. 
  2. Integration and Compliance
    1. Multi-Cloud Integration: Compatible with AWS, Azure, Google Cloud, and on-premises environments.
    2. Compliance: Provides tools and reports to help meet compliance requirements like PCI-DSS, GDPR, and APRA.

For more information, visit: 

Costs

Sysdig Secure follows a similar subscription model, with costs depending on the number of nodes and the level of monitoring. Sysdig provides pricing based on the number of nodes, with additional costs for premium features: 

  1. Small to Medium Enterprises (SMEs): Higher costs may be prohibitive, but they offer robust security features.
    1. Small Organisation: Approximately $250 – $500 per month
    2. Medium Organisation: Approximately $1,500 – $3,000 per month 
  1. Large Organisations: Cost-effective for organisations requiring advanced runtime security and compliance across multi-cloud environments.
    1. Large Organisation: Approximately $8,000 – $15,000 per month 

Note: The above pricing numbers are just an assumption. For detailed quote, we must request sysdig for a price quote.

For detailed pricing, visit: 

APRA Compliance with Sysdig:
  1. Comprehensive Reporting: Offers compliance reporting and monitoring for regulatory requirements. 
APRA Compliance with Sysdig:

Suitable for organisations needing deep visibility and real-time monitoring of containerised applications. Excellent for companies focusing on container security with a need for detailed insights and compliance management. 

  1. Focus on Runtime Security: Businesses need robust protection and monitoring of running containers. 
  2. Flexible Deployment: Suitable for organisations with diverse cloud and on-premises environments. 

Comparison of Container Image Scanning Solutions

 

Feature 

AWS Container Image Scanning Solutions 

Prisma Cloud by Palo Alto Networks 

Sysdig 

Integrated Ecosystem 

Native integration with AWS services 

Comprehensive security across multiple environments (cloud, on-prem, hybrid) 

Deep visibility into runtime security across multiple environments (cloud, on-prem, hybrid) 

Automation 

Automated scanning during image build and deployment 

Automated anomaly detection 

 

Automation support focuses on Kubernetes and containers 

CI/CD 

Seamless CI/CD pipeline integration with AWS Developer Tools 

Integrates with a variety of CI/CD tools  

 

 

Integrates with a variety of CI/CD tools 

 

Complexity 

– Primarily focused on AWS environments. Hence simple to setup and manage 

 

– Limited support for non-AWS environments 

The steeper learning curve for new users 

 

– Can be complex to set up and manage 

 

– Requires significant resources for full deployment 

Cost 

– Leveraging existing AWS services can reduce additional costs 

 

– Pay-as-you-go pricing model 

 

Higher cost compared to AWS 

– This can be expensive, particularly for smaller organisations.  

 

– It can be costly for large deployments. 

 

– Cost can escalate with additional features 

Target Customers

AWS Container Image Scanning Solutions:
  • Small to Medium-Sized Businesses: This option is ideal for businesses that primarily use AWS services and seek a native, integrated solution for their container image scanning needs. 
  • Startups: Those leveraging AWS for rapid development and deployment will find the seamless integration with AWS’s CI/CD pipeline and other services to be a significant facilitator in their operations. 
Prisma Cloud by Palo Alto Networks:
  • Large Enterprises: Prisma Cloud by Palo Alto Networks is a solution that provides comprehensive security coverage, reassuring large organisations with complex, multi-cloud and hybrid environments. 
  • Security-Focused Businesses: Prisma Cloud by Palo Alto Networks is designed for organisations that need advanced threat intelligence, compliance, and governance features, providing a high level of security and peace of mind. 
Sysdig:
  • Medium to Large Enterprises: Companies with substantial containerised environments need deep visibility and runtime security. 
  • DevOps-Centric Organisations: Businesses with strong DevOps practices seek integrated monitoring and security across their container and Kubernetes deployments. 
  • Open-Source Enthusiasts: Companies that value open-source solutions require the flexibility and community support offered by Sysdig’s open-source core. 

Conclusion

Choosing the right container image scanning solution depends on your organisation’s specific needs, existing infrastructure, and budget. AWS inbuilt services offer seamless integration and scalability for AWS-centric environments. Prisma Cloud provides extensive security features and multi-cloud support, making it ideal for complex environments. Sysdig offers deep visibility and real-time monitoring, which is perfect for organisations focusing on container security. 

Each solution has strengths and weaknesses; the right choice will depend on your unique requirements and constraints. To make an informed decision, evaluate each solution based on your specific use case.  

For example, assuming all our assets and resources are within AWS ecosystems: 

Choosing Prisma Cloud would not be the right fit. Since Prisma Cloud enforces several policies for AWS cloud resources (most of these policies and rules are like rebuilding some of the available rules within AWS Config or adding new policies). Those policies are monitored, and tickets and alerts are created if any are violated. We have a similar architecture to AWS that complies with Cloud Security Posture Management (CSPM): 

  • Monitor posture. 
  • Detect and respond to threats. 
  • Maintain compliance across public clouds. 
 

We can continuously monitor existing containers and automate these with the incident response of AWS Config, Security Hub, and SSM Document automation. AWS solutions would be the right fit if our scope is only within AWS ecosystems. 

Additional Resources

Enjoyed this blog?

Share it with your network!

Move faster with confidence