1. Overview

This article describes the key differences between Compute in Prisma Cloud Enterprise Edition and Prisma Cloud Compute Edition. Use this guide to determine which option is right for you.

pcee vs pcce overview

2. How is Compute delivered?

Compute is delivered in one of two packages:

  • Prisma Cloud Enterprise Edition (SaaS) — Single pane of glass for both CSPM (Cloud Security Posture Management) & CWPP (Cloud Workload Protection Platform). Compute (formerly Twistlock, a CWPP solution) is delivered as part of the larger Prisma Cloud system. Palo Alto Networks runs, manages, and updates Compute Console for you. You deploy and manage Defenders in your environment. You access the Compute Console from a tab within the Prisma Cloud user interface.

  • Prisma Cloud Compute Edition (self-hosted) — Stand-alone, self-operated version of Compute (formerly Twistlock). Download the entire software suite, and run it in any environment. You deploy and manage both Console and Defenders.

3. What are the similarities between editions?

Both Enterprise Edition (SaaS) and Compute Edition (self-hosted) are built on the same source base. The Console container image we run for you in Enterprise Edition is the exact same container image we give to you in Compute Edition to run in your environment. We are committed to supporting and developing both versions without any feature divergence.

4. When should you use Enterprise Edition?

Prisma Cloud Enterprise Edition is a good choice when:

  • You want a single platform that protects both the service plane (public cloud resource configuration) and the compute plane.

  • You want convenience. We manage your Console for you. We update it for you. You get a 99.9% uptime SLA.

5. When should you use Compute Edition?

Prisma Cloud Compute Edition is a good choice when:

  • You want full control over your data.

  • You’re operating in an air-gapped environment.

  • You want to implement enterprise-grade multi-tenancy with one Console per tenant. For multi-tenancy, Compute Edition offers a feature called Projects.

6. What advantages does Prisma Cloud Enterprise Edition offer over Compute Edition?

When the Prisma Cloud CSPM and CWPP tools work together, Palo Alto Networks can offer economies of scale by sharing data (so called "data overlays"). The Prisma Cloud CSPM tool has always offered the ability to integrate with third party scanners, such as Tenable, to supplement configuration assessments with host vulnerability data. Starting with the Nov 2019 release of Enterprise Edition, the CSPM tool can utilize the host vulnerability data Compute Defender collects as part of its regular scans. Customers that have already licensed one workload for a host can leverage that single workload for configuration assessments by the CSPM tool, host vulnerability scanning (via Compute Defender), and host runtime protection (via Compute Defender).

Customers can expect additional "data overlays" in future releases, including better ways to gauge security posture with combined dashboards.

7. What are the differences between Prisma Cloud Enterprise Edition and Compute Edition?

There are a handful of differences between Enterprise Edition and Compute Edition. Consider these differences when deciding which edition is right for you.

Projects:

There is no support for Compute Projects in the Prisma Cloud Enterprise Edition (PCEE). However, Enterprise Edition (EE) does offer alternatives that support Project’s primary use cases. The common use cases for Projects are:

  • Isolation: Each team has a dedicated Console so that other teams can’t see each other’s data. Prisma Cloud EE supports isolation with multiple Prisma Cloud tenants, one per team, with one Compute Console per tenant. Within a single PCEE tenant, Compute Console also offers isolation to data access based on cloud account filtering. Contact Customer Success to create multiple tenants. Note that the license count shown in the Prisma Cloud UI is per tenant, not the aggregate across multiple tenants. If you want to control customer tenant deployments yourself, use Compute Edition.

  • Centralized policies in scale Projects. A central Compute Console pushes the same set of policies to all sub-Consoles. This setup isn’t supported in Prisma Cloud EE. If you need it, use Compute Edition.

  • Scale. Visibility from more than 5k Defenders in a single Compute Console. Compute supports 5K Defenders per Compute Console. Future releases will support more. If you need more Defender support, Prisma Cloud EE supports scale with multiple Prisma Cloud tenants, one per team, with one Compute Console per tenant. However, if you need to see all data in all tenants in a single Console, use Compute Edition.

Syslog:

  • Prisma Cloud Enterprise Edition Consoles do not emit syslog events for customer consumption. Since we operate the Console service for you, we monitor Console on your behalf.

  • Prisma Cloud Enterprise Edition Defenders still emit syslog events that you can ingest. Syslog messages from Defender cover runtime and firewall events. For more details, see the article on logging.

User management:

  • In Prisma Cloud Enterprise Edition, user and group management, as well as auth, is handled by the outer Prisma Cloud app in Enterprise Edition.

  • As such, Compute Console in SaaS mode disables AD, OpenLDAP, and SAML integration in the Compute tab.

RBAC:

  • In Prisma Cloud Enterprise Edition, you can assign roles to users to control their level of access to Prisma Cloud. These roles are mapped to Compute roles internally.

  • With this integration, users can scope what Prisma Cloud users can see in the Compute tab by cloud account.

  • For the CI/CD use case (i.e. using the Jenkins plugin or twistcli to scan images in the CI/CD pipeline), there’s a new permission group called "Build and Deploy Security". For more information about user role mapping in Prisma Cloud Enterprise Edition, see Prisma Cloud User Roles

Assigned Collections:

  • Enforcing views of resource subsets for read-only users, as defined by filters (collections), is controlled by the cloud accounts assigned to users in Prisma Cloud. Manual collection assignment is not supported in PCEE.

8. How do Defender upgrades work?

Upgrades work a little differently in each edition.

  • Prisma Cloud Enterprise Edition (SaaS) — When an upgrade is available, a button appears in the Compute UI. When you click it, your tenant’s version of Console is upgraded. The process takes about 10 seconds. After Console is upgraded, you must take action to manually upgrade all of your deployed Defenders.

    To minimize the manual effort required to maintain PCEE, the 20.04 release added support for automatically upgrading deployed Defenders Starting in June 2020, Palo Alto Networks will start automatically upgrading PCEE Compute Consoles.

With the introduction of the Defender auto-upgrade feature in 20.04, Palo Alto Networks will start automatically upgrading PCEE Compute Consoles in June, 2020. to avoid manual efforts in Console management.

  • Prisma Cloud Compute Edition (self-hosted) — You fully control the upgrade process. When an upgrade is available, customers are notified via the bell icon in Console. Clicking on it directs you to the latest software download. Deploy the new version of Console first, then manually upgrade all of your deployed Defenders.

After fully upgrading to Compute 20.04 (both Console and Defenders), you’ll no longer need to manually upgrade Defenders. For all subsequent upgrades, Compute Console will manage Defender upgrades for you. The Prisma Cloud Compute architecture now supports automatic in-place upgrades of Defender (no manual operator intervention or redeployment is required). Automatic Defender upgrades are triggered as soon as Console is upgraded. The auto-upgrade mechanism is enabled by default, but it can be disabled if you want more control over the upgrade process.

You must still manually upgrade App-Embedded Defenders.

9. Can you migrate from Compute Edition to Enterprise Edition (SaaS)?

We are working on an automated migration plan. In the meantime, if you have an Enterprise Edition license, you can still manually export policies from your self-hosted Console and import them into the SaaS Console. Then redeploy your Defenders and CI plugins to point to the SaaS Console, and start using the new SaaS Console. If you have any questions, contact the Customer Success team for assistance.

To be clear, no one will be forced to migrate from Compute Edition to SaaS. Compute Edition will always be available for customers that choose to download and run the software themselves, anywhere. Compute and SaaS literally run the exact same bits, so customers have the flexibility to decide which deployment option makes sense for them.

10. Summary

The following table summarizes the key differences between Enterprise Edition (SaaS) and Compute Edition (self-hosted). For gaps, we provide a date we intend to deliver a solution.

Capability Notes Delivery Date

Projects

If you need Projects, use Compute Edition. Projects will not be ported to Prisma Cloud Enterprise Edition.

-

Syslog

Collecting customer requirements

TBD

User management

There’s no gap in functionality. No work to be done.

-

RBAC

Available via role mapping in Prisma Cloud Enterprise Edition. No work to be done.

-

Assigned collections

Available via role mapping in Prisma Cloud Enterprise Edition. No work to be done.

-

Defender auto upgrade

Available as an option. No work to be done.

-

Compute Edition to Enterprise Edition migration

In planning. This page will be updated when there’s a date to share.

TBD