1. Overview

This article describes the key differences between Compute in Prisma Cloud Enterprise Edition and Prisma Cloud Compute Edition. Use this guide to determine which option is right for you.

pcee vs pcce overview

2. How is Compute delivered?

Compute is delivered in one of two packages:

  • Prisma Cloud Enterprise Edition (SaaS) — Single pane of glass for both CSPM (Cloud Security Posture Management) & CWPP (Cloud Workload Protection Platform). Compute (formerly Twistlock, a CWPP solution) is delivered as part of the larger Prisma Cloud system. Palo Alto Networks runs, manages, and updates Compute Console for you. You deploy and manage Defenders in your environment. You access the Compute Console from a tab within the Prisma Cloud user interface.

  • Prisma Cloud Compute Edition (self-hosted) — Stand-alone, self-operated version of Compute (formerly Twistlock). Download the entire software suite, and run it in any environment. You deploy and manage both Console and Defenders.

3. What are the similarities between editions?

Both Enterprise Edition (SaaS) and Compute Edition (self-hosted) are built on the same source base. The Console container image we run for you in Enterprise Edition is the exact same container image we give to you in Compute Edition to run in your environment. We are committed to supporting and developing both versions without any feature divergence.

4. When should you use Enterprise Edition?

Prisma Cloud Enterprise Edition is a good choice when:

  • You want a single platform that protects both the service plane (public cloud resource configuration) and the compute plane.

  • You want convenience. We manage your Console for you. We update it for you. You get a 99.9% uptime SLA.

5. When should you use Compute Edition?

Prisma Cloud Compute Edition is a good choice when:

  • You want full control over your data.

  • You’re operating in an air-gapped environment.

  • You want to implement enterprise-grade multi-tenancy with one Console per tenant. For multi-tenancy, Compute Edition offers a feature called Projects.

6. What advantages does Prisma Cloud Enterprise Edition offer over Compute Edition?

When the Prisma Cloud CSPM and CWPP tools work together, Palo Alto Networks can offer economies of scale by sharing data (so called "data overlays"). The Prisma Cloud CSPM tool has always offered the ability to integrate with third party scanners, such as Tenable, to supplement configuration assessments with host vulnerability data. Starting with the Nov 2019 release of Enterprise Edition, the CSPM tool can utilize the host vulnerability data Compute Defender collects as part of its regular scans. Customers that have already licensed one workload for a host can leverage that single workload for configuration assessments by the CSPM tool, host vulnerability scanning (via Compute Defender), and host runtime protection (via Compute Defender).

Customers can expect additional "data overlays" in future releases, including better ways to gauge security posture with combined dashboards.

7. What are the differences between Prisma Cloud Enterprise Edition and Compute Edition?

There are a handful of differences between Enterprise Edition and Compute Edition. Consider these differences when deciding which edition is right for you.

Projects:

There is no support for Compute projects in the Prisma Cloud Enterprise Edition (PCEE). However, Enterprise Edition (EE) does offer alternatives that support Project’s primary use cases.

The use case for projects is isolation, where each team has a dedicated Console so that other teams can’t see each other’s data. Prisma Cloud EE supports isolation with multiple independent Prisma Cloud tenants, one per team, with one Compute Console per tenant. Within a single PCEE tenant, Compute Console also offers isolation to data access based on cloud account filtering.

Contact Customer Success to create multiple tenants. Note that the license count shown in the Prisma Cloud UI is per tenant, not the aggregate across multiple tenants.

If you want to control tenant deployments yourself, use Compute Edition.

Syslog:

  • Prisma Cloud Enterprise Edition Consoles do not emit syslog events for customer consumption. Since we operate the Console service for you, we monitor Console on your behalf.

  • Prisma Cloud Enterprise Edition Defenders still emit syslog events that you can ingest. Syslog messages from Defender cover runtime and firewall events. For more details, see the article on logging.

User management:

  • In Prisma Cloud Enterprise Edition, user and group management, as well as auth, is handled by the outer Prisma Cloud app in Enterprise Edition.

  • As such, Compute Console in SaaS mode disables AD, OpenLDAP, and SAML integration in the Compute tab.

RBAC:

  • In Prisma Cloud Enterprise Edition, you can assign roles to users to control their level of access to Prisma Cloud. These roles are mapped to Compute roles internally.

  • With this integration, users can scope what Prisma Cloud users can see in the Compute tab by cloud account.

  • For the CI/CD use case (i.e. using the Jenkins plugin or twistcli to scan images in the CI/CD pipeline), there’s a new permission group called "Build and Deploy Security". For more information about user role mapping in Prisma Cloud Enterprise Edition, see Prisma Cloud User Roles

Assigned Collections:

  • Enforcing views of resource subsets for read-only users, as defined by filters (collections), is controlled by the cloud accounts assigned to users in Prisma Cloud. Manual collection assignment is not supported in PCEE.

8. How do Defender upgrades work?

Upgrades work a little differently in each edition.

  • Prisma Cloud Enterprise Edition (SaaS) — Consoles are automatically upgraded by PANW with notification posted in our status page atleast 2 weeks in advance of upgrade. For more details, please refer to this article: https://docs.twistlock.com/docs/enterprise_edition/upgrade/upgrade_process_saas.html Auto-upgrade function for Defenders is always turned ON ensuring that Defenders stay compatible with Console in each release.

  • Prisma Cloud Compute Edition (self-hosted) — You fully control the upgrade process. When an upgrade is available, customers are notified via the bell icon in Console. Clicking on it directs you to the latest software download. Deploy the new version of Console first, then manually upgrade all of your deployed Defenders.

9. Can you migrate from Compute Edition to Enterprise Edition (SaaS)?

Yes. You would need to work with you Customer Success team to perform a backup restore from your On-prem Console to SaaS Console. Then redeploy your Defenders and CI plugins to point to the SaaS Console, and start using the new SaaS Console.

10. Summary

The following table summarizes the key differences between Enterprise Edition (SaaS) and Compute Edition (self-hosted). For gaps, we provide a date we intend to deliver a solution.

Capability Compute SaaS support

Projects

If you need Projects, use Compute Edition. Projects will not be ported to Prisma Cloud Enterprise Edition.

Syslog

Supported for Defenders only.

User management

Available centrally in the platform for Prisma Cloud Enterprise Edition.

Assigned collections

Coming in 1H21 for Read-Only users

Defender auto upgrade

Always ON.

Compute Edition to Enterprise Edition migration

Available - Must go through Customer Success team.