How to increase the security of container-based application architectures

Modern applications based on microservices are increasingly widespread and containers are an interesting building block for the creation of agile application architectures, scalable and efficient. Microservices offer great benefits, thanks to the presence of well-known and proven software design models that can be applied, but they also generate new challenges. One of these is certainly linked to the security of these architectures, which require the adoption of cutting-edge solutions to achieve a high level of protection. In this article is reported as the cloud-native solution for container security, called Microsoft Defender for Containers, is able to guarantee the protection of container-based application architectures, offering advanced capabilities for detecting and responding to security threats.

Functionality offered by the solution

Thanks to Microsoft Defender for Containers it is possible to improve, monitor and maintain the security of clusters, of containers and related applications. Indeed, this plan allows you to obtain the following benefits:

  • Hardening of the environment
  • Vulnerability Scanning
  • Run-time threat protection for the cluster environment and for the nodes

The benefits listed above are detailed in the following paragraphs.

Hardening of the environment

Through a continuous assessment of cluster environments, Defender for Containers provides complete visibility into any misconfigurations and compliance with guidelines. By generating recommendations it helps mitigate potential security threats.

Furthermore, thanks to the use of Kubernetes admission control it is possible ensure that all configurations are done in accordance with security best practices. Indeed, adopting the Azure Policy for Kubernetes you have a bundle of useful recommendations to protect the Kubernetes container workloads. By default, enabling Defender for Containers, these policies are automatically provisioned. In this way, every request to the Kubernetes API server will be monitored against the predefined set of best practices, before being made effective on the cluster environment. You can therefore use this method to apply best practices and enforce them for new workloads that will be activated.

Vulnerability Scanning

Defender for Containers includes an integrated vulnerability scanner for analyzing the images present in Azure Container Registry (ACR). Defender for Containers includes an integrated vulnerability scanner for analyzing the images present in:

  • In case of push: each time an image is sent to the ACR, scan is automatically performed.
  • In case of recent extraction: because new vulnerabilities are discovered every day, comes analyzes, on a weekly basis, Defender for Containers includes an integrated vulnerability scanner for analyzing the images present in 30 days.
  • When importing: Azure Container Registry has import tools to merge images from Docker Hub into it, Microsoft Container Registry or other ACR. All imported images are readily analyzed by the solution.

If vulnerabilities are detected, a notification will be generated in the Microsoft Defender for Cloud dashboard. This alert will be accompanied by a severity classification and practical guidance on how to correct the specific vulnerabilities found in each image.

Furthermore, Defender for Containers expands these scanning capabilities by introducing the ability to get visibility into running images. Through the new recommendation, called “Vulnerabilities in running images should be remediated (powered by Qualys)", groups running images that have vulnerabilities, providing details on the problems found and how to fix them.

Run-time threat protection for the cluster environment and for the nodes

Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts if threats or malicious activity are detected, both at the host level and at the AKS cluster level.

Protection from security threats occurs at several levels:

  • Cluster level: at the cluster level, threat protection is based on the analysis of Kubernetes audit logs. It is a monitor that allows you to generate alerts, monitoring AKS managed services, such as the presence of exposed Kubernetes dashboards and the creation of roles with elevated privileges. To see the complete list of alerts generated by this protection, you can access this link.
  • Host level: with over sixty types of analyzes, through artificial intelligence algorithms and with the detection of anomalies on running workloads, the solution is able to detect suspicious activities. A team of Microsoft security researchers constantly monitors the threat landscape and container-specific alerts and vulnerabilities are added as they are discovered. Furthermore, this solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the matrix MITRE ATT&CK for container, a framework developed by the Center for Threat-Informed Defense in close collaboration with Microsoft and others.

The complete list of alerts that can be obtained by enabling this protection can be consulted in this document.

Architectures for the different Kubernetes environments

Defender for Containers can protect Kubernetes clusters regardless of whether they are running on Azure Kubernetes Service, Kubernetes on-premise / IaaS oppure Amazon EKS.

Azure Kubernetes Service (AKS) Cluster

When enabling Defender for Cloud for clusters activated through Azure Kubernetes Service (AKS), audit log collection takes place without having to install agents. The Defender profile, distributed on each node, provides runtime protection and collects signals from nodes using the eBPF technology. The Azure Policy add-on for Kubernetes component collects cluster and workload configurations, as explained in the previous paragraphs.

Figure 1 - Defender for Cloud architecture for AKS clusters

Azure Arc-enabled Kubernetes

For all clusters hosted outside Azure it is necessary to adopt the Azure Arc-enabled Kubernetes solution to connect the clusters to Azure and provide the related services, come Defender for Containers. By connecting Kubernetes clusters to Azure, an Arc extension collects Kubernetes audit logs from all cluster control plane nodes and sends them in the cloud to the back-end of Microsoft Defender for Cloud for further analysis. The extension is registered with a Log Analytics workspace used as a data pipeline, but the audit data is not stored in Log Analytics. Information about workload configurations is managed by the Azure Policy Add-on.

Figure 2 – Defender for Cloud architecture for Arc-enabled Kubernetes clusters

Amazon Elastic Kubernetes Service (Amazon EKS)

Also for this type of cluster, activated in the AWS environment, it is necessary to adopt Azure Arc-enabled Kubernetes to be able to project them in the Azure environment. Furthermore, you must connect the AWS account to Microsoft Defender for Cloud. Plans needed are Defender for Containers and CSPM (for the configuration monitor and for recommendations).

A cluster based on EKS, Arc and the Defender extension are the components needed for:

  • collect policy and configuration data from cluster nodes;
  • get runtime protection.

Azure Policy add-on for Kubernetes collects the configurations of the cluster environment and workloads to ensure that all configurations are respected. Furthermore, the AWS CloudWatch solution is used to collect log data from the Control plane.

Figure 3 – Defender for Cloud architecture for AWS EKS clusters

Solution upgrade and costs

This Microsoft Defender plan merges and replaces two existing plans, “Defend for Kubernetes” and “Defender for Container Registries“, providing new and improved features, without deprecating any of the features of those plans. Subscriptions on which previous plans have been activated do not need to be upgraded to the new plan Microsoft Defender for Containers. However, to take advantage of new and improved features, must be updated and to do so you can use the update icon displayed next to them in the Azure portal.

The activation of these protection plans are subject to specific costs that can be calculated using the tool Azure Pricing calculator. In particular, the cost of Microsoft Defender for Containers is calculated on the number of cores of the VMs that make up the AKS cluster. This price also includes 20 free scans for vCore, and the calculation will be based on the consumption of the previous month. Each additional scan has a charge, but most customers should not incur any additional cost for scanning images.

Conclusions

Microservices-based architectures allow you to easily scale and develop applications faster and easier, allowing to promote innovation and accelerate the time-to-market of new features. The presence of a solution such as Microsoft Defender for Containers is essential to enable an adequate level of protection with regards to security threats, more and more advanced to attack these types of application architectures.

Please follow and like us: