Microsoft announced this week that the Azure Security Center management portal now works with the Azure Kubernetes Service (AKS) to ensure the security of Docker containers running on Linux systems or virtual machines.
Containers are an operating system virtualization approach, developed by Docker, that is advantageous for hosted applications because it removes the possibility of application and configuration conflicts. AKS is Microsoft’s service for container orchestration on datacenter clusters, based on the Google-fostered Kubernetes datacenter solution. Azure Security Center is a software dashboard for monitoring the security of public cloud services, on-premises workloads and so-called “hybrid” or mixed scenarios.
Container security might not be top of mind for organizations, but Microsoft contends that “defending the attack surfaces of a containerized application requires expertise to ensuring the infrastructure is configured securely and constantly monitored for potential threats.”
To that end, Azure Security Center offers runtime protection for containers, vulnerability management and environmental hardening, according to a Microsoft document on “Container Security in Security Center.”
Containers get scanned for vulnerabilities using Qualys’ scanning service. The scan runs when a new container image gets pushed: the images are run and scanned in an “isolated sandbox.”
“When a new image is pushed, Security Center scans the image using a scanner from the industry-leading vulnerability scanning vendor, Qualys,” the “Container Security” document explained.
The Azure Security Center also checks the configuration of containers by comparing them against the “Center for Internet Security (CIS) Docker Benchmark.” However, these benchmark checks “will not run on AKS-managed instances or Databricks-managed VMs,” Microsoft explained in a footnote.
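The benchmark comparison described above is a set of configuration checks applied to each running container. The following added example (not Microsoft’s, Qualys’ or CIS’s code) shows what a handful of CIS Docker Benchmark-style checks look like in practice: it reads container configuration in the shape produced by `docker inspect` (the `HostConfig` and `Config` fields used here are real ones) and reports hardening gaps. The check identifiers and severities are hypothetical, not CIS section numbers, and the sample containers are constructed inline so the script runs offline.

```python
"""Hypothetical CIS Docker Benchmark-style configuration checker.

Not Azure Security Center's implementation; it illustrates the kind of
runtime-configuration rules the benchmark codifies. Input dictionaries mirror
the JSON that `docker inspect <container>` emits.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # hypothetical short identifier, not CIS numbering
    severity: str   # "high" or "medium"
    message: str


def _strip_cap_prefix(name: str) -> str:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def check_container(container: dict) -> list:
    """Return the list of Findings for one container's inspect record."""
    hc = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []

    # Privileged containers get every capability and raw device access.
    if hc.get("Privileged"):
        findings.append(Finding("no-privileged", "high",
                                "container runs with --privileged"))

    # An empty User means processes run as UID 0 inside the container.
    user = (cfg.get("User") or "").strip()
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append(Finding("non-root-user", "high",
                                "no non-root user configured; runs as root"))

    # A writable root filesystem lets a compromised process persist changes.
    if not hc.get("ReadonlyRootfs"):
        findings.append(Finding("readonly-rootfs", "medium",
                                "root filesystem is writable"))

    # Sharing the host network namespace exposes host interfaces and ports.
    if hc.get("NetworkMode") == "host":
        findings.append(Finding("no-host-network", "high",
                                "host network namespace is shared"))

    # Sharing the host PID namespace lets the container see host processes.
    if hc.get("PidMode") == "host":
        findings.append(Finding("no-host-pid", "high",
                                "host PID namespace is shared"))

    # Capabilities that amount to root on the host when added.
    dangerous = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
    added = {_strip_cap_prefix(c) for c in (hc.get("CapAdd") or [])}
    risky = sorted(added & dangerous)
    if risky:
        findings.append(Finding("no-dangerous-caps", "high",
                                "dangerous capabilities added: " + ", ".join(risky)))
    return findings


def summarize(containers: list) -> dict:
    """Map container name -> list of failed check identifiers."""
    return {c.get("Name", "?").lstrip("/"): [f.check for f in check_container(c)]
            for c in containers}


# Constructed sample records (trimmed to the fields the checks read).
SAMPLE_CONTAINERS = [
    {"Name": "/api-hardened",
     "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "NetworkMode": "bridge", "CapAdd": None}},
    {"Name": "/legacy-agent",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                    "NetworkMode": "host",
                    "CapAdd": ["SYS_ADMIN", "NET_BIND_SERVICE"]}},
    {"Name": "/metrics",
     "Config": {"User": "1000"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "NetworkMode": "host", "CapAdd": []}},
]

if __name__ == "__main__":
    for name, failed in summarize(SAMPLE_CONTAINERS).items():
        print(f"{name}: {'OK' if not failed else ', '.join(failed)}")
```

Running the script prints one line per container; the hardened record passes cleanly while the legacy one fails five checks. In a real deployment the input would come from the container runtime or the orchestrator rather than an inline list, and each failed check would map to a benchmark recommendation rather than a hypothetical identifier.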
To use Azure Security Center for AKS-managed containers, organizations will need to have the “Standard Tier” Azure Security Center licensing, which adds vulnerability scanning.
Users of the integrated solution get both container hosting alerts and AKS alerts in Azure Security Center. More details are available on the landing page for Microsoft’s “Azure Kubernetes Services Integration with Security Center” document.