Implementing Vulnerability Management

This course focuses on implementing security controls, maintaining the security posture of an Azure environment, and protecting data, applications, and networks, showing you how to configure security for your containers and virtual machines.

The content of this course is ideally suited to those looking to become certified Azure security engineers.

For any feedback, queries, or suggestions relating to this course, please contact us at

Learning Objectives

  • Understand how to configure VM security including VM endpoints and system updates
  • Configure baselines
  • Understand key Azure networking components
  • Configure AKS security
  • Obtain a basic understanding of Azure Container Registry and how to create registries in Azure
  • Manage vulnerabilities in Azure

Intended Audience

This course is intended for people who want to become Microsoft certified Azure security engineers, or those who are tasked with implementing security controls, maintaining the security posture of an Azure environment, or protecting data, applications, and networks.


To get the most from this course, you should have a moderate understanding of Microsoft Azure and of basic security principles.


Hi there. Welcome to "Implementing Vulnerability Management." In this lecture, I want to talk a little bit about security measures that you can take to manage vulnerabilities.

To ensure effective vulnerability management, you need to secure and protect your container ecosystem, from build to run. You need to protect against vulnerabilities throughout the entire container lifecycle, from development to production deployment. You also need to ensure that you protect all container orchestrators, hosts, and platforms.

An effective vulnerability management plan that's implemented throughout the entire container development lifecycle makes it more likely that you'll be able to identify and resolve security concerns before they become a serious problem.

There are several steps you should take when implementing vulnerability management. These include scanning for vulnerabilities, mapping image vulnerabilities to running containers, and ensuring that only approved images are used in the environment. You also want to allow only approved registries and ensure the integrity of your images throughout the lifecycle.

Other steps that you can take to manage vulnerabilities include enforcing least privilege at runtime and removing unneeded privileges, which reduces the container attack surface. You can also whitelist the files and executables that each container is allowed to access or run.

Some other best practices for managing vulnerabilities include network segmentation of running containers and monitoring container activity, user access, and container resource activity. Logging container administrative access for auditing purposes is also, of course, a best practice.

Because new vulnerabilities are constantly being discovered, scanning for and identifying them needs to be performed on a continuous basis. That being the case, you really need to incorporate vulnerability scanning throughout the entire container lifecycle.

To ensure security issues can be more easily mitigated, you need to ensure that you're mapping vulnerabilities that are identified in container images to running containers.

Speaking of images, you need to ensure that you only allow approved container images. You need to have tools and processes in place that you can rely on to monitor for, and prevent, the use of unapproved container images. You can leverage image signing or fingerprinting to create a chain of custody that you can rely on to verify the integrity of your containers.

In addition to allowing only approved images, you should also use only approved container registries. This is important because requiring approved registries reduces exposure to risk by limiting the possibility of introducing unknown vulnerabilities or security issues.

Managing vulnerabilities throughout the container lifecycle requires you to ensure the integrity of your container images in the registry and whenever those images are altered or deployed.
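The last few paragraphs describe four checks that belong together: mapping scan findings onto the containers that are actually running, allowing only approved images, allowing only approved registries, and verifying image integrity by digest. The following Python script is an added example and is not part of this course or of any Azure tooling. It assumes the data shapes a practitioner would get from a cluster (the pod spec's image reference and the runtime-reported imageID that carries the resolved digest) and from a scanner (findings keyed by digest); the registry name, digests, CVE identifiers and container records are all constructed, and the approved-digest set stands in for whatever your image signing or fingerprinting process produces.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.
    Docker reference grammar: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise docker.io is implied."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:  # a ':' after the last '/' starts the tag
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        return ImageRef(parts[0], "/".join(parts[1:]), tag, digest)
    repository = ref if "/" in ref else f"library/{ref}"  # single-name images live under library/
    return ImageRef("docker.io", repository, tag, digest)


@dataclass(frozen=True)
class RunningContainer:
    namespace: str
    pod: str
    name: str
    image: str     # image reference as written in the pod spec
    image_id: str  # resolved image as reported by the runtime; carries the digest


def resolved_digest(image_id: str) -> Optional[str]:
    """Extract the sha256 digest from a runtime-reported imageID."""
    match = DIGEST_RE.search(image_id)
    return match.group(0) if match else None


def assess_running_containers(
    running: Iterable[RunningContainer],
    scan_report: Dict[str, List[Tuple[str, str]]],
    allowed_registries: Set[str],
    approved_digests: Set[str],
    min_severity: str = "HIGH",
) -> List[Tuple[str, str]]:
    """Map approval status and scan findings onto each running container.
    Returns sorted (namespace/pod/container, issue) pairs."""
    threshold = SEVERITY_RANK[min_severity]
    issues: List[Tuple[str, str]] = []
    for c in running:
        where = f"{c.namespace}/{c.pod}/{c.name}"
        spec = parse_image_ref(c.image)
        if spec.registry not in allowed_registries:
            issues.append((where, f"registry not approved: {spec.registry}"))
        if spec.digest is None:  # a tag can be re-pointed; a digest cannot
            issues.append((where, "image not pinned by digest"))
        digest = resolved_digest(c.image_id)
        if digest is None or digest not in approved_digests:
            issues.append((where, "running digest is not in the approved set"))
        if digest not in scan_report:  # running but never scanned is its own finding
            issues.append((where, "running image has no scan results"))
            continue
        serious = sorted(cve for cve, sev in scan_report[digest] if SEVERITY_RANK[sev] >= threshold)
        if serious:
            issues.append((where, f"{len(serious)} finding(s) at or above {min_severity}: {', '.join(serious)}"))
    return sorted(issues)


# Constructed sample data: not real digests, CVE ids, registry names or cluster output.
APP_DIGEST = "sha256:" + "a" * 64
OLD_DIGEST = "sha256:" + "b" * 64
UNKNOWN_DIGEST = "sha256:" + "c" * 64
SAMPLE_SCAN_REPORT = {
    APP_DIGEST: [("CVE-XXXX-0001", "LOW")],
    OLD_DIGEST: [("CVE-XXXX-0002", "CRITICAL"), ("CVE-XXXX-0003", "MEDIUM"), ("CVE-XXXX-0004", "HIGH")],
}
SAMPLE_RUNNING = [
    RunningContainer("prod", "web-1", "web", f"myacr.azurecr.io/web@{APP_DIGEST}", f"myacr.azurecr.io/web@{APP_DIGEST}"),
    RunningContainer("prod", "api-1", "api", "myacr.azurecr.io/api:1.4", f"docker-pullable://myacr.azurecr.io/api@{OLD_DIGEST}"),
    RunningContainer("dev", "tool-1", "tool", "nginx:latest", f"docker.io/library/nginx@{UNKNOWN_DIGEST}"),
]
ALLOWED_REGISTRIES = {"myacr.azurecr.io"}   # hypothetical ACR name
APPROVED_DIGESTS = {APP_DIGEST, OLD_DIGEST}  # stand-in for the signing/fingerprinting output
```

Running `assess_running_containers(SAMPLE_RUNNING, SAMPLE_SCAN_REPORT, ALLOWED_REGISTRIES, APPROVED_DIGESTS)` flags the `api` container for running an image with CRITICAL and HIGH findings and for being deployed by tag rather than digest, and flags the `tool` container for using an unapproved registry, an unapproved digest and an image that was never scanned. The `web` container passes: it is pinned by digest, the digest is approved, and its only finding is below the threshold. The check keys on the runtime-reported digest rather than the spec's tag on purpose, since a tag can point at a different image than the one that was scanned.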

The best way to do this is to periodically audit any images deployed in production to identify images that are out of date.

The concept of least privilege is a widely accepted security best practice that applies to all sorts of resources. It also applies to containers. Generally speaking, whenever a vulnerability is exploited, the attacker assumes access and privileges equal to those of the compromised application or process. By locking things down with least privilege, your containers will operate with the lowest privileges and access required to get the job done. This obviously limits exposure.

Removing unused and unneeded processes or privileges from the container runtime reduces the container attack surface.

To maintain a stable environment, you should ensure that your containers can access or run only pre-approved or whitelisted files and executables. Not only does this help you maintain a stable container environment, but it also limits your exposure to risk.
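In Kubernetes (including AKS), the least-privilege and attack-surface points above are expressed through the pod's securityContext. The following Python check is an added example, not part of this course or of any Azure or Kubernetes tooling. It lints a pod manifest in dict form (the shape `kubectl get pod -o json` returns) for the settings that matter: host namespaces, privileged mode, privilege escalation, running as root, a writable root filesystem, Linux capabilities and a seccomp profile. Allowlisting the specific files and executables a container may run is not something the pod spec itself expresses (that belongs to seccomp, AppArmor and similar runtime profiles), so the closest this check gets is requiring that a seccomp profile is set at all. Both manifests and the registry name are constructed.

```python
from typing import Any, Dict, List

SAFE_SECCOMP = ("RuntimeDefault", "Localhost")


def least_privilege_violations(pod: Dict[str, Any]) -> List[str]:
    """Return least-privilege violations found in a pod manifest (dict form).
    An empty list means the manifest passes every check."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems: List[str] = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):  # host namespaces break isolation
        if spec.get(flag):
            problems.append(f"pod: {flag} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            problems.append(f"{name}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be set at pod or container level; the container value wins
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            problems.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            problems.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        for cap in caps.get("add", []):  # anything added back deserves a review
            problems.append(f"{name}: adds capability {cap}")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in SAFE_SECCOMP:
            problems.append(f"{name}: no seccomp profile")
    return problems


# Constructed manifests: a permissive pod and its hardened counterpart (hypothetical registry name).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-tool"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "app", "image": "myacr.azurecr.io/app:1.0",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "myacr.azurecr.io/app@sha256:" + "a" * 64,
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
```

`least_privilege_violations(WEAK_POD)` reports seven problems (the host PID namespace plus six container-level gaps), while `least_privilege_violations(HARDENED_POD)` returns an empty list. Checks like this are cheap to run in CI against manifests before they reach the cluster, which is the point of handling vulnerabilities early in the lifecycle rather than at runtime.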

Enforcing network segmentation helps protect containers in one subnet from any potential security risks in another subnet.

I should also mention that, as is the case with any other IT environment, you always need to be consistently monitoring activity and user access to your container ecosystem. This allows you to quickly identify suspicious activity. You can use Azure Monitor for Containers and the Azure Container Monitoring Solution, both of which are Azure solutions, to perform this monitoring.

Monitoring resource activity and consumption not only helps you manage performance but also serves as a helpful security measure. You can use Azure Monitor's activity log to see what new resources are created or modified.

Maintaining an accurate audit trail of administrative access to your container ecosystem is critical. It's most useful when you need to dig up forensic evidence after a security incident. The Azure Container Monitoring Solution can be used to perform this auditing.

As you can see, there are quite a few pieces to a solid vulnerability management implementation, but by leveraging them all you can ensure a secure environment.


  • Introduction
  • Configuring Endpoint Security within VMs
  • Configuring and Monitoring Antimalware for VMs
  • Configuring Virtual Machine Security
  • Hardening Virtual Machines
  • Configuring System Updates for Virtual Machines
  • Starting a Runbook from the Azure Portal
  • Configuring Baselines
  • Azure Networking
  • Configuring Authentication
  • Container Isolation
  • AKS Security
  • Azure Container Registry
  • Creating a Container Registry
  • Conclusion

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.