Unlocking new possibilities with Prisma Cloud and Windows Containers on Azure Kubernetes Service
Published Jul 06 2023 03:00 AM

This blog post has been co-authored by Microsoft and David Okeyode from Palo Alto Networks

 

As more organizations move towards cloud-native development, they face the challenge of securing their applications and data across the entire development lifecycle. For organizations looking to modernize critical Windows applications built on the .NET Framework, Windows containers are a popular choice. However, securing these containers presents unique challenges compared to their Linux counterparts. The security tooling ecosystem for Windows containers has been catching up with the Linux ecosystem and now includes the critical capabilities that business assurance requires.

 

To address these challenges, Prisma Cloud offers a comprehensive code-to-cloud security solution for cloud-native applications, including capabilities that are tailored towards securing Windows containers on Azure Kubernetes Service (AKS). With Prisma Cloud, organizations can achieve continuous, real-time visibility into their Windows container environments, assess and assure compliance of AKS clusters, nodes, and pod configurations, and apply the runtime defense required for zero-trust architectures. This post explores the unique challenges of securing Windows containers and how Prisma Cloud helps organizations overcome them to unlock new possibilities for their cloud-native applications.

 

Prisma Cloud overview

Prisma Cloud is a comprehensive cloud-native application protection platform (CNAPP) that enables organizations to protect cloud native workloads throughout the application lifecycle (Figure 1). Prisma Cloud solves several technical and business problems including the following:

 

  • Security from code to cloud: Prisma Cloud provides security at every stage of the development lifecycle, from code to build, deploy, and run, ensuring that applications are protected throughout their entire journey.
  • Continuous, real-time visibility: The platform uses real-time and contextual security analysis of cloud environments to help prevent misconfigurations, vulnerabilities, and threats. This approach ensures that organizations always have complete visibility into their environments.
  • Prevention-first protection: Prisma Cloud is designed to prevent attacks and defend against zero-day vulnerabilities, driving down mean time to remediation. This principle ensures that organizations can quickly address security issues and minimize potential damage.
  • Choice for every cloud journey: The platform aligns security needs with current and future cloud priorities by supporting a wide range of cloud service providers, workload architectures, CI/CD pipelines, IDEs, and repositories with a unified platform. This flexibility enables organizations to choose the tools and technologies that best meet their needs.
  • Cloud-scale security: Prisma Cloud provides consistent security for applications as cloud environments scale. This approach ensures that security remains a top priority as organizations grow and expand their cloud-based infrastructure.
  • Vulnerability management: Prisma Cloud provides vulnerability management for Windows containers running on AKS by continuously monitoring for vulnerabilities and identifying them in real-time. This approach enables organizations to quickly address security issues and minimize potential damage.
  • Compliance management: The platform also offers compliance management, enabling organizations to enforce regulatory and security policies across their Windows on AKS environment. This approach ensures that organizations remain compliant with industry standards and regulations.
  • Runtime defense: Prisma Cloud offers a set of runtime defense features that provide both predictive and threat-based active protection for running Windows containers in AKS. This includes the ability to detect when a container runs a process that is not included in the original image, helping to prevent unauthorized access and reduce the risk of security breaches.
  • Integration with CICD pipelines: Prisma Cloud integrates with a wide range of CICD pipelines, including GitHub Repos, GitHub Actions, Azure Repos, and Azure Pipelines. This enables organizations to assess security and compliance of Windows containers before they are pushed into the container registry, ensuring that only validated images are allowed into production.

Figure 1 – Prisma Cloud secures the entire cloud native application lifecycle

 

Let us examine how the security capabilities of Prisma Cloud can be applied to Windows container workloads on Azure Kubernetes Service (AKS).

 

Prisma Cloud + Windows Containers on Azure Kubernetes Service

The containerization process consists of THREE primary stages (Figure 2). The first stage is building container images, which is known as BUILD TIME. This can happen on a developer’s system with an IDE like Visual Studio Code (VS Code), or in cloud-hosted development environments like GitHub Codespaces or Microsoft Dev Box. The second stage involves storing the images in a distribution location – this is referred to as SHIP TIME. Images can be stored and distributed from an Azure service like Azure Container Registry (ACR) or from GitHub Packages. The third stage involves running the container images in a runtime environment – this is called RUNTIME. Azure offers multiple services for running containerized workloads, including a managed Kubernetes service called Azure Kubernetes Service (AKS).

Figure 2 – Phases of a cloud native application workflow

For security to scale in a cloud native workflow (as illustrated in the above diagram), risk management can no longer rely only on locking down and monitoring the production/runtime environments. Modern security teams need to address potential exploits and vulnerabilities earlier in the application lifecycle, an approach known as shift-left security. Shifting left significantly improves the efficiency of risk reduction, but it is not sufficient on its own: vigilance is required at all stages of the application lifecycle. The Prisma Cloud platform offers security capabilities that integrate into all three phases of the containerization process. Let us review some of these briefly, starting with BUILD TIME.

 

Prisma Cloud Build Time Security for Windows Containers

Figure 3 – Prisma Cloud Security Integrated into the IDE

In addition to the IDE integration shown in Figure 3, Prisma Cloud provides marketplace extensions for various CI/CD platforms and services, such as GitHub Repos, GitHub Actions, Azure Repos and Azure Pipelines, enabling security and compliance assessments of Windows containers before they are pushed into the container registry. By adopting this approach, organizations can ensure that only validated and authorized images are permitted into the registry from which production images are pulled.

 

Prisma Cloud also offers Twistcli - a command-line interface (CLI) tool that can be used for scanning Windows container images for vulnerabilities and misconfigurations, as well as for checking compliance against industry standards such as CIS benchmarks and NIST guidelines. This allows developers and security teams to quickly scan and assess container images for potential security risks during the development and deployment stages of the software development lifecycle. Twistcli provides detailed reports on vulnerabilities, compliance issues, and other potential security risks, enabling teams to remediate these issues before they can be exploited in production environments.

Figure 4 – twistcli can be integrated into the build stage including CI/CD pipelines

Additionally, Twistcli supports integration with various CI/CD pipelines, making it possible to automate the scanning and assessment of container images as part of the continuous integration and delivery process. This approach ensures that container images are checked for security risks at every stage of the software development lifecycle, allowing teams to address vulnerabilities and misconfigurations as soon as they are identified.
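The pipeline gate described above, as an added example that is not twistcli's or Prisma Cloud's own code: a script that reads a saved image scan report and decides whether the image may be pushed to the registry. The report layout (a `results` list whose entries carry `vulnerabilities` and `compliance` findings with a `severity` field) is a simplified assumption modelled on scanner JSON output, and the sample report is constructed, so check the field names against the report your twistcli version actually writes before relying on them.

```python
"""CI/CD gate over a container image scan report.

Added example, not twistcli's or Prisma Cloud's own code. The report layout
(results -> vulnerabilities / compliance, each with a severity) is a
simplified assumption; the sample report below is constructed, not real data.
"""
import json
import sys
from dataclasses import dataclass, field

# Severity scale used for threshold comparison (assumed ordering).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report for a Windows container image; placeholder CVE ids.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "id": "registry.example.invalid/app/orders:1.4.2",
        "vulnerabilities": [
            {"id": "CVE-EXAMPLE-0001", "severity": "high",
             "packageName": "example-lib", "status": "fixed in 2.0.0"},
            {"id": "CVE-EXAMPLE-0002", "severity": "low",
             "packageName": "example-tool", "status": ""},
        ],
        "compliance": [
            {"id": 9001, "severity": "high",
             "title": "Constructed check: image runs as the container administrator"},
        ],
    }]
})


@dataclass
class GateDecision:
    passed: bool
    blocking_vulns: list = field(default_factory=list)
    blocking_compliance: list = field(default_factory=list)


def _rank(finding: dict) -> int:
    """Numeric severity of a finding; unknown labels rank as 0 (never blocking)."""
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)


def evaluate(report_json: str, vuln_threshold: str = "high",
             compliance_threshold: str = "high",
             only_fixable: bool = False) -> GateDecision:
    """Apply the gate policy: block on any vulnerability or compliance finding
    at or above its threshold. With only_fixable, vulnerabilities that have no
    fixed version yet do not block, so the pipeline is not stuck on findings
    the team cannot act on."""
    report = json.loads(report_json)
    min_v = SEVERITY_RANK[vuln_threshold]
    min_c = SEVERITY_RANK[compliance_threshold]
    decision = GateDecision(passed=True)
    for result in report.get("results", []):
        for vuln in result.get("vulnerabilities", []):
            if _rank(vuln) < min_v:
                continue
            if only_fixable and not vuln.get("status"):
                continue  # no fix available yet: report elsewhere, do not block
            decision.blocking_vulns.append(vuln["id"])
        for check in result.get("compliance", []):
            if _rank(check) >= min_c:
                decision.blocking_compliance.append(check["id"])
    decision.passed = not (decision.blocking_vulns or decision.blocking_compliance)
    return decision


def main(argv: list) -> int:
    """Read the report path from argv (or use the constructed sample) and map
    the decision to an exit code, which is what the pipeline step acts on."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    decision = evaluate(report_json)
    for cve in decision.blocking_vulns:
        print(f"BLOCK vulnerability {cve}")
    for check_id in decision.blocking_compliance:
        print(f"BLOCK compliance check {check_id}")
    print("gate passed" if decision.passed else "gate failed: image not pushed")
    return 0 if decision.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the scan step runs first and writes its report to a file (for twistcli that is an invocation of `twistcli images scan` with the console address, credentials and an output file, as documented for your Prisma Cloud version), and this script runs as the next step so that a non-zero exit code stops the push. twistcli can also enforce thresholds itself; keeping the policy in a script like this makes choices such as `only_fixable` explicit and reviewable in the repository.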

 

Prisma Cloud Ship Time Security for Windows Containers

Prisma Cloud offers Ship Time Security for Windows Containers, which enables integration with Azure Container Registry (ACR) and other container registry services that comply with the Docker Registry version 2 API, such as Docker Hub. This integration allows for the scanning of Windows container images for both vulnerabilities and compliance issues.

 

The scanning frequency can be configured according to the needs of the organization, and can also be triggered on-demand via an API. This ensures that container images are continuously scanned for vulnerabilities and compliance issues, and any potential risks are identified and addressed before the images are deployed into production.

 

By integrating with ACR and other container registry services, Prisma Cloud helps organizations maintain the security and compliance of their Windows containers throughout the development lifecycle, from code to production.

 

The data is correlated throughout the entire application lifecycle to provide visibility and trend analysis across the entire environment (Figure 5).

Figure 5 – Sample ACR Windows image scan result with risk contextualization

 

Prisma Cloud Runtime Security for Windows Containers

Prisma Cloud can secure Windows containers running on Windows Server 2019 and Windows Server 2022 hosts in an AKS cluster. Threat intelligence and vulnerability data are delivered through the Prisma Cloud Intelligence Stream (IS) feed, which includes vulnerability data from Microsoft, so as new CVEs are reported, Prisma Cloud can detect them in your Windows container images.

 

This vulnerability management capability combines vulnerability detection with runtime environment knowledge to prioritize risks specifically for your environment. By doing so, the tool can help you to better understand and manage the risks to your environment and prioritize remediation efforts.

 

The solution also offers runtime compliance management, enabling organizations to analyze and enforce regulatory policies across their Windows on AKS environment. This approach ensures that organizations remain compliant with industry standards and regulations.

In addition to vulnerability and compliance management, Prisma Cloud offers a set of runtime defense features that provide both predictive and threat-based active protection for running Windows containers in AKS. For example, the solution includes runtime sensors for process activity to detect when a container runs a process that is not included in the original image (learned using an AI model) or defined in a rule. Actions can then be taken to raise an alert for further investigation or to block the process.

Figure 6 – Sample runtime security configuration

Prisma Cloud runtime security for Windows containers is supported for all AKS implementation scenarios including public and private AKS clusters in the Azure cloud and AKS hybrid options.
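The process-activity check described in the runtime defense paragraph above, as an added example that is not Prisma Cloud's runtime defense code: processes observed while a container is in learning mode form its model, an operator rule can extend the model or deny specific names, and any other process gets the rule's effect. The event fields, the rule fields and the `alert`/`block` effects are assumptions for illustration, and the events are constructed, not captured from a cluster.

```python
"""Runtime process-activity model for a Windows container.

Added example, not Prisma Cloud's runtime defense code. Event fields, rule
fields and the "alert"/"block" effects are assumptions; the events are
constructed, not captured from a real AKS node.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

IMAGE = "registry.example.invalid/app/orders:1.4.2"  # constructed image reference

# Constructed events observed while the container was in learning mode.
BASELINE_EVENTS = [
    {"container": "orders-api-7c9", "image": IMAGE, "process": "ServiceMonitor.exe"},
    {"container": "orders-api-7c9", "image": IMAGE, "process": "w3wp.exe"},
]

# Constructed events observed after the model was activated; the last event
# belongs to a different image and must not be judged by this model.
RUNTIME_EVENTS = [
    {"container": "orders-api-7c9", "image": IMAGE, "process": "w3wp.exe"},
    {"container": "orders-api-7c9", "image": IMAGE, "process": "dotnet.exe"},
    {"container": "orders-api-7c9", "image": IMAGE, "process": "powershell.exe"},
    {"container": "orders-api-7c9", "image": IMAGE, "process": "cmd.exe"},
    {"container": "billing-2f1", "image": "registry.example.invalid/app/billing:2.0",
     "process": "cmd.exe"},
]


@dataclass
class ProcessRule:
    """Operator rule layered on top of the learned model (assumed schema)."""
    allowed: tuple = ()     # glob patterns for additional permitted process names
    denied: tuple = ()      # glob patterns that are violations even if learned
    effect: str = "alert"   # action for a process outside the model: alert or block


@dataclass
class ContainerModel:
    """Per-image process model built from events seen during learning."""
    image: str
    learned: set = field(default_factory=set)

    def learn(self, events) -> None:
        for event in events:
            if event["image"] == self.image:
                self.learned.add(event["process"].lower())


def _matches(name: str, patterns) -> bool:
    return any(fnmatch(name, pattern.lower()) for pattern in patterns)


def evaluate_event(model: ContainerModel, rule: ProcessRule, event: dict):
    """Return (verdict, reason) for one process event. Denied patterns are
    checked first so an operator can override something the model learned."""
    name = event["process"].lower()
    if _matches(name, rule.denied):
        return rule.effect, "matches denied pattern"
    if name in model.learned:
        return "allow", "in learned model"
    if _matches(name, rule.allowed):
        return "allow", "permitted by rule"
    return rule.effect, "not in image model or rule"


def enforce(model: ContainerModel, rule: ProcessRule, events):
    """Judge every event for this model's image; other images are skipped."""
    return [
        (event["container"], event["process"], *evaluate_event(model, rule, event))
        for event in events
        if event["image"] == model.image
    ]


DEFAULT_RULE = ProcessRule(allowed=("dotnet*",), denied=("cmd.exe",), effect="block")


def run_demo():
    """Learn from the baseline window, then enforce over the runtime events."""
    model = ContainerModel(IMAGE)
    model.learn(BASELINE_EVENTS)
    return enforce(model, DEFAULT_RULE, RUNTIME_EVENTS)


if __name__ == "__main__":
    for container, process, verdict, reason in run_demo():
        print(f"{container:16} {process:16} {verdict:6} ({reason})")
```

With the rule above, `w3wp.exe` is allowed because it was learned, `dotnet.exe` is allowed by the rule pattern, `powershell.exe` is blocked because it is in neither the model nor the rule, and `cmd.exe` is blocked by the explicit deny pattern even if a later learning window happened to observe it. Whether the effect is `alert` or `block` is the policy decision the Figure 6 configuration represents: alert first while the model is being validated, then block once false positives are understood.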

 

Getting started

To get started, you will need access to either a Prisma Cloud Compute Edition environment or a Prisma Cloud Enterprise Edition environment. You can follow our workshops, which include security for Windows containers, to get hands-on experience.

 

Conclusion

In summary, Prisma Cloud offers comprehensive security capabilities for Windows containers in Azure Kubernetes Service (AKS). Prisma Cloud provides Build Time Security by integrating with various CI/CD platforms and services, marketplace extensions for scanning container images for vulnerabilities and compliance issues, and twistcli, a command-line interface tool for scanning container images for security risks. Ship Time Security enables scanning of Windows container images for vulnerabilities and compliance issues before they are deployed into production, by integrating with Azure Container Registry and other container registry services. Runtime Security offers vulnerability and compliance management, runtime defense features, and runtime sensors for process activity to detect and block malicious processes.

 

Prisma Cloud’s security capabilities enable developers to identify potential security risks early in the development lifecycle, allowing teams to address vulnerabilities and misconfigurations before they can be exploited in production environments. The solution provides runtime defense features and compliance management, enabling organizations to analyze and enforce regulatory policies across their Windows on AKS environment, and remain compliant with industry standards and regulations. Prisma Cloud supports all AKS implementation scenarios, including public and private AKS clusters in the Azure cloud and AKS hybrid options. Please refer to our documentation for further information on Prisma Cloud solutions.

Last update: Jul 05 2023 02:20 PM