Adding security layers to Azure Kubernetes Service: 8 you can use from Rancher and NeuVector by SUSE
In this guest blog post, Tracy Walker, Senior Security Engineer for NeuVector by SUSE, explores how to implement additional security layers for Azure Kubernetes Service using SUSE’s Rancher Prime and NeuVector Prime.
Experienced users of Microsoft Azure or other public cloud services are likely familiar with the shared-responsibility model and the anxiety of determining where “shared responsibility” stops and “It’s my responsibility” starts. Add an unexpected security event, and you can find yourself searching for additional layers that work with your existing security and let you maintain independent control. In this brief blog, let’s detail exactly how you can quickly add additional security layers to Azure Kubernetes Service (AKS) using SUSE’s Rancher Prime and NeuVector Prime.
Understanding the threats to containerized environments
Before we get into the details of security layers for AKS clusters, let’s address two common questions that will help us get straight to the point:
1. How can you presume my existing security is not good enough for container security? You have no idea what I’m doing for container security.
Simply, let’s say you are not using SUSE NeuVector or NeuVector Prime but are using an eBPF-centric solution or virtual machine security. You do not have complete network visibility east-west inside your Kubernetes cluster. Allow me to explain: The trade-off from gaining Kubernetes automated networking is losing full visibility of network payload and protocol east-west within the cluster, specifically layers 5-7 of the network OSI model (session layer, presentation layer, and application layer). VM security tools or kernel-centric tools that use popular eBPF technology can identify only layer 3 network and layer 4 transport protocols and cannot “see” network payloads potentially carrying live attacks. Your cluster network remains an entry point to zero-day exploits, remote privilege escalation, or code executions that cannot be mitigated by common vulnerabilities and exposures (CVE) remediation or eBPF system call filtering.
NeuVector observes your workload’s network traffic and derives security policies specific to that workload’s network behavior, creating Zero Trust microsegmentation that allows only known network traffic and can alert on or block any traffic unknown to your workload. Unlike eBPF, NeuVector can identify threats in network traffic earlier in the kill chain, before they reach the kernel.
In other words, neither virtual machines nor eBPF security layers can inspect full network traffic through layer 7 inside Kubernetes. This creates a security blind spot. NeuVector uses patented open-source technology to add multiple network-centric security layers to mitigate this blind spot.
2. Isn’t AKS already protecting me?
Azure’s shared-responsibility model makes clear that users of AKS PaaS are responsible for network controls, application security, and identity management. SUSE recommends security layers, such as Microsoft Defender for Containers, as well as adding security layers provided by Rancher and NeuVector for security threats not mitigated by your cloud provider. For example, NeuVector provides network threat detection and layer 7 protocol identification and validation for all network traffic where Microsoft Defender does not have such visibility.
As an independent source of truth for network activity, NeuVector complements Microsoft Defender for Containers by creating security policies directly from the unique workload network patterns that NeuVector detects, and it can then alert or block any anomalous behavior at runtime — including zero-day attacks — as well as automatically packet-capture the attack for post-event forensics. One example of how multiple security layers from NeuVector could be used against the recent XZ Backdoor attack is detailed here in this blog.
2 Rancher security layers
Rancher simplifies the management of Kubernetes clusters by providing a centralized platform for deploying, scaling, and monitoring containerized applications. With Rancher, you can easily provision AKS clusters on Azure and automate day-to-day operations such as upgrades and maintenance tasks.
For security, Rancher provides two foundational security layers for role-based access control (RBAC) and network policy enforcement. Users can deploy both of these layers to control access to clusters and prevent unauthorized actions.
Configure 6 NeuVector security layers in under 15 minutes
NeuVector complements Kubernetes and AKS security with up to eight security layers that include real-time network threat detection, Zero Trust security policies for both network traffic and container/node processes, scanning for vulnerabilities and security misconfigurations, and data leak prevention. Because NeuVector is Kubernetes-native, you can deploy it using a Helm chart, directly from Rancher, or automatically from the Azure Marketplace.
Enable the following NeuVector security layers for your AKS cluster to mitigate specific threats with very little time or effort:
Layers 1 and 2: Automated CVE and security configuration scanning: Enabling NeuVector’s Auto Scan will immediately inspect and report on all nodes, your orchestrator platform, and containers to detect both known CVE exploits and security misconfigurations as compared to recommended CIS Benchmarks for Kubernetes and Docker.
Configuration time: 10 seconds.
Layers 3 and 4: Zero Trust runtime network and process security: Achieve full network and process microsegmentation. Because NeuVector defaults to Discover Mode upon installation, your workload network and process behaviors are automatically “learned” and defined as security policies that allow those behaviors in a Zero Trust cluster. Configure the Service Group Mode Automation in NeuVector’s settings to automatically enable Monitor or Protect enforcement modes, thus enabling Zero Trust segmentation between known and unknown network or process behaviors for all pods and nodes. NeuVector’s runtime layers are effective at detecting any anomalous behavior, zero-day attack, internal actor, or attempted exploit of an unpatched CVE because they derive the security policies directly from workload behavior. Bonus: Both network and process runtime policies can be exported as security-policy-as-code YAML, so your security can automatically be deployed to any cluster with your workloads.
Configuration time: 20 seconds.
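As an added example of the security-policy-as-code export mentioned above (written for this edit, not taken from the post or from a real NeuVector export), the following is a custom resource of the kind NeuVector uses for per-group runtime policy. The field layout follows the NvSecurityRule CRD as documented by NeuVector; check it against an export from your own NeuVector version, since the schema is version-dependent. The `shop` namespace, the `api`, `frontend` and `redis` services, the ports and the process paths are constructed.

```yaml
# Added example: a NeuVector runtime policy for one learned service group,
# expressed as an NvSecurityRule custom resource. All names and values are constructed.
apiVersion: neuvector.com/v1
kind: NvSecurityRule
metadata:
  name: nv.api.shop                # learned groups are named nv.<service>.<namespace>
  namespace: shop
spec:
  target:
    policymode: Protect            # Discover (learn) -> Monitor (alert) -> Protect (block)
    selector:
      name: nv.api.shop
      criteria:
        - key: service
          op: "="
          value: api.shop
        - key: domain
          op: "="
          value: shop
  ingress:
    # Only the frontend group may reach the API, and only with HTTP on tcp/8080.
    # "applications" is the layer-7 protocol check; a Kubernetes NetworkPolicy
    # stops at the port number, so a non-HTTP payload on 8080 would pass it.
    - name: nv.api.shop-ingress-0
      action: allow
      applications: ["HTTP"]
      ports: tcp/8080
      priority: 0
      selector:
        name: nv.frontend.shop
        criteria:
          - key: service
            op: "="
            value: frontend.shop
          - key: domain
            op: "="
            value: shop
  egress:
    # The API may talk to its cache group using the Redis protocol only.
    - name: nv.api.shop-egress-0
      action: allow
      applications: ["Redis"]
      ports: tcp/6379
      priority: 0
      selector:
        name: nv.redis.shop
        criteria:
          - key: service
            op: "="
            value: redis.shop
          - key: domain
            op: "="
            value: shop
  process:
    # Process allow-list learned in Discover mode. In Protect mode, any process
    # not listed here is blocked and raises a violation event.
    - name: node
      path: /usr/local/bin/node    # constructed: the API's runtime binary
      action: allow
    - name: sh
      path: /bin/sh
      action: deny                 # explicit deny: no interactive shell in this container
  process_profile:
    baseline: zero-drift           # only binaries present in the original image may run
```

Because the resource is namespaced and declarative, it can live in the same Git repository as the workload manifests and be applied by the same pipeline, which is what makes the "deployed to any cluster with your workloads" claim work in practice. A sensible rollout is to commit the export with `policymode: Monitor` first, watch the violation events for a full traffic cycle, then change the single field to `Protect`.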
Layer 5: Live network threat detection: The only security layer that is 100 percent automatic and requires no setup or configuration. NeuVector uses its patented Deep Packet Inspection to detect and block more than 24 known network threats as they occur, and also performs an automatic packet capture of what triggered the violation.
Configuration time: Automatic (zero seconds).
Layer 6: NeuVector admission controller: NeuVector’s admission controller gives you 31 prebuilt policies that are CVE- and compliance-aware when using registry scanning.
Configuration time: Two minutes per rule.
Extra: Layers 7 and 8: Data leak prevention (DLP) and ingress WAF sensors: These advanced security layers focus on egress or ingress traffic, but are a little more advanced in their setup and use. DLP and WAF sensors can be completely customized to your specific environment, so SUSE recommends using these security layers after the other six layers are in place, perhaps in conjunction with NeuVector Prime support.
Configuration time: Varies; see NeuVector Prime.
Conclusion
Securing Azure Kubernetes Service necessitates multiple security layers using tools like Rancher and NeuVector by SUSE to eliminate blind spots. By deploying these tools and implementing the security layers recommended, you can rapidly mature your security posture and mitigate known or unknown risks associated with your AKS environments.
Securing any Kubernetes cluster should always be understood as an ongoing process that requires vigilance and reviews to identify new or unmitigated threats. With SUSE tools and security best practices in place, you can confidently secure any Kubernetes cluster using multiple automated security layers while minimizing management overhead.