Azure Arc and Azure Security Centre

16 Mar 2021, MOQdigital

Following on from our previous Azure Arc blog post, the second article in this series focuses on the interaction between Azure Arc and Azure Security Centre: how the two highlight potential security risks and vulnerabilities, and the options for remediating those risks from within these environments.

Multi-cloud and hybrid-cloud 

To highlight the value of Arc, it is worth mentioning that Azure Arc and Azure Security Centre (the latter using Azure Defender on the client) integrate with Windows and Linux VMs, Kubernetes clusters and Azure Data Services (the latter two still in Preview) to provide visibility and remediation services across clouds (Azure, AWS and GCP) and on-premises infrastructure.

In this model, Azure Arc manages policy compliance while the native console (the AWS management console, to continue the example) is still used to manage the VMs themselves. Azure Security Centre provides the overarching monitoring and analysis for each Defender capability, and Defender provides both the visibility and the controls on the instance being protected.

Infrastructure Protection 

Within Linux and Windows environments onboarded to Azure Security Centre, the Qualys-based vulnerability scanner collects information about those hosts and returns recommendations to Security Centre for reporting and action. Should a vulnerability be detected, ASC provides the relevant information (within the ASC console) about the CVE, remediation steps and any other relevant references that an administrator can use to better understand the risk and potential mitigation strategies. At this point, findings can either be disabled (should the risk be acceptable or alternate mitigations be in place) or remediated.

Additional Protection 

Azure Defender is also available for applications, storage, data services, Key Vault, Resource Manager, DNS and of course Kubernetes and container registries, and can detail security alerts including suspicious processes and the MITRE ATT&CK tactic used. ASC also includes Just In Time (JIT) access and adaptive application controls for whitelisting known and safe applications within a VM. 

Kubernetes and Containers 

In addition to host-level protection with Azure Defender for Servers, Azure Defender for Kubernetes provides cluster-level threat protection so that threats specific to the Kubernetes environment can be understood and monitored. Similarly, Azure Defender for container registries provides vulnerability assessment and management of your registry's images by running each image within an isolated sandbox. Examples of what these services detect and alert on include digital currency mining, an exposed dashboard, service or pen test tool, and the review of privileged roles within the environment.

Remediation 

An organisation's processes for responding to an incident may include notifications, launching a change management process and applying remediation steps. Automating these within Azure Arc and Azure Security Centre aims to reduce management overhead, ensure that processes are followed consistently, and ensure that issues are addressed within the required timeframe. Logic Apps form the basis of the flows and can be templated for repetition, use the supplied policies for Azure, or have custom events created to assist with the automation. These automations can also be run manually if desired.

Remediation options within ASC frequently include a quick fix option which explains the implications of the fix and allows you to select which resources to apply the fix to. These quick fixes may include the installation of the monitoring agent, mandating HTTPS connections to web apps, or enabling diagnostic logs or vulnerability assessments. 
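The triage step that sits in front of those quick fixes, as an added example that is not code from this post or from Microsoft: every unhealthy finding is routed to exactly one of the three outcomes the article describes (disable the finding where the risk is accepted, apply a trusted quick fix, or raise a change request), highest severity first. The input records are constructed to resemble the `Microsoft.Security/assessments` REST resource; the recommendation names, the `QUICK_FIXES` table, the `ACCEPTED_RISK` register, the placeholder subscription id and the Azure CLI commands it emits are all assumptions made for the demonstration and should be checked against your own tenant before use.

```python
"""Triage Azure Security Center assessments into a remediation plan.

Added example, not code from the MOQdigital post. Records are constructed to resemble
the Microsoft.Security/assessments REST resource (properties.displayName, .status.code,
.metadata.severity, .resourceDetails.Id). Recommendation names, the QUICK_FIXES table,
the ACCEPTED_RISK register and the CLI commands are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
ARC = SUB + "/resourceGroups/rg-arc/providers/Microsoft.HybridCompute/machines/"

def _assessment(display_name: str, status_code: str, severity: str, resource_id: str) -> dict:
    """Build one constructed record shaped like a Security Center assessment."""
    return {"properties": {"displayName": display_name, "status": {"code": status_code},
                           "metadata": {"severity": severity},
                           "resourceDetails": {"Source": "Azure", "Id": resource_id}}}

# Constructed sample: four unhealthy findings (one with accepted risk) and one healthy one.
SAMPLE_ASSESSMENTS = [
    _assessment("Web Application should only be accessible over HTTPS", "Unhealthy", "Medium",
                SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/app-demo"),
    _assessment("Log Analytics agent should be installed on your Linux Azure Arc machines",
                "Unhealthy", "High", ARC + "aws-web-01"),
    _assessment("System updates should be installed on your machines", "Unhealthy", "High",
                ARC + "onprem-build-02"),
    _assessment("Adaptive application controls for defining safe applications should be enabled",
                "Unhealthy", "High", ARC + "onprem-build-02"),
    _assessment("Diagnostic logs in Key Vault should be enabled", "Healthy", "Low",
                SUB + "/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-demo"),
]

# Accepted-risk register: (recommendation, resource id) -> justification. These findings are
# disabled in ASC instead of fixed, mirroring the portal's "disable finding" option.
ACCEPTED_RISK: Dict[Tuple[str, str], str] = {
    ("System updates should be installed on your machines", ARC + "onprem-build-02"):
        "isolated build host, patched in a quarterly change window (CHG-<placeholder>)",
}

def parse_resource_id(resource_id: str) -> Dict[str, str]:
    """Split an ARM resource id into the pieces the CLI commands need."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 8 or parts[0].lower() != "subscriptions" or parts[2].lower() != "resourcegroups":
        raise ValueError(f"unexpected resource id: {resource_id}")
    return {"id": resource_id, "subscription": parts[1], "rg": parts[3], "name": parts[-1]}

def _https_only(res: Dict[str, str]) -> str:
    # Assumed CLI equivalent of the portal quick fix for the HTTPS recommendation.
    return f"az webapp update --https-only true --ids {res['id']}"

def _arc_log_analytics(res: Dict[str, str]) -> str:
    # Assumed CLI equivalent of the monitoring-agent quick fix for an Arc machine; the
    # workspace id and key are placeholders to be pulled from Key Vault at run time.
    cmd = ("az connectedmachine extension create --machine-name {name} --resource-group {rg} "
           "--name OmsAgentForLinux --publisher Microsoft.EnterpriseCloud.Monitoring "
           "--type OmsAgentForLinux "
           "--settings '{{\"workspaceId\": \"<WORKSPACE_ID>\"}}' "
           "--protected-settings '{{\"workspaceKey\": \"<WORKSPACE_KEY>\"}}'")
    return cmd.format(**res)

# Recommendations for which an automated quick fix is trusted (assumed mapping).
QUICK_FIXES: Dict[str, Callable[[Dict[str, str]], str]] = {
    "Web Application should only be accessible over HTTPS": _https_only,
    "Log Analytics agent should be installed on your Linux Azure Arc machines": _arc_log_analytics,
}

@dataclass
class PlanItem:
    action: str        # "quick-fix", "accept-risk" or "change-request"
    severity: str
    display_name: str
    resource_id: str
    detail: str        # command to run, justification, or escalation note

def build_plan(assessments: List[dict], accepted_risk: Dict[Tuple[str, str], str]) -> List[PlanItem]:
    """Route each unhealthy finding to exactly one action, highest severity first."""
    plan: List[PlanItem] = []
    for record in assessments:
        props = record["properties"]
        if props["status"]["code"] != "Unhealthy":
            continue  # Healthy and NotApplicable findings need no action
        name, res = props["displayName"], parse_resource_id(props["resourceDetails"]["Id"])
        severity = props.get("metadata", {}).get("severity", "Low")
        if (name, res["id"]) in accepted_risk:
            action, detail = "accept-risk", "disable finding in ASC: " + accepted_risk[(name, res["id"])]
        elif name in QUICK_FIXES:
            action, detail = "quick-fix", QUICK_FIXES[name](res)
        else:
            action, detail = "change-request", "no trusted automated fix; raise a change request"
        plan.append(PlanItem(action, severity, name, res["id"], detail))
    plan.sort(key=lambda p: (SEVERITY_RANK.get(p.severity, 99), p.display_name))
    return plan

if __name__ == "__main__":
    for item in build_plan(SAMPLE_ASSESSMENTS, ACCEPTED_RISK):
        print(f"[{item.severity:6}] {item.action:14} {item.display_name}\n    {item.detail}")
```

Run as-is it prints the plan for the constructed sample; in practice `SAMPLE_ASSESSMENTS` would be replaced by the assessment list pulled from the subscription and the emitted commands fed to the change process or a Logic App rather than executed blindly. Keeping the accepted-risk register as data with a justification per entry is what makes the "disable finding" decision auditable later.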

Summary 

Together, Azure Arc and Azure Security Centre identify risk and create actionable recommendations across hybrid and multi-cloud environments. This helps ensure compliance with industry and security best practices, highlights potential threats and activity within your environment, and provides a consistent management platform regardless of the cloud or infrastructure you want to secure.