Securing the Cloud Native Transition for Windows Applications on AKS

Securing the Cloud Native Transition for Windows Applications on AKS

As a critical next step in securing Microsoft Windows containers running on Azure Kubernetes Service (AKS), Aqua Security has worked with Microsoft to make it easy for customers to deploy, upgrade, and auto scale deployment of cloud runtime security, assurance enforcement, networking segmentation and monitoring for AKS Windows nodes running on containerd.

The newly launched containerd support to deploy the Aqua Windows Enforcers through an allowlisting on AKS Windows nodes provides a critical security component to facilitate the transition from the deprecated Dockershim by moving Windows containers to new containerd node pools.

At the same time that Microsoft customers are working through the container runtime transition, there is also a groundswell to migrate existing Windows workloads to AKS for standardized tooling as well as containerize Windows applications to take advantage of cloud native benefits.

Across these scenarios, Aqua provides the security, assurance, and automated runtime threat prevention capabilities to address the risk and compliance concerns that can hold back adoption and automation of application delivery through a managed Kubernetes service like AKS.

Alongside container runtime security, Aqua’s comprehensive cloud native application protection platform enables developers to detect and better manage risk in their Azure DevOps pipeline. It allows them to assess and assure compliance of AKS cluster, node, and pod configurations, identify elevated risks across their clusters, and apply Kubernetes application-scoped, multi-cluster role-based access controls for zero trust architectures.

The path to Windows on AKS

Containerd support is a next step in securing Windows containers for Aqua, extending our cloud-native security, protection, and monitoring capabilities launched for Windows containers first introduced in 2016.

With the latest release incorporating containerd support, Aqua Windows Enforcers now provide security capabilities to protect both Docker and containerd Windows workloads running on AKS Windows. With the general availability release of Kubernetes 1.23 on AKS, containerd will be the default for new Windows containers as well as for Linux.

The transition to containerd as the AKS container run time for Windows Server 2019/Windows 10 1809 workloads has coincided with a broader set of dynamics for adoption of Windows containers – and appeal of AKS as the container orchestration service of choice.

Even as customers engage in the practical steps towards moving their Windows (and Linux containers) to containerd node pools, there is a much larger structural shift going on.

For some customers who have already made investments in cloud native infrastructure, there may be movement from Azure Service Fabric to AKS because of the momentum and support building for Kubernetes as a de facto industry standard.

In addition, there are many other customers that are still embarking on the path to application modernization and want to take advantage of a managed Kubernetes service to reduce operational overhead and accelerate the path to automation and agility.

How It Works

As a managed Kubernetes service, AKS is designed to be highly available and secure with Azure taking responsibility for ensuring the security of the master components as well as security updates for nodes. However, customers are responsible for securing the infrastructure configurations, Kubernetes assurance policies, role-based access controls, and the applications that run on AKS.

Since AKS clusters are managed clusters, Aqua has worked with Microsoft to provide a path for customers to deploy the Aqua Windows Enforcers as part of the deployment process. Using a VMSS Extension, customers can configure Aqua Enforcers to be automatically installed as part of the deployment on Azure VMSS VMs, which are part of an AKS cluster.

Using this deployment method to bootstrap any new worker node with the Aqua Enforcer, Aqua Enforcers can now be installed on every new Windows node within an AKS cluster without manual intervention and addressing customer cloud native security needs from Day 0.

For instance, for customers migrating from Azure Service Fabric using older versions of Windows, the Aqua Enforcer can provide for workload networking segmentation and container to host isolation. The Enforcers can also block any executables that are not explicitly authorized and prevent the container from reading, writing, or executing specifically named files or directories.

Securing cloud native Windows applications with Aqua

With the allowlisting and deployment methodology, Aqua Windows Enforcers support and secure Windows workloads running on both Docker and containerd runtimes. No matter where you are running your applications, Aqua provides a single Windows Enforcer for runtime security, policy enforcement, and monitoring across both runtimes.

Runtime security to prevent attacks is a key element of the Aqua Cloud Native Application Protection Platform (CNAPP) that encompasses supply chain security, centralized risk visibility, assurance policies, and monitoring of container activity.

Alongside Windows Enforcer capabilities, Aqua delivers vulnerability and secrets scanning capabilities for Windows container images and hosts as well as configuration assessment, assurance policy enforcement, and risk-based visibility across AKS clusters based on policy violations, misconfigurations, and vulnerability severity. Security teams can define access and audit application scopes for cross-functional teams to extend native Kubernetes controls based on zero trust principles.

In tandem, these capabilities can help cross-functional teams manage the attack surface, better detect and manage risk, and prevent attacks before they happen.

Aqua’s Windows Enforcers can specifically prevent unvetted containers from running and enforce image assurance policies for Windows base images – and preventing any version mismatch issues. Additional Aqua Windows Enforcer runtime security policies that can be deployed out of the box to enable customers secure their Windows applications at runtime include:

  • Block Container Exec: Prevents users from exec'ing (running a new command) in a running container
  • Real-time Malware Protection: Monitoring or restricting the execution of malware with the option to alert, block or delete
  • File Integrity Monitoring: Log and audit creation, reading, modification, deletion, as well as any change to the permissions of directories and/or files to address compliance requirements
  • Block access to Read-Only Directories and Files: Prevents write access to selected files and directories
  • Volumes Blocked: Prevents the container from mounting specifically named volumes

Looking Ahead

With the transition to containerd well under way, Aqua can now fully support customers who are moving their Windows workloads in response to the deprecation of Dockershim. Through the work done with Microsoft, Aqua can provide customers with security and monitoring for Windows containers as an automated deployment configuration for AKS nodes running on containerd – extending the investments we have made in both runtime cloud native security as well as integrations for Azure services and tools.

As more customers adopt Windows containers and look to containerize their Windows applications, Aqua will continue to deepen our capabilities to quickly identify risk and prevent attacks on these environments as well as streamline automated deployment.


Steve Coplan

Steve is the Director of Product Marketing for Strategic Partners at Aqua. His experience spans industry research and analysis, corporate strategy and product marketing in data security and privacy. Steve especially enjoys being at the forefront of innovation and collaborating with partners to help customers adopt pioneering technology through new approaches to managing risk and security.