
Aqua CSP Globally Whitelisted for ARO: Red Hat OpenShift on Azure


To harness the power of a secure and mature Kubernetes platform, to increase their development teams’ productivity, and to lower costs, organizations choose Red Hat OpenShift. Many deploy Red Hat OpenShift on-premise, which requires allocating resources to manage the infrastructure and the environments. To free up those resources so organizations can focus on cloud native application development, Microsoft partnered with Red Hat to deliver Azure Red Hat OpenShift (ARO), a fully managed service of the Red Hat OpenShift platform on Microsoft’s public cloud infrastructure, Azure.

Microsoft and Red Hat now offer Aqua Cloud-Native Security Platform (CSP) to secure the cloud native application lifecycle from development to run time for dedicated Azure Red Hat OpenShift environments.

As organizations embark on their digital transformation journey and adopt modern DevOps practices, many are discovering that running business-critical applications in the cloud is a complicated business. As public cloud adoption grows rapidly, enterprises are using a growing number of services from public cloud providers, relying on mature providers such as Microsoft Azure to host their applications and to manage the network and physical infrastructure on their behalf.

Many organizations are finding that they lack the skillsets and expertise to successfully develop, ship, and manage highly distributed applications in the cloud, especially cloud native applications that are running on a container orchestration platform, such as Kubernetes.

To simplify, automate, and expedite the adoption of modern DevOps practices, to lower operational costs, and to leverage the advantages Kubernetes offers, organizations turn to fully managed Kubernetes container orchestration solutions.

The Azure Red Hat OpenShift platform makes it easy for organizations to shift their business-critical applications to the cloud by merging two best-of-breed solutions into a secure infrastructure and container orchestration platform. Organizations are now free to focus on the application development lifecycle and ship applications faster than ever before.

Your Responsibility: Managing Application Security in ARO

ARO is a highly secured platform that enforces security at every level of the cloud-native stack. However, the security shared responsibility model places the management of application security within the customer’s realm of responsibility. Customers are tasked with handling vulnerability management, compliance, and runtime security of the applications they deploy to ARO.

The Security Shared Responsibility Model

The Solution: Aqua Cloud Native Security Platform

Enter Aqua CSP, the most robust cloud native security platform on the market today. Aqua CSP augments the already hardened ARO platform and enhances the security framework by adding critical security controls to protect applications on ARO.

The following are the core security capabilities that Aqua CSP offers:

  • Container image scanning for malware, secrets, and vulnerabilities in the CI/CD pipeline. Aqua CSP integrates with CI/CD tools such as Jenkins, GoCD, Azure DevOps, GitLab, and others.
  • Integration with all common registries, such as Red Hat Quay, ACR (Microsoft Container Registry), JFrog Artifactory, and Harbor.
  • Image assurance policies that only permit scanned and approved images to run in the cluster.
  • Real-time container image scanning for risks and vulnerabilities.
  • Drift detection and prevention for running container images, ensuring container immutability.
  • Behavioral whitelisting for running container images.
  • Container firewalling and micro-segmentation that discovers network connections and automatically suggests service identity-based firewall rules to whitelist permitted connections between containers, functions, and VMs.
  • Automatic runtime detection of vulnerable components in containers and blocking of access to them.

Streamline Security into the Development Pipeline

Security is a requirement but can be an inhibitor in the application deployment lifecycle. Aqua CSP streamlines security into the development and deployment pipelines, fully securing the process without impacting velocity. Aqua CSP integrates automated security controls that scan images for vulnerabilities, preventing risky artifacts from getting to the registries and into the runtime environment. Aqua CSP controls which images are permitted to run in the cluster, therefore preventing noncompliant images from running in the production environment. Aqua CSP seamlessly integrates with the ARO platform and ecosystem.

Red Hat and Microsoft Chose Aqua CSP to Secure Workloads in ARO

Implementing an effective security framework on ARO requires deploying privileged agents to monitor and enforce policies on all the applications that are running on the platform. Due to ARO’s hardened configurations, arbitrary privileged containers are blocked from running on the clusters by default.

To allow runtime container scanning and to enforce security policies and controls, Red Hat and Microsoft have whitelisted Aqua CSP so that only the Aqua CSP containers, known as Enforcers, may run as privileged containers. By whitelisting the Aqua Enforcers, ARO enables Aqua CSP to provide granular visibility into the cluster’s container network as well as the enforcement capabilities required to apply security policies and secure the workloads running in ARO.


Amir Gabrieli
Amir Gabrieli is the Principal Integrations Architect at Aqua Security. Amir, CISSP, is an experienced security consultant who has worked for cyber-security startups, as well as global corporations like Microsoft, where he consulted global 2000 companies on strategic cyber-security initiatives. As a security architect at Aqua, Amir helps organizations in building their security strategy for modern containerized and cloud-native applications.