articles/security-center/release-notes.md
Lines changed: 34 additions & 17 deletions
@@ -25,12 +25,12 @@ To learn about *planned* changes that are coming soon to Security Center, see [I
25
25
26
26
Updates in April include:
27
27
-[Recently pulled container registry images are now rescanned weekly (General Availability)](#recently-pulled-container-registry-images-are-now-rescanned-weekly-general-availability)
28
-
-[Four new recommendations related to guest configuration (preview)](#four-new-recommendations-related-to-guest-configuration-preview)
29
28
-[Use Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (preview)](#use-azure-defender-for-kubernetes-to-protect-hybrid-and-multi-cloud-kubernetes-deployments-preview)
29
+
-[Four new recommendations related to guest configuration (preview)](#four-new-recommendations-related-to-guest-configuration-preview)
30
+
-[CMK recommendations moved to best practices security control](#cmk-recommendations-moved-to-best-practices-security-control)
-[Two recommendations from "Apply system updates" security control were deprecated](#two-recommendations-from-apply-system-updates-security-control-were-deprecated)
32
33
33
-
34
34
### Recently pulled container registry images are now rescanned weekly (General Availability)
35
35
36
36
Azure Defender for container registries includes a built-in vulnerability scanner. This scanner immediately scans any image you push to your registry and any image pulled within the last 30 days.
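Review bot: The "Two recommendations from "Apply system updates" security control were deprecated" item, which sits directly after the added CMK item, carries neither a diff marker nor a line number in this view, so please confirm it survived the edit as a list item and that its `#two-recommendations-from-apply-system-updates-security-control-were-deprecated` anchor points at a heading that exists in the file; the matching section is not within this patch. The rest of the reorder is consistent: the Kubernetes entry now precedes the guest-configuration entry in the list, which matches the section move made further down in the same file, and the new CMK link anchor matches the heading "CMK recommendations moved to best practices security control".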
@@ -42,6 +42,26 @@ Scanning is charged on a per image basis, so there's no additional charge for th
42
42
Learn more about this scanner in [Use Azure Defender for container registries to scan your images for vulnerabilities](defender-for-container-registries-usage.md).
43
43
44
44
45
+
### Use Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (preview)
46
+
47
+
Azure Defender for Kubernetes is expanding its threat protection capabilities to defend your clusters wherever they're deployed. This has been enabled by integrating with [Azure Arc enabled Kubernetes](../azure-arc/kubernetes/overview.md) and its new [extensions capabilities](../azure-arc/kubernetes/extensions.md).
48
+
49
+
When you've enabled Azure Arc on your non-Azure Kubernetes clusters, a new recommendation from Azure Security Center offers to deploy the Azure Defender extension to them with only a few clicks.
50
+
51
+
Use the recommendation (**Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed**) and the extension to protect Kubernetes clusters deployed in other cloud providers, although not on their managed Kubernetes services.
52
+
53
+
This integration between Azure Security Center, Azure Defender, and Azure Arc enabled Kubernetes brings:
54
+
55
+
- Easy provisioning of the Azure Defender extension to unprotected Azure Arc enabled Kubernetes clusters (manually and at-scale)
56
+
- Monitoring of the Azure Defender extension and its provisioning state from the Azure Arc Portal
57
+
- Security recommendations from Security Center are reported in the new Security page of the Azure Arc Portal
58
+
- Identified security threats from Azure Defender are reported in the new Security page of the Azure Arc Portal
59
+
- Azure Arc enabled Kubernetes clusters are integrated into the Azure Security Center platform and experience
60
+
61
+
Learn more in [Use Azure Defender for Kubernetes with your on-premises and multi-cloud Kubernetes clusters](defender-for-kubernetes-azure-arc.md).
62
+
63
+
:::image type="content" source="media/defender-for-kubernetes-azure-arc/extension-recommendation.png" alt-text="Azure Security Center's recommendation for deploying the Azure Defender extension for Azure Arc enabled Kubernetes clusters." lightbox="media/defender-for-kubernetes-azure-arc/extension-recommendation.png":::
64
+
45
65
### Four new recommendations related to guest configuration (preview)
46
66
47
67
Azure's [Guest Configuration extension](../governance/policy/concepts/guest-configuration.md) reports to Security Center to help ensure your virtual machines' in-guest settings are hardened. The extension isn't required for Arc enabled servers because it's included in the Arc Connected Machine agent. The extension requires a system-managed identity on the machine.
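Review bot: The scope caveat in "Use the recommendation (...) and the extension to protect Kubernetes clusters deployed in other cloud providers, although not on their managed Kubernetes services" is easy to miss in a trailing clause, and a reader could otherwise assume the extension covers other providers' managed Kubernetes offerings; consider a standalone sentence such as "The extension protects Azure Arc enabled Kubernetes clusters running in other cloud providers; it does not cover those providers' managed Kubernetes services." Two smaller points in the same hunk: "at-scale" in the first bullet should be "at scale", and the passive "This has been enabled by integrating with" reads more directly as "This is made possible by integrating with". The added section text matches the block removed from under the CMK heading in the next hunk, so this hunk is a move rather than new content.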
@@ -58,26 +78,23 @@ We've added four new recommendations to Security Center to make the most of this
58
78
59
79
Learn more in [Understand Azure Policy's Guest Configuration](../governance/policy/concepts/guest-configuration.md).
60
80
81
+
### CMK recommendations moved to best practices security control
61
82
62
-
### Use Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (preview)
63
-
64
-
Azure Defender for Kubernetes is expanding its threat protection capabilities to defend your clusters wherever they're deployed. This has been enabled by integrating with [Azure Arc enabled Kubernetes](../azure-arc/kubernetes/overview.md) and its new [extensions capabilities](../azure-arc/kubernetes/extensions.md).
83
+
Every organization's security program includes data encryption requirements. By default, Azure customers' data is encrypted at rest with service-managed keys. However, customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs let you encrypt your data with an [Azure Key Vault](../key-vault/general/overview.md) key created and owned by you. This gives you full control and responsibility for the key lifecycle, including rotation and management.
65
84
66
-
When you've enabled Azure Arc on your non-Azure Kubernetes clusters, a new recommendation from Azure Security Center offers to deploy the Azure Defender extension to them with only a few clicks.
85
+
Azure Security Center's security controls are logical groups of related security recommendations, and reflect your vulnerable attack surfaces. Each control has a maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources. The **Implement security best practices** security control is worth zero points. So recommendations in this control don't affect your secure score.
67
86
68
-
Use the recommendation (**Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed**) and the extension to protect Kubernetes clusters deployed in other cloud providers, although not on their managed Kubernetes services.
87
+
The recommendations listed below are being moved to the **Implement security best practices** security control to better reflect their optional nature. This move ensures that these recommendations are in the most appropriate control to meet their objective.
69
88
70
-
This integration between Azure Security Center, Azure Defender, and Azure Arc enabled Kubernetes brings:
89
+
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
90
+
- Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
91
+
- Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
92
+
- Container registries should be encrypted with a customer-managed key (CMK)
93
+
- SQL managed instances should use customer-managed keys to encrypt data at rest
94
+
- SQL servers should use customer-managed keys to encrypt data at rest
95
+
- Storage accounts should use customer-managed key (CMK) for encryption
71
96
72
-
- Easy provisioning of the Azure Defender extension to unprotected Azure Arc enabled Kubernetes clusters (manually and at-scale)
73
-
- Monitoring of the Azure Defender extension and its provisioning state from the Azure Arc Portal
74
-
- Security recommendations from Security Center are reported in the new Security page of the Azure Arc Portal
75
-
- Identified security threats from Azure Defender are reported in the new Security page of the Azure Arc Portal
76
-
- Azure Arc enabled Kubernetes clusters are integrated into the Azure Security Center platform and experience
77
-
78
-
Learn more in [Use Azure Defender for Kubernetes with your on-premises and multi-cloud Kubernetes clusters](defender-for-kubernetes-azure-arc.md).
79
-
80
-
:::image type="content" source="media/defender-for-kubernetes-azure-arc/extension-recommendation.png" alt-text="Azure Security Center's recommendation for deploying the Azure Defender extension for Azure Arc enabled Kubernetes clusters." lightbox="media/defender-for-kubernetes-azure-arc/extension-recommendation.png":::
97
+
Learn which recommendations are in each security control in [Security controls and their recommendations](secure-score-security-controls.md#security-controls-and-their-recommendations).
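Review bot: The paragraph states the mechanism ("recommendations in this control don't affect your secure score") but not its consequence for readers who track encryption-key compliance through secure score: because the "Implement security best practices" control is worth zero points, the seven CMK recommendations listed here are still evaluated and displayed, but remediating them no longer changes the score, so anyone relying on secure score to monitor CMK adoption should watch these recommendations directly. Consider adding one sentence to that effect after "This move ensures that these recommendations are in the most appropriate control to meet their objective." Also, "are being moved" in a release note reads as pending; if the move shipped with this release, "have been moved" is clearer. The removed Kubernetes section under the CMK heading matches the block added earlier in this patch line for line, so nothing is lost by the deletion.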