The adoption of infrastructures and services in cloud environments, useful for businesses to accelerate the digital transformation process, it requires us to adapt the solutions as well, the processes and practices that are adopted to ensure and maintain a high degree of security of IT resources. Everything must be done independently of the deployment models used, strengthening the overall security posture of your environment and providing advanced threat protection for all workloads, wherever they reside. This article reports how the Defender for Cloud solution is able to control and improve the security aspects of the IT environment where resources are used in the public cloud, in hybrid and multi-cloud environments.
The challenges of security in modern infrastructures
Among the main challenges that must be faced in the security field by adopting modern infrastructures that use components in the cloud we find:
- Rapid and constantly evolving workload. This aspect is certainly a double-edged sword of the cloud in that, on the one hand, end users have the ability to get more from solutions in cloud environments, on the other hand, it becomes complex to ensure that rapidly and constantly evolving services are always up to their standards and that they follow all security best practices.
- Increasingly sophisticated security attacks. Regardless of where your workloads are running, security attacks adopt sophisticated and advanced techniques that require reliable protections to be implemented to counter their effectiveness.
- Resources and expertise in the field of security not always up to par to intervene in the face of security alerts and to ensure that the environments are adequately protected. In fact,, IT security is an ever-changing front and staying up-to-date is a constant and difficult challenge to achieve.
The pillars of security covered by Microsoft Defender for Cloud
The capabilities of Microsoft Defender for Cloud are able to contemplate two great pillars of security for modern architectures that adopt cloud components: Cloud Security Posture Management (CSPM) e Cloud workload protection (CWP).
Figure 1 – The pillars of security covered by Microsoft Defender for Cloud
Cloud Security Posture Management (CSPM)
In the field of Cloud Security Posture Management (CSPM) Defender for Cloud can provide the following features:
-
- Visibility: to assess the current security situation.
- Hardening Guide: to be able to improve security efficiently and effectively
Thanks to a continuous assessment, Defender for Cloud is able to continuously discover new resources that are distributed and evaluate if they are configured according to security best practices. If not,, the resources are flagged and you get a priority list of advice related to what should be corrected to improve their protection. This list of recommendations is taken and supported by Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, this contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark may cover the controls of the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) and it can be customized according to the standards to be respected.
Figure 2 - Examples of recommendations
Defender for Cloud assigns a global score to the environment, defined Secure Score, which allows you to evaluate the risk profile (the higher the score, the lower the level of risk identified) and to take action to take remediation actions.
Figure 3 - Secure score example
Cloud workload protection (CWP)
Regarding this area, Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. Furthermore, includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments:
- Microsoft Defender for Servers
- Microsoft Defender for Storage
- Microsoft Defender for SQL
- Microsoft Defender for Containers
- Microsoft Defender for App Service
- Microsoft Defender for Key Vault
- Microsoft Defender for Resource Manager
- Microsoft Defender for DNS
- Microsoft Defender for open-source relational databases
- Microsoft Defender for Azure Cosmos DB (Preview)
Figure 4 – Workloads protected by Defender for Cloud
Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and in on-premises environments:
Figure 5 - Security needs covered by Microsoft Defender for Cloud
Defender for Cloud also includes, as part of the advanced security features, vulnerability assessment solutions for virtual machines, container registry and SQL server. Some scans are done using the Qualys solution, that can be used without specific licenses and without dedicated accounts, but everything is included and managed through Defender for Cloud.
Which environments can be protected with Defender for Cloud?
Defender for Cloud is an Azure native service, which allows you to protect not only the resources present in Azure, but also hybrid and multi-cloud environments.
Figure 6 - Cross protection on different environments
Azure environment protection
- Azure IaaS and services Azure PaaS: Defender for Cloud can detect threats targeting virtual machines and services in Azure, including Azure App Service, Azure SQL, Azure Storage Account, and others. Furthermore, allows you to detect anomalies in Azure activity logs (Azure activity logs) through native integration with Microsoft Defender for Cloud Apps (known as Microsoft Cloud App Security).
- Azure data services: Defender for Cloud includes features that allow you to automatically classify data in Azure SQL. Furthermore, it is possible to carry out assessments to detect potential vulnerabilities in Azure SQL and Storage services, accompanied by recommendations on how to mitigate them.
- Network: the application of the Network Security Group (NSG) to filter the traffic to and from the resources attested on the Azure virtual networks, is essential to guarantee network security. However, there may be some cases where the actual traffic passing through the NSGs affects only a subset of the defined NSG rules. In these cases, the functionality of Adaptive network hardening allows to further improve the security posture by strengthening the NSG rules. Using a machine learning algorithm that takes into account actual traffic, the configuration, threat intelligence and other indicators of compromise, is able to provide advice to adjust the configuration of the NSG to allow only the strictly necessary traffic.
Hybrid Environment Protection
In addition to protecting the Azure environment, Defender for Cloud functionality can also be extended to hybrid environments to protect in particular servers that do not reside on Azure. Through Azure Arc Microsoft Defender plans can be extended to non-Azure machines.
Protection of resources running on other public clouds
Microsoft Defender for Cloud may also include resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). To protect resources on other public clouds with this solution, a new native mechanism and, through an approach agentless, allows you to connect to AWS and GCP environments. This new method of interfacing take advantage of the AWS and GCP APIs and it has no dependence on other solutions, for example AWS Security Hub.
Real case of protection with Defender for Cloud
Assuming a customer environment with resources located in Azure, on-premises and in AWS, with Defender for Cloud you can extend protection to all resources, independently of where they reside.
In fact,, by connecting an Amazon Web Services account (AWS) to an Azure subscription, it is possible to enable the following protections:
- The functionalities CSPM di Defender for Cloud are also extended to AWS resources, allowing you to evaluate the resources present in the Amazon cloud, according to AWS specific security recommendations. Furthermore, resources are evaluated for compliance with AWS specific standards such as: AWS CIS, AWS PCI DSS e AWS Foundational Security Best Practices. All of this is considered by influencing the overall security score.
- Microsoft Defender for Servers offers threat detection and enables advanced defenses for EC2 Windows and Linux instances as well.
- Microsoft Defender for Kubernetes extends advanced defenses to Amazon EKS Linux clusters and enables the detection of threats on containers present in those infrastructures.
These protections will be added to the features listed above available for Azure environments and for resources residing on-premises.
Conclusions
Defender for Cloud is able to respond effectively to challenges, in the security field, given by the adoption of modern infrastructures. In fact, thanks to the use of Microsoft Defender for Cloud, you have a solution capable of identifying the weaknesses in the security field in cloud configurations, strengthen the overall security posture of the environment and protect workloads in hybrid and multi-cloud environments.
