Defender for Cloud (Cloud Security in Azure)

Defender for Cloud is the rebranding of Azure Security Center and is Microsoft's premier offering in Azure as a control plane for security and visibility.

While this is only a small view of the dashboard, you can see the experience has changed: as of recently, you can onboard your Azure subscriptions and your AWS and GCP accounts/projects into this portal for visibility of your workloads across other clouds.

While Cloud Workload Protection Platforms exist as a category, this one operates on a pay-as-you-go model, as I'll show you in the next screenshot.

As you can see, you can use this view to estimate the costs per workload, as they differ for each service; at the top you also have the "Enable All" option to protect all services at once.

The one service where pricing is further broken down is Defender for Servers, which is offered as Plan 1 and Plan 2.

While this is the more expensive plan, you can see the features it includes, which matter if your organization doesn't already own these solutions or wants this visibility.

A more economical choice would be Defender for Servers Plan 1, but you do lose some services, so there are trade-offs.
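As an added example (not code from the original post), a small check over the per-service plans described above: it reads the Microsoft.Security/pricings records a subscription returns and reports which Defender plans are still on the Free tier and which Defender for Servers sub-plan is active. The field names pricingTier and subPlan and the plan names are assumed from the ARM Pricing resource; the input below is constructed.

```python
"""Report which Defender for Cloud plans are enabled in a subscription.

Input is the JSON that `az security pricing list -o json` (or a GET on the
Microsoft.Security/pricings resource) returns. Field names pricingTier and
subPlan are assumed from the ARM Pricing resource; the sample is constructed.
"""
import json

# Constructed sample: Servers on Plan 1, Storage enabled, the rest still Free.
SAMPLE_PRICINGS = json.dumps({"value": [
    {"name": "VirtualMachines", "properties": {"pricingTier": "Standard", "subPlan": "P1"}},
    {"name": "StorageAccounts", "properties": {"pricingTier": "Standard"}},
    {"name": "SqlServers", "properties": {"pricingTier": "Free"}},
    {"name": "Containers", "properties": {"pricingTier": "Free"}},
    {"name": "KeyVaults", "properties": {"pricingTier": "Free"}},
]})


def parse_pricings(raw):
    """Return {plan name: (tier, sub-plan or None)} from raw JSON.

    Accepts either the ARM envelope {"value": [...]} or a bare list, and
    either nested "properties" (ARM) or flattened fields (az CLI output).
    """
    data = json.loads(raw)
    items = data.get("value", []) if isinstance(data, dict) else data
    plans = {}
    for item in items:
        props = item.get("properties", item)
        plans[item["name"]] = (props.get("pricingTier", "Free"), props.get("subPlan"))
    return plans


def uncovered_plans(raw):
    """Plan names still on the Free tier, i.e. without Defender protection."""
    return sorted(name for name, (tier, _) in parse_pricings(raw).items()
                  if tier != "Standard")


def servers_subplan(raw):
    """Active Defender for Servers sub-plan ('P1'/'P2'), or None if Free."""
    tier, sub = parse_pricings(raw).get("VirtualMachines", ("Free", None))
    return sub if tier == "Standard" else None


if __name__ == "__main__":
    for name, (tier, sub) in parse_pricings(SAMPLE_PRICINGS).items():
        print(f"{name:16} {tier:8} {sub or ''}")
    print("Still Free:", ", ".join(uncovered_plans(SAMPLE_PRICINGS)))
```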

When thinking about a Defense in Depth approach, just as a castle has many layers of protection before the entrance, start strategizing how you want to position your front-facing workloads, and, as always, asset management is key.

If you click Security Posture in the left-hand navigation, your view will expand to your environment, with options to switch between GCP and AWS as well.

Security Posture

We aren't diving deep into the recommendations provided for the subscription, as this is more of an overview of the capabilities of this offering and what it provides. Next we will navigate to Regulatory Compliance, which houses the compliance standards enabled throughout our tenant.

Azure Security Benchmark is now in version three; it encompasses a canonical set of controls, including mappings to PCI-DSS, NIST 800-53 R4 and CIS v8. The controls are organized with a consistent naming convention, as you can see with NS for Network Security, and you have the option to expand each of them.

DevOps Security is noted as DS; as technology continues to evolve and rapidly iterate, you can expect more controls to be added. Defender for Cloud also provides protection for AKS and Azure Container Registry.

While you might not be aware of some of these controls, they are in the system, and you can assign other compliance standards your organization follows to your subscription. Additionally, ASB covers the entire platform, while individual services such as Azure Synapse and Azure Cosmos DB have their own security baseline that can be used to follow best practices.

This is just scratching the surface; there is much more to explore on this topic. This was a quick overview of the evolving nature of security in Azure. I've had countless customers who work in Azure and are still discovering the full capabilities of this particular service, and I felt an overview is always welcome.