Azure IdentityAccessSecurity

Uploaded by borntowin435435

ELL 887 - CLOUD COMPUTING

Azure Identity, Access & Security


2

Outline
• Azure directory services
• Azure authentication methods
• Azure external identities
• Azure conditional access
• Azure role-based access control
• Zero trust model
• Defense-in-depth
• Microsoft Defender for Cloud
4

Azure Directory Services

▪ A directory service or name service maps the names of network resources to their respective
network addresses.
• It is a shared information infrastructure for locating, managing, administering and organizing everyday
items and network resources, which can include volumes, folders, files, printers, users, groups, devices,
telephone numbers and other objects.
• A directory server or name server is a server which provides such a service.
• Each resource on the network is considered an object by the directory server. Information about a
particular resource is stored as a collection of attributes associated with that resource or object.
▪ Active Directory (AD) is a directory service developed by Microsoft for Windows domain
networks. Windows Server operating systems include it as a set of processes and services.
▪ Microsoft Entra ID is a directory service that enables a user to sign in and access both
Microsoft cloud applications and cloud applications that users develop.
• Microsoft Entra ID can also help users maintain their on-premises Active Directory deployment.
• For on-premises environments, Active Directory running on Windows Server provides an identity and
access management service that's managed by the user organization.
• Microsoft Entra ID is Microsoft's cloud-based identity and access management service.
• With Microsoft Entra ID, the organization controls the identity accounts, but Microsoft ensures that the
service is available globally.
• When identities are secured on-premises with Active Directory, Microsoft doesn't monitor sign-in
attempts.
• When Active Directory is connected with Microsoft Entra ID, Microsoft can help protect by detecting
suspicious sign-in attempts at no extra cost.
5

Services provided by Microsoft Entra ID

▪ Authentication:
• This includes verifying identity to access applications and resources.
• It also includes providing functionality such as self-service password reset, multifactor
authentication, a custom list of banned passwords, and smart lockout services.
▪ Single sign-on:
• Single sign-on (SSO) enables a user to remember only one username and one password
to access multiple applications.
• A single identity is tied to a user, which simplifies the security model.
• As users change roles or leave an organization, access modifications are tied to that
identity, which greatly reduces the effort needed to change or disable accounts.
▪ Application management:
• Users can manage cloud and on-premises apps by using Microsoft Entra ID.
• Features like Application Proxy, SaaS apps, the My Apps portal, and single sign-on provide
a better user experience.
▪ Device management:
• Along with accounts for individual people, Microsoft Entra ID supports the registration of
devices.
• It allows for device-based Conditional Access policies to restrict access attempts to only
those coming from known devices, regardless of the requesting user account.
6

Who uses Microsoft Entra ID


• IT administrators. Administrators can use Microsoft Entra ID to control access to
applications and resources based on their business requirements.
• App developers. Developers can use Microsoft Entra ID to provide a standards-
based approach for adding functionality to applications that they build, such as
adding SSO functionality to an app or enabling an app to work with a user's
existing credentials.
• Users. Users can manage their identities and take maintenance actions like self-
service password reset.
• Online service subscribers. Microsoft 365, Microsoft Office 365, Azure, and
Microsoft Dynamics CRM Online subscribers are already using Microsoft Entra ID to
authenticate into their account.
7

Microsoft Entra Domain Services

▪ Microsoft Entra Domain Services is a service that provides managed domain services such as Lightweight
Directory Access Protocol (LDAP) and Kerberos authentication.
▪ With Microsoft Entra Domain Services, you get the benefit of domain services without the need to deploy,
manage, and patch domain controllers (DCs) in the cloud.
▪ A Microsoft Entra Domain Services managed domain lets you run legacy applications in the cloud that
can't use modern authentication methods, or where you don't want directory lookups to always go back to
an on-premises AD DS environment.
▪ You can lift and shift those legacy applications from your on-premises environment into a managed
domain, without needing to manage the AD DS environment in the cloud.
▪ Microsoft Entra Domain Services integrates with an existing Microsoft Entra tenant.
• This integration lets users sign in to services and applications connected to the managed domain using their existing
credentials.
• Existing groups and user accounts can be used to secure access to resources.
• These features provide a smoother lift-and-shift of on-premises resources to Azure.
▪ When a Microsoft Entra Domain Services managed domain is created, a unique namespace is defined.
• This namespace is the domain name.
• Two Windows Server domain controllers are then deployed into the selected Azure region.
• This deployment of DCs is known as a replica set.
• The Azure platform handles the DCs as part of the managed domain, including backups and encryption at rest using
Azure Disk Encryption.
8

Microsoft Entra Domain Services

▪ A managed domain is configured to perform a one-way
synchronization from Microsoft Entra ID to Microsoft Entra Domain
Services.
▪ One can create resources directly in the managed domain, but they
aren't synchronized back to Microsoft Entra ID.
▪ In a hybrid environment with an on-premises AD DS environment,
Microsoft Entra Connect synchronizes identity information with
Microsoft Entra ID, which is then synchronized to the managed
domain.
9


Authentication
• Authentication is the process of establishing the identity of a person, service, or
device.
• It requires the person, service, or device to provide some type of credential to
prove who they are.
• Azure supports multiple authentication methods, including standard passwords,
single sign-on (SSO), multifactor authentication (MFA), and passwordless.
• For the longest time, security and convenience seemed to be at odds with each
other.
• Thankfully, new authentication solutions provide both security and convenience.
11

Single Sign-on
▪ Single sign-on (SSO) enables a user to sign in one time and use that credential to access
multiple resources and applications from different providers.
▪ For SSO to work, the different applications and providers must trust the initial
authenticator.
▪ More identities mean more passwords to remember and change. Password policies can
vary among applications.
• As complexity requirements increase, it becomes increasingly difficult for users to remember them.
• The more passwords a user has to manage, the greater the risk of a credential-related security
incident.
▪ Consider the process of managing all those identities.
• More strain is placed on help desks as they deal with account lockouts and password reset
requests.
• If a user leaves an organization, tracking down all those identities and ensuring they're disabled
can be challenging.
• If an identity is overlooked, this might allow access when it should have been eliminated.
▪ With SSO, a user needs to remember only one ID and one password.
• Access across applications is granted to a single identity that's tied to the user, which simplifies the
security model.
• As users change roles or leave an organization, access is tied to a single identity.
• This change greatly reduces the effort needed to change or disable accounts.
• Using SSO for accounts makes it easier for users to manage their identities and for IT to manage
users.
12

Multifactor Authentication
▪ Multifactor authentication is the process of prompting a user for an extra form (or factor) of
identification during the sign-in process.
▪ MFA helps protect against a password compromise in situations where the password was
compromised but the second factor wasn't.
▪ Multifactor authentication provides additional security for identities by requiring two or
more elements to fully authenticate.
▪ These elements fall into three categories:
• Something the user knows – this might be a challenge question.
• Something the user has – this might be a code that's sent to the user's mobile phone.
• Something the user is – this is typically some sort of biometric property, such as a fingerprint or face
scan.
▪ Multifactor authentication increases identity security by limiting the impact of credential
exposure (for example, stolen usernames and passwords).
▪ With multifactor authentication enabled, an attacker who has a user's password would also
need to have possession of their phone or their fingerprint to fully authenticate.
▪ Multifactor authentication should be enabled wherever possible because it adds enormous
benefits to security.
▪ Microsoft Entra multifactor authentication is a Microsoft service that provides multifactor
authentication capabilities.
• Microsoft Entra multifactor authentication enables users to choose an additional form of
authentication during sign-in, such as a phone call or mobile app notification.
13

Passwordless Authentication
▪ Features like MFA are a great way to secure an organization, but users often get
frustrated with the additional security layer on top of having to remember their
passwords.
• People are more likely to comply when it's easy and convenient to do so. Passwordless
authentication methods are more convenient because the password is removed and
replaced with something the user has, plus something the user is, or something the
user knows.
▪ Passwordless authentication needs to be set up on a device before it can work.
• For example, a computer is something a user has.
• Once it's been registered or enrolled, Azure now knows that it's associated with the user.
• Now that the computer is known, once the user provides something they know or are
(such as a PIN or fingerprint), they can be authenticated without using a password.
▪ Each organization has different needs when it comes to authentication.
▪ Microsoft global Azure and Azure Government offer the following three
passwordless authentication options that integrate with Microsoft Entra ID:
• Windows Hello for Business
• Microsoft Authenticator app
• FIDO2 security keys
14

Passwordless Authentication
▪ Windows Hello for Business
• Windows Hello for Business is ideal for information workers that have their own designated Windows PC.
• The biometric and PIN credentials are directly tied to the user's PC, which prevents access from anyone
other than the owner.
• Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources
on-premises and in the cloud.
▪ Microsoft Authenticator App
• The Authenticator App turns any iOS or Android phone into a strong, passwordless credential.
• Users can sign in to any platform or browser by getting a notification to their phone, matching a number
displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN
to confirm.
▪ FIDO2 security keys
• The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the
use of passwords as a form of authentication.
• FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.
• FIDO2 security keys are an unphishable, standards-based passwordless authentication method that can
come in any form factor.
• Fast Identity Online (FIDO) is an open standard for passwordless authentication.
− FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or
password by using an external security key or a platform key built into a device.
• Users can register and then select a FIDO2 security key at the sign-in interface as their main means of
authentication.
− These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC.
− With a hardware device that handles the authentication, the security of an account is increased as there's no password
that could be exposed or guessed.
15


Azure External Identities

▪ An external identity is a person, device, service, etc. that is outside your
organization.
▪ Microsoft Entra External ID refers to all the ways you can securely interact with
users outside of your organization.
▪ If you want to collaborate with partners, distributors, suppliers, or vendors,
you can share your resources and define how your internal users can access
external organizations.
▪ If you're a developer creating consumer-facing apps, you can manage your
customers' identity experiences.
▪ With External Identities, external users can "bring their own identities."
• Whether they have a corporate or government-issued digital identity, or an
unmanaged social identity like Google or Facebook, they can use their own
credentials to sign in.
• The external user's identity provider manages their identity, and you manage access
to your apps with Microsoft Entra ID or Azure AD B2C to keep your resources
protected.
17

Azure External Identities


18

Azure External Identities Capabilities

▪ Business to business (B2B) collaboration
• Collaborate with external users by letting them use their preferred identity to sign in to your
Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps,
etc.).
• B2B collaboration users are represented in your directory, typically as guest users.
▪ B2B direct connect
• Establish a mutual, two-way trust with another Microsoft Entra organization for seamless
collaboration. B2B direct connect currently supports Teams shared channels, enabling external
users to access your resources from within their home instances of Teams.
• B2B direct connect users aren't represented in your directory, but they're visible from within the
Teams shared channel and can be monitored in Teams admin center reports.
▪ Microsoft Azure Active Directory business to customer (B2C)
• Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers
and customers, while using Azure AD B2C for identity and access management.
▪ Depending on how you want to interact with external organizations and the types of resources you
need to share, you can use a combination of these capabilities.
19


Azure Conditional Access

▪ Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to
resources based on identity signals.
• These signals include who the user is, where the user is, and what device the user is requesting
access from.
▪ Conditional Access helps IT administrators:
• Empower users to be productive wherever and whenever.
• Protect the organization's assets.
▪ Conditional Access also provides a more granular multifactor authentication experience
for users.
• For example, a user might not be challenged for a second authentication factor if they're at a
known location.
• However, they might be challenged for a second authentication factor if their sign-in signals are
unusual or they're at an unexpected location.
▪ During sign-in, Conditional Access collects signals from the user, makes decisions based
on those signals, and then enforces that decision by allowing or denying the access
request or challenging for a multifactor authentication response.
21

Azure Conditional Access

▪ The signal might be the user's location, the user's device, or the application that the
user is trying to access.
▪ Based on these signals, the decision might be to allow full access if the user is signing in
from their usual location.
▪ If the user is signing in from an unusual location or a location that's marked as high risk,
then access might be blocked entirely or possibly granted after the user provides a
second form of authentication.
▪ Enforcement is the action that carries out the decision.
• For example, the action is to allow access or require the user to provide a second form of
authentication.
22

Azure Conditional Access – When to use?

▪ Require multifactor authentication (MFA) to access an application depending
on the requester's role, location, or network.
• For example, you could require MFA for administrators but not regular users.
▪ Require access to services only through approved client applications.
• For example, you could limit which email applications are able to connect to your
email service.
▪ Require users to access your application only from managed devices.
• A managed device is a device that meets your standards for security and compliance.
▪ Block access from untrusted sources, such as access from unknown or
unexpected locations.
23
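The signal, decision and enforcement steps described on the Conditional Access slides, worked through as an added Python example (this is not code from the slides, from Microsoft, or from any real tenant). Every location, application, role and policy name is a constructed assumption; the evaluation order, where any matching block policy wins over an MFA requirement, mirrors the behaviour the slides describe.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed reference data for this example; the location, application and
# role names are assumptions, not values from any real tenant.
KNOWN_LOCATIONS = {"HQ-Delhi", "Office-Mumbai"}
HIGH_RISK_LOCATIONS = {"anonymizer-exit"}
APPROVED_MAIL_CLIENTS = {"Outlook"}
PRIVILEGED_ROLES = {"Global Administrator", "User Administrator"}


@dataclass(frozen=True)
class SignIn:
    """Signals collected at sign-in: who, where, which device, which app."""
    user: str
    roles: frozenset
    location: str
    device_managed: bool
    client_app: str
    target_app: str
    mfa_satisfied: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]  # condition evaluated over the signals
    control: str                        # "block" or "mfa"


# One policy per scenario on the slide: MFA by role, approved clients only,
# managed devices only, and blocking untrusted sources.
POLICIES = [
    Policy("Block untrusted locations",
           lambda s: s.location in HIGH_RISK_LOCATIONS, "block"),
    Policy("Mail only from approved clients",
           lambda s: s.target_app == "Exchange Online"
           and s.client_app not in APPROVED_MAIL_CLIENTS, "block"),
    Policy("Finance app only from managed devices",
           lambda s: s.target_app == "Finance" and not s.device_managed, "block"),
    Policy("MFA for administrators",
           lambda s: bool(s.roles & PRIVILEGED_ROLES), "mfa"),
    Policy("MFA outside known locations",
           lambda s: s.location not in KNOWN_LOCATIONS, "mfa"),
]


def decide(signin: SignIn) -> Tuple[str, List[str]]:
    """Decision step: a block from any matching policy wins over an MFA
    requirement, which wins over plain allow."""
    matched = [p for p in POLICIES if p.applies(signin)]
    controls = {p.control for p in matched}
    if "block" in controls:
        decision = "block"
    elif "mfa" in controls:
        decision = "require_mfa"
    else:
        decision = "allow"
    return decision, [p.name for p in matched]


def enforce(signin: SignIn) -> Tuple[str, List[str]]:
    """Enforcement step: turn the decision into deny, MFA challenge or grant."""
    decision, names = decide(signin)
    if decision == "block":
        return "denied", names
    if decision == "require_mfa" and not signin.mfa_satisfied:
        return "challenge_mfa", names
    return "granted", names


if __name__ == "__main__":
    samples = [
        SignIn("alice", frozenset({"User"}), "HQ-Delhi", True, "Teams", "Teams"),
        SignIn("bob", frozenset({"Global Administrator"}), "HQ-Delhi", True, "Browser", "Azure portal"),
        SignIn("carol", frozenset({"User"}), "Cafe-WiFi", False, "Outlook", "Exchange Online"),
        SignIn("dave", frozenset({"User"}), "HQ-Delhi", True, "Legacy-POP3", "Exchange Online"),
        SignIn("eve", frozenset({"User"}), "anonymizer-exit", True, "Teams", "Teams", mfa_satisfied=True),
    ]
    for s in samples:
        print(s.user, enforce(s))
```

The `roles`, `location` and `device_managed` fields stand in for the signals a real tenant takes from the directory, the sign-in address and device registration. The point is that the outcome is decided per request from all collected signals together, so the same account can be granted, challenged or denied depending on where and how it signs in, and a satisfied second factor never overrides a block.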


Role-based Access Control

▪ When an organization has multiple IT and engineering teams, one needs to control what
access different users have to the resources in the cloud environment.
▪ A good security practice, the principle of least privilege, says access should be granted only up
to the level needed to complete a task.
• If a user only needs read access to a storage blob, then she should only be granted read access to
that storage blob.
• Write access to that blob shouldn't be granted, nor should read access to other storage blobs.
▪ However, managing that level of permissions for an entire team would become tedious.
▪ Instead of defining the detailed access requirements for each individual, and then updating
access requirements when new resources are created or new people join the team, Azure
enables the control of access through Azure role-based access control (Azure RBAC).
▪ Azure provides built-in roles that describe common access rules for cloud resources.
▪ An organization can also define its own roles.
▪ Each role has an associated set of access permissions that relate to that role.
▪ When individuals or groups are assigned to one or more roles, they receive all the associated
access permissions.
• So, if a new engineer is hired and added to the Azure RBAC group for engineers, she automatically gets
the same access as the other engineers in the same Azure RBAC group.
25

How is RBAC applied to a resource

▪ Role-based access control is applied to a scope, which is a resource or set of resources
that this access applies to.
▪ The diagram shows the relationship between roles and scopes.
▪ A management group, subscription, or resource group might be given the role of owner,
so they have increased control and authority.
▪ An observer, who isn't expected to make any updates, might be given a role of Reader for
the same scope, enabling them to review or observe the management group,
subscription, or resource group.
26

How is RBAC applied to a resource

▪ Scopes include:
• A management group (a collection of multiple subscriptions).
• A single subscription.
• A resource group.
• A single resource.
▪ Azure RBAC is hierarchical, in that when access is granted at a parent scope,
those permissions are inherited by all child scopes.
▪ For example:
• When the Owner role is assigned to a user at the management group scope, that user
can manage everything in all subscriptions within the management group.
• When the Reader role is assigned to a group at the subscription scope, the members
of that group can view every resource group and resource within the subscription.
27

How is Azure RBAC enforced

▪ Azure RBAC is enforced on any action that's initiated against an Azure
resource that passes through Azure Resource Manager.
• Resource Manager is a management service that provides a way to organize and
secure cloud resources.
▪ Resource Manager can be accessed from the Azure portal, Azure Cloud Shell,
Azure PowerShell, and the Azure CLI.
▪ Azure RBAC doesn't enforce access permissions at the application or data
level.
▪ Application security must be handled by the application.
▪ Azure RBAC uses an allow model.
• When a user is assigned a role, Azure RBAC allows the user to perform actions within
the scope of that role.
• If one role assignment grants a user read permissions to a resource group and a
different role assignment grants the user write permissions to the same resource
group, the user has both read and write permissions on that resource group.
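The two RBAC properties from the preceding slides, inheritance down the scope hierarchy and the allow model in which assignments only ever add permissions, modelled as an added Python example (not code from the slides or from any Azure SDK). The scope tree, group membership, principals and assignments are constructed; the action patterns for Owner, Reader and Virtual Machine Contributor follow the shape of those built-in roles, and wildcard matching uses `fnmatch` as a stand-in for Azure's own matching.

```python
from fnmatch import fnmatchcase
from typing import List, Tuple

# Constructed scope tree (child -> parent, None = root). The paths are
# simplified stand-ins for Azure resource IDs, chosen for this example only.
SCOPES = {
    "/mg/contoso": None,
    "/sub/prod": "/mg/contoso",
    "/sub/dev": "/mg/contoso",
    "/sub/prod/rg/web": "/sub/prod",
    "/sub/prod/rg/data": "/sub/prod",
    "/sub/prod/rg/web/vm/vm1": "/sub/prod/rg/web",
}

# Role definitions: each role is a list of permitted action patterns.
# "*" and "*/read" follow the shape of the built-in Owner and Reader roles;
# the VM role covers every action under the virtualMachines provider path.
ROLES = {
    "Owner": ["*"],
    "Reader": ["*/read"],
    "Virtual Machine Contributor": ["Microsoft.Compute/virtualMachines/*"],
}

GROUPS = {"engineers": {"priya", "rahul"}}  # constructed group membership

# Role assignments as (principal, role, scope). Constructed sample data.
ASSIGNMENTS = [
    ("anita", "Owner", "/mg/contoso"),
    ("engineers", "Reader", "/sub/prod"),
    ("priya", "Virtual Machine Contributor", "/sub/prod/rg/web"),
]


def ancestors(scope: str) -> List[str]:
    """The scope itself followed by every parent up to the root. An assignment
    at any of these scopes is inherited by `scope`."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPES[scope]
    return chain


def principals_for(user: str) -> set:
    """A user acts as themselves and as every group they belong to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def granting_assignments(user: str, action: str, scope: str) -> List[Tuple[str, str]]:
    """Every (role, assigned_scope) that permits `action` on `scope`.
    Allow model: assignments only add permissions, so the effective set is
    the union over all matching assignments, never an intersection."""
    principals = principals_for(user)
    chain = ancestors(scope)
    hits = []
    for principal, role, assigned_scope in ASSIGNMENTS:
        if principal in principals and assigned_scope in chain:
            if any(fnmatchcase(action, pattern) for pattern in ROLES[role]):
                hits.append((role, assigned_scope))
    return hits


def is_allowed(user: str, action: str, scope: str) -> bool:
    return bool(granting_assignments(user, action, scope))


if __name__ == "__main__":
    vm = "/sub/prod/rg/web/vm/vm1"
    for user in ("rahul", "priya", "anita"):
        for action in ("Microsoft.Compute/virtualMachines/read",
                       "Microsoft.Compute/virtualMachines/delete"):
            print(user, action, granting_assignments(user, action, vm))
```

Running it shows rahul reading but not deleting the VM through the group's Reader assignment at the subscription, priya doing both because her resource-group assignment is added to the inherited Reader permission, and anita doing anything anywhere under the management group. It also shows the limit of inheritance: priya's Virtual Machine Contributor assignment on one resource group grants nothing in a sibling resource group.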


28


Zero trust model

▪ Zero Trust is a security model that assumes the worst-case scenario and
protects resources with that expectation.
▪ Zero Trust assumes breach at the outset, and then verifies each request as
though it originated from an uncontrolled network.
▪ Today, organizations need a new security model that effectively adapts to the
complexity of the modern environment, embraces the mobile workforce, and
protects people, devices, applications, and data wherever they're located.
▪ To address this new world of computing, Microsoft highly recommends the
Zero Trust security model, which is based on these guiding principles:
• Verify explicitly - Always authenticate and authorize based on all available data
points.
• Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access
(JIT/JEA), risk-based adaptive policies, and data protection.
• Assume breach -
− Verify end-to-end encryption.
− Use analytics to get visibility, drive threat detection, and improve defenses.
30

Zero trust model

▪ Traditionally, corporate networks were restricted, protected, and generally
assumed safe.
• Only managed computers could join the network, VPN access was tightly
controlled, and personal devices were frequently restricted or blocked.
▪ The Zero Trust model flips that scenario.
• Instead of assuming that a device is safe because it's within the corporate
network, it requires everyone to authenticate.
• It then grants access based on authentication rather than location.
31


Defense-in-depth
▪ The objective of defense-in-depth is to protect
information and prevent it from being stolen by those
who aren't authorized to access it.
▪ A defense-in-depth strategy uses a series of mechanisms
to slow the advance of an attack that aims at acquiring
unauthorized access to data.
▪ You can visualize defense-in-depth as a set of layers, with
the data to be secured at the center and all the other
layers functioning to protect that central data layer.
• Each layer provides protection so that if one layer is
breached, a subsequent layer is already in place to prevent
further exposure.
• This approach removes reliance on any single layer of
protection.
• It slows down an attack and provides alert information that
security teams can act upon, either automatically or manually.
▪ Azure provides security tools and features at every level
of the defense-in-depth concept.
33

Physical Security
• Physically securing access to buildings and controlling access to
computing hardware within the datacenter are the first line of
defense.
• With physical security, the intent is to provide physical safeguards
against access to assets.
• These safeguards ensure that other layers can't be bypassed, and loss
or theft is handled appropriately.
• Microsoft uses various physical security mechanisms in its cloud
datacenters.
34

Identity & Access

▪ The identity and access layer controls access to infrastructure and
change control.
▪ The identity and access layer is about ensuring that identities are
secure, that access is granted only to what's needed, and that sign-in
events and changes are logged.
▪ At this layer, it's important to:
• Control access to infrastructure and change control.
• Use single sign-on (SSO) and multifactor authentication.
• Audit events and changes.
35

Perimeter
▪ The perimeter layer uses distributed denial of service (DDoS)
protection to filter large-scale attacks before they can cause a denial
of service for users.
▪ The network perimeter protects from network-based attacks against
resources.
▪ Identifying these attacks, eliminating their impact, and alerting when
they happen are important ways to keep the network secure.
▪ At this layer, it's important to:
• Use DDoS protection to filter large-scale attacks before they can affect the
availability of a system for users.
• Use perimeter firewalls to identify and alert on malicious attacks against
the network.
36

Network
▪ The network layer limits communication between resources through
segmentation and access controls.
▪ At this layer, the focus is on limiting the network connectivity across
all user resources to allow only what's required.
▪ By limiting this communication, the risk of an attack spreading to
other systems in the network is reduced.
▪ At this layer, it's important to:
• Limit communication between resources.
• Deny by default.
• Restrict inbound internet access and limit outbound access where
appropriate.
• Implement secure connectivity to on-premises networks.
37

Compute
▪ The compute layer secures access to virtual machines.
▪ Malware, unpatched systems, and improperly secured systems open
the environment to attacks.
▪ The focus in this layer is on making sure that the compute resources
are secure and that there are proper controls in place to minimize
security issues.
▪ At this layer, it's important to:
• Secure access to virtual machines.
• Implement endpoint protection on devices and keep systems patched and
current.
38

Application
▪ The application layer helps ensure that applications are secure and
free of security vulnerabilities.
▪ Integrating security into the application development lifecycle helps
reduce the number of vulnerabilities introduced in code.
▪ Every development team should ensure that its applications are
secure by default.
▪ At this layer, it's important to:
• Ensure that applications are secure and free of vulnerabilities.
• Store sensitive application secrets in a secure storage medium.
• Make security a design requirement for all application development.
39

Data
▪ The data layer controls access to business and customer data that
needs to be protected.
▪ Those who store and control access to data are responsible for
ensuring that it's properly secured.
▪ Often, regulatory requirements dictate the controls and processes
that must be in place to ensure the confidentiality, integrity, and
availability of the data.
▪ In almost all cases, attackers are after data:
• Stored in a database.
• Stored on disk inside virtual machines.
• Stored in software as a service (SaaS) applications, such as Office 365.
• Managed through cloud storage.
40


Defender for Cloud

▪ Defender for Cloud is a monitoring tool for security posture management and threat
protection.
▪ It monitors cloud, on-premises, hybrid, and multi-cloud environments to provide guidance and
notifications aimed at strengthening your security posture.
▪ Defender for Cloud provides the tools needed to harden resources, track security posture,
protect against cyber attacks, and streamline security management.
▪ Deployment of Defender for Cloud is easy because it is natively integrated into Azure.
▪ Because Defender for Cloud is an Azure-native service, many Azure services are monitored
and protected without needing any deployment.
• However, if the user also has an on-premises datacenter or is also operating in another cloud
environment, monitoring of Azure services may not give the complete picture of the security situation.
▪ One of Microsoft Defender for Cloud's main pillars is cloud security posture management
(CSPM).
• CSPM provides detailed visibility into the security state of your assets and workloads, and provides
hardening guidance to help you efficiently and effectively improve your security posture.
▪ When necessary, Defender for Cloud can automatically deploy a Log Analytics agent to gather
security-related data.
• For Azure machines, deployment is handled directly.
• For hybrid and multi-cloud environments, Microsoft Defender plans are extended to non-Azure
machines with the help of Azure Arc.
• Cloud security posture management (CSPM) features are extended to multi-cloud machines without the
need for any agents.
42

Azure Native Protections

▪ Azure PaaS services
• Detect threats targeting Azure services including Azure App Service, Azure SQL, Azure
Storage Account, and more data services.
• Perform anomaly detection on Azure activity logs using the native integration with
Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
▪ Azure data services
• Defender for Cloud includes capabilities that help automatically classify data in Azure
SQL.
• Also get assessments for potential vulnerabilities across Azure SQL and Storage services,
and recommendations for how to mitigate them.
▪ Networks
• Defender for Cloud helps you limit exposure to brute force attacks. By reducing access
to virtual machine ports, using just-in-time VM access, you can harden your network
by preventing unnecessary access. You can set secure access policies on selected ports,
for only authorized users, allowed source IP address ranges or IP addresses, and for a
limited amount of time.
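The just-in-time VM access policy described in the Networks bullet has four elements: the ports it covers, the source addresses allowed, who may request access, and the longest window a request may open. An added Python example (not from the slides or from Defender for Cloud itself) evaluating requests against such a policy; the VM name, port rules, addresses and group names are constructed placeholders, and the authorization check is a plain lookup standing in for the RBAC check Azure performs on the VM.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class JitRule:
    port: int
    protocol: str
    allowed_sources: Tuple[str, ...]   # CIDR blocks permitted to connect
    max_duration: timedelta            # longest window one request may open


# Constructed JIT policy: which ports on which VM may be opened, from where,
# and for how long. The VM name and the address ranges are placeholders.
JIT_POLICY: Dict[str, List[JitRule]] = {
    "vm-web-01": [
        JitRule(22, "TCP", ("203.0.113.0/24",), timedelta(hours=3)),
        JitRule(3389, "TCP", ("198.51.100.10/32",), timedelta(hours=1)),
    ],
}

# Constructed: groups allowed to request access per VM (stands in for RBAC).
AUTHORIZED_REQUESTERS: Dict[str, set] = {"vm-web-01": {"ops-team"}}

# Fixed clock so the example is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def hours(h: int) -> timedelta:
    return timedelta(hours=h)


def _deny(reason: str) -> dict:
    return {"allowed": False, "reason": reason, "expires": None}


def evaluate_jit_request(vm: str, requester_groups: Iterable[str], port: int,
                         source_ip: str, duration: timedelta,
                         now: datetime) -> dict:
    """Check one request to open a port; returns allowed/reason/expires.
    A VM without a JIT policy keeps all ports closed, so the default is deny."""
    rules = JIT_POLICY.get(vm)
    if rules is None:
        return _deny("no JIT policy for this VM; ports stay closed")
    if not set(requester_groups) & AUTHORIZED_REQUESTERS.get(vm, set()):
        return _deny("requester is not authorized to open ports on this VM")
    rule = next((r for r in rules if r.port == port), None)
    if rule is None:
        return _deny(f"port {port} is not part of the JIT policy")
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return _deny(f"{source_ip!r} is not a valid IP address")
    if not any(addr in ipaddress.ip_network(cidr) for cidr in rule.allowed_sources):
        return _deny(f"source {source_ip} is outside the allowed ranges")
    if duration > rule.max_duration:
        return _deny(f"requested window exceeds the {rule.max_duration} maximum")
    # All checks passed: the port opens only for this source and only until
    # the window expires, after which the temporary rule is removed again.
    return {"allowed": True,
            "reason": f"port {port}/{rule.protocol} opened for {source_ip}",
            "expires": now + duration}


if __name__ == "__main__":
    print(evaluate_jit_request("vm-web-01", ["ops-team"], 22, "203.0.113.7", hours(2), SAMPLE_NOW))
    print(evaluate_jit_request("vm-web-01", ["ops-team"], 22, "203.0.113.7", hours(4), SAMPLE_NOW))
    print(evaluate_jit_request("vm-web-01", ["dev-team"], 22, "203.0.113.7", hours(1), SAMPLE_NOW))
```

Each check is a separate reason for denial, which is what an operator wants in the audit trail: a request refused because the window was too long looks different from one refused because the source address was outside the policy. The time-bound grant is the point of the exercise; the management port is never left open by default.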
43

Defend Hybrid Resources

▪ In addition to defending the Azure environment, one can add Defender
for Cloud capabilities to a hybrid cloud environment to protect non-Azure
servers.
▪ To help focus on what matters the most, customized threat
intelligence and prioritized alerts are generated according to the
specific environment.
▪ To extend protection to on-premises machines, deploy Azure Arc and
enable Defender for Cloud's enhanced security features.
Defend resources running on other clouds
 Defender for Cloud can also protect resources in other clouds (such as AWS
and GCP).
 For example, once an Amazon Web Services (AWS) account is connected to an
Azure subscription, any of these protections can be enabled:
• Defender for Cloud's CSPM features extend to AWS resources.
− This agentless plan assesses your AWS resources against AWS-specific security
recommendations and includes the results in the secure score.
− The resources are also assessed for compliance with built-in standards specific to AWS
(AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices).
− Defender for Cloud's asset inventory page is multi-cloud enabled, so AWS resources are
managed alongside Azure resources.
• Microsoft Defender for Containers extends its container threat detection and
advanced defenses to Amazon EKS Linux clusters.
• Microsoft Defender for Servers brings threat detection and advanced defenses to
Windows and Linux EC2 instances.
Assess, Secure & Defend
 Defender for Cloud fills three vital needs as you manage the security
of your resources and workloads in the cloud and on-premises:
• Continuously assess – Know your security posture. Identify and track
vulnerabilities.
• Secure – Harden resources and services against the Azure Security Benchmark (since renamed
the Microsoft cloud security benchmark).
• Defend – Detect and resolve threats to resources, workloads, and services.
Continually Assess
 Defender for Cloud continuously assesses your environment.
• Defender for Cloud includes vulnerability assessment solutions for virtual
machines, container registries, and SQL servers.
 Microsoft Defender for Servers includes automatic, native integration
with Microsoft Defender for Endpoint.
• With this integration enabled, you have access to the vulnerability
findings from Microsoft threat and vulnerability management (now Microsoft Defender
Vulnerability Management).
 Between these assessment tools you get regular, detailed
vulnerability scans that cover compute, data, and infrastructure.
• You can review and respond to the results of these scans from within
Defender for Cloud.
Secure
 From authentication methods to access control to the concept of Zero Trust, security in the cloud
is an essential basic that must be done right.
 To be secure in the cloud, you have to ensure your workloads are secure.
• To secure workloads, you need security policies that are tailored to the environment and situation.
• Because policies in Defender for Cloud are built on top of Azure Policy controls, you get the full
range and flexibility of a mature policy engine.
• In Defender for Cloud, you can assign policies at the management group level, across subscriptions, and even
for a whole tenant.
 One of the benefits of moving to the cloud is the ability to grow and scale as needed, adding
new services and resources as necessary.
• Defender for Cloud constantly monitors for new resources being deployed across your workloads.
• Defender for Cloud assesses whether new resources are configured according to security best practices.
• If not, they are flagged and you get a prioritized list of recommendations for what needs to be
fixed.
• Recommendations help reduce the attack surface of each resource.
 The list of recommendations is driven by the Azure Security Benchmark.
• This Microsoft-authored, Azure-specific benchmark provides a set of guidelines for security and
compliance best practices based on common compliance frameworks.
 In this way, Defender for Cloud lets you not just set security policies, but apply secure
configuration standards across resources.
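To make the "policies built on Azure Policy" point concrete, here is a mini evaluator for Azure Policy-style rules. It is an added example, not code from the slides and not Azure Policy itself: it implements the subset of the policy-rule grammar (a `field` tested with `equals`, `notEquals`, `in` or `exists`, combined with `allOf`, `anyOf` and `not`) that most built-in secure-configuration definitions use, and applies two constructed definitions to constructed resources to show how a weakly configured storage account is flagged while a compliant one and an unrelated VM are not. Real definitions reference property aliases such as `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly`; here they are simplified to dotted property paths, and policy and resource names are assumptions.

```python
"""Mini evaluator for Azure Policy-style rules.

Added example, not code from the slides and not Azure Policy itself. It
implements the field / allOf / anyOf / not subset of the rule grammar and
applies constructed definitions to constructed resources. Real definitions
use property aliases; dotted paths are a simplification here.
"""


def field_value(resource: dict, path: str):
    """Resolve a dotted path such as 'properties.minimumTlsVersion'; None if absent."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(cond: dict, resource: dict) -> bool:
    """True when the condition block matches the resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict) -> str:
    """As in Azure Policy, the 'if' block describes the NON-compliant state:
    when it matches, the 'then' effect applies; otherwise the resource is compliant."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource) else "Compliant"


def assess(policies, resources):
    """Findings as (resource, policy, effect), Deny rows before Audit rows."""
    rank = {"Deny": 0, "Audit": 1}
    findings = [(r["name"], p["name"], evaluate(p, r))
                for r in resources for p in policies
                if evaluate(p, r) != "Compliant"]
    return sorted(findings, key=lambda f: (rank.get(f[2], 9), f[0]))


# Constructed definitions, shaped like the built-in storage hardening policies.
POLICIES = [
    {"name": "storage-secure-transfer",
     "policyRule": {
         "if": {"allOf": [
             {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
             {"field": "properties.supportsHttpsTrafficOnly", "notEquals": True}]},
         "then": {"effect": "Deny"}}},
    {"name": "storage-min-tls-1_2",
     "policyRule": {
         "if": {"allOf": [
             {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
             {"not": {"field": "properties.minimumTlsVersion", "in": ["TLS1_2"]}}]},
         "then": {"effect": "Audit"}}},
]

# Constructed resources: one hardened, one weak (TLS floor never set), one unrelated type.
RESOURCES = [
    {"name": "stgood", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"name": "stweak", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {"vmSize": "Standard_B2s"}},
]

if __name__ == "__main__":
    for name, policy, effect in assess(POLICIES, RESOURCES):
        print(f"{effect:<5} {name:<10} {policy}")
```

Two design points carry over to real Azure Policy: the `if` block is written to match the bad state (note the `not ... in` pattern, which also catches a property that was never set, a common gap when a rule only checks `notEquals`), and the effect decides whether the platform blocks the deployment (`Deny`) or merely records a recommendation (`Audit`) that then shows up in Defender for Cloud.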
Secure
• To help you understand how important each recommendation is to your overall security
posture, Defender for Cloud groups the recommendations into security controls and assigns
a secure score value to each control.
• The secure score gives you an at-a-glance indicator of the health of your security posture,
while the controls give you a working list of things to address to improve the score
and the overall security posture.
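The secure score arithmetic behind that "at-a-glance indicator", as an added example that is not Microsoft's code. It reproduces the published rule that a control's current score is its maximum score scaled by the fraction of resources that are healthy for every recommendation in that control, and that the overall secure score is the sum of current control scores over the sum of their maximum scores, shown as a percentage. The control names and resource counts are constructed; excluding controls that have no applicable resources from both sums is an assumption about how "not applicable" is handled.

```python
"""Secure score arithmetic as Defender for Cloud presents it.

Added example, not Microsoft's code. Control names and counts are
constructed; skipping controls with no applicable resources is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    max_score: int
    healthy: int     # resources healthy for ALL recommendations in the control
    unhealthy: int   # resources failing at least one recommendation

    @property
    def applicable(self) -> bool:
        return self.healthy + self.unhealthy > 0


def control_score(c: Control) -> float:
    """max score x (healthy / total): partial credit only for fully healthy resources."""
    return c.max_score * c.healthy / (c.healthy + c.unhealthy)


def secure_score(controls):
    """Return (current points, max points, percentage) over applicable controls."""
    used = [c for c in controls if c.applicable]
    cur = sum(control_score(c) for c in used)
    mx = sum(c.max_score for c in used)
    return cur, mx, (round(100 * cur / mx, 1) if mx else 0.0)


def potential_increase(c: Control) -> float:
    """Points gained if every resource in the control is remediated."""
    return c.max_score - control_score(c)


def prioritised(controls):
    """Controls ordered by the score they would add, largest first: the order in
    which the recommendations list is worth working through."""
    return sorted((c for c in controls if c.applicable),
                  key=potential_increase, reverse=True)


# Constructed posture snapshot.
CONTROLS = [
    Control("Enable MFA", 10, healthy=0, unhealthy=5),
    Control("Secure management ports", 8, healthy=3, unhealthy=1),
    Control("Remediate vulnerabilities", 6, healthy=6, unhealthy=6),
    Control("Encrypt data in transit", 4, healthy=4, unhealthy=0),
    Control("Apply system updates", 6, healthy=0, unhealthy=0),   # nothing applicable
]

if __name__ == "__main__":
    cur, mx, pct = secure_score(CONTROLS)
    print(f"secure score: {cur:g}/{mx} points ({pct}%)")
    for c in prioritised(CONTROLS):
        print(f"+{potential_increase(c):g} points: {c.name}")
```

The practical consequence of the "healthy for all recommendations" rule is visible in the numbers: fixing three of four recommendations on a resource earns nothing until the last one is done, so remediating one resource completely is worth more to the score than remediating the same recommendation across many resources.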
Defend
 Defender for Cloud also helps defend an environment by providing security alerts and
advanced threat protection features.
 When Defender for Cloud detects a threat in any area of your environment, it generates
a security alert that:
• Describes the affected resources
• Suggests remediation steps
• In some cases, offers the option to trigger a logic app (workflow automation) in response
 Defender for Cloud's threat protection includes fusion kill-chain analysis, which
automatically correlates alerts in an environment based on cyber kill-chain analysis, to
help you understand the full story of an attack campaign: where it started
and what impact it had on resources.
 Defender for Cloud provides advanced threat protection features for many of the
deployed resources, including virtual machines, SQL databases, containers, web
applications, and networks.
• Protections include securing the management ports of VMs with just-in-time access, and
adaptive application controls, which build allowlists of the applications that should and should not
run on machines.