Security Overview
This section covers Azure security services and best practices for securing your cloud infrastructure.
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud (formerly Azure Security Center) is Microsoft's cloud-native application protection platform (CNAPP): it combines security posture management (CSPM: continuous assessment, Secure Score, recommendations, compliance reporting) with workload protection (CWPP: threat detection and alerts for servers, containers, storage, databases and other services). It covers Azure resources natively and can be extended to AWS, GCP and on-premises machines through Azure Arc, giving one place to prevent, detect, and respond to threats across your estate.
Key Services
| Service | Purpose | Team Owner |
|---|---|---|
| Microsoft Defender for Cloud | Unified security management & threat protection | Security Team |
| Microsoft Sentinel | Cloud-native SIEM & SOAR solution | Security Team |
| Azure Key Vault | Secrets, keys, and certificate management | Security Team |
| Azure Policy | Governance and compliance enforcement | Security & Governance Teams |
Core Capabilities
Security Posture Management
- Secure Score: Get a centralized view of your security posture with actionable recommendations
- Microsoft Cloud Security Benchmark (MCSB): the default policy initiative, assigned automatically to every subscription onboarded to Defender for Cloud; its recommendations are what Secure Score is calculated from
- Regulatory Compliance Dashboard: Monitor compliance with industry standards (ISO 27001, PCI DSS, SOC 2, HIPAA)
Workload Protection
- Defender for Servers: Advanced threat protection for VMs
- Defender for Containers: Security for Kubernetes and container registries
- Defender for Storage: Protect against malicious uploads and suspicious access
- Defender for Databases: SQL injection detection and vulnerability assessment
Quick Start Guide
1. Enable Microsoft Defender for Cloud
```bash
# Defender plans are enabled per subscription; target the right one first
az account set --subscription "<subscription-id>"

# Enable a single plan (here Defender for Servers).
# --tier standard turns the paid plan on; --tier free turns it back off.
az security pricing create --name VirtualMachines --tier standard

# az security pricing create accepts one plan name per call, so loop over the plans you need.
# The old KubernetesService and ContainerRegistry plans are replaced by Containers.
for plan in VirtualMachines SqlServers AppServices StorageAccounts Containers KeyVaults Arm; do
  az security pricing create --name "$plan" --tier standard
done

# Confirm which plans are now on
az security pricing list --output table
```
2. Review Security Recommendations
- Navigate to Microsoft Defender for Cloud in Azure Portal
- Check your Secure Score on the overview page
- Review Recommendations prioritized by potential impact
- Implement high-priority items first
3. Configure Security Policies
```bash
# Assign the Microsoft cloud security benchmark initiative at subscription scope.
# 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 is the built-in initiative's definition name;
# replace {subscription-id} with your own.
az policy assignment create \
  --name 'ASC Default' \
  --display-name 'Microsoft cloud security benchmark' \
  --policy-set-definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8' \
  --scope /subscriptions/{subscription-id}
```
Defender for Cloud creates this assignment itself (named `SecurityCenterBuiltIn`) when it onboards a subscription, so check `az policy assignment list --query "[?name=='SecurityCenterBuiltIn']"` before running the command; a second assignment of the same initiative only produces duplicate evaluations.
Best Practices
Security First
Always follow the principle of least privilege and Zero Trust when configuring access controls.
Enable All Defender Plans
Enable the Microsoft Defender plans that match your workloads. The free foundational CSPM tier gives you Secure Score, recommendations and the MCSB assessment, but no threat detection; the paid plans (for example Defender for Servers Plan 2) add:
- Just-in-time VM access
- Adaptive application controls
- File integrity monitoring
- Threat detection and alerts
Automate Security Responses
- Workflow Automation: Use Logic Apps to automate responses to security alerts
- Security Alerts Integration: Export to SIEM tools or ticketing systems
- Continuous Compliance: Automate remediation tasks for non-compliant resources
Regular Security Assessments
- Review Secure Score weekly
- Investigate all high and critical severity alerts within 24 hours
- Conduct monthly compliance audits
- Update security policies as threats evolve
Network Security
- Deploy Azure Firewall for centralized network protection
- Use Network Security Groups (NSGs) on all subnets
- Enable DDoS Protection for internet-facing applications
- Implement Web Application Firewall (WAF) for web apps
CI/CD Integration
GitHub Actions Example
```yaml
name: Security Scan
on: [push]
permissions:
  contents: read
  security-events: write   # required to upload SARIF to the repository's Security tab
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Microsoft Security DevOps (MSDO) is the GitHub Action that feeds Defender for DevOps;
      # it runs the bundled scanners and writes a SARIF file. No subscription secret is needed.
      - name: Run Microsoft Security DevOps
        id: msdo
        uses: microsoft/security-devops-action@latest
      - name: Upload security results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```
Azure DevOps Pipeline
```yaml
trigger:
  - main
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: AzureCLI@2
    displayName: 'Check Security Compliance'
    inputs:
      azureSubscription: 'your-connection'   # service connection; its identity needs Security Reader
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        set -euo pipefail
        # Show the assessments that are currently failing on the target subscription
        az security assessment list \
          --query "[?status.code=='Unhealthy'].{recommendation:displayName, resource:resourceDetails.id}" \
          --output table
        # Fail the stage when anything is unhealthy; narrow the filter to match your own policy
        unhealthy=$(az security assessment list --query "length([?status.code=='Unhealthy'])" -o tsv)
        [ "$unhealthy" -eq 0 ] || { echo "$unhealthy unhealthy assessments"; exit 1; }
```
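Both pipelines above end by publishing scanner output; what neither shows is how to decide whether that output should break the build. The script below is an added example (not MSDO's or Microsoft's code) that gates a job on a SARIF 2.1.0 report, the format MSDO and most scanners emit: it resolves each result's effective level the way the SARIF spec defines it (the result's own `level`, else the rule's `defaultConfiguration.level`, else `warning`) and fails when findings at or above a chosen level exceed a budget. The embedded report, rule IDs, file paths and thresholds are constructed for illustration.

```python
"""Gate a CI job on a SARIF 2.1.0 report (added example; sample data is constructed)."""
import json
import sys
from collections import Counter

# SARIF levels from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample: one run, two rules, three results. The third result carries no
# 'level' of its own and must inherit 'error' from its rule's defaultConfiguration.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "shortDescription": {"text": "Secret in template"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "EX002", "shortDescription": {"text": "Public storage container"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error", "message": {"text": "Hard-coded key"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/main.bicep"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX002", "level": "warning", "message": {"text": "Container allows public access"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/storage.bicep"},
                                                 "region": {"startLine": 3}}}]},
            {"ruleId": "EX001", "message": {"text": "Connection string in parameters"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/kv.bicep"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
}


def result_level(result, rules_by_id):
    """Effective level per SARIF 2.1.0: result.level, else rule defaultConfiguration.level, else warning."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def summarize(sarif):
    """Return (Counter of effective levels, list of (level, ruleId, uri, line)) over all runs."""
    counts = Counter()
    findings = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            level = result_level(res, rules)
            counts[level] += 1
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine")
            findings.append((level, res.get("ruleId", "<none>"), uri, line))
    return counts, findings


def gate(sarif, fail_level="error", budget=0):
    """True when the build may proceed: findings at or above fail_level do not exceed budget."""
    counts, _ = summarize(sarif)
    threshold = LEVEL_RANK[fail_level]
    blocking = sum(n for lvl, n in counts.items() if LEVEL_RANK.get(lvl, 0) >= threshold)
    return blocking <= budget


def main(argv):
    # Usage: python sarif_gate.py results.sarif  (falls back to the constructed sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    counts, findings = summarize(sarif)
    for level, rule, uri, line in sorted(findings, key=lambda f: -LEVEL_RANK.get(f[0], 0)):
        print(f"{level:8} {rule:10} {uri}:{line}")
    print("summary:", dict(counts))
    return 0 if gate(sarif) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Drop the script into either pipeline as a step after the scanner and before the SARIF upload, so the upload still happens on failure and the findings remain visible in the Security tab. Note that the gate uses the effective level, not the raw `level` field: a scanner that relies on rule defaults would otherwise slip error-level findings past a naive `result["level"] == "error"` check.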
Common Pitfalls to Avoid
❌ Don't:
- Leave Defender for Cloud in free tier for production workloads
- Ignore medium-severity recommendations
- Disable automatic provisioning of agents
- Grant overly permissive access to Security Admin role
- Use outdated OS images without patching
✅ Do:
- Enable all relevant Defender plans for your workloads
- Regularly review and act on recommendations
- Use just-in-time VM access instead of opening RDP/SSH permanently
- Integrate with Microsoft Sentinel for advanced threat hunting
- Automate remediation where possible
Zero Trust Implementation
Microsoft Defender for Cloud supports Zero Trust principles:
- Verify explicitly: Continuous posture assessment and compliance validation
- Use least privilege access: Just-in-time VM access and RBAC recommendations
- Assume breach: Threat detection and incident response capabilities
Compliance & Regulatory Standards
Defender for Cloud helps meet compliance requirements:
- HIPAA: Health Insurance Portability and Accountability Act
- PCI DSS: Payment Card Industry Data Security Standard
- SOC 2: Service Organization Control 2
- ISO 27001: Information Security Management
- NIST SP 800-53: Security controls for federal information systems
- CIS: Center for Internet Security benchmarks
Monitoring & Alerting
Configure Alert Notifications
```bash
# Create an action group that e-mails the security team.
# Receivers are added with --action TYPE NAME ARGS...; there is no --email-receiver parameter.
az monitor action-group create \
  --name SecurityTeam \
  --resource-group rg-security \
  --short-name SecTeam \
  --action email SecurityTeam security@company.com
```
An action group only fires when something routes alerts to it. Defender for Cloud's own alert e-mails are configured per subscription under Environment settings > Email notifications (the security contact, with a minimum severity), independently of Azure Monitor. To drive this action group from Defender alerts, either enable continuous export to a Log Analytics workspace and create an alert rule on the `SecurityAlert` table, or use workflow automation with a Logic App that calls the action group.
Key Metrics to Track
- Secure Score trend (target: >80%)
- Number of unhealthy resources
- Mean time to remediate (MTTR) critical findings
- Percentage of resources with vulnerability scans enabled
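The metrics above are easier to trend when you can reproduce them from exported data rather than reading them off the portal. The script below is an added example (not Microsoft's implementation) that computes them from assessment records shaped like `az security assessment list` output plus a remediation log. The Secure Score formula is the one Defender for Cloud documents for the Secure Score capability described earlier: each security control contributes `max_score * healthy / (healthy + unhealthy)` over the distinct resources it covers, a resource being healthy for a control only when every recommendation in that control is healthy for it, with `NotApplicable` results excluded; the overall score is the sum of current scores over the sum of max scores. The `control` tag on each assessment, the max scores, the resource IDs and the remediation log are constructed sample data; treating a control with no applicable resources as contributing nothing to either sum is an assumption.

```python
"""Secure Score and tracking metrics from assessment data (added example; sample data is constructed)."""
from datetime import datetime
from statistics import mean

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
VM1 = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm2"


def _a(name, control, code, resource):
    return {"displayName": name, "control": control,
            "status": {"code": code}, "resourceDetails": {"id": resource}}


# Constructed assessments. status.code and resourceDetails.id follow the API shape;
# 'control' (which security control a recommendation rolls up to) is added for this example.
ASSESSMENTS = [
    _a("MFA should be enabled on accounts with owner permissions", "Enable MFA", "Unhealthy", SUB),
    _a("MFA should be enabled on accounts with write permissions", "Enable MFA", "Unhealthy", SUB),
    _a("Management ports should be closed on your VMs", "Secure management ports", "Unhealthy", VM1),
    _a("Management ports should be closed on your VMs", "Secure management ports", "Healthy", VM2),
    _a("JIT network access control should be applied", "Secure management ports", "Unhealthy", VM1),
    _a("JIT network access control should be applied", "Secure management ports", "Healthy", VM2),
    _a("Vulnerability assessment should be enabled on VMs", "Remediate vulnerabilities", "Healthy", VM1),
    _a("Vulnerability assessment should be enabled on VMs", "Remediate vulnerabilities", "NotApplicable", VM2),
]
# Max points per control as shown in the portal (values constructed for the example).
MAX_SCORE = {"Enable MFA": 10, "Secure management ports": 8, "Remediate vulnerabilities": 6}

# Constructed remediation log: when each finding was raised and closed (None = still open).
# Build the real one from continuous export rows or your ticketing system.
REMEDIATION_LOG = [
    {"id": "F-1", "severity": "High", "opened": "2024-05-01T09:00:00Z", "closed": "2024-05-01T17:00:00Z"},
    {"id": "F-2", "severity": "High", "opened": "2024-05-02T10:00:00Z", "closed": "2024-05-04T10:00:00Z"},
    {"id": "F-3", "severity": "High", "opened": "2024-05-03T08:00:00Z", "closed": None},
    {"id": "F-4", "severity": "Medium", "opened": "2024-05-03T08:00:00Z", "closed": "2024-05-03T09:00:00Z"},
]


def control_scores(assessments, max_score):
    """Per control -> (current, max). A resource counts once per control and is healthy only if
    all of that control's assessments for it are Healthy; NotApplicable rows are ignored."""
    healthy = {}  # (control, resource_id) -> bool
    for a in assessments:
        code = a["status"]["code"]
        if code == "NotApplicable":
            continue
        key = (a["control"], a["resourceDetails"]["id"])
        healthy[key] = healthy.get(key, True) and code == "Healthy"
    scores = {}
    for control, mx in max_score.items():
        rows = [h for (c, _), h in healthy.items() if c == control]
        if rows:  # controls with no applicable resources are left out (assumption)
            scores[control] = (round(mx * sum(rows) / len(rows), 2), mx)
    return scores


def secure_score(scores):
    """Overall Secure Score in percent: sum of current scores / sum of max scores."""
    cur = sum(c for c, _ in scores.values())
    mx = sum(m for _, m in scores.values())
    return round(100 * cur / mx, 1) if mx else 0.0


def unhealthy_resources(assessments):
    """Distinct resource IDs that fail at least one assessment."""
    return sorted({a["resourceDetails"]["id"] for a in assessments if a["status"]["code"] == "Unhealthy"})


def coverage_pct(assessments, display_name):
    """Share of applicable resources that are Healthy for one recommendation (e.g. VA enabled)."""
    codes = [a["status"]["code"] for a in assessments
             if a["displayName"] == display_name and a["status"]["code"] != "NotApplicable"]
    return round(100 * codes.count("Healthy") / len(codes), 1) if codes else None


def mttr_hours(log, severity="High"):
    """Mean hours from opened to closed for closed findings of one severity; None if none closed."""
    hours = []
    for row in log:
        if row["severity"] != severity or row["closed"] is None:
            continue
        opened = datetime.fromisoformat(row["opened"].replace("Z", "+00:00"))
        closed = datetime.fromisoformat(row["closed"].replace("Z", "+00:00"))
        hours.append((closed - opened).total_seconds() / 3600)
    return round(mean(hours), 1) if hours else None


if __name__ == "__main__":
    scores = control_scores(ASSESSMENTS, MAX_SCORE)
    for control, (cur, mx) in scores.items():
        print(f"{control:28} {cur:5.2f} / {mx}")
    print("secure score %:", secure_score(scores))
    print("unhealthy resources:", len(unhealthy_resources(ASSESSMENTS)))
    print("VA coverage %:", coverage_pct(ASSESSMENTS, "Vulnerability assessment should be enabled on VMs"))
    print("MTTR high (h):", mttr_hours(REMEDIATION_LOG))
```

Two details matter when you reproduce this against live data: a single unhealthy recommendation makes a resource unhealthy for the whole control, so fixing one of several findings on a VM does not move the score until all of them are fixed, and MTTR must be computed only over closed findings, otherwise an old open finding silently drags the average in whichever direction your "now" timestamp happens to push it.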
Related Resources
- Microsoft Defender for Cloud Documentation
- Azure Security Best Practices
- Microsoft Cloud Security Benchmark
- Zero Trust Security Model
Next Steps
- Configure Microsoft Sentinel for SIEM capabilities
- Set up Azure Key Vault for secrets management
- Implement Azure Policy for compliance enforcement