Defender for cloud provides a list of security recommendations which can make your environment more secure and make compliance easier to maintain. The policies on which Defender for cloud bases its recommendations are prebuilt for you. They are grouped together into the Azure Security Benchmark initiative and assigned to every subscription by default. You can view recommendations for your environment in a couple of places:
- Azure Advisor -> Security
- Defender for cloud -> Recommendations
- “Security” or “Microsoft Defender for cloud” blade of a resource like a VM, Storage Account etc. or Resource Group and Subscription
Step-by-step guides for Microsoft Defender for cloud recommendations:
- FIX: Managed Identity should be used in Function Apps
- FIX: Web Application should only be accessible over HTTPS
- FIX: FTPS should be required in web apps
- FIX: Function App should only be accessible over HTTPS
- FIX: FTPS should be required in function apps
- FIX: FTPS should be required in API apps
- FIX: API App should only be accessible over HTTPS
Secure Score in Microsoft Defender for cloud
Secure Score is a metric that represents how many recommendations you have already implemented. Note that recommendations apply only to the resources which you have deployed in your subscription. If you do not have any SQL database in your environment, you will not get SQL related recommendations, and so you will not have to pass them. As they are not “required” for you, they will neither grow your Secure Score nor lower it. As long as you do not introduce such resources, recommendations for them don’t impact your Secure Score, as they are simply irrelevant at that point.
Understanding the above is crucial to keeping your Secure Score high. Notice that introducing a new resource (or type of resource) into your subscriptions unleashes a completely new set of security requirements. And those unfulfilled recommendations will impact your security score negatively.
Growing your Secure Score is not a one way street. You need to constantly monitor your environment for changes and possible improvements. Seen this way, Secure Score does provide a quick way of determining the level of care and diligence put into security efforts. It puts focus on securing every possible attack surface, and on either setting up the proper guard-rails for the creation of future resources or making proactive hardening part of every configuration change. Preferably both.
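To make the two points above concrete (recommendations apply only to resource types you actually have, and a new resource type brings new unmet requirements), here is an added example, not code from the original post and not Microsoft’s scoring engine. It evaluates a handful of the recommendations listed earlier against a constructed resource inventory and derives a simplified score. The property names (`httpsOnly`, `siteConfig.ftpsState`, `identity.type`) follow the shape of Azure Resource Manager / `az webapp show` output, but the inventory values are made up, the SQL rule and its `transparentDataEncryption` property shape are illustrative assumptions, and the score formula (percentage of applicable checks passed, every check weighted equally) is a simplification of the real Secure Score weighting.

```python
"""Evaluate Defender for Cloud-style recommendations against a constructed
inventory and compute a simplified Secure Score-like percentage.

Added example (not Microsoft code). Field names mirror ARM resource JSON;
values are constructed. Scoring is a simplification: percent of applicable
checks passed, equal weight per check.
"""
from typing import Callable, Dict, List, Tuple

Resource = Dict[str, object]

# Constructed inventory: shapes mirror ARM JSON, values are made up.
INVENTORY: List[Resource] = [
    {"name": "shop-web", "type": "Microsoft.Web/sites", "kind": "app",
     "httpsOnly": True, "siteConfig": {"ftpsState": "AllAllowed"},
     "identity": {"type": "SystemAssigned"}},
    {"name": "orders-func", "type": "Microsoft.Web/sites", "kind": "functionapp",
     "httpsOnly": False, "siteConfig": {"ftpsState": "FtpsOnly"},
     "identity": None},
    # A resource type no rule below targets: it must not move the score.
    {"name": "logs-store", "type": "Microsoft.Storage/storageAccounts"},
]


def is_function_app(r: Resource) -> bool:
    return r.get("type") == "Microsoft.Web/sites" and "functionapp" in str(r.get("kind", ""))


def is_web_app(r: Resource) -> bool:
    return r.get("type") == "Microsoft.Web/sites" and not is_function_app(r)


def is_sql_db(r: Resource) -> bool:
    return r.get("type") == "Microsoft.Sql/servers/databases"


def https_only(r: Resource) -> bool:
    return r.get("httpsOnly") is True


def ftps_required(r: Resource) -> bool:
    # "FtpsOnly" or "Disabled" both satisfy the FTPS recommendation; "AllAllowed" fails it.
    return r.get("siteConfig", {}).get("ftpsState") in ("FtpsOnly", "Disabled")


def has_managed_identity(r: Resource) -> bool:
    identity = r.get("identity") or {}
    return str(identity.get("type", "None")) != "None"


def tde_enabled(r: Resource) -> bool:
    # Assumed property shape for the illustrative SQL rule (constructed, not ARM's exact layout).
    return r.get("transparentDataEncryption", {}).get("status") == "Enabled"


# (recommendation, applies-to predicate, compliance predicate)
RULES: List[Tuple[str, Callable[[Resource], bool], Callable[[Resource], bool]]] = [
    ("Web Application should only be accessible over HTTPS", is_web_app, https_only),
    ("FTPS should be required in web apps", is_web_app, ftps_required),
    ("Function App should only be accessible over HTTPS", is_function_app, https_only),
    ("FTPS should be required in function apps", is_function_app, ftps_required),
    ("Managed Identity should be used in Function Apps", is_function_app, has_managed_identity),
    # Illustrative SQL rule: with no SQL databases deployed it produces no findings at all.
    ("Transparent Data Encryption on SQL databases should be enabled", is_sql_db, tde_enabled),
]


def evaluate(inventory: List[Resource]) -> List[Tuple[str, str, bool]]:
    """Return (recommendation, resource name, passed) for every applicable pair."""
    findings = []
    for recommendation, applies, passes in RULES:
        for r in inventory:
            if applies(r):
                findings.append((recommendation, str(r["name"]), bool(passes(r))))
    return findings


def failing(inventory: List[Resource]) -> List[Tuple[str, str]]:
    """The unmet recommendations, i.e. what lowers the score."""
    return [(rec, name) for rec, name, ok in evaluate(inventory) if not ok]


def secure_score(inventory: List[Resource]) -> float:
    """Simplified score: percent of applicable checks passed (100 when nothing applies)."""
    findings = evaluate(inventory)
    if not findings:
        return 100.0
    return round(100.0 * sum(ok for _, _, ok in findings) / len(findings), 1)


if __name__ == "__main__":
    print(secure_score(INVENTORY), failing(INVENTORY))
    # Adding a SQL database "unleashes" a new requirement the inventory did not have before.
    new_db = {"name": "orders-db", "type": "Microsoft.Sql/servers/databases",
              "transparentDataEncryption": {"status": "Disabled"}}
    print(secure_score(INVENTORY + [new_db]), failing(INVENTORY + [new_db]))
```

With the constructed inventory, five checks apply (two to the web app, three to the function app, none to the storage account) and two pass, so the score is 40.0; the SQL rule contributes nothing because no database exists. Appending a database without TDE adds one failing check, and the score drops to 33.3 even though nothing about the existing apps changed, which is exactly the effect the section describes.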
Azure Security Center vs Microsoft Defender for cloud
What is the difference between the two? The short answer would be: this is the same thing, only the “Azure Security Center” name got abandoned and now it is called “Microsoft Defender for cloud”.
When getting into details – it wasn’t just a simple name change. Microsoft Azure, as all public clouds, is constantly evolving. The whole idea behind shared computing is still quite new. And no-one has a crystal ball on what the “final product” will look like. The services portfolio within Azure is constantly changing – features come and go. And when more features come than go, and when those features look very similar at first glance – that abundance of services, features, packages and tiers – starts to be a little overwhelming.
When it comes to security, Azure had a service for security posture management, “Azure Security Center”, and a set of services protecting the workloads on various resources, “Azure Defender”. In November 2021 Microsoft decided to bring all of this under one umbrella. From that point the central hub for security posture management, security recommendations and alerts is called “Microsoft Defender for cloud”, and the individual plans for different resource types are called “Microsoft Defender for containers”, “Microsoft Defender for servers” etc.
Microsoft Defender for cloud free tier
The free tier is enabled for all subscriptions and it includes continuous assessment, Microsoft Defender for cloud recommendations and Secure Score ratings.
Note also that currently Microsoft Defender for cloud offers a free trial for 30 days, allowing you to test plans like “Microsoft Defender for storage” etc. without paying for the first month.
Defender for cloud pricing
The above screenshot was taken at the beginning of year 2022, so slight changes in pricing might have appeared. Check the latest pricing straight from Microsoft.
In most cases the pricing of a plan depends on the number of covered resources. What’s important is that the prices “per month” are provided for simplicity; the actual calculation happens on a “per hour” basis. You will not have to pay for a full month of “Defender for servers” if your VM was running for just a few hours.