|
1 | | -While cloud security posture management identifies misconfigurations before attackers exploit them, cloud workload protection (CWP) detects and responds to active threats against running workloads. As a security architect, you design a workload protection strategy that provides appropriate coverage without creating operational burden or unnecessary cost. |
| 1 | +While cloud security posture management identifies misconfigurations before attackers exploit them, cloud workload protection (CWP) detects and responds to active threats against running workloads. As a security architect, you select the right combination of workload protection plans in Microsoft Defender for Cloud to provide appropriate coverage across your hybrid and multicloud environment without creating unnecessary cost or operational burden. |
2 | 2 |
|
3 | | -## Understanding workload protection in Defender for Cloud |
| 3 | +## How workload protection complements posture management |
4 | 4 |
|
5 | | -Defender for Cloud provides workload protection through plans targeting specific resource types. Unlike CSPM, which assesses configuration state, these plans monitor runtime behavior to detect threats like malware execution, suspicious network connections, and exploitation attempts. |
| 5 | +Defender for Cloud provides workload protection through plans targeting specific resource types. Unlike CSPM, which assesses configuration state, these plans monitor runtime behavior to detect threats like malware execution, suspicious network connections, and exploitation attempts. Together, CSPM and CWP create defense in depth: posture management reduces the attack surface by fixing misconfigurations, while workload protection detects and responds when attackers exploit remaining vulnerabilities. |
6 | 6 |
|
7 | | -The key design principle: enable protection plans based on workloads present in your environment and their risk profile. Not every workload requires every protection. |
| 7 | +The key selection principle: enable protection plans based on the workloads present in your environment and their risk profile. Not every workload requires every protection plan. |
8 | 8 |
|
9 | | -## Mapping protection plans to workloads |
| 9 | +## Available workload protection plans |
10 | 10 |
|
11 | | -| Workload type | Defender plan | What it protects | |
12 | | -|--------------|---------------|------------------| |
13 | | -| Virtual machines and servers | Defender for Servers | Windows and Linux machines in Azure, AWS, GCP, and on-premises via Azure Arc | |
14 | | -| Containers | Defender for Containers | Kubernetes clusters, container registries, images, and cluster nodes | |
15 | | -| SQL databases | Defender for SQL | Azure SQL Database, SQL Managed Instance, and SQL Server on machines | |
| 11 | +Defender for Cloud offers plans for the following workload types. Each plan is enabled independently, allowing you to tailor protection to your environment. |
| 12 | + |
| 13 | +| Workload type | Defender plan | Multicloud coverage | |
| 14 | +|--------------|---------------|---------------------| |
| 15 | +| Virtual machines and servers | Defender for Servers (Plan 1 or Plan 2) | Azure, AWS, GCP, on-premises via Azure Arc | |
| 16 | +| Containers | Defender for Containers | Azure AKS, AWS EKS, GCP GKE, Arc-enabled clusters | |
| 17 | +| SQL databases | Defender for SQL | Azure SQL, SQL Managed Instance, SQL Server on machines (including Arc-enabled) | |
16 | 18 | | Open-source databases | Defender for open-source relational databases | Azure Database for PostgreSQL, MySQL, and MariaDB | |
17 | 19 | | Azure Cosmos DB | Defender for Azure Cosmos DB | Azure Cosmos DB accounts | |
18 | | -| Storage accounts | Defender for Storage | Blob storage, Azure Files, and Azure Data Lake Storage Gen2 | |
19 | | -| App Service | Defender for App Service | Web apps, API apps, and function apps | |
| 20 | +| Storage accounts | Defender for Storage | Blob storage, Azure Files, Azure Data Lake Storage Gen2 | |
| 21 | +| App Service | Defender for App Service | Azure App Service web apps, API apps, function apps | |
20 | 22 | | APIs | Defender for APIs | APIs published in Azure API Management | |
21 | | -| Key Vault | Defender for Key Vault | Azure Key Vault secrets, keys, and certificates | |
22 | | -| Resource Manager | Defender for Resource Manager | Azure Resource Manager control plane activity | |
23 | | -| AI workloads | Defender for AI Services | AI workloads, including Azure OpenAI Service and Microsoft Foundry | |
24 | | - |
25 | | -## Designing server protection |
26 | | - |
27 | | -Server protection requires the most architectural decisions. Defender for Servers offers two plans: |
28 | | - |
29 | | -| Capability | Plan 1 | Plan 2 | |
30 | | -|-----------|--------|--------| |
31 | | -| Defender for Endpoint integration (EDR) | Yes | Yes | |
32 | | -| Defender for Endpoint license included | Yes | Yes | |
33 | | -| Vulnerability assessment (agent-based) | Yes | Yes | |
34 | | -| Agentless scanning (vulnerabilities, secrets, malware) | No | Yes | |
35 | | -| Just-in-time VM access | No | Yes | |
36 | | -| File integrity monitoring | No | Yes | |
37 | | -| OS configuration assessment (MCSB baselines) | No | Yes | |
38 | | -| OS system updates assessment | No | Yes | |
39 | | -| Defender for DNS alerts | No | Yes | |
40 | | -| Premium Defender Vulnerability Management features | No | Yes | |
41 | | - |
42 | | -**Plan selection**: Choose Plan 1 for EDR integration and agent-based vulnerability scanning. Choose Plan 2 for agentless scanning, just-in-time access, file integrity monitoring, or premium vulnerability management features. Consider Plan 2 for production servers and Plan 1 for development environments. |
43 | | - |
44 | | -**Coverage scope**: Enable at the subscription level to automatically protect all servers in that subscription. This is the simplest approach. Plan 1 allows you to selectively enable protection on individual VMs/servers rather than the whole subscription—useful when you only want to protect specific machines. Plan 2 can only be enabled at the subscription level—you can't pick and choose individual resources. For servers outside Azure (on-premises, AWS, GCP), you need to onboard them via Azure Arc first so Defender for Cloud can manage and protect them. |
45 | | - |
46 | | -## Designing container protection |
47 | | - |
48 | | -Container protection addresses security across five domains: posture management (agentless cluster discovery and configuration assessment), vulnerability assessment (image scanning in registries and running containers), runtime threat protection (60+ Kubernetes-aware analytics mapped to MITRE ATT&CK), software supply chain protection (gated deployment blocking risky images), and deployment monitoring. |
| 23 | +| Key Vault | Defender for Key Vault | Azure Key Vault | |
| 24 | +| Resource Manager | Defender for Resource Manager | Azure Resource Manager control plane | |
| 25 | +| AI workloads | Defender for AI Services | Azure OpenAI Service and Microsoft Foundry | |
49 | 26 |
|
50 | | -**Design consideration**: Agentless capabilities provide discovery and vulnerability assessment without components. The Defender sensor (a DaemonSet on Kubernetes nodes) enables runtime threat protection. Plan sensor deployment alongside Arc onboarding for clusters outside Azure. |
| 27 | +> [!NOTE] |
| 28 | +> Other modules cover workload-specific security design in depth—including server endpoint protection, data security for SQL and Storage, container security requirements, and application security. This unit focuses on **selecting** the right plans as part of your overall hybrid and multicloud posture management strategy. |
51 | 29 |
|
52 | | -## Designing database protection |
| 30 | +## Selection criteria for workload protection plans |
53 | 31 |
|
54 | | -Database protection monitors queries and access patterns without impacting performance. |
| 32 | +Use the following criteria when deciding which plans to enable and where: |
55 | 33 |
|
56 | | -**Defender for SQL** detects anomalous query patterns, SQL injection attacks, brute force attempts, and unusual access locations. Protection covers Azure SQL Database, SQL Managed Instance, and SQL Server virtual machines. For SQL Server outside Azure, deploy Azure Arc-enabled SQL Server for full integration. |
| 34 | +### Workload presence and environment scope |
57 | 35 |
|
58 | | -**Defender for open-source relational databases** monitors PostgreSQL, MySQL, and MariaDB workloads. **Defender for Azure Cosmos DB** detects SQL injection, known malicious actors, and suspicious access patterns. |
| 36 | +Inventory the workload types across your Azure subscriptions, AWS accounts, GCP projects, and on-premises environments. Enable plans only where the corresponding workloads exist. For example, if a subscription contains no storage accounts, there's no reason to enable Defender for Storage on it. |
59 | 37 |
|
60 | | -**Design consideration**: For SQL Server running on-premises or in other clouds, plan Azure Arc deployment as a prerequisite for Defender for SQL integration. Azure-native databases require no additional components. |
| 38 | +For plans that support subscription-level enablement (most plans do), enabling at the subscription level automatically protects new resources of that type as they're deployed. This is the recommended approach for production subscriptions to avoid protection gaps. |
61 | 39 |
|
62 | | -## Designing storage protection |
| 40 | +### Multicloud and hybrid reach |
63 | 41 |
|
64 | | -Defender for Storage provides activity monitoring (detecting unusual access patterns and data exfiltration), malware scanning (near real-time scanning of uploaded files), and sensitive data threat detection (monitoring for breach attempts on sensitive data). |
| 42 | +Not all plans have equal reach across clouds. When selecting plans for a hybrid or multicloud environment, consider: |
65 | 43 |
|
66 | | -**Design consideration**: Pricing is per storage account plus per-gigabyte for malware scanning. Configure scanning caps to control costs. Enable at subscription level to automatically cover new storage accounts. |
| 44 | +- **Cross-cloud plans**: Defender for Servers and Defender for Containers extend to AWS, GCP, and on-premises resources through Azure Arc and cloud connectors. These are critical selections for organizations with multicloud compute workloads. |
| 45 | +- **Azure-native plans**: Plans like Defender for Storage, Defender for App Service, Defender for Key Vault, and Defender for Resource Manager protect Azure-native services only. Select these based on your Azure workload footprint. |
| 46 | +- **Arc dependency**: Workloads outside Azure—on-premises servers, SQL Server instances, and Kubernetes clusters in other clouds—require Azure Arc onboarding before Defender for Cloud can protect them. Factor Arc deployment as a prerequisite when selecting plans for non-Azure workloads. |
67 | 47 |
|
68 | | -## Designing application and infrastructure protection |
| 48 | +### Plans with tier choices |
69 | 49 |
|
70 | | -**Defender for App Service** monitors web applications for attacks including vulnerability scanning attempts, malicious IP connections, and suspicious execution patterns. Enable for all production web applications exposed to the internet. |
| 50 | +Some plans offer multiple tiers. Selection should align with the level of protection needed: |
71 | 51 |
|
72 | | -**Defender for APIs** protects APIs in Azure API Management, identifying posture issues like unauthenticated endpoints and detecting suspicious usage patterns. Prioritize APIs handling sensitive data. |
| 52 | +- **Defender for Servers**: Plan 1 provides endpoint detection and response (EDR) through Microsoft Defender for Endpoint integration and agent-based vulnerability scanning. Plan 2 adds agentless scanning, just-in-time VM access, file integrity monitoring, and OS baseline assessment. A common approach is Plan 2 for production and Plan 1 for development. |
| 53 | +- **Defender CSPM versus Foundational CSPM**: While CSPM tiers were covered in the previous unit, your CSPM tier choice also affects workload protection—Defender CSPM's agentless scanning capabilities complement CWP plans by providing vulnerability discovery without additional agents. |
73 | 54 |
|
74 | | -**Defender for Key Vault** detects unusual access attempts to secrets, keys, and certificates. Compromised vaults can enable broader breaches. |
| 55 | +### Foundational versus workload-specific plans |
75 | 56 |
|
76 | | -**Defender for Resource Manager** monitors control plane operations for suspicious activity like persistence techniques or lateral movement. Both Key Vault and Resource Manager protection operate at subscription level with no additional configuration. |
| 57 | +Some plans protect infrastructure that spans all workloads rather than targeting specific resource types: |
77 | 58 |
|
78 | | -**Defender for AI Services** protects AI workloads, including Azure OpenAI Service and Microsoft Foundry, detecting prompt injection attacks and unusual usage patterns. Enable for subscriptions with AI deployments processing sensitive data. |
| 59 | +- **Defender for Resource Manager** monitors control plane operations for suspicious activity and persistence techniques across the entire Azure subscription. |
| 60 | +- **Defender for Key Vault** detects unusual access to secrets, keys, and certificates—compromised vaults can enable broader breaches across many workloads. |
79 | 61 |
|
80 | | -**Design consideration**: Key Vault and Resource Manager protection are foundational controls with minimal overhead - consider enabling these broadly across all production subscriptions. App Service, APIs, and AI Services protection should align with where those workloads exist. |
| 62 | +These plans operate at subscription level with minimal configuration overhead. Consider enabling them broadly across all production subscriptions as foundational controls, regardless of which workload-specific plans you select. |
81 | 63 |
|
82 | | -## Prioritizing protection based on risk |
| 64 | +## Prioritizing plan enablement |
83 | 65 |
|
84 | | -**High priority** - Enable full protection for: |
85 | | -- Production servers processing customer data |
86 | | -- Databases containing personal data |
87 | | -- Customer-facing containers and applications |
88 | | -- Storage accounts receiving external uploads |
89 | | -- Workloads subject to compliance requirements |
| 66 | +When budgets or operational capacity require phased rollout, prioritize plan selection using risk: |
90 | 67 |
|
91 | | -**Medium priority**: Internal business applications, development environments with production data copies, shared infrastructure. |
| 68 | +| Priority | Selection criteria | Examples | |
| 69 | +|----------|-------------------|----------| |
| 70 | +| **High** | Workloads processing customer or regulated data; internet-facing resources; environments subject to compliance mandates | Production servers, customer-facing containers, databases with personal data, storage receiving external uploads | |
| 71 | +| **Medium** | Internal business workloads; shared infrastructure; environments with copies of production data | Internal applications, development environments with production data copies | |
| 72 | +| **Lower** | Isolated environments with test data or no sensitive data; temporary resources; workloads with existing protection | Test environments, ephemeral build agents, resources covered by separate tooling | |
92 | 73 |
|
93 | | -**Lower priority**: Isolated test environments with synthetic data, temporary workloads, resources with existing protection tools. |
| 74 | +Use Defender for Cloud's coverage dashboard to visualize which subscriptions and resource types have protection plans enabled and identify gaps. This dashboard maps directly to your selection decisions and helps track plan rollout across your multicloud environment. |
94 | 75 |
|
95 | | -## Integration with security operations |
| 76 | +## Integrating workload protection alerts into operations |
96 | 77 |
|
97 | | -Your design must address how alerts flow to security operations: |
| 78 | +Selecting plans is only effective if the resulting alerts reach security operations teams: |
98 | 79 |
|
99 | | -- **Alert routing**: Defender for Cloud integrates with Microsoft Defender XDR for unified incident management |
100 | | -- **SIEM integration**: Export alerts to Microsoft Sentinel, Event Hubs, or Log Analytics |
101 | | -- **Workflow automation**: Use Logic Apps for immediate responses like VM isolation or credential rotation |
102 | | -- **Suppression rules**: Create rules for known false positives to reduce alert fatigue |
| 80 | +- **Unified incident management**: Defender for Cloud integrates with Microsoft Defender XDR, surfacing CWP alerts alongside endpoint, identity, and application alerts in a single incident queue. |
| 81 | +- **SIEM integration**: Export alerts to Microsoft Sentinel, Event Hubs, or Log Analytics for correlation with other security data sources across your hybrid environment. |
| 82 | +- **Workflow automation**: Configure Logic Apps to trigger automated responses—such as isolating a compromised VM or rotating credentials—based on specific alert types. |
| 83 | +- **Suppression rules**: Create rules for known false positives to reduce alert fatigue and keep security teams focused on genuine threats. |
103 | 84 |
|
104 | | -The combination of CSPM and workload protection creates defense in depth: posture management reduces attack surface by fixing misconfigurations, while workload protection detects and responds when attackers exploit remaining vulnerabilities. |
| 85 | +When designing alert routing, ensure coverage for alerts from all clouds. Workload protection alerts from AWS and GCP connectors flow through the same Defender for Cloud pipeline as Azure alerts, providing a single pane for multicloud threat detection. |
0 commit comments