Azure Security Center

Securing cloud resources is not a one-time task — it requires continuous monitoring, assessment, and response. Azure Security Center, now rebranded as Microsoft Defender for Cloud, is a unified cloud security posture management (CSPM) and threat protection platform that helps find security weaknesses, enforce best practices, and detect and respond to threats across Azure, on-premises, and multi-cloud environments.

What is Microsoft Defender for Cloud?

Defender for Cloud continuously assesses the security configuration of all Azure resources and compares it against industry security benchmarks. It identifies misconfigurations (like a storage account with public access enabled), detects active threats (like a VM being accessed from a suspicious location), and provides actionable recommendations to improve security.

Two Core Pillars

  Microsoft Defender for Cloud
  │
  ├── CSPM (Cloud Security Posture Management)
  │   "Are my resources configured securely?"
  │   │
  │   ├── Secure Score — overall security health rating (0-100%)
  │   ├── Security Recommendations — specific fixes to improve score
  │   ├── Regulatory Compliance — check against PCI DSS, ISO 27001, GDPR, etc.
  │   └── Asset Inventory — security view of all resources
  │
  └── CWP (Cloud Workload Protection)
      "Is something actively attacking my resources?"
      │
      ├── Threat Detection — real-time alerts on suspicious activity
      ├── Defender Plans — advanced protection per resource type
      └── Security Alerts — detailed incident information with remediation steps

Secure Score

The Secure Score is a numeric percentage that represents the overall security health of the Azure environment. A score of 100% means all security recommendations have been implemented. A low score indicates there are unaddressed security risks.

How Secure Score Works

  Each security recommendation has a "max score" contribution.
  Completing a recommendation increases the score.

  Example:
  ┌────────────────────────────────────────────────────────┐
  │ Current Secure Score: 62%                              │
  │                                                        │
  │ Top Recommendations to Improve Score:                  │
  │ ┌──────────────────────────────────────────┬────────┐  │
  │ │ Recommendation                           │ Points │  │
  │ ├──────────────────────────────────────────┼────────┤  │
  │ │ Enable MFA for all subscription owners   │ +8pts  │  │
  │ │ Restrict RDP access on VMs               │ +5pts  │  │
  │ │ Enable disk encryption on VMs            │ +4pts  │  │
  │ │ Apply system updates on machines         │ +3pts  │  │
  │ └──────────────────────────────────────────┴────────┘  │
  └────────────────────────────────────────────────────────┘
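As an added example (not Defender for Cloud's own code), the following models how Secure Score is built from each recommendation's max-score points and how the "top recommendations" ranking above falls out of it. It assumes a recommendation earns its points in proportion to the share of its resources that are healthy; the page only states that completing a recommendation adds its points, and the two agree once every resource is healthy.

```python
# Added example (not Defender for Cloud's own code): models how Secure Score
# aggregates each recommendation's max-score points and ranks the remaining
# gains. ASSUMPTION: a recommendation earns its points in proportion to the
# share of its resources that are healthy; the page only says completing it
# adds the points (a fully healthy recommendation earns the full amount).
from dataclasses import dataclass

@dataclass
class Recommendation:
    name: str
    max_points: int   # the recommendation's "max score" contribution
    healthy: int      # resources already compliant
    total: int        # resources the recommendation applies to

    def earned(self) -> float:
        """Points currently earned (proportional credit, see assumption above)."""
        if self.total == 0:
            return float(self.max_points)  # nothing to fix: full credit
        return self.max_points * self.healthy / self.total

    def potential_gain(self) -> float:
        """Points added by remediating every remaining unhealthy resource."""
        return self.max_points - self.earned()

def secure_score(recs: list[Recommendation]) -> float:
    """Secure Score as a percentage: earned points over all possible points."""
    possible = sum(r.max_points for r in recs)
    if possible == 0:
        return 100.0
    return round(100 * sum(r.earned() for r in recs) / possible, 1)

def top_recommendations(recs: list[Recommendation], n: int = 4) -> list[tuple[str, float]]:
    """Open recommendations ranked by the points completing them would add."""
    ranked = sorted(recs, key=lambda r: r.potential_gain(), reverse=True)
    return [(r.name, round(r.potential_gain(), 1)) for r in ranked[:n] if r.potential_gain() > 0]

# Constructed sample: max points and healthy/total resources per recommendation.
SAMPLE = [
    Recommendation("Enable MFA for all subscription owners", 10, 1, 5),
    Recommendation("Restrict RDP access on VMs", 8, 3, 8),
    Recommendation("Enable disk encryption on VMs", 4, 0, 6),
    Recommendation("Apply system updates on machines", 6, 3, 6),
    Recommendation("Enable auditing on SQL servers", 12, 12, 12),  # already complete
]

if __name__ == "__main__":
    print(f"Current Secure Score: {secure_score(SAMPLE)}%")
    for name, gain in top_recommendations(SAMPLE):
        print(f"  +{gain} pts  {name}")
```

Note that a fully remediated recommendation contributes its points but never appears in the ranking, which is why the dashboard only lists open items.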

Security Recommendations

Defender for Cloud continuously scans resources and generates specific, actionable recommendations. Each recommendation explains the risk, shows which resources are affected, and provides step-by-step remediation instructions. Some recommendations even offer a Quick Fix button that applies the fix automatically with one click.

Example Recommendations

  Risk Level  Affected Resource        Recommendation
  ──────────  ───────────────────────  ────────────────────────────────────────────────────────────
  High        Subscription / Azure AD  MFA should be enabled on accounts with owner permissions on subscriptions
  High        Virtual Machines         Management ports of virtual machines should be protected with just-in-time network access control
  Medium      Storage Accounts         Storage accounts should restrict network access
  Medium      Azure SQL                SQL servers should have an Azure AD administrator provisioned
  Low         Azure SQL                Transparent data encryption on SQL databases should be enabled

Microsoft Defender Plans (Workload Protection)

The basic Defender for Cloud features (CSPM, Secure Score, recommendations) are free. Advanced threat detection requires enabling paid Defender plans for specific resource types:

  Defender Plan             Protects                           Example Threats Detected
  ────────────────────────  ─────────────────────────────────  ───────────────────────────────────────────────────────────────────
  Defender for Servers      Azure VMs and on-premises servers  Malware execution, brute force attacks, fileless attacks
  Defender for SQL          Azure SQL, SQL on VMs, Synapse     SQL injection attempts, unusual data access patterns
  Defender for Storage      Azure Storage Accounts             Access from Tor exit nodes, malware uploads, unusual data exfiltration
  Defender for Containers   AKS, container registries          Exposed Kubernetes dashboard, privilege escalation, crypto-mining
  Defender for Key Vault    Azure Key Vault                    Access from suspicious IPs, unusual access volume, ransomware patterns
  Defender for App Service  Azure App Service                  Web shell attacks, suspicious outbound connections, dangling DNS

Just-in-Time (JIT) VM Access

Management ports like RDP (3389) and SSH (22) are prime targets for brute force attacks. Leaving them open permanently is a significant security risk. JIT VM Access closes these ports by default. When a developer needs to connect, they request access for a specified time window (e.g., 2 hours). Defender for Cloud opens the port only for that IP address and only for the requested duration. After the time expires, the port closes automatically.

JIT Access Workflow

  Normal State: Port 3389 (RDP) is BLOCKED on VM's NSG

  ├── Developer requests JIT access for 2 hours from IP 203.0.1.10
  │
  ├── Request is approved (automatically or by an approver)
  │
  ├── Defender for Cloud adds NSG rule:
  │   Allow TCP 3389 from 203.0.1.10 for 2 hours
  │
  ├── Developer connects via RDP successfully
  │
  └── After 2 hours: NSG rule is automatically removed
      Port 3389 returns to BLOCKED state
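The workflow above as an added example (not Defender for Cloud's own code or API): the NSG is stood in for by a list of time-boxed allow rules, a JIT policy lists which ports may be opened and for how long at most, and a request outside the policy is refused. The VM name "web-01", the 3-hour policy maximum and the second IP 198.51.100.7 are constructed for the example.

```python
# Added example (not Defender for Cloud's own code): a minimal model of the JIT
# workflow above. The NSG is modelled as a list of time-boxed allow rules; an
# approved request adds one for a single source IP, and it is dropped on expiry.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class AllowRule:
    port: int
    source_ip: str
    expires_at: datetime

@dataclass
class JitVm:
    name: str
    allowed_ports: dict[int, timedelta]  # port -> maximum request duration (the JIT policy)
    nsg_rules: list[AllowRule] = field(default_factory=list)  # constructed stand-in for the NSG

    def request_access(self, port, source_ip, hours, now):
        """Approve a JIT request and add the matching time-boxed NSG allow rule."""
        if port not in self.allowed_ports:
            raise ValueError(f"port {port} is not in the JIT policy for {self.name}")
        duration = timedelta(hours=hours)
        if duration > self.allowed_ports[port]:
            raise ValueError(f"{hours}h exceeds the policy maximum for port {port}")
        rule = AllowRule(port, source_ip, now + duration)
        self.nsg_rules.append(rule)
        return rule

    def expire_rules(self, now):
        """Remove rules whose window has passed (Defender does this automatically)."""
        self.nsg_rules = [r for r in self.nsg_rules if r.expires_at > now]

    def is_open(self, port, source_ip, now):
        """True only while an unexpired rule covers this port for this source IP."""
        self.expire_rules(now)
        return any(r.port == port and r.source_ip == source_ip for r in self.nsg_rules)

def walkthrough():
    """Replays the workflow: blocked -> open 2h for 203.0.1.10 -> blocked again."""
    vm = JitVm("web-01", {3389: timedelta(hours=3), 22: timedelta(hours=3)})
    t0 = datetime(2024, 1, 1, 9, 0)
    before = vm.is_open(3389, "203.0.1.10", t0)
    vm.request_access(3389, "203.0.1.10", hours=2, now=t0)
    during = vm.is_open(3389, "203.0.1.10", t0 + timedelta(hours=1))
    other_ip = vm.is_open(3389, "198.51.100.7", t0 + timedelta(hours=1))  # constructed IP
    after = vm.is_open(3389, "203.0.1.10", t0 + timedelta(hours=2, minutes=1))
    return [before, during, other_ip, after]  # [False, True, False, False]
```

The third result shows the rule is scoped to the requesting IP, and the fourth that the port is blocked again once the window has passed.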

Regulatory Compliance Dashboard

The Regulatory Compliance dashboard shows how the Azure environment measures up against industry compliance frameworks. Defender for Cloud automatically maps its security controls to the requirements of standards like PCI DSS, ISO 27001, SOC 2, GDPR, HIPAA, and the Azure Security Benchmark. Each control shows which resources are compliant and which need attention.

Security Alerts

When Defender for Cloud detects a threat, it generates a Security Alert with details including:

  • What was detected (e.g., "Suspicious PowerShell activity detected")
  • Which resource was targeted
  • The severity level (Informational / Low / Medium / High)
  • The time of the event
  • Detailed description of the attack technique (mapped to MITRE ATT&CK framework)
  • Recommended remediation steps

Multi-Cloud and Hybrid Support

Defender for Cloud is not limited to Azure. By connecting AWS accounts and Google Cloud projects, the same security posture management and threat detection capabilities extend across all cloud environments. On-premises servers can also be protected by installing the Azure Monitor Agent and connecting to a Log Analytics Workspace.

Key Takeaways

  • Microsoft Defender for Cloud provides security posture management (CSPM) and threat protection (CWP) for Azure and beyond.
  • The Secure Score measures overall security health — higher score means fewer risks.
  • Security recommendations are specific, actionable steps to fix identified misconfigurations and reduce the attack surface.
  • Defender Plans provide advanced threat detection for specific resource types: VMs, SQL, Storage, Containers, Key Vault, and more.
  • Just-in-Time VM Access eliminates permanently open management ports by granting access only when needed and only for a defined window.
  • The Regulatory Compliance dashboard tracks compliance against standards like PCI DSS, ISO 27001, and HIPAA.
