Determine multicloud dependencies

This article is one of a series providing guidance as you design a cloud security posture management (CSPM) and cloud workload protection (CWP) solution across multicloud resources with Microsoft Defender for Cloud.

Goal

Figure out dependencies that might influence your multicloud design.

Get started

As you design your multicloud solution, it’s important to have a clear picture of the components needed to enjoy all multicloud features in Defender for Cloud.

CSPM

Defender for Cloud provides Cloud Security Posture Management (CSPM) features for your AWS and GCP workloads.

  • After you onboard AWS and GCP, Defender for Cloud starts assessing your multicloud workloads against industry standards, and reports on your security posture.
  • CSPM features are agentless and don’t rely on any other components except for successful onboarding of AWS/GCP connectors.
  • It’s important to note that the Security Posture Management plan is turned on by default and can’t be turned off.
  • Learn about the IAM permissions needed to discover AWS resources for CSPM.

CWPP

In Defender for Cloud, you enable specific plans to get Cloud Workload Platform Protection (CWPP) features. Plans to protect multicloud resources include:

What agent do I need?

The following table summarizes agent requirements for CWPP.

Agent Defender for Servers Defender for Containers Defender fo SQL on Machines
Azure Arc Agent
Microsoft Defender for Endpoint extension
Vulnerability assessment
Log Analytics or Azure Monitor Agent (preview) extension
Defender profile
Azure policy extension
Kubernetes audit log data
SQL servers on machines
Automatic SQL server discovery and registration

Defender for Servers

Enabling Defender for Servers on your AWS or GCP connector allows Defender for Cloud to provide server protection to your Google Compute Engine VMs and AWS EC2 instances.

Review plans

Defender for Servers offers two different plans:

  • Plan 1:

  • Plan 2: Includes all the components of Plan 1 along with additional capabilities such as File Integrity Monitoring (FIM), Just-in-time (JIT) VM access, and more.

    Review the features of each plan before onboarding to Defender for Servers.

Review components

The following components and requirements are needed to receive full protection from the Defender for Servers plan:

  • Azure Arc agent: AWS and GCP machines connect to Azure using Azure Arc. The Azure Arc agent connects them.
    • The Azure Arc agent is needed to read security information on the host level and allow Defender for Cloud to deploy the agents/extensions required for complete protection. To auto-provision the Azure Arc agent, the OS configuration agent on GCP VM instances and the AWS Systems Manager (SSM) agent for AWS EC2 instances must be configured. Learn more about the agent.
  • Defender for Endpoint capabilities: The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities.
  • Vulnerability assessment: Using either the integrated Qualys vulnerability scanner, or the Microsoft threat and vulnerability management solution.
  • Log Analytics agent/Azure Monitor Agent (AMA) (in preview): Collects security-related configuration information and event logs from machines.

Check networking requirements

Machines must meet network requirements before onboarding the agents. Auto-provisioning is enabled by default.

Defender for Containers

Enabling Defender for Containers provides GKE and EKS clusters and underlying hosts with threat detection capabilities that include:

  • Kubernetes behavioral analytics
  • Anomaly detection
  • Security best practices
  • Built-in admission control policies and more

Review components-Defender for Containers

The required components are as follows:

  • Azure Arc Agent: Connects your GKE and EKS clusters to Azure, and onboards the Defender Profile.
  • Defender Profile: Provides host-level runtime threat protection.
  • Azure Policy extension: Extends the Gatekeeper v3 to monitor every request to the Kubernetes API server, and ensures that security best practices are being followed on clusters and workloads.
  • Kubernetes audit logs: Audit logs from the API server allow Defender for Containers to identify suspicious activity within your multicloud servers, and provide deeper insights while investigating alerts. Sending of the “Kubernetes audit logs” needs to be enabled on the connector level.

Check networking requirements-Defender for Containers

Make sure to check that your clusters meet network requirements so that the Defender Profile can connect with Defender for Cloud.

Defender for SQL

Defender for SQL provides threat detection for the GCP Compute Engine and AWS. The Defender for SQL Server on Machines plan must be enabled on the subscription where the connector is located.

Review components-Defender for SQL

To receive the full benefits of Defender for SQL on your multicloud workload, you need these components:

  • Azure Arc agent: AWS and GCP machines connect to Azure using Azure Arc. The Azure Arc agent connects them.
    • The Azure Arc agent is needed to read security information on the host level and allow Defender for Cloud to deploy the agents/extensions required for complete protection.
    • To auto-provision the Azure Arc agent, the OS configuration agent on GCP VM instances and the AWS Systems Manager (SSM) agent for AWS EC2 instances must be configured. Learn more about the agent.
  • Log Analytics agent/Azure Monitor Agent (AMA) (in preview): Collects security-related configuration information and event logs from machines
  • Automatic SQL server discovery and registration: Supports automatic discovery and registration of SQL servers

Next steps

In this article, you have learned how to determine multicloud dependencies when designing a multicloud security solution. Continue with the next step to automate connector deployment.