Infrastructure comprises the hardware, software, micro-services, networking infrastructure, and facilities required to support IT services for an organization. Zero Trust infrastructure solutions assess, monitor, and prevent security threats to these services.
Zero Trust infrastructure solutions support the principles of Zero Trust by ensuring that access to infrastructure resources is verified explicitly, access is granted using principles of least privilege access, and mechanisms are in place that assume breach and look for and remediate security threats in infrastructure.
This guidance is for software providers and technology partners who want to enhance their infrastructure security solutions by integrating with Microsoft products.
Zero Trust integration for Infrastructure guide
This integration guide includes strategy and instructions for integrating with Microsoft Defender for Cloud and its integrated cloud workload protection plans, Microsoft Defender for ... (Servers, Containers, Databases, Storage, App Services, and more).
The guidance includes integrations with the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), Endpoint Detection and Response (EDR), and IT Service Management (ITSM) solutions.
Assigning security initiatives to subscriptions and reviewing the secure score leads you to the hardening recommendations built into Defender for Cloud. Defender for Cloud periodically analyzes the compliance status of resources to identify potential security misconfigurations and weaknesses. It then provides recommendations on how to remediate those issues.
Defender for Cloud offers integrated cloud workload protection plans for threat detection and response. The plans provide advanced, intelligent protection of Azure, hybrid, and multicloud resources and workloads. One of the Microsoft Defender plans, Defender for Servers, includes a native integration with Microsoft Defender for Endpoint. Learn more in Introduction to Microsoft Defender for Cloud.
Automatically block suspicious behavior
Many of the hardening recommendations in Defender for Cloud offer a deny option. This feature lets you prevent the creation of resources that don't satisfy defined hardening criteria. Learn more in Prevent misconfigurations with Enforce/Deny recommendations.
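The following is an added example, not Microsoft's code, showing the mechanism behind the deny option: a hardening rule is evaluated against the resource payload at creation time, and a resource that fails the rule is rejected before it exists, whereas an audit rule only records a finding (the behavior of an ordinary recommendation). The rule grammar (if/then, field/equals/notEquals/exists, allOf/anyOf/not) follows the shape of Azure Policy rules; the field paths, policy names, and sample resources are constructed for illustration.

```python
"""Simplified evaluator for deny-effect versus audit-effect hardening rules
(added example, not Microsoft code). Rule grammar mirrors Azure Policy's
if/then structure; field paths and sample payloads are constructed."""
from typing import Any


def _get_field(resource: dict, path: str) -> Any:
    """Look up a dotted path such as 'properties.minimumTlsVersion' in a resource payload."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def matches(condition: dict, resource: dict) -> bool:
    """Evaluate one condition (logical operator or field comparison) against the resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = _get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        # A missing property also counts as "not equal", so an omitted hardening
        # setting is treated as non-compliant rather than silently allowed.
        return value != condition["notEquals"]
    if "exists" in condition:
        return (value is not None) == condition["exists"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate_create(resource: dict, policies: list) -> dict:
    """Decide whether a create request is allowed.

    Any matching policy with effect 'deny' blocks the request; matching 'audit'
    policies only produce findings, which is what a plain recommendation does.
    """
    denied, findings = [], []
    for policy in policies:
        if not matches(policy["if"], resource):
            continue
        effect = policy["then"]["effect"].lower()
        if effect == "deny":
            denied.append(policy["name"])
        elif effect == "audit":
            findings.append(policy["name"])
    return {"allowed": not denied, "denied_by": denied, "audit_findings": findings}


# Constructed hardening rules: one enforced (deny), one report-only (audit).
POLICIES = [
    {
        "name": "storage-accounts-must-disable-public-blob-access",
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "properties.allowBlobPublicAccess", "notEquals": False},
        ]},
        "then": {"effect": "deny"},
    },
    {
        "name": "storage-accounts-should-require-tls-1-2",
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "properties.minimumTlsVersion", "notEquals": "TLS1_2"},
        ]},
        "then": {"effect": "audit"},
    },
]

# Constructed create requests: one weak, one hardened.
WEAK_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "stweak001",
    "properties": {"allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_0"},
}
HARDENED_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "sthardened001",
    "properties": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"},
}

if __name__ == "__main__":
    for resource in (WEAK_STORAGE, HARDENED_STORAGE):
        print(resource["name"], evaluate_create(resource, POLICIES))
```

The weak request is rejected by the deny rule and also collects an audit finding for the TLS setting; the hardened request passes both. The distinction is the point of the deny option: an audit finding appears in the recommendations list after the fact, while a deny decision stops the non-compliant resource from being created at all.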
Automatically flag suspicious behavior
Microsoft Defender for Cloud's security alerts are triggered by advanced detections. Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem. Defender for Cloud also provides detailed steps to help you remediate attacks. For a full list of the available alerts, see Security alerts - a reference guide.
Protect your Azure PaaS services with Defender for Cloud
With Defender for Cloud enabled on your subscription, and the Defender workload protection plans enabled for all available resource types, you'll have a layer of intelligent threat protection - powered by Microsoft Threat Intelligence - protecting resources in Azure Key Vault, Azure Storage, Azure DNS, and other Azure PaaS services. For a full list, see the PaaS services listed in the Support matrix.
Azure Logic Apps
Use Azure Logic Apps to build automated scalable workflows, business processes, and enterprise orchestrations to integrate your apps and data across cloud services and on-premises systems.
Defender for Cloud's workflow automation feature lets you automate responses to Defender for Cloud triggers.
This is a great way to define and carry out an automated, consistent response when threats are discovered: for example, notifying relevant stakeholders, launching a change management process, and applying specific remediation steps when a threat is detected.
Integrate Defender for Cloud with your SIEM, SOAR, and ITSM solutions
Microsoft Defender for Cloud can stream your security alerts into the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.
There are Azure-native tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:
Microsoft Sentinel
Splunk Enterprise and Splunk Cloud
IBM's QRadar
ServiceNow
ArcSight
Power BI
Palo Alto Networks
Microsoft Sentinel
Defender for Cloud natively integrates with Microsoft Sentinel, Microsoft's cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution.
There are two approaches to ensuring your Defender for Cloud data is represented in Microsoft Sentinel:
Sentinel connectors - Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud at the subscription and tenant levels:
Stream your audit logs - An alternative way to investigate Defender for Cloud alerts in Microsoft Sentinel is to stream your audit logs into Microsoft Sentinel:
Defender for Cloud has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no additional costs.
You can use this API to stream alerts from the entire tenant (and data from many other Microsoft Security products) into third-party SIEMs and other popular platforms:
Use Defender for Cloud's continuous export feature to connect Defender for Cloud with Azure Monitor via Azure Event Hubs and stream alerts into ArcSight, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions.
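The following is an added example, not Microsoft's code, of what a consumer on the Event Hubs side of that pipeline has to do before a syslog-based tool such as ArcSight can ingest an alert: render the exported alert as one Common Event Format (CEF) line with the escaping CEF requires (backslash and pipe in the header, backslash and equals sign in the extension, no raw newlines). The alert field names (AlertDisplayName, AlertType, Severity, CompromisedEntity, Description, RemediationSteps, StartTimeUtc, SystemAlertId) are assumed here to follow the continuous-export alert schema; the severity mapping and the sample alert are constructed.

```python
"""Render a Defender for Cloud alert as a CEF line for syslog-based SIEMs
(added example, not Microsoft code; field names and sample alert are assumed)."""
from datetime import datetime, timezone

# Defender severities mapped onto CEF's 0-10 scale (an assumed mapping).
CEF_SEVERITY = {"Informational": 0, "Low": 3, "Medium": 6, "High": 9}


def _esc_header(value) -> str:
    """CEF header fields: escape backslash and pipe, flatten newlines to spaces."""
    return (str(value).replace("\\", "\\\\").replace("|", "\\|")
            .replace("\r", " ").replace("\n", " "))


def _esc_ext(value) -> str:
    """CEF extension values: escape backslash and equals sign, encode newlines."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _epoch_ms(iso_utc: str) -> int:
    """'2024-05-01T10:15:30Z' -> milliseconds since the Unix epoch, as CEF's rt field expects."""
    ts = datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return int(ts.timestamp() * 1000)


def alert_to_cef(alert: dict) -> str:
    """Build 'CEF:0|Vendor|Product|Version|EventClassId|Name|Severity|key=value ...'."""
    header = [
        "CEF:0", "Microsoft", "Defender for Cloud", "1.0",
        alert.get("AlertType", "Unknown"),
        alert.get("AlertDisplayName", ""),
        CEF_SEVERITY.get(alert.get("Severity"), 5),
    ]
    extension = {
        "externalId": alert.get("SystemAlertId", ""),
        "rt": _epoch_ms(alert["StartTimeUtc"]),
        "dvchost": alert.get("CompromisedEntity", ""),
        "cs1Label": "RemediationSteps",
        "cs1": " ; ".join(alert.get("RemediationSteps", [])),
        "msg": alert.get("Description", ""),
    }
    return "|".join(_esc_header(h) for h in header) + "|" + " ".join(
        f"{key}={_esc_ext(value)}" for key, value in extension.items())


# Constructed sample alert; the id and alert type are placeholders, not real values.
SAMPLE_ALERT = {
    "SystemAlertId": "00000000-0000-0000-0000-000000000001",
    "AlertType": "VM_SuspiciousActivity",
    "AlertDisplayName": "Suspicious process | executed on VM",
    "Severity": "High",
    "StartTimeUtc": "2024-05-01T10:15:30Z",
    "CompromisedEntity": "vm-web-01",
    "Description": "Process launched with flag x=1; review the command line.",
    "RemediationSteps": ["Isolate the machine", "Review the process tree"],
}

if __name__ == "__main__":
    print(alert_to_cef(SAMPLE_ALERT))
```

The sample deliberately carries a pipe in the display name and an equals sign in the description, because those are the characters that silently corrupt CEF parsing downstream if a converter forgets them; the output keeps the alert's remediation steps in a custom string field so analysts see them in the SIEM without pivoting back to the portal.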
When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud and you can pivot to the Defender for Endpoint console to perform a detailed investigation and uncover the scope of the attack. Learn more about Microsoft Defender for Endpoint.
There are two recommendations in Defender for Cloud to ensure you've enabled endpoint protection and it's running well. These recommendations check for the presence and operational health of EDR solutions from:
Apply your Zero Trust strategy to hybrid and multicloud scenarios
With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.
Microsoft Defender for Cloud protects workloads wherever they're running: in Azure, on-premises, Amazon Web Services (AWS), or Google Cloud Platform (GCP).
Integrate Defender for Cloud with on-premises machines
To secure hybrid cloud workloads, you can extend Defender for Cloud's protections by connecting on-premises machines to Azure Arc enabled servers.
Integrate Defender for Cloud with other cloud environments
To view the security posture of Amazon Web Services machines in Defender for Cloud, onboard AWS accounts into Defender for Cloud. This will integrate AWS Security Hub and Microsoft Defender for Cloud for a unified view of Defender for Cloud recommendations and AWS Security Hub findings and provide a range of benefits as described in Connect your AWS accounts to Microsoft Defender for Cloud.
To view the security posture of Google Cloud Platform machines in Defender for Cloud, onboard GCP accounts into Defender for Cloud. This will integrate GCP Security Command Center and Microsoft Defender for Cloud for a unified view of Defender for Cloud recommendations and GCP Security Command Center findings and provide a range of benefits as described in Connect your GCP accounts to Microsoft Defender for Cloud.