This article is intended to summarize the security services and tools provided by Microsoft for Azure cloud. We will also explore the value add Sysdig can provide when used in conjunction with the default Azure services for security.
Sharing the responsibility for Security
Microsoft Azure’s security model for the cloud divides the responsibility between Microsoft and customers based on the following principles:
- Microsoft protects the underlying infrastructure
- Customers put the practices, protocols and tooling in place to protect the workloads
The nuances of the shared responsibilities have been illustrated in detail for SaaS, PaaS, IaaS and On-Prem in the below diagram that can be found in this Microsoft article.
CNAPP with Microsoft Azure
The responsibility of securing the cloud workloads, applications and services on Microsoft Azure lies with the customer. Microsoft however provides a handy set of tools that can help with CNAPP (cloud-native application platform protection) and also related (CWPP – cloud workload protection, CSPM – cloud security posture management) use cases that can smooth the journey of cloud adoption and operations for the customers.
For a detailed explanation of these terms please read this article. Below is a list of solutions and services that many Microsoft Azure customers commonly leverage as an à la carte collection of monthly subscriptions:
Microsoft Defender for Cloud
Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure resources and now is also offering some multi-cloud capabilities dependent on Azure Arc.
Microsoft Defender for Containers
Microsoft Defender for Containers is an agent-based solution for securing your containers and maintaining the security of your clusters, containers, and their applications. This is a separate subscription from Defender for Cloud.
Microsoft Defender Advanced Threat Protection
This service helps to identify unexpected and potentially unauthorized or malicious activities like Malware, crypto mining or attacks. ATP is a preventative and post-detection, investigative response feature of Microsoft Defender. ATP’s features are standard in many high-end anti-malware packages.
Microsoft Azure Policy
Azure Policy is used to enforce organizational standards and assess compliance. It is a compliance dashboard that helps evaluate the overall state of the environment. It also helps in the enforcement of remediations.
Microsoft Azure Activity Logs
These allow monitoring deployments in the cloud by getting a history of activity for your account subscription, including API calls, SDKs, the command line tools, and Azure services. Sysdig consumes this service (amongst others) as a part of cloud security and compliance continuous feedback.
Microsoft Azure AD and RBAC
Security in the cloud begins with the foundation of Identity. Active Directory (AD) and Role-based Access Control services provide fine-grained access control policies.
Microsoft Azure Purview
This provides a unified data governance solution to govern on-premises, multi-cloud, and software-as-a-service (SaaS) data and allows data consumers to access valuable, trustworthy data management. Combined with other tools, it can help to meet regulations like HIPAA, GDPR, etc.
Microsoft Sentinel
Although as a SIEM from Microsoft, Sentinel itself is not a part of CNAPP, it offers a near runtime threat detection capability that works hand in hand with cloud workload protection.
Sysdig’s value add for Microsoft Azure
Depending on the use case, Sysdig has add-on and complementary features to Azure security services, aimed at the overall strengthening of your cloud security posture on Azure. Here are some scenarios where Sysdig is a solution to consider:
Hybrid-cloud or Multi-cloud scenarios:
You can use Azure Arc to extend Microsoft Defender’s capabilities to GCP or AWS but the implementation itself has added complexity. If you want to simplify and standardize the operations between the (various) cloud and the on-prem infrastructure of your company, a platform like Sysdig that allows for consolidation is a great choice.
Reduction of associated latency and storage costs with SIEM:
Sysdig leverages the open source Falco project for runtime threat detection. This not only leads to earlier detection of threats, but also you can configure Falco rules within Sysdig to send only certain suspicious event feeds to the SIEM. This reduces the ingestion and storage costs associated with your SIEM implementation.
Reduction of dependency on custom features:
Microsoft’s security services are best suited for Azure as they have multiple custom features that are built with Azure in mind. Sysdig’s solution has been used and tested by multiple clients across a variety of cloud platforms – and it has features which can work with different cloud platforms as required.
Continuous compliance:
This use case involves following established and industry-led guidelines or specifications. The main service that relates to compliance in Azure is Microsoft Defender for Cloud. But there are other services needed to achieve full compliance in Azure: Azure Policy, Microsoft Azure Purview and so on. By utilizing Sysdig with Azure, you can have all your compliance controls in one place – be it any control framework such as SOC2, PCI, NIST, ISO-27001, HiTrust, HIPAA, FedRAMP, GDPR or any best practices that come from the CIS Benchmarks and suggested by the cloud provider.
Mix of traditional and container-based infrastructure:
While Microsoft Defender for cloud does a very good job providing security findings regarding the configuration of your cloud account and services, it lacks visibility into container workloads. For inspecting container workloads, you would need to use Microsoft Defender for Containers service. Sysdig provides an overview of your security posture in both worlds, containers and cloud. Similarly, Advanced Threat Protection combined with Microsoft Sentinel does a good job detecting anomalies involving Azure resources like IAM access keys, compute instances, blob storages, and Azure AKS resources. However, these are additional subscriptions that you have to account for in your cloud budget.
With Sysdig you have all the security use cases with one subscription – leveraging the open-source Falco project for the runtime detection capabilities around workload protection, and cloud security monitoring. Sysdig threat detection capabilities detect not only cloud events, but also those that exist on the container workload side like spawning of a shell in a container, modification within sensitive folders, deletion of bash history, etc.
Sysdig Secure thus strengthens Microsoft Azure and multi-cloud security by providing a powerful but simple unified experience with a predictable cost model, covering:
- IaC code scanning threat detection and drift control.
- Vulnerability management.
- Runtime security for cloud, hosts, and containers.
- CSPM
- Incident response and forensics procedures.
Summary table
Below is a summary table of the value add by Sysdig for each of Microsoft Azure tools:
|
Use Case |
Category |
Microsoft Azure’s Service(s) |
Sysdig’s value add |
|
Configuration and vulnerability scanning for VMs and Containers. |
CWPP, CSPM |
Microsoft’s Defender for Containers Microsoft’s Defender for Cloud integrates with Rapid7 or Qualys Scanners Note – there are additional licensing requirements from either Qualys or Rapid7 for cloud. |
Extends vulnerability scanning capabilities for host instances and images also applying runtime intelligence to provide risk spotlight. Extends CSPM and Compliance features by combining dynamic and static checks into a unified experience. One single subscription for protecting both VMs and Containers. Out-of-the-box multi-cloud support. |
|
Cloud Security Monitoring and intelligent threat detection |
CWPP, and also CSPM |
Advanced Threat Protection Microsoft Sentinel |
Leverage the power of the Falco open source project within Sysdig. Rich out-of-the-box set of rules for CWPP and cloud security monitoring. Deep runtime detection for workloads and cloud. Reduce your SIEM costs by filtering what events get reported to the Sentinel SIEM. |
|
Audit Logging |
Not a core security category, but supplemental |
Activity Logs |
Native integration with Activity logs. |
|
Compliance and Data Security Detection, Configuration Drifts and Data Protection |
CSPM, Standardization, React/Alert |
Microsoft’s Defender for Cloud |
Sysdig unifies Continuous Compliance for cloud and workloads with remediation capabilities. Detect runtime threats and vulnerabilities leading to reaction, remediation and forensic analysis |
|
Monitor sensitive Data |
Data related CSPM |
Azure Purview |
Sysdig reinforces security posture and compliance related to data like GDPR and HITRUST |
Conclusion
You can check off 101 boxes for cloud and container security by using default Azure tools, and to be wholly protected you need a platform like Sysdig that can:
- Help you protect your multi-cloud and hybrid cloud infrastructure
- Provide runtime threat detection for workloads and go beyond a “static” security mindset
- Deliver a control plane that helps you establish a comprehensive implementation of best practices and compliance frameworks
- Enable multiple checkpoints to ensure build-time security and stop vulnerable images from being deployed