The Evolution from Azure Security Center to Microsoft Defender for Cloud
If you are looking for Azure Security Center, it was rebranded in November 2021. Microsoft merged Azure Security Center and Azure Defender into one product.
This new product is called Microsoft Defender for Cloud.
This change was more than just a name update. It represented a major shift from an Azure-only security tool to a full cloud-native application protection platform (CNAPP). This platform supports:
- Enhanced security across various cloud environments
- Integration with multiple development tools
- Comprehensive protection for applications and data
- Hybrid environments
- Multi-cloud environments
Understanding this evolution is important. Many enterprise organizations still mention Azure Security Center in their security architecture documents, compliance frameworks, and operational runbooks.
When you see Azure Security Center in:
- Microsoft documentation
- Industry reports
- Vendor comparisons
it refers to what is now Microsoft Defender for Cloud.
The capabilities expanded significantly with the rebrand. What was once limited to Azure resource security is now a unified platform. It includes:
- Azure-native resource security posture and workload protection
- On-premises server protection via Azure Arc integration
- AWS workload protection through native cloud connectors
- GCP workload protection through native cloud connectors
- DevOps security through integration with GitHub and Azure DevOps
Core Capabilities: CSPM vs CWP
Microsoft Defender for Cloud delivers two complementary security capabilities that address different aspects of cloud security. Understanding the distinction is essential for designing your enterprise Azure security architecture.
Cloud Security Posture Management (CSPM)
CSPM serves as a preventive layer for your cloud security. It continuously checks your cloud resource settings against security best practices. This helps identify misconfigurations before they turn into vulnerabilities.
You can think of CSPM as a security audit that runs 24/7 across all resources in your environment.
Defender for Cloud offers two CSPM tiers:
Foundational CSPM (Free): This tier is automatically enabled on all Azure subscriptions. It offers:
- Continuous security assessment
- Secure score calculation
- Security recommendations based on the Azure Security Benchmark
- Basic asset inventory
This tier is suitable for development and test subscriptions, as well as organizations starting their cloud security journey.
Defender CSPM (Paid): Offers advanced features to enhance your security. These include:
- Agentless scanning: Evaluates resource configurations without needing to install agents.
- Attack path analysis: Identifies exploitable paths within your environment.
- Cloud security graph: Maps relationships between resources to highlight risks.
- Governance rules: Assigns remediation recommendations to specific teams with SLA tracking.
- External attack surface management: Discovers internet-facing assets visible to attackers.
For enterprise organizations with production workloads in Azure, Defender CSPM is highly recommended. It offers valuable attack path analysis. This feature identifies complex, multi-step attack scenarios that manual security reviews often miss.
Cloud Workload Protection (CWP)
CWP serves as the detective and responsive layer. It monitors active workloads for threats, suspicious actions, and known attack patterns.
While CSPM asks, “Is this configured securely?”, CWP focuses on “Is this being attacked right now?”
Defender for Cloud provides workload protection through individual Defender plans, each tailored to a specific resource type:
| Defender Plan | Protects | Key Capabilities |
|---|---|---|
| Defender for Servers | VMs, Azure Arc servers | EDR (MDE integration), vulnerability assessment, file integrity monitoring, adaptive application controls, JIT VM access |
| Defender for Databases | Azure SQL, Cosmos DB, PostgreSQL, MariaDB, MySQL, SQL on VMs | Anomalous access detection, SQL injection alerts, vulnerability assessment, data classification |
| Defender for Containers | AKS, Azure Container Registry, Kubernetes | Image vulnerability scanning, runtime protection, Kubernetes admission control, network segmentation monitoring |
| Defender for Storage | Blob, Files, Data Lake | Malware scanning, sensitive data discovery, anomalous access patterns, hash reputation analysis |
| Defender for Key Vault | Azure Key Vault | Unusual access patterns, suspicious secret operations, high-volume operations |
| Defender for App Service | Azure App Service | Web app attack detection, dangling DNS, management plane anomalies |
| Defender for DNS | Azure DNS | DNS tunneling, communication with malicious domains, domain generation algorithms |
| Defender for Resource Manager | ARM operations | Suspicious management operations, lateral movement patterns, exploitation toolkits |
Enterprise organizations should enable all relevant Defender plans for production subscriptions. The cost per resource is low when compared to the detection capabilities provided.
Furthermore, integrating with Microsoft Defender for Endpoint (MDE) for servers creates a unified security approach for both endpoints and the cloud.
Secure Score: Measuring and Improving Your Security Posture
Secure score is the most practical metric in Microsoft Defender for Cloud. It evaluates your cloud security posture on a scale from 0% to 100%. This score is determined by comparing your resources to security controls and recommendations.
How Secure Score Is Calculated
The secure score algorithm assesses your resources through security controls. These controls come with related security recommendations. Each control has a maximum score value that depends on its severity and the number of resources it impacts.
Your score for each control reflects the percentage of recommendations you have addressed within that control.
For example, the "Enable MFA" control is worth 10 points and includes 5 recommendations. Your score depends on how many recommendations you have completed.
If you have remediated 4 out of 5, your score for that control is 8 points.
The total secure score is calculated by adding all control scores and dividing by the maximum possible score.
Enterprise Secure Score Benchmarks
Based on our experience across hundreds of enterprise Azure environments, here are realistic secure score benchmarks:
- Below 40%: Critical risk. Indicates minimal security configuration and likely exposure to common attack vectors. Requires immediate remediation of high-severity findings.
- 40-60%: Below average. Basic security controls are in place but significant gaps remain. Common in organizations that have adopted Azure without a security-first approach.
- 60-75%: Average enterprise. Fundamental security controls are implemented. Focus shifts to advanced controls like Just-In-Time access, adaptive application controls, and network segmentation.
- 75-85%: Strong posture. Most security controls are implemented. Remaining recommendations typically involve edge cases, legacy workloads, or controls that require organizational policy changes.
- 85%+: Excellent. Achievable for greenfield environments or organizations with mature cloud governance. Some recommendations may be exempted with documented business justification.
Secure Score Optimization Strategy
Do not attempt to remediate every recommendation simultaneously. Prioritize based on the following framework:
- Quick wins: Recommendations that can be remediated with a single configuration change and affect many resources. Examples include enabling diagnostic logging, enforcing HTTPS, and configuring backup policies.
- High-severity findings: Recommendations rated as "High" severity that address known attack vectors, particularly those related to identity (MFA enforcement), network exposure (open management ports), and data protection (encryption at rest).
- Controls with highest point value: Focus on completing entire controls rather than partial remediation across many controls, as the score rewards complete control coverage.
- Exemptions for false positives: Some recommendations may not apply to your environment. Use the "Exempt" feature with documented business justification rather than leaving them unaddressed; an exempted recommendation is removed from the calculation, so it does not penalize your score.
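The control-based scoring described under "How Secure Score Is Calculated" and the "highest point value" and "exemption" rules above, worked through in code. This is an added example that models the page's description, not Microsoft's scoring implementation; the control names, point values and recommendation states are constructed sample data, and the treatment of a control whose recommendations are all exempted (dropped from both numerator and denominator) is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Recommendation:
    name: str
    healthy: bool          # True once the finding is remediated
    exempted: bool = False # exempted with a documented business justification


@dataclass
class Control:
    name: str
    max_points: int
    recommendations: list


def applicable(control):
    """Recommendations that still count: exemptions drop out of the calculation."""
    return [r for r in control.recommendations if not r.exempted]


def control_score(control):
    """Points earned = max points x (remediated / applicable recommendations).
    A control with nothing applicable (all exempted) contributes no points either way."""
    recs = applicable(control)
    if not recs:
        return 0.0
    remediated = sum(1 for r in recs if r.healthy)
    return control.max_points * remediated / len(recs)


def secure_score(controls):
    """Total score in percent: sum of control scores over the maximum possible."""
    scored = [c for c in controls if applicable(c)]
    earned = sum(control_score(c) for c in scored)
    possible = sum(c.max_points for c in scored)
    return round(100 * earned / possible, 1) if possible else 0.0


def remediation_order(controls):
    """Controls sorted by points still on the table, so teams finish whole controls
    with the highest payoff first rather than spreading effort across many."""
    remaining = lambda c: c.max_points - control_score(c)
    return [c.name for c in sorted(controls, key=remaining, reverse=True)]


# Constructed sample: the page's "Enable MFA" example plus two more controls.
SAMPLE_CONTROLS = [
    Control("Enable MFA", 10, [Recommendation(f"mfa-{i}", healthy=i < 4) for i in range(5)]),
    Control("Secure management ports", 8, [
        Recommendation("close-rdp-3389", healthy=True),
        Recommendation("enable-jit-vm-access", healthy=False),
    ]),
    Control("Encrypt data in transit", 4, [
        Recommendation("enforce-https", healthy=True),
        Recommendation("tls-1.2-minimum", healthy=True),
        Recommendation("legacy-ftp-app", healthy=False, exempted=True),  # documented exception
    ]),
]

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        print(f"{c.name}: {control_score(c):.1f}/{c.max_points}")
    print(f"secure score: {secure_score(SAMPLE_CONTROLS)}%")
    print("remediate next:", remediation_order(SAMPLE_CONTROLS))
```

Note how the exempted "legacy-ftp-app" finding leaves "Encrypt data in transit" at full marks, whereas leaving it unaddressed would have held the control at two thirds.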
Regulatory Compliance Dashboard
For organizations in regulated industries, the regulatory compliance dashboard is a vital feature of Defender for Cloud. It compares your Azure resource settings to various regulatory frameworks. This tool provides continuous compliance assessments, eliminating the need for manual audits.
Built-In Compliance Standards
Defender for Cloud includes built-in assessments for Azure Security Benchmark (default, always enabled), NIST SP 800-53 (critical for government organizations), PCI DSS 4.0 (payment card industry), SOC 2 Type 2 (service organization controls), HIPAA HITRUST (healthcare organizations), ISO 27001/27002, CIS Benchmarks for Azure, FedRAMP High and Moderate, and CMMC Level 2 and 3.
Each standard links specific Defender for Cloud recommendations to regulatory controls. For example, HIPAA HITRUST control 0805.01m1Organizational.12 matches the recommendation:
- Storage accounts should use customer-managed key for encryption.
The dashboard displays your compliance percentage for each standard. It also highlights which specific controls have gaps.
Custom Compliance Initiatives
Azure Policy definitions allow you to create custom compliance initiatives. This feature is beneficial for organizations with internal security standards that go beyond regulatory requirements.
Custom initiatives are displayed alongside built-in standards in the compliance dashboard. This setup offers a clear view of both regulatory and organizational compliance.
Hybrid and Multi-Cloud Security
Modern enterprises rarely operate in a single cloud. Defender for Cloud's expansion beyond Azure is one of its most significant advantages over competing CSPM solutions.
Azure Arc Integration for Hybrid Environments
Azure Arc enhances Azure management and security for on-premises servers, Kubernetes clusters, and SQL Server instances. By connecting on-premises servers to Azure Arc, you can:
- Apply Defender for Servers protection to physical servers and non-Azure VMs.
- Include on-premises resources in your secure score calculation.
- Use Azure Policy compliance assessments for hybrid infrastructure.
- Utilize Just-In-Time VM access for on-premises servers through Azure Arc.
The Azure Arc agent is lightweight, which means it uses minimal resources. It communicates outbound over HTTPS and does not require any inbound firewall rules.
For large-scale deployments, distribute the Azure Arc deployment script with Group Policy or SCCM to automate onboarding across hundreds of servers.
AWS and GCP Connector Configuration
To connect AWS accounts to Defender for Cloud, you must use a native connector. This connector will:
- Deploy a CloudFormation stack in your AWS account.
- Create the IAM roles needed by Defender for Cloud.
- Set permissions for assessing your AWS resources.
After the connection is established, you will receive:
- CSPM recommendations based on AWS security best practices
- Defender for Servers protection for EC2 instances through the MDE agent
- Container security for EKS clusters
- A unified security posture view that spans Azure and AWS
GCP connectivity uses GCP service accounts and Workload Identity Federation. Defender for Cloud evaluates GCP resources based on CIS GCP Benchmarks. It also offers workload protection for:
- Compute Engine instances
- GKE clusters
Security Alerts and Incident Response
When Defender plans detect suspicious activity, they generate security alerts that appear in the Defender for Cloud portal and can be routed to your SIEM, SOAR, or notification systems.
Alert Severity and Triage
Alerts are classified into four categories:
- High: Active attacks or critical vulnerabilities needing immediate response.
- Medium: Suspicious activities that may suggest reconnaissance or lateral movement.
- Low: Informational findings indicating policy violations or minor anomalies.
- Informational: Audit events for compliance tracking.
Enterprise SOC teams should automate alert routing by severity so that each alert reaches the right queue without manual triage. A typical mapping:
- High alerts: Trigger immediate incidents in PagerDuty or ServiceNow.
- Medium alerts: Create tickets for investigation the next business day.
- Low and Informational alerts: Group for a weekly security review.
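The severity-based routing just listed, as an added example (not code from the original page or from Microsoft). The alert records are constructed samples with assumed field names (`severity`, `alertType`, `compromisedEntity`); the business-day calculation ignores holidays, and routing an unrecognised severity to the on-call queue rather than dropping it is a design choice made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Severity -> destination queue, following the page's routing rule.
ROUTING = {
    "High": "pagerduty",          # immediate incident
    "Medium": "servicenow",       # ticket, due next business day
    "Low": "weekly-review",
    "Informational": "weekly-review",
}


def next_business_day(day):
    """First Monday-Friday date after `day` (no holiday calendar; assumption)."""
    nxt = day + timedelta(days=1)
    while nxt.weekday() >= 5:
        nxt += timedelta(days=1)
    return nxt


def route_alert(alert, now):
    """Decide the queue and due date for one alert. Unknown severities escalate
    to the on-call queue so a schema change never silently discards an alert."""
    destination = ROUTING.get(alert.get("severity"), "pagerduty")
    if destination == "pagerduty":
        due = now.isoformat()
    elif destination == "servicenow":
        due = next_business_day(now.date()).isoformat()
    else:
        due = None  # handled in the weekly review, no individual deadline
    return {"destination": destination, "due": due, "alert": alert}


def route_batch(alerts, now):
    """Group alerts by queue. Weekly-review items are deduplicated on
    (alertType, compromisedEntity) so a noisy resource produces one review item."""
    queues, seen = defaultdict(list), set()
    for alert in alerts:
        routed = route_alert(alert, now)
        if routed["destination"] == "weekly-review":
            key = (alert.get("alertType"), alert.get("compromisedEntity"))
            if key in seen:
                continue
            seen.add(key)
        queues[routed["destination"]].append(routed)
    return dict(queues)


# Constructed sample alerts; field names are assumed, not a documented schema.
SAMPLE_ALERTS = [
    {"severity": "High", "alertType": "VM_SuspiciousProcess", "compromisedEntity": "vm-prod-01"},
    {"severity": "Medium", "alertType": "SQL_AnomalousLogin", "compromisedEntity": "sql-prod"},
    {"severity": "Low", "alertType": "Storage_PublicAccess", "compromisedEntity": "stg-logs"},
    {"severity": "Low", "alertType": "Storage_PublicAccess", "compromisedEntity": "stg-logs"},
    {"severity": "Informational", "alertType": "KV_AuditEvent", "compromisedEntity": "kv-app"},
    {"severity": "Critical", "alertType": "Unknown_Schema", "compromisedEntity": "vm-prod-02"},
]


def demo():
    """Route the sample batch as if received on Friday 2024-03-15 10:00."""
    return route_batch(SAMPLE_ALERTS, datetime(2024, 3, 15, 10, 0))
```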
Integration with Microsoft Sentinel
For enterprise SIEM capabilities, Defender for Cloud integrates natively with Microsoft Sentinel. The Defender for Cloud data connector streams all alerts and recommendations to your Sentinel workspace, enabling correlation with other security data sources, automated investigation with Sentinel playbooks, custom detection rules using KQL queries against Defender for Cloud data, and unified incident management across cloud security, identity, and endpoint signals.
Implementation Roadmap for Enterprise Organizations
Deploying Defender for Cloud effectively in an enterprise environment requires a structured approach. Attempting to enable everything simultaneously overwhelms security teams and generates alert fatigue.
Phase 1: Foundation (Weeks 1-2)
Enable foundational CSPM on all Azure subscriptions automatically. Assign the Security Reader role to security team members. Designate security administrators with the Security Admin role.
Next, review the initial secure score. Identify the top 10 quick-win recommendations. Finally, enable email notifications for high-severity alerts to the security team distribution list.
Phase 2: Production Protection (Weeks 3-6)
- Enable Defender for Servers Plan 2 on all production subscriptions that have virtual machines.
- Enable Defender for Databases on subscriptions with Azure SQL, Cosmos DB, or other database services.
- Enable Defender for Storage on subscriptions with storage accounts that contain sensitive data.
- Enable Defender for Key Vault on all subscriptions that use Key Vault for secrets management.
- Configure auto-provisioning of the Log Analytics agent and MDE agent for new VMs.
Phase 3: Advanced Posture (Weeks 7-10)
Enable Defender CSPM for attack path analysis and governance rules, and add the compliance standards that fit your industry. Configure governance rules to:
- Assign remediation recommendations to specific teams
- Set SLA targets for those teams
Then extend coverage beyond Azure:
- Connect AWS and GCP accounts if you operate in a multi-cloud environment.
- Onboard on-premises servers using Azure Arc.
Phase 4: Operational Maturity (Weeks 11+)
Integrate Defender for Cloud with Microsoft Sentinel to achieve a unified SIEM experience. You can create custom workbooks for executive security reporting.
Furthermore, you can implement automated remediation for specific recommendation types. This can be done using Azure Policy DeployIfNotExists effects.
Establish a monthly secure score review cadence with remediation sprints. Also, configure continuous export of alerts and recommendations to external systems as needed.
Cost Optimization Strategies
Defender for Cloud costs can rise quickly in large environments if not managed well. Here are some effective cost optimization strategies:
- Tier Defender plans by subscription criticality. Use full protection for production subscriptions and free CSPM for development subscriptions.
- Use Defender for Servers Plan 1 instead of Plan 2 for non-critical servers to save about 50% per server.
- Leverage the 500 MB per day free data ingestion for Defender for Servers logs.
- Right-size Log Analytics workspace retention to 90 days for operational data. Use the archive tier for long-term compliance retention.
Frequently Asked Questions
What is the difference between Azure Security Center and Microsoft Defender for Cloud?
Microsoft Defender for Cloud is the rebranded and expanded version of Azure Security Center. In November 2021, Microsoft unified Azure Security Center and Azure Defender under the single name Microsoft Defender for Cloud. All the capabilities of Azure Security Center are now part of Defender for Cloud, including secure score, security recommendations, and the regulatory compliance dashboard. Additionally, Defender for Cloud has expanded beyond Azure to support hybrid environments (on-premises servers) and multi-cloud deployments (AWS and GCP), making it a comprehensive cloud-native application protection platform (CNAPP).
Is Microsoft Defender for Cloud free or does it require a paid plan?
Microsoft Defender for Cloud has two tiers. The free tier (Foundational CSPM) is automatically enabled on all Azure subscriptions and provides continuous security assessment, secure score, and basic security recommendations at no cost. The paid tier (Defender CSPM and individual Defender plans) adds advanced capabilities including agentless scanning, attack path analysis, cloud workload protection for specific resource types (servers, databases, containers, storage, Key Vault, DNS, Resource Manager, App Service), and regulatory compliance assessments beyond the default Azure Security Benchmark. Pricing varies by resource type, starting at approximately $15 per server per month for Defender for Servers Plan 2.
How does secure score work in Microsoft Defender for Cloud?
Secure score is a numerical representation (0-100%) of your cloud security posture calculated by evaluating your Azure resources against security best practices and compliance controls. Each recommendation has a severity weight, and your score increases as you remediate findings. The score is calculated per subscription and can be aggregated across multiple subscriptions. Recommendations are grouped into security controls such as Enable MFA, Encrypt data in transit, and Apply system updates. Completing all recommendations within a control earns the full points for that control. Organizations should target a secure score of 70% or higher, with critical production subscriptions targeting 80%+.
Can Microsoft Defender for Cloud protect AWS and GCP environments?
Yes, Microsoft Defender for Cloud provides multi-cloud security coverage for AWS and GCP alongside Azure. For AWS, you connect your AWS account through a native connector that uses AWS CloudFormation to deploy the required roles and permissions. For GCP, a similar connector uses GCP service accounts. Once connected, Defender for Cloud provides CSPM recommendations based on AWS and GCP security best practices (CIS Benchmarks), workload protection for EC2 instances and GKE clusters, and a unified security posture view across all three cloud providers. This makes Defender for Cloud a viable single-pane-of-glass security solution for multi-cloud enterprises.
How long does it take to implement Microsoft Defender for Cloud in an enterprise?
A typical enterprise implementation of Microsoft Defender for Cloud takes 4 to 12 weeks depending on environment complexity. The free CSPM tier activates immediately on Azure subscriptions with no deployment required. Enabling Defender plans for specific workloads (servers, databases, containers) takes 1-2 weeks including agent deployment and policy configuration. Connecting hybrid on-premises servers via Azure Arc takes 2-4 weeks for large environments. Connecting AWS and GCP accounts takes 1-2 weeks per cloud provider. Tuning recommendations, configuring custom policies, and establishing operational workflows for alert triage typically takes an additional 4-6 weeks. EPC Group recommends a phased rollout starting with production subscriptions containing the most sensitive workloads.
Strengthen Your Azure Security Posture
EPC Group has successfully implemented Microsoft Defender for Cloud in hundreds of enterprise Azure environments. Our clients include those in healthcare, financial services, and government.
We bring 29 years of Microsoft security expertise to every project. This experience covers:
- Initial deployment
- Operational maturity
Errin O'Connor
CEO & Chief AI Architect at EPC Group with 29 years of experience in Microsoft enterprise solutions. Bestselling Microsoft Press author specializing in SharePoint, Power BI, Azure, and large-scale cloud migrations for Fortune 500 organizations.
