Integration Azure Defender with Google Cloud and AWS and Cloud Security Posture Management systems

During Ignite Microsoft released a new set of Cloud integrations from Azure Defender to AWS and Google Cloud. This provides the following advantages when connecting Azure Defender to the different cloud providers.

  • Automatic agent provisioning (Defender uses Azure Arc to deploy the Log Analytics agent to your AWS instances) (NOT Supported for Google Cloud yet)
  • Policy management (OS-based management)
  • Vulnerability management (OS-based management)
  • Embedded Endpoint Detection and Response (EDR)
  • Detection of security misconfigurations
  • AWS: (Uses AWS Security Hub Integration)
  • A view showing Security Center recommendations and AWS Security Hub findings
  • Incorporation of AWS resources into Security Center’s secure score calculations
  • Regulatory compliance assessments of AWS resources

Essentially providing recommendation and feedback from Security Hub (Thanks to @azureandbeyond

GCP: (Uses Google Cloud Security Command Center integration)
  • A view showing Security Center recommendations and GCP Security Command Center findings
  • Incorporation of GCP resources into Security Center’s secure score calculations
  • Integration of GCP Security Command Center recommendations based on the CIS standard into the Security Center’s regulatory compliance dashboard

After they are connected you will in the Azure Defender dashboard get an overview of your different AWS Accounts and GCP projects which are part of your GCP organization.

This essentially provides you with a multi-cloud security exposure system as part of Azure Defender. In combination with this will use Azure Arc to integrate with server management to provide EDR functionality for infrastructure that is running there (for supported OS’es). Microsoft is not trying to replace the different security services that GCP and AWS have but just collecting the data from those services into a centralized log and SIEM Solution (Sentinel)

Now this is an interesting approach from Microsoft, since they have for some time been focusing more and more and multi-cloud support (Azure AD integration with Google, AWS) and also with Cost Management which now supports AWS as well. Providing more capabilities for multi-cloud management.

There are already a lot of vendors in the market that provide somewhat similiar Cloud Security Posture Management (CSMP) solution which also integrates with all the major cloud providers. Such as

  • CheckPoint Dome9 (CloudGuard Cloud Security Posture Management)
  • VMware CloudHealth
  • Palo Alto Prisma Cloud

And also a other providers such as Zscaler and CipherCloud. Many of these CSMP solutions replace some of the built-in functionality the cloud providers have, which is to essentially scan your current enviroment according to best-pratices and try to provide a unified set of baseline security best pratices across the different cloud providers.

The problem I have with most of these vendors is that they try to unify the security across multi-cloud platform but not doing it properly. Let’s take a look at one example, within the different cloud providers you have a set of different security posture management services they provide

  • Microsoft Azure Defender
  • Google Cloud Security Command Center
  • AWS Security Hub

In addition to this you have different log sources collected from different activities such as the underlying identity services, automation API’s, and services with their log sources (network, IaaS) now some of these vendors listed above try to collect some of these logs but not all. Meaning that you will get some holes in the different security products when trying to integrate. The last part is innovation. Microsoft, Google and AWS will constantly push out updates, while the vendors will try to incorperate those changes it will take some time. Which means that you either need to wait or that you need to solve security in another manner until the vendor provides support.

I always recommend that you treat each cloud provider as its own ecosystem and always try to use the built-in security features and not rely on third party integrations or solutions. Sure having an alterting or ITSM system or log collection feature makes sense as long as it does not prohibit you to start use new features or services that providers are pushing out.


Leave a Reply

Scroll to Top