This article describes the scope of services and support available when requesting assistance implementing Azure Defender for Cloud with your Managed Cloud PaaS 2.0 Deployment.
Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that is made up of security measures and practices that are designed to protect cloud-based applications from various cyber threats and vulnerabilities.
Microsoft Defender for Cloud helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your resources. It provides integrated security monitoring and policy management across your subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.
Defender for Cloud combines the capabilities of:
Note: Azure Policies for Azure Defender for Cloud are not included, configured or enabled for Azure Defender for Cloud on MCS PaaS 2.0.
Sitecore Managed Cloud Standard – PaaS 2.0 includes the option to provision Azure Defender for Cloud CSPM (Cloud Security Posture Management) and Workload Protection.
Review the official Microsoft Azure Defender for Cloud documentation for a comprehensive overview of the features and services when deploying Azure Defender for Cloud.
Sitecore will deploy the Azure Services required to implement Azure Defender for Cloud while provisioning your Primary Hub Environment. If your Hub Environment has already been deployed, Azure Defender for Cloud can be requested via the Sitecore Managed Cloud Customer Service Portal (CSM).
Customers looking to apply Azure Defender for Cloud on non-production environments may additionally request this via the Sitecore Managed Cloud Customer Service Portal (CSM).
Review the following article for further details on the Azure Services included in your Hub Environment:
Sitecore Managed Cloud Standard - PaaS 2.0. Topologies and tiers for Sitecore XP 10.3.1 and higher
Note that not all Azure Resources are eligible for Defender Workload Protection. Upon deployment, Sitecore will enable Defender for Cloud Workload Protection on the following resource types:
- App Services *
- SQL Server *
- Storage Accounts * **
- Virtual Machines **
- KeyVault **

* Resource deployed within the PaaS 2.0 Spoke Environment
** Resource deployed within the PaaS 2.0 Hub Environment
The charts on the following pages use the RACI coding system: R = Responsible, A = Accountable, C = Consulted, I = Informed.

| RACI Description | Customer/Partner | Sitecore |
|---|---|---|
| Customer to request Basic or Advanced Hub | R, A | C, I |
| Sitecore Managed Cloud Operations team to deploy Azure Defender Workload Protection | C, I | R, A |
| Azure Defender Logging enabled within the Customer's Log Analytics Workspace | C, I | R, A |
| Ongoing Monitoring of Cloud Defender Logs and recommendations | R, A | C, I |
Note: All Virtual Networks will be created by Sitecore during the initial Sitecore Environment provisioning process (spoke).
| Production Spoke Implementation Actions | Customer/Partner | Sitecore |
|---|---|---|
| Azure Defender for Cloud Workload Protection for App Services Enabled | C, I | R, A |
| Azure Defender for Cloud Workload Protection for SQL Server Enabled | C, I | R, A |
| Azure Defender for Cloud Workload Protection for Storage Accounts Enabled | C, I | R, A |
| Primary Hub Implementation Actions | Customer/Partner | Sitecore |
|---|---|---|
| Azure Defender for Cloud Workload Protection for Virtual Machines Enabled | C, I | R, A |
| Azure Defender for Cloud Workload Protection for KeyVault Enabled | C, I | R, A |
| Azure Defender for Cloud Workload Protection for Storage Accounts Enabled | C, I | R, A |
| Sitecore Hub Environment – Provisioning | Customer/Partner | Sitecore |
|---|---|---|
| Review of Azure Defender for Cloud Logs and Recommendations | R, A | C, I |
| Ingestion of Azure Defender for Cloud Logs into Customer-defined SIEM | R, A | C, I |
The image below shows a typical Sitecore Managed Cloud: PaaS 2.0 deployment with Azure Defender enabled, where Disaster Recovery Services are not included.
Protected Resource within the Production Spoke:
Protected Resource within the Primary Hub:
Customers opting for the Advanced Hub will automatically benefit from Azure Defender Workload Protection for the Production Spoke and Primary Hub.
Customers opting for the Basic Hub can still benefit from Azure Defender Workload Protection. However, this will require an additional add-on purchase and should be requested via the Sitecore Managed Cloud Ticketing System.
The image below shows a typical Sitecore Managed Cloud: PaaS 2.0 deployment with Azure Defender enabled, where Disaster Recovery Services are included.
Protected Resource within the Production Spoke:
Protected Resources within the Primary and Secondary Hubs:
Customers opting for the Advanced Hub with Disaster Recovery included will automatically benefit from Azure Defender Workload Protection for the Production Spoke, Primary and Secondary Hubs.
Customers opting for the Basic Hub can still benefit from Azure Defender Workload Protection. However, this will require an additional add-on purchase and should be requested via the Sitecore Managed Cloud Ticketing System.
Azure Defender for Cloud Workload Protection is intentionally not applied to the DR Spoke. Refer to the section below for further details on how Azure Defender for Cloud Workload protection is applied in the event Disaster Recovery is invoked.
Azure Defender for Cloud Workload Protection will be added to the DR Spoke resources when DR is failed over. To ensure the Production resources remain adequately protected, the DR Failover process will NOT attempt to remove Workload Protection from either the Production Spoke or the Primary Hub.
Azure Defender for Cloud Workload Protection will be removed from the DR Spoke resources when DR Spoke is failed back and re-protected.
Refer to the following links provided by Microsoft for a definitive guide to implementing Microsoft Azure Defender for Cloud:
Is Azure Defender for Cloud included for all Managed Cloud Customers?
No. Defender for Cloud is available as an add-on service for PaaS 2.0 Customers only. Customers opting for the PaaS 2.0 Advanced Hub will benefit from Workload Protection for their Production Spoke and Primary Hub Resources.
When opting for the PaaS 2.0 Advanced Hub, which Azure Defender for Cloud Workload Protection services are included with Managed Cloud?
Sitecore Managed Cloud Standard – PaaS 2.0 includes enabling Azure Defender for Cloud. Where requested, the following resources will benefit from Workload Protection:
- App Services *
- SQL Server *
- Storage Accounts * **
- Virtual Machines **
- KeyVault **

* Resource deployed within the PaaS 2.0 Spoke Environment
** Resource deployed within the PaaS 2.0 Hub Environment
The services noted above are automatically protected after executing the Defender for Cloud deployment pipeline.
Is Azure Defender available for DR and Non-Production Environments?
Yes. Customers may request that Azure Defender Workload Protection be deployed into their PaaS 2.0 Non-Production and DR Environments. Note that by design, workload protection is included only in the Production Spoke and Primary Hub when purchasing the Advanced Hub.
What happens in the event of a DR failover? Will Defender be enabled as part of the failover?
During a DR failover (primary to secondary), Sitecore will check whether the primary region has Defender Workload Protection. If the Primary Region has Azure Defender Workload Protection, then as part of the failover process Sitecore will add the same level of protection to the associated DR SKUs.
If Azure Defender for Cloud is customized in the Primary Region, will these customizations be replicated to the DR Region when the service is enabled post-DR failover?
Sitecore will only persist the top-level Azure Defender for Cloud properties that control which services are protected by default. Any further configuration or logging customizations will not be replicated to the DR site. Customers should ensure any post-deployment configuration to Azure Defender is well documented so that these settings can be reapplied in the event of DR failover.
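Because only the top-level "which services are protected" settings follow a failover, a customer runbook benefits from a repeatable check of which Defender plans are on the Standard tier, plus a record of that state to reapply later. The script below is an added example written for this article, not Sitecore's deployment pipeline or any Microsoft tooling. It assumes the input is the JSON that `az security pricing list -o json` prints (a "value" array of objects with `name` and `pricingTier` fields) and that the plan names `AppServices`, `SqlServers`, `StorageAccounts`, `VirtualMachines` and `KeyVaults` correspond to the resource types the article lists; the sample data is constructed inline so the check runs offline.

```python
"""Check and record which Defender for Cloud plans are on the Standard tier."""
import json

# Plans the article says Sitecore enables per environment. Plan names follow the
# Microsoft.Security/pricings resource names returned by `az security pricing
# list` (an assumption of this example; the article names the resource types only).
EXPECTED_PLANS = {
    "Production Spoke": {"AppServices", "SqlServers", "StorageAccounts"},
    "Primary Hub": {"VirtualMachines", "KeyVaults", "StorageAccounts"},
}

# Constructed sample in the assumed shape of `az security pricing list -o json`.
# Storage Accounts is deliberately left on the Free tier so the check has
# something to flag.
SAMPLE_SPOKE_PRICING = json.dumps({
    "value": [
        {"name": "AppServices", "pricingTier": "Standard"},
        {"name": "SqlServers", "pricingTier": "Standard"},
        {"name": "StorageAccounts", "pricingTier": "Free"},
        {"name": "VirtualMachines", "pricingTier": "Free"},
    ]
})

# Constructed sample for the DR region after failover: SqlServers was not
# brought up to Standard, which the comparison below should report.
SAMPLE_DR_PRICING = json.dumps([
    {"name": "AppServices", "pricingTier": "Standard"},
    {"name": "SqlServers", "pricingTier": "Free"},
    {"name": "StorageAccounts", "pricingTier": "Free"},
])


def parse_pricing(raw: str) -> dict:
    """Map plan name -> pricing tier; accepts a bare list or {"value": [...]}."""
    doc = json.loads(raw)
    items = doc["value"] if isinstance(doc, dict) else doc
    return {item["name"]: item["pricingTier"] for item in items}


def standard_plans(tiers: dict) -> set:
    """Plans currently on the paid (Workload Protection) tier."""
    return {name for name, tier in tiers.items() if tier == "Standard"}


def check_environment(environment: str, tiers: dict) -> dict:
    """Compare enabled plans against what the article says the environment gets."""
    expected = EXPECTED_PLANS[environment]
    enabled = standard_plans(tiers)
    return {
        "environment": environment,
        "missing": sorted(expected - enabled),      # expected but not Standard
        "unexpected": sorted(enabled - expected),   # Standard but outside the scope
    }


def snapshot(tiers: dict) -> str:
    """Stable JSON record of the plan state, suitable to keep with the runbook."""
    return json.dumps(dict(sorted(tiers.items())), indent=2)


def failover_gap(primary_tiers: dict, dr_tiers: dict) -> list:
    """Plans protected in the primary region that are not yet Standard in DR."""
    return sorted(standard_plans(primary_tiers) - standard_plans(dr_tiers))


if __name__ == "__main__":
    spoke = parse_pricing(SAMPLE_SPOKE_PRICING)
    print(check_environment("Production Spoke", spoke))
    print(snapshot(spoke))
    dr = parse_pricing(SAMPLE_DR_PRICING)
    print("DR plans still to enable:", failover_gap(spoke, dr))
```

In practice the constructed strings would be replaced by the CLI output for the primary and DR subscriptions; the `failover_gap` result is the list of plans a post-failover check should expect Sitecore's process to have raised to Standard, and `snapshot` is the record to keep alongside any further (non-replicated) Defender configuration.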
Is Sitecore actively analyzing the Defender for Cloud findings and recommendations?
Sitecore will not provide ongoing analysis of the Defender for Cloud findings and recommendations. The service intends to give the customers out-of-the-box protection as developed by Microsoft.
Is this service intended to replace my existing SIEM?
No. Customers should not see this as a replacement for any existing SIEM tooling already in place. The recommendation is for customers to extend the logging provided by Azure Defender for Cloud into their existing log management and SIEM tools.