According to Gartner, Cloud Security Posture Management (CSPM) tools are fundamental to cloud security. Gartner states that “Cloud Security Providers (CSP) concentrates on security assessment and compliance monitoring, primarily across the IaaS cloud stack”. CSPM typically involves leveraging API integrations with one or more cloud providers in order to automatically discover cloud assets and their associated risks.
Cloud Workload Protection Platforms (CWPPs) are software platforms designed for monitoring and protecting cloud workloads. While such “workload-centric” solutions are usually agent-based, the focus should be on the workload – not the agent. An ideal CWPP would offer agentless and agent-based approaches to protecting workloads of different types in the traditional datacenter, public-cloud and private-cloud environments – including workload-centric security protections for bare-metal servers, SQL servers, storage accounts, orchestrated containers, serverless “functions” and virtual machines (VMs).
Within this realm of SIEM, Security Center, Azure Defender, and Sentinel, customers often ask me the following question: we already have Azure Sentinel, do we need Azure Security Center as well?
In this quick article, I will answer this frequent question and explain why you need both Azure Sentinel and Security Center/Azure Defender to protect your cloud workloads end-to-end and to be proactive instead of reactive.
Azure Security Center
Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:
- Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
- Azure Defender, formerly known as Cloud Workload Protection Platform (CWPP) – Protects against threats to servers whether they run in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, as well as to cloud-native PaaS workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM) and storage accounts.
Azure Security Center is meant to be that one tool that gives you a unified overview of your hybrid cloud environment’s current security configuration and informs you about current threats and attacks against your workloads and services.
Azure Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
As I mentioned earlier, Security Center covers the Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) scenarios, while Azure Sentinel covers the SIEM/SOAR scenarios that sit on top of other Microsoft security solutions. Azure Sentinel handles the data ingestion, not only from Security Center but also from third-party and other Microsoft products.
The following diagram illustrates where each product fits in the realm of Microsoft Security solutions.
~Image courtesy of Microsoft~
Data ingestion is done by Sentinel, and Sentinel is also the one that does the data correlation. Think of each of those products as a data source that feeds Sentinel; once Sentinel has the data, you can correlate it across all those data sources.
Do I need Security Center?
The short answer is, yes of course!
Azure Sentinel and Azure Security Center are completely two different products covering two different scenarios.
The following diagram should give you enough information and show how Azure Sentinel and Security Center complement each other to strengthen your Security Operations Center (SOC) Team.
~Image courtesy of Microsoft~
Cloud Security Posture Management (CSPM) and Azure Defender are two different capabilities, and Azure Security Center is the only Microsoft solution (security package) that addresses those two scenarios. If you want CSPM and Azure Defender, you need Azure Security Center. You can then take advantage of all the threat detection and advanced workload protection in Azure Security Center, which is part of Azure Defender’s capabilities, by feeding it into Azure Sentinel.
The threat intelligence from Security Center is unique: the threat detections from SQL ATP, Azure Defender for Storage, Azure Defender for Key Vault, Azure Defender for Servers, and all the other detection and protection capabilities are NOT visible to Sentinel at all unless they are ingested through the Security Center connector. So, in that respect, Azure Security Center and Azure Sentinel are complementary.
Connecting Azure Security Center to Azure Sentinel gives you more insight into your organization’s network and systems: you can view dashboards, create custom alerts, run automated playbooks, and further investigate any suspicious activity.
To learn more about Azure Security Center, check the official documentation from Microsoft.
The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data in the form of alerts from different security providers, such as Azure Security Center or other Microsoft solutions, as well as other third-party solutions.
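As an added example (not from the original post or Microsoft's documentation), the following KQL queries, run in the Sentinel workspace's Logs blade, check whether Security Center/Azure Defender alerts are actually arriving through the connector, which is the prerequisite described above. They assume the standard SecurityAlert table; the product name value used in the second query is an assumption to verify against the output of the first.

```kusto
// Added example: confirm that Azure Security Center / Azure Defender alerts
// are being ingested into the Sentinel workspace through the connector.
// Run each query separately.

// Query 1: what has every security provider sent in the last 7 days?
// If no row for Security Center appears, the connector is not enabled
// or no Azure Defender plan is generating alerts.
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize AlertCount = count(), LastSeen = max(TimeGenerated)
    by ProductName, AlertSeverity
| order by ProductName asc, AlertSeverity asc

// Query 2: drill into the Security Center alerts themselves, grouped by
// alert name and affected resource, to see the detections Sentinel would
// otherwise have no awareness of.
// Assumption: ProductName is "Azure Security Center" for these alerts;
// take the exact value from the output of Query 1 in your tenant.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
| summarize Occurrences = count(), FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AlertName, AlertSeverity, CompromisedEntity
| order by LastSeen desc
```

An empty result from Query 1 for Security Center is the quickest way to spot a misconfigured connector before relying on Sentinel analytics rules built on those alerts.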
To learn more about Azure Sentinel, check the official documentation from Microsoft.
I hope this article gave you a clear picture of how Azure Security Center is essential for Azure Sentinel to protect your workloads across public and hybrid clouds.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.