During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
As of April 2022, Microsoft renamed Azure Purview, and now it’s called Microsoft Purview. Microsoft Purview—a comprehensive set of solutions from Microsoft to help you govern, protect, and manage your entire data estate.
In this article, we will share with you how to integrate Azure Purview with Microsoft Defender for Cloud to help prioritize security actions by data sensitivity.
Table of Contents
Microsoft Defender for Cloud gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:
1) Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.
2) Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts. CWPP is part of the Azure Defender (formerly known as the Standard Tier plan in Azure Security Center).
Microsoft Defender for Cloud is an evolution of the threat-protection technologies in Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
- Azure Defender for Azure DNS
During Microsoft Ignite in November 2021, Microsoft announced Microsoft Purview integration with Microsoft Defender for Cloud (public preview), to identify, prioritize, and secure sensitive data resources across multi-cloud environments. Azure Purview is a unified data governance service that provides rich insights into the sensitivity of your data within multi-cloud and on-premises workloads.
The integration with Azure Purview extends your security visibility in Defender for Cloud from infrastructure resources down into your data, enabling an entirely new way to prioritize resources for security teams.
Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. Empower data consumers to find valuable, trustworthy data. Check the official documentation to learn more about Azure Purview.
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Microsoft Defender for Cloud without enhanced security or Microsoft Defender for Cloud plan enabled. The free option is enough to leverage Azure Purview integration. So why not use the free plan for all your Azure resources to get rich insights into the sensitivity of your data.
3) You’ll need an Azure Purview account to create the data sensitivity classifications – If you don’t have an Azure Purview account, you can create one by following the quick start guide. Any new purview account will be provisioned with 1 Capacity Unit (CU) with autoscale capabilities.
Updated – 17/12/2021 – Microsoft is increasing the included metadata storage in 1 capacity unit from 2 GB to 10 GB starting on 17 December 2021. Consumption throughput of up to 25 data map operations per second per capacity unit will remain the same. With this change, you’ll be able to store 5x the amount of assets, relationships, and classifications in a searchable form for the same price!
If your data map is larger than 2 GB, you’ll see a reduction in your Azure Purview bill going forward. No action is required on your part. You can find the metadata storage used by your Azure Purview account from the Azure Portal. For more information please read, Elastic data map – Azure Purview | Microsoft Docs.
4) You also will need to be a Data Source Administrator and Data Reader to register a source and manage it in the Purview Studio. Please check the Azure Purview Permissions page for details.
5) Register Sources in Azure Purview (more on this in the next section).
6) Scan Resources in Azure Purview (more on this in the next section).
Register Sources with Azure Purview
After your Azure Purview account is created, you’ll use the Purview Studio to access and manage it. There are two ways to open Purview Studio:
1) Open your Purview account in the Azure Portal. Select the “Open Purview Studio” tile on the overview page as shown in the figure below.
2) Alternatively, you can directly browse to https://web.purview.azure.com, select your Purview account, and then sign in to your workspace.
It is important to register the data source in Azure Purview prior to setting up a scan for the data source.
Once you are on the purview studio home page, select the “Data map” blade on the left-hand side, and then select “Collections” as shown in the figure below.
Add and create the desired collection(s) first to organize the registered sources. In this example, we have the root collection called “Azure-Purview-MDC“, and then “Azure Storage Accounts“, and underneath, we have “Azure Blob Storage” and “Azure Files“.
Collections are organized-defined groupings of assets, terms, annotations, and sources. Learn more about collections.
Next, select “Sources” and then click “Register” as shown in the figure below.
Next, you can choose between different sources such as Azure, AWS account, Amazon S3, Azure Synapse Analytics, etc. For the entire list of what you can register, check the supported data stores here. In this example, we will register Azure Blob Storage and Azure Files. Select the desired source that you want to register, and then click Continue as shown in the figure below.
In the Register sources (Azure Files) page, enter a descriptive “Name“, select the desired “Azure subscription” and the desired “Storage account name“, then select the desired “collection” that you created earlier as shown in the figure below. In this case, all assets discovered under this source will belong to the collection you select. Click Register to continue.
The Azure Blob storage account and Azure Files will be shown under the selected Collection as shown in the figure below:
You need to repeat the same steps described above to register all the intended sources that you want to bring to Azure Purview.
Scan Resources with Azure Purview
Once you registered one or more sources in Azure Purview, you need to scan the data source. In order to have access to scan the data source, an authentication method in the Azure Blob Storage account needs to be configured.
The following four options are the supported authentication method for Azure Blob Storage:
> System-assigned managed identity (Recommended).
> User-assigned managed identity.
> Storage Account Access Keys.
> Service Principal.
For the purpose of this example, we will use the recommended option (System-assigned managed identity) to authenticate to Azure Blob Storage.
At the time of this writing, there’s only one way to set up authentication for Azure file shares (Storage Account Access Keys). You need to get your access key and store it in Azure Key Vault. We hope Microsoft will include System/User-assigned managed identity for Azure Files as well.
As soon as the Azure Purview Account is created, a system-assigned managed identity (SAMI) is created automatically in the Azure AD tenant. Depending on the type of resource, specific RBAC role assignments are required for the Azure Purview SAMI to perform the scans.
It is important to give your Purview account permission to scan the Azure Blob data source. You can add access for the SAMI or UAMI at the Subscription, Resource Group, or Resource level, depending on what level scan permission is needed.
As a side note, if you have a firewall enabled for the storage account, then you must use managed identity authentication method when setting up a scan.
You need to be an owner of the subscription to be able to add a managed identity on an Azure resource. Take now the following steps:
1) From the Azure portal, find either the subscription, resource group, or resource (in this example, an Azure Blob storage account, and Azure Files) that you would like to allow the catalog to scan.
2) Select Access Control (IAM) in the left navigation and then select + Add –> Add role assignment as shown in the figure below.
3) Set the Role to Storage Blob Data Reader for Azure Blob Storage source, then enter your Azure Purview account name under the Select input box as shown in the figure below. Then, click Select to give this role assigned to your Purview account.
4) Switch to your Purview account and select the Open Purview Studio at https://web.purview.azure.com.
5) Navigate to the Data map –> Sources to view the collection hierarchy.
6) Select the New Scan icon under the Azure Blob Storage and Azure Files data sources that you registered earlier as shown in the figure below.
7) Provide a Name for the scan, select the Purview accounts Managed Identity (MSI) under Credential, choose the appropriate collection for the scan, and then select Test Connection as shown in the figure below. On a successful connection, select Continue.
Please note that for Azure Files, you need to create a new credential using the storage account access key stored in Azure Key Vault to set up your scan.
8) Next, you can scope your scan to specific folders and subfolders by choosing the appropriate items in the list as shown in the figure below. On selecting the appropriate items, click Continue.
9) Select a scan rule set. You can choose between the system default (AzureStorage), existing custom rule sets, or create a new rule set inline. If creating a new scan rule set, select the file types to be included in the scan rule. Select Continue.
The Microsoft default scan rule set includes all supported file types for schema extraction and classification and all supported system classification rules. The file types for schema extraction and classification are: CSV, JSON, PSV, SSV, TSV, GZIP, TXT, XML, PARQUET, AVRO, ORC, DOC, DOCM, DOCX, DOT, ODP, ODS, ODT, PDF, POT, PPS, PPSX, PPT, PPTM, PPTX, XLC, XLS, XLSB, XLSM, XLSX, XLT.
10) Choose and set your scan trigger. You can set up a recurring schedule or run the scan once. Select Continue.
11) Finally, review your scan and then select Save and run.
You need to repeat the same steps described above to scan all the intended resources in Azure Purview.
12) To view a scan, navigate to the data source in the Collection and select View Details to check the status of the scan. The scan details indicate the progress of the scan in the Last run status and the number of assets scanned and classified.
13) The Last run status will be updated to In progress and then Completed once the entire scan has run successfully as shown in the figure below.
Azure Purview can scan and classify a broad range of file and resource types including Word, PPT, CSV, JSON, and PDF documents in Azure Blob storage, SQL Servers hosted inside and outside of Azure, Azure Data Lake Storage Gen2 account (ADLS), and AWS S3, and more.
Discover resources with sensitive data
Switching now to Microsoft Defender for Cloud. To provide vital information about discovered sensitive data, and help ensure you have that information when you need it, Defender for Cloud displays information from Azure Purview in multiple locations.
Please note that if a resource is scanned by multiple Azure Purview accounts, the information shown in Defender for Cloud relates to the most recent scan.
When you’re reviewing a security recommendation or investigating a security alert, the information about any potentially sensitive and classified data involved is included on the Recommendations and Security alerts page. This vital additional layer of metadata helps solve the triage challenge and ensures your security team can focus its attention on the threats to sensitive data.
The asset inventory page in Microsoft Defender for Cloud has a collection of powerful filters to group your resources with outstanding alerts and recommendations according to the criteria relevant for any scenario. These filters include Data sensitivity classifications and Data sensitivity labels as shown in the figure below. You can use these filters to evaluate the security posture of resources on which Purview has discovered sensitive data.
When you select a single resource – whether from a security alert, recommendation, or the inventory page – you reach a detailed health page showing a resource-centric view with the important security information related to that resource.
When reviewing the health of a specific resource as shown in the figure below, you’ll see the Purview information on this page and can use it to determine what data has been discovered on this resource alongside the Purview account used to scan the resource.
And to make access simple and give security teams at-scale insights into the resources that are being scanned by Azure Purview, Microsoft added a dedicated Information protection tile to the Microsoft Defender for Cloud dashboard as shown in the figure below.
The tile shows your current scan coverage, as well as a graph with the number of recommendations and alerts by classified resource types. The tile also includes a link to the Azure Purview account so you can scan additional resources. You can select the tile to see classified resources in Defender for Cloud’s asset inventory page.
That’s it there you have it!
In this article, we showed you how to integrate Azure Purview with Microsoft Defender for Cloud to help prioritize security actions by data sensitivity.
Azure Purview, provides rich insights into the sensitivity of your data. With automated data discovery, sensitive data classification, and end-to-end data lineage, Purview helps organizations manage and govern data in hybrid and multi-cloud environments.
Security teams regularly face the challenge of how to triage incoming security issues. You’d want to focus the security team’s efforts on risks to the organization’s data. If two recommendations have an equal impact on your secure score, or two security alerts have an equal severity impact on your resources, but one relates to a resource with sensitive data, ideally you’d include that knowledge when determining prioritization. Azure Purview’s data sensitivity classifications and data sensitivity labels provide that knowledge.
The integration with Azure Purview enriches Microsoft Defender for Cloud’s alerts, recommendations, and resources with sensitive information, giving you a high-level overview and the ability to manage resources more easily that contain sensitive data.
Learn how to use Azure Purview so your organization can find, understand, govern, and consume data sources.
Learn how to prioritize security actions by data sensitivity with Microsoft Defender for Cloud.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.