If you want to protect your servers from cyber threats, you may be relying on Defender for Servers from Microsoft, a leader in the Gartner Magic Quadrant. Microsoft has now announced direct onboarding to Defender for Servers without Azure Arc, and the feature is officially available. Direct onboarding allows you to add the servers you want to protect to Defender for Servers without needing Azure Arc for Servers. In this blog post, I'll explain what this means, the benefits of this option, and who can benefit from it. I will also compare the new option with onboarding via Azure Arc for Servers.
Defender for Servers
Defender for Servers is a cloud-based service that provides threat detection and response capabilities for Windows and Linux servers. It helps you monitor your servers for malicious activity, detect and block attacks, investigate incidents, and respond to alerts. Defender for Servers is part of Microsoft Defender for Cloud (formerly Azure Security Center), which also includes Defender for Kubernetes, Defender for SQL, and Defender for IoT.
To use Defender for Servers, the servers to be protected must be included in Defender for Cloud. This means that an agent must be installed on the servers to connect them to Defender for Cloud. Previously, this required Azure Arc for Servers, a service that extends Azure management and security to any server as an extension of Azure Resource Manager (ARM). With Azure Arc for Servers, you can manage your servers as if they were Azure resources, regardless of location or platform.
However, some customers do not want to use Azure Arc for Servers for their server management. This can be for a variety of reasons: they may already have other tools or processes in place that they don't want to replace, or they may have compliance or regulatory requirements that prevent them from using Azure Arc for Servers. With this latest announcement, Microsoft has listened and responded to this customer feedback. For customers who don't want to use Azure Arc, Microsoft has introduced a new option: Defender for Servers direct onboarding. With this option, on-premises or multi-cloud servers can be onboarded directly, without requiring Azure Arc for Servers. The previous unconditional dependency on Azure Arc has thus been removed. But what are the actual benefits of this new option?
Advantages of direct onboarding without Azure Arc
The main advantage of this option is probably obvious: the onboarding process is simplified, and the dependencies and prerequisites are reduced. You don't need to install and configure the Azure Arc for Servers agent on the servers, which saves you time and resources. Nor do you need to create and manage Azure resource groups or tags for your servers. In general, you don't have to deal with your Azure governance, or at least not as much, and therefore you don't have to prepare as much structure for a successful onboarding.
Another advantage of direct onboarding is that you have more flexibility and choice in how you manage and secure your servers, because you can use Defender for Servers with direct onboarding alongside other Microsoft or third-party tools and services. For example, you can continue to use System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS) to patch servers, while Defender for Servers handles threat protection. Onboarding via Azure Arc allowed this flexibility too, but Azure Arc itself had to be set up as the mandatory basis for onboarding to Defender for Servers. So here again we come back to the first, main advantage.
The official announcement from Microsoft can be found at this link.
But how does the direct onboarding of Defender for Servers without Azure Arc compare to Azure Arc for Servers?
Comparison to onboarding with Azure Arc
While direct onboarding of Defender for Servers without Azure Arc is a convenient and flexible option, it clearly does not provide the same management and security capabilities that Azure Arc for Servers does. With Azure Arc for Servers, cloud-native tools and management capabilities can be deployed through the Azure Arc resource (the server) available in the Azure portal. This includes features such as update management, inventory, detection of configuration drift, and Azure Policy to enforce compliance requirements. These features help you ensure that servers are configured correctly, patched regularly, and comply with corporate policies and standards. Cloud-native tools also help you reduce costs and risks by optimizing and automating server performance and security.
In addition, Azure Arc for Servers lets you use Azure services that require an Azure resource identity and metadata. For example, you can analyze metrics and logs from your servers and monitor them with Azure Monitor. Defender for Cloud then also gives you recommendations for improving system security, as well as alerts about misconfigurations. With Azure Backup you can easily protect your servers and data, and you can automate management tasks with Azure Automation, Logic Apps and Azure Functions. All of these capabilities remain unavailable to you with direct onboarding, because the Azure resource is missing.
Onboarding via Azure Arc is therefore still my preferred variant, as it brings many advantages and possibilities with it. I prefer this variant even if an organization does not yet want to make use of these advantages, because Arc onboarding already lays the foundation for doing so later.
So for whom is direct onboarding of Defender for Servers without Azure Arc appropriate?
Scenarios for direct onboarding without Azure Arc
The direct onboarding option without Azure Arc can be beneficial for organizations that find themselves in any of the following:
- The organization has only a small number of servers that it wants to protect with Defender for Servers, and does not want to use additional cloud-native services.
- The organization already has existing tools and corresponding processes for managing the servers. These tools and processes are of strategic relevance and are not to be replaced in the future.
- The organization has compliance or regulatory requirements that Azure Arc for Servers does not meet, preventing its deployment.
- The organization wants to try out and test Defender for Servers, but doesn't want to deal with Azure Arc for Servers yet.
- The organization has strategically decided against using cloud platforms like Azure, but still wants to use Defender for Servers to protect its servers.
Conclusion
Defender for Servers direct onboarding without Azure Arc is a new feature from Microsoft that lets you onboard your servers into Defender for Servers without using Azure Arc for Servers. This option simplifies the onboarding process and gives you more flexibility and choice in how you manage and secure your servers. However, Microsoft's newly released option doesn't offer the same level of management and security features as Azure Arc for Servers, which I still consider the recommended method for managing and securing your hybrid and multi-cloud servers.