Microsoft Defender for Cloud: CSPM for Small Businesses in Berlin
When your infrastructure moves to Azure, the security boundary moves with it. On-premises security tools monitor what happens inside the corporate perimeter; once workloads run in the cloud, a new category of risk emerges: misconfiguration. An Azure storage account with public access enabled, a virtual machine without endpoint protection, a SQL database without transparent data encryption, a network security group allowing inbound traffic from the internet on port 22 — these are the configuration gaps that attackers systematically probe. Microsoft Defender for Cloud is the Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) built into Azure that continuously assesses these configurations and gives you a prioritised remediation roadmap.
This guide explains how Defender for Cloud’s CSPM recommendations work, what the Defender plans protect at the workload level, how the regulatory compliance dashboard maps to GDPR and ISO 27001, and how Berlin businesses can use it to maintain a hardened Azure environment without a dedicated cloud security team.
What Is Microsoft Defender for Cloud?
Microsoft Defender for Cloud is Microsoft’s integrated cloud security management service. It has two distinct capability sets:
- CSPM (Cloud Security Posture Management): continuous assessment of your Azure resource configurations against security best practices, with scored recommendations and one-click remediation where available. The foundational CSPM tier (CSPM Free) is included with every Azure subscription at no cost
- CWPP (Cloud Workload Protection Platform): runtime threat detection for specific workload types. Individual Defender plans cover VMs (Defender for Servers), databases (Defender for SQL, Defender for Open-Source RDBs), containers (Defender for Containers), storage accounts (Defender for Storage), Key Vault (Defender for Key Vault), and App Service (Defender for App Service). Each plan is priced and enabled independently
The Secure Score: Your CSPM Dashboard
The centrepiece of Defender for Cloud’s CSPM capability is the Secure Score — a percentage that represents how much of the Azure Security Benchmark your environment satisfies. Each recommendation in Defender for Cloud contributes a number of points. Remediating recommendations increases your score; new resources with misconfigurations reduce it.
Recommendations are grouped into security controls, each with a maximum point value:
| Security Control | Example Recommendations | Max Points |
|---|---|---|
| Enable MFA | MFA should be enabled for all subscription owners | 10 |
| Restrict unauthorised network access | Management ports should be closed on VMs; internet-facing VMs should have NSG protection | 8 |
| Enable endpoint protection | Endpoint protection should be installed on machines | 2 |
| Enable encryption at rest | Disk encryption should be applied to VMs; SQL databases should have TDE enabled | 4 |
| Manage access and permissions | Subscriptions should have more than one owner; deprecated accounts should be removed | 6 |
| Apply system updates | Machines should have vulnerability findings resolved | 6 |
The Defender for Cloud recommendations engine integrates directly with Microsoft Secure Score in the Microsoft 365 Defender portal: Azure infrastructure recommendations from Defender for Cloud and Microsoft 365 identity/endpoint recommendations from the M365 Secure Score feed into a combined security posture view.
Recommendations: Continuous Assessment and Remediation
Defender for Cloud continuously scans all resources in your subscription and generates recommendations for every configuration gap. Each recommendation includes:
- Severity: High, Medium, or Low — based on exploitability and potential impact
- Affected resources: the specific VMs, databases, storage accounts, or other resources with the misconfiguration
- Remediation steps: step-by-step instructions for manual remediation in the Azure portal
- Quick Fix: for many recommendations, a single click applies the remediation to all affected resources simultaneously — no manual per-resource action required
- Exemptions: for accepted risks or workloads where the recommendation is not applicable, exemptions suppress the recommendation from the score without hiding it from audit logs
High-priority recommendations for Berlin small businesses to address first:
- Ensure MFA is enforced on all Azure subscription owners (directly addresses account takeover risk)
- Close management ports (SSH port 22, RDP port 3389) on internet-facing VMs via Network Security Group rules
- Enable Just-in-Time VM access (replaces always-on management port exposure with time-limited, approved access)
- Enable Azure Defender for Key Vault on any vault storing production secrets
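As an added illustration of the "close management ports" check (example code, not Microsoft's or this guide's own), the script below takes an NSG rule list in the field layout of an exported rule list, applies Azure's first-match-by-priority evaluation, and reports which management ports an internet-wide Allow rule leaves reachable. The sample rules are constructed for this example, and the protocol field is ignored for brevity.

```python
# Flag management ports (SSH 22, RDP 3389) that an NSG leaves open to the internet.
# Added illustration, not Microsoft's code. Field names follow an exported NSG rule
# list (name, priority, direction, access, sourceAddressPrefix[es], destinationPortRange[s]).
import json

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}  # prefixes covering any client

# Constructed sample: a web VM's NSG with one overly broad management rule.
SAMPLE_NSG_JSON = json.dumps([
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-mgmt-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22-23", "3389"]},
    {"name": "deny-all-in", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
])

def _port_matches(port, rule):
    """True if the rule's destination port range(s) ("*", "22" or "22-23") include port."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _covers_internet(rule):
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or "*"]
    return any(s.lower() in INTERNET_SOURCES for s in sources)

def exposed_management_ports(nsg_json):
    """Return {port: rule_name} for management ports reachable from any internet address.
    Azure evaluates inbound rules by ascending priority and the first match wins: a Deny
    ahead of an Allow closes the port, while a rule scoped to one source prefix (an office
    range, say) does nothing against a later internet-wide Allow, so such rules are skipped."""
    rules = sorted((r for r in json.loads(nsg_json) if r["direction"] == "Inbound"),
                   key=lambda r: r["priority"])
    findings = {}
    for port in MANAGEMENT_PORTS:
        for rule in rules:
            if _covers_internet(rule) and _port_matches(port, rule):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break  # first internet-wide rule matching the port decides
    return findings
```

Running `exposed_management_ports(SAMPLE_NSG_JSON)` reports both SSH and RDP exposed by `allow-mgmt-any`, even though the office-scoped SSH rule sits ahead of it.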
Defender Plans: Workload-Level Threat Detection
The paid Defender plans add runtime threat detection on top of the free CSPM recommendations. Each plan covers a specific Azure resource type:
| Defender Plan | Coverage | Key Detections |
|---|---|---|
| Defender for Servers P1 | Azure and on-premises VMs | File integrity monitoring, adaptive application controls, vulnerability assessment |
| Defender for Servers P2 | Azure and on-premises VMs | All P1 + EDR via Microsoft Defender for Endpoint integration |
| Defender for SQL | Azure SQL, SQL on VMs, SQL Managed Instance | SQL injection detection, anomalous access patterns, brute-force attempts |
| Defender for Storage | Azure Blob, File, Queue, Table | Malware scanning on upload, sensitive data discovery, anomalous access |
| Defender for Key Vault | Azure Key Vault | Access from anonymous IPs, high volume of operations, unusual geolocation |
| Defender for App Service | Azure App Service web apps | Dangling DNS, suspicious process execution, connection to C2 infrastructure |
For a Berlin small business running a WordPress site on an Azure App Service with an Azure SQL backend and secrets in Key Vault, the minimum viable Defender plan set is: Defender for App Service, Defender for SQL, and Defender for Key Vault — covering the three most likely attack vectors against that architecture.
Regulatory Compliance Dashboard
Defender for Cloud’s regulatory compliance dashboard maps your Azure resource configurations against the controls in specific regulatory frameworks, showing what percentage of each framework’s controls your environment satisfies:
- Azure Security Benchmark (Microsoft’s baseline — enabled by default)
- GDPR: Article-level control mapping to Azure configuration recommendations
- ISO 27001:2013: Annex A control mapping
- SOC 2 Type 2: Trust Service Criteria mapping
- BSI C5: German Federal Office for Information Security cloud criteria mapping
- NIS2: EU Network and Information Security Directive 2 control mapping
The GDPR and BSI C5 templates are particularly relevant for Berlin businesses. The BSI C5 framework was developed specifically for cloud services used by German organisations and is referenced in procurement requirements for public sector work and financial services.
Integration with Microsoft Sentinel
Defender for Cloud security alerts — generated by the paid Defender plans when runtime threats are detected — flow directly into Microsoft Sentinel via the Defender for Cloud data connector. This means a SQL injection attempt on an Azure SQL database generates an alert in Defender for Cloud, which appears as an incident in Sentinel, which can trigger a playbook to notify the security team and create a ServiceNow ticket — all automatically, within minutes of detection.
GDPR Compliance Posture
Defender for Cloud’s CSPM recommendations directly support GDPR Article 32 (security of processing): the obligation to implement appropriate technical measures for data protection. Each remediated Defender for Cloud recommendation — enabling encryption at rest, closing management ports, enforcing MFA on subscription owners, enabling audit logging — is a documented technical security measure that can be presented to supervisory authorities (such as the Berlin Commissioner for Data Protection and Freedom of Information) as evidence of Article 32 compliance.
The regulatory compliance dashboard generates exportable compliance reports suitable for inclusion in GDPR Article 30 records of processing activities or audit files maintained under ISO 27001 certification programmes.
Cost
The foundational CSPM tier (free Secure Score and recommendations) is included with every Azure subscription. Paid Defender plans are per-resource per-month:
- Defender for Servers P1: ~€3.00 per VM per month
- Defender for Servers P2: ~€14.60 per VM per month (includes MDE)
- Defender for SQL: ~€13.00 per SQL instance per month
- Defender for Storage: ~€10.00 per storage account per month
- Defender for Key Vault: ~€0.02 per 10,000 transactions
- Defender for App Service: ~€14.60 per App Service plan per month
For a small business running one App Service, one SQL database, and two Key Vaults, the full Defender plan set for those resources costs approximately €40–50/month — providing continuous threat detection across the entire application stack.
Deployment Steps for Berlin Small Businesses
- Azure portal → Microsoft Defender for Cloud → Overview → review current Secure Score and top recommendations
- Environment settings → select your subscription → enable the Defender plans relevant to your deployed resources (App Service, SQL, Key Vault as a minimum)
- Recommendations → filter by Severity: High → work through all High-severity recommendations using Quick Fix where available
- Regulatory compliance → Add standard → add GDPR and BSI C5 → review control coverage and remediate failing controls
- Workload protections → enable Just-in-Time VM access for any VMs with management ports — this alone eliminates a significant proportion of brute-force attempts against Azure VMs
- Defender for Cloud → Security alerts → connect to Sentinel (Defender for Cloud data connector) for SIEM-level alert management
Defender for Cloud provides the Azure infrastructure security assessment layer that complements Microsoft 365-focused tools like Microsoft Secure Score and identity-focused tools like Zero Trust enforcement. Together they cover every layer of a Berlin small business’s Microsoft cloud footprint: identity, endpoints, cloud applications, and Azure infrastructure.
