メインコンテンツへスキップ

Plan a Lifecycle Strategy

Implementation Effort: Medium — Planning a lifecycle strategy involves aligning security operations with resource provisioning, monitoring, and decommissioning processes across multiple teams.

User Impact: Low — Lifecycle strategies are implemented by security and platform teams and do not require direct user interaction.

Overview

A lifecycle strategy in Microsoft Defender for Cloud ensures that security protections for services like App Service, Key Vault, and Resource Manager are consistently applied from deployment through retirement. This approach helps maintain a strong security posture, reduce misconfigurations, and support compliance goals.

Key Lifecycle Phases

1. Provisioning

  • App Service: Ensure Defender for App Service is enabled during deployment. Use templates or policies to enforce HTTPS, authentication, and diagnostic logging 1 2.
  • Key Vault: Enable Defender for Key Vault and configure RBAC, private endpoints, and logging at creation 3.
  • Resource Manager: Apply policies to enforce secure configurations and enable Defender for Resource Manager at the subscription level.

2. Monitoring & Maintenance

  • Continuously monitor alerts and recommendations from Defender for Cloud.
  • Use Cloud Security Explorer and Attack Path Analysis to identify evolving risks.
  • Automate remediation using Logic Apps or workflow automation.

3. Decommissioning

  • Revoke access and remove secrets from Key Vaults before deletion.
  • Disable App Services and remove public endpoints.
  • Audit and clean up role assignments and custom policies in Resource Manager.

Benefits

  • Reduces risk of misconfiguration and drift.
  • Ensures consistent application of Zero Trust principles across the resource lifecycle.
  • Supports compliance with internal and external security standards.

This strategy aligns with all three Zero Trust principles:

  • Verify Explicitly: Enforce secure defaults at provisioning.
  • Use Least Privilege Access: Apply RBAC and access reviews.
  • Assume Breach: Monitor continuously and automate response.

Reference