Cloud security posture management in Azure: what is it, why do you need it and how do you get started?
Cloud security posture management (CSPM) is no longer just an add-on tool; it plays a vital role in cloud adoption. It lets us continuously monitor and secure the environment, which helps us stay one step ahead of attackers. In this article we look at what a cloud security posture management service in Azure provides.
Tomas Nejtek

The IT world (and beyond) is increasingly turning to the cloud, which brings a lot of changes in thinking, technology and processes. Over the last two years (and especially the last few months) this change has been accelerated further by AI. AI can convince even companies that would otherwise not go to the cloud that it makes sense to build their projects there.
Naturally, this raises questions about cloud, AI, endpoint and network security, and calls for a much greater focus on identity protection, which did not need to be addressed so much in the past. In short, we need insight into the whole environment in order to keep it secure.
With this come tools that automatically identify resources, assess their configuration and security status, and recommend and remediate findings.
What is cloud security posture management
Cloud security posture management (CSPM) is a technology that automatically scans the entire IT environment, evaluates its security status, looks for misconfigurations and suggests corrective measures.
Organisations use CSPM to meet various regulatory requirements (ISO 27001, DORA, NIS2). It examines what is actually running, where and how, helping to secure the environment and to detect potential loopholes before any real damage is done.
How do the different parts of the CSPM solution work?
- Discovery/Inventory
  The basis of CSPM is continuous, automatic scanning, identification and tracking of the assets in the environment. Nothing needs to be configured up front: everything is scanned and placed into the inventory, whether it is a storage account, a virtual machine or a network component. This significantly improves insight into the whole environment, without the need to manually maintain a list of what to watch, when, how and why.
- Configuration
  This is the comparison of each resource's settings with best practices and individual benchmarks, in order to detect misconfigurations, vulnerable settings or risky properties of the resources. Common findings include:
  - open access from the Internet,
  - use of shared keys or weak ciphers,
  - missing logging and monitoring settings,
  - vulnerable libraries and applications installed on VMs or used in containers.
- Recommendations
  Based on the identified findings, CSPM advises whether a deficiency can be addressed by reconfiguration or needs a larger intervention, and suggests a specific course of action or an automated fix right away. The responsible people therefore do not have to track down the details of the finding or work out how to fix it.
- Remediation
  One option is manual configuration adjustment, which, however, depends on whether and when the administrator gets to it. The more advanced option is automatic repair (often one click or fully automated), where the misconfiguration can be corrected before anyone even learns it existed.
- Compliance
  When managing an IT environment, we need to know which part of it is unsecured, which types of resources are involved and how, for example, that security evolves over time. That is what compliance reporting is for. This part can also check the environment against defined benchmarks (such as the CIS benchmarks) or evaluate how the environment performs against the strict requirements of NIS2, ISO 27001, PCI DSS and so on.

Why address cloud security posture management at all?
The cloud environment is and always will be different from on-premise. It is not just the technical side; more importantly, it requires a different mindset: how IT works, where it is heading and how to adapt to it.
While on-premise, exposing a site or application is a process that requires deliberate administrator intervention, in the cloud the direction is reversed: by default, much of what you create is reachable from the Internet as soon as it exists.
It is therefore assumed that someone must explicitly disable access from the Internet. Sooner or later this leads to a situation where nobody knows which resources are publicly reachable. So resource creation needs to be approached differently.
Infrastructure as code (IaC) helps a great deal here, because it is easier to review how resources are generated. The second help is a CSPM solution, which immediately blocks or reports the creation of a vulnerable resource.
When CSPM is missing
Let's illustrate this with a simple example from one of our customers:
„In our Azure environment we have an application for automatic invoice processing that uses a storage account as one of its components. This is not configured securely, however: it allows access from the Internet and, in addition, it also allows SAS key authentication.
If there is a data leak from one of the administrators who had the key stored, an attacker can use the key. And since the storage account is publicly available, it is reachable to him and he will download the data.
In this case, the attacker has already ... without anyone knowing."
The problem has two main levels. The first is that it was possible to create such an insecure storage account at all. The second is the lack of monitoring and logging, or rather the lack of access analysis, which means that nobody may ever learn about the abuse.
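As an added example (not from the article or the customer), here is what the missing access analysis on the second level could look like: a detection rule run over storage access records. The log lines are constructed for the example and shaped like Azure's StorageBlobLogs diagnostic table (the field names and the AuthenticationType values OAuth, AccountKey, SAS and Anonymous are used as we know them from that table; CallerIpAddress is assumed to carry an ip:port pair), and the allowlisted networks are made up. The rule flags successful data-plane calls that used a shared key, SAS or anonymous access from outside the expected networks, which is exactly the story above: a leaked key used from an address nobody recognises.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the shape of Azure's StorageBlobLogs table.
# Field names and AuthenticationType values follow that table as we know it;
# CallerIpAddress is assumed to carry "ip:port".
LOGS = [
    {"TimeGenerated": "2024-05-02T08:01:12Z", "AccountName": "stinvoices01", "OperationName": "PutBlob",
     "AuthenticationType": "OAuth", "CallerIpAddress": "10.20.1.4:49152", "StatusCode": 201,
     "Uri": "https://stinvoices01.blob.core.windows.net/invoices/inv-1001.pdf"},
    {"TimeGenerated": "2024-05-02T08:05:40Z", "AccountName": "stinvoices01", "OperationName": "GetBlob",
     "AuthenticationType": "AccountKey", "CallerIpAddress": "198.51.100.7:50112", "StatusCode": 200,
     "Uri": "https://stinvoices01.blob.core.windows.net/invoices/inv-1001.pdf"},
    {"TimeGenerated": "2024-05-02T23:14:03Z", "AccountName": "stinvoices01", "OperationName": "ListBlobs",
     "AuthenticationType": "AccountKey", "CallerIpAddress": "203.0.113.45:44321", "StatusCode": 200,
     "Uri": "https://stinvoices01.blob.core.windows.net/invoices?restype=container&comp=list"},
    {"TimeGenerated": "2024-05-02T23:14:09Z", "AccountName": "stinvoices01", "OperationName": "GetBlob",
     "AuthenticationType": "AccountKey", "CallerIpAddress": "203.0.113.45:44321", "StatusCode": 200,
     "Uri": "https://stinvoices01.blob.core.windows.net/invoices/inv-1001.pdf"},
    {"TimeGenerated": "2024-05-02T23:14:10Z", "AccountName": "stinvoices01", "OperationName": "GetBlob",
     "AuthenticationType": "AccountKey", "CallerIpAddress": "203.0.113.45:44321", "StatusCode": 200,
     "Uri": "https://stinvoices01.blob.core.windows.net/invoices/inv-1002.pdf"},
    {"TimeGenerated": "2024-05-02T23:16:51Z", "AccountName": "stinvoices01", "OperationName": "GetBlob",
     "AuthenticationType": "SAS", "CallerIpAddress": "203.0.113.45:44398", "StatusCode": 200,
     "Uri": "https://stinvoices01.blob.core.windows.net/invoices/inv-1003.pdf"},
    {"TimeGenerated": "2024-05-02T23:17:02Z", "AccountName": "stinvoices01", "OperationName": "GetBlob",
     "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.45:44401", "StatusCode": 403,
     "Uri": "https://stinvoices01.blob.core.windows.net/invoices/inv-1004.pdf"},
]

# Where key-based access is expected from: the application's subnet and the
# corporate egress range (both constructed for this example).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("198.51.100.0/24")]

# Credential types not tied to a named identity: the legitimate holder and a
# thief of the same secret look identical in the log, so origin is all we have.
SECRET_BASED = {"AccountKey", "SAS", "Anonymous"}


def caller_ip(record):
    """Strip the port from CallerIpAddress ("1.2.3.4:5678" or "[2001:db8::1]:443")."""
    raw = record["CallerIpAddress"]
    if raw.startswith("["):
        raw = raw[1:raw.index("]")]
    elif raw.count(":") == 1:
        raw = raw.split(":")[0]
    return ipaddress.ip_address(raw)


def detect(logs, allowed=ALLOWED_NETWORKS):
    """Successful data-plane calls with a secret-based credential from outside the allowlist."""
    findings = []
    for r in logs:
        if r["AuthenticationType"] not in SECRET_BASED:
            continue                      # Entra ID (OAuth) callers map to a known principal
        if not 200 <= r["StatusCode"] < 300:
            continue                      # failed attempts belong in a separate, lower-severity rule
        ip = caller_ip(r)
        if any(ip in net for net in allowed):
            continue
        findings.append({"time": r["TimeGenerated"], "ip": str(ip), "auth": r["AuthenticationType"],
                         "op": r["OperationName"], "uri": r["Uri"]})
    return findings


def summarize(findings):
    """Group findings per caller IP so one alert describes the whole download session."""
    by_ip = defaultdict(lambda: {"calls": 0, "auth": set(), "ops": set(), "first": None, "last": None})
    for f in findings:
        s = by_ip[f["ip"]]
        s["calls"] += 1
        s["auth"].add(f["auth"])
        s["ops"].add(f["op"])
        s["first"] = f["time"] if s["first"] is None else min(s["first"], f["time"])
        s["last"] = f["time"] if s["last"] is None else max(s["last"], f["time"])
    return dict(by_ip)


if __name__ == "__main__":
    for ip, s in summarize(detect(LOGS)).items():
        print(f"{ip}: {s['calls']} calls using {sorted(s['auth'])} ({sorted(s['ops'])}) "
              f"between {s['first']} and {s['last']}")
```

The administrator's own AccountKey download from the corporate range is deliberately not flagged; the rule is about origin, not about key use as such. In a real Log Analytics workspace the same logic would be a query over the StorageBlobLogs table, which only exists if diagnostic settings for the storage account were switched on beforehand; that is precisely the gap the second level describes.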
Cloud security posture management from Azure
Microsoft, as part of its Azure cloud, offers a basic free CSPM (Foundational CSPM in Microsoft Defender for Cloud) and a paid version with advanced features (the Defender CSPM plan).
In the basic version we get an inventory of our resources in Azure or in a connected environment (AWS, GCP, partially on-premise), along with findings and recommendations for mitigating them. The resulting secure score gives us an idea of the state of our environment.
The basic version is based on the Microsoft Cloud Security Benchmark, while the paid version adds the option to assess against other standards (DORA, PCI DSS, etc.). This gives us an overview of our environment, how it is set up and how it is secured.
Closely tied to CSPM in Azure is Azure Policy. It not only audits whether the environment meets the defined conditions, but can also block (deny) the creation of inappropriate or misconfigured resources. Remediation then allows some resources to be automatically reconfigured or modified.
Built-in policies exist for most common resource types and the set keeps growing. Although each company is unique, the Microsoft Cloud Security Benchmark policy initiative is a good starting point, as it covers most resource types in use today.
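To make the configuration and compliance steps of the CSPM components above and the Azure Policy audit-versus-deny distinction concrete, here is an added example: our own toy code, not Defender for Cloud and not the Azure Policy engine. The resource records are a constructed inventory, the rules are written in the shape of an Azure Policy definition's policyRule (if/then, field, allOf, equals/notEquals) using Azure Policy's alias naming for storage properties, and the alias-to-property mapping and the compliance percentage are our simplifications. The caveat it encodes is one practitioners trip over: a property missing from a resource is evaluated as non-compliant, because Azure's default for allowSharedKeyAccess is "allowed".

```python
# Constructed inventory of trimmed ARM-style resource records (not a real subscription).
INVENTORY = [
    {"name": "stinvoices01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"publicNetworkAccess": "Enabled", "allowSharedKeyAccess": True,
                    "allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_0"}},
    {"name": "stinvoices02", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"publicNetworkAccess": "Disabled", "allowSharedKeyAccess": False,
                    "allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"}},
    # Older account whose template never set the properties: Azure applies its
    # defaults (shared key allowed, TLS 1.0 accepted), so "absent" must count as a finding.
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"name": "vm-invoice-app", "type": "Microsoft.Compute/virtualMachines",
     "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
]

# Rules in the shape of an Azure Policy definition's policyRule. The field names
# follow Azure Policy's "<type>/<property>" alias style; the evaluator below is ours.
POLICIES = [
    {"name": "deny-storage-shared-key",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess", "notEquals": False}]},
         "then": {"effect": "deny"}}},
    {"name": "deny-storage-public-network",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled"}]},
         "then": {"effect": "deny"}}},
    {"name": "audit-storage-min-tls",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"}]},
         "then": {"effect": "audit"}}},
]


def field_value(resource, field):
    """Resolve a policy field: top-level keys directly, aliases to properties.<name>."""
    if "/" not in field:
        return resource.get(field)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[1])


def matches(cond, resource):
    """Recursively evaluate an 'if' condition against one resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]   # absent property (None) is "not equal": non-compliant
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(inventory, policies):
    """CSPM-style assessment: every (resource, policy) pair whose 'if' matches is a finding."""
    return [{"resource": r["name"], "policy": p["name"], "effect": p["policyRule"]["then"]["effect"]}
            for r in inventory for p in policies if matches(p["policyRule"]["if"], r)]


def denied_by(resource, policies):
    """Names of 'deny' policies that would block this resource at creation time."""
    return [p["name"] for p in policies
            if p["policyRule"]["then"]["effect"] == "deny" and matches(p["policyRule"]["if"], resource)]


def compliance_percent(inventory, policies):
    """Share of resources with no findings: a simplified stand-in for a secure score."""
    flagged = {f["resource"] for f in evaluate(inventory, policies)}
    return round(100 * (len(inventory) - len(flagged)) / len(inventory), 1)


if __name__ == "__main__":
    for f in evaluate(INVENTORY, POLICIES):
        print(f"{f['effect']:5} {f['resource']:15} {f['policy']}")
    print("compliance:", compliance_percent(INVENTORY, POLICIES), "%")
```

The same rule serves two purposes: run over the existing inventory it produces findings and a compliance figure (the posture view), while run against a single resource at creation time with the deny effect it is the guardrail that would have stopped the invoice storage account from ever being created that way. The audit effect only reports; that is the right choice while you are still discovering which exceptions the environment needs.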
CSPM features in Azure
- Agentless scanning
  Applies to both VMs and containers. CSPM continuously scans for vulnerabilities and misconfigurations without the need to install an agent or otherwise intervene inside the OS or container.
- Attack paths
  Visualizes the paths an attacker could take to get in and how much impact a vulnerability can have. Instead of the bare "we have a vulnerable VM", this adds the full path of what the vulnerability enables: where that VM can connect to and which other resources may be at risk.
- EASM (external attack surface management)
  Applies not only to the cloud environment but to all publicly reachable assets the service discovers from the seeds we specify (certificates, domains, IP addresses and more). For these it tells us that something has expired, that weak encryption is used somewhere, or that an insecure service is running.
- DevOps
  Focuses on the increasingly popular IaC. CSPM scans the code for misconfigurations, secrets embedded in the code, vulnerable components or, for example, deployments of resources that violate the organization's rules. This helps us prevent vulnerable resources from being created in the first place.
- Regulatory compliance
  Specific benchmarks and policies help us maintain an environment that complies with NIS2, ISO 27001 and so on. They show where we are compliant, where we are not, and what we could do to improve.
- AI security posture management
  AI has earned its own security posture management: a place where we see the AI assets that have been created, their security, configuration recommendations, and vulnerabilities found in libraries commonly used in AI (LangChain, PyTorch). All of this is complemented by Defender for AI.
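As an added example of the DevOps/IaC scanning described in the list above (our own code, not Defender for DevOps or any real scanner), the following checks a constructed Bicep template for the storage misconfigurations from the customer story and for a hard-coded storage account key. The template, the resource names and the dummy key (86 "A" characters plus "==", which only mimics the length of a real storage key) are all made up; the parser is a deliberately simple line-based one, so it is the checks, not the parsing, that carry the lesson.

```python
import re

# Constructed Bicep template for the invoice application (names and the dummy
# key are made up; the key has the length/shape of a real storage account key).
BICEP = """\
resource invoices 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stinvoices01'
  location: 'westeurope'
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Enabled'
    allowSharedKeyAccess: true
    minimumTlsVersion: 'TLS1_0'
  }
}

resource archive 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stinvoices02'
  location: 'westeurope'
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled'
    allowSharedKeyAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-invoices'
  location: 'westeurope'
  properties: {
    siteConfig: {
      appSettings: [
        {
          name: 'STORAGE_CONN'
          value: 'DefaultEndpointsProtocol=https;AccountName=stinvoices01;AccountKey=%s;EndpointSuffix=core.windows.net'
        }
      ]
    }
  }
}
""" % ("A" * 86 + "==")

RESOURCE_RE = re.compile(r"^resource\s+(\w+)\s+'([^'@]+)@[^']+'\s*=\s*\{")
PROP_RE = re.compile(r"^\s*(\w+):\s*(.+?)\s*$")

# (property, secure value, message). A property omitted from the template takes
# Azure's default, which for these three is the weaker setting, so "absent" is flagged too.
STORAGE_RULES = [
    ("publicNetworkAccess", "Disabled", "storage account reachable from the Internet"),
    ("allowSharedKeyAccess", False, "shared key (account key / SAS) authentication allowed"),
    ("minimumTlsVersion", "TLS1_2", "TLS below 1.2 accepted"),
]
SECRET_PATTERNS = [
    ("storage-account-key", re.compile(r"AccountKey=[A-Za-z0-9+/]{86}==")),
    ("sas-token", re.compile(r"[?&;]sig=[A-Za-z0-9%+/=]{20,}")),
]


def parse_value(raw):
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        return raw[1:-1]
    return raw


def parse_resources(text):
    """Line-based parse: one dict per top-level resource with its key/value lines.
    Braces inside string literals are not handled and keys are flattened regardless
    of nesting (enough for property checks, not a real Bicep parser)."""
    lines = text.splitlines()
    resources, i = [], 0
    while i < len(lines):
        m = RESOURCE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        res = {"symbol": m.group(1), "type": m.group(2), "line": i + 1, "props": {}}
        depth = 0
        while i < len(lines):
            depth += lines[i].count("{") - lines[i].count("}")
            pm = PROP_RE.match(lines[i])
            if pm and i + 1 != res["line"]:
                res["props"][pm.group(1)] = (parse_value(pm.group(2)), i + 1)
            i += 1
            if depth == 0:
                break
        resources.append(res)
    return resources


def scan(text):
    """Return findings {line, resource, rule, message} sorted by line."""
    findings = []
    for res in parse_resources(text):
        if res["type"] != "Microsoft.Storage/storageAccounts":
            continue
        for prop, secure, message in STORAGE_RULES:
            value, line = res["props"].get(prop, (None, res["line"]))
            if value != secure:
                findings.append({"line": line, "resource": res["symbol"], "rule": prop, "message": message})
    for n, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append({"line": n, "resource": None, "rule": rule,
                                 "message": "hard-coded secret in template"})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in scan(BICEP):
        print(f"line {f['line']:>3} [{f['rule']}] {f['resource'] or '-'}: {f['message']}")
```

Run as a pre-commit hook or pipeline step, a check like this fails the build before the template reaches a subscription, which is the whole point of "security already in IaC": the Azure Policy deny effect is the last line of defence, the scanner is the first. Note the secret finding is reported with a line number but never echoed back, so the key does not end up in the CI log as well.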
Microsoft also offers the Defender for Cloud workload protection plans for specific types of resources (Defender for AI, Defender for Databases, ...). With their help we can cover the entire cloud estate and get an even higher level of protection.

Why cloud security posture management from Tenable
In addition to Microsoft's solution there are of course alternatives in the form of third-party products. One of them is Tenable, with its cloud security suite that includes CSPM.
Tenable's CSPM is not just about scanning and recommending what to fix and how. It brings a number of other interesting features in the areas of identity and permissions, data security, AI, and integration into DevSecOps, which is a hot topic these days. Also of interest are its automatic policies and remediation options, including the ability to apply changes and resolve vulnerabilities directly from the Tenable portal.
There can be several motivations for using a solution other than Microsoft's. For some customers it is important that the IT environment running on Microsoft is analysed and protected by another, independent vendor.
For others the reason may be better licensing terms or a more interesting mix of functions in a given plan. This applies to Tenable One customers, who may be able to include part of cloud security within their existing licence; some of them may not even know they are entitled to use cloud protection.
For yet another customer, the added value may be that they already use Tenable, so they don't need to integrate another product; they simply extend the portfolio of services they protect with Tenable. It cannot generally be said which solution is better. It always depends on the customer, the environment and the specific requirements. It is definitely worth looking at the alternatives when choosing a CSPM, though.

Practical tips for implementing cloud security posture management in Azure
What should we look out for, what should we avoid, and what is easily overlooked but still worth doing?
- Don't rely on CSPM, and only CSPM
  Think of it as a versatile and very capable helper. But we still have to reckon with the fact that sometimes we need to add exceptions, set individual remediations or adjust what it scans and how.
- Don't use different products for different clouds
  It may seem like a good idea at first, but over time it becomes a nightmare: more consoles means more reports and different behaviours. So, if we can get away with it, one product for all clouds will save us a lot of trouble.
- Security already in IaC
  Don't address security only on the basis of recommendations once the environment is already running. Think about it from the beginning, during the design and implementation phase.
- Start small
  It is not wise to embark headlong on a full-scale CSPM rollout. It is often better to start on a small scale, where settings and behaviours can be fine-tuned.
- Owners of individual areas
  Determine who will be responsible for the findings and exceptions in a particular environment. Also determine who will look after the CSPM tool itself: who will develop it, maintain it and adapt the processes around it so that it stays useful.
- Don't underestimate education and training
  Like any new system, CSPM needs to be touched and learned beforehand. There is nothing worse than a deployed system that nobody looks at and nobody knows how to use.
Ensuring security in the cloud is a continuous, never-ending process. It is important not to rely only on the cloud provider, which takes care of only certain parts of the environment. To avoid risking financial or reputational damage, it is wiser to enlist someone with experience in operating and securing IT environments. Our experts are backed by certifications, continuing education and hundreds of projects across Europe. So if you are considering whether to deploy cloud security posture management in Azure, contact us; we are happy to help.