Microsoft is rounding out the cloud security posture management (CSPM) capability it recently added to Microsoft Defender for Cloud with support for Google Cloud Platform (GCP). For some in the industry, Microsoft’s move feels overdue.
While new to Microsoft Defender for Cloud, CSPM has become integral to cloud-native application protection platforms (CNAPPs). CSPM provides automated monitoring that offers near real-time visibility into hybrid and multicloud infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments, to ensure their configurations map to the organization’s risk and compliance requirements.
Defender CSPM, which applies agentless scanning and contextual attack path analysis of hybrid cloud environments, including AWS and Azure, will include GCP starting Aug. 15, Microsoft said on Wednesday.
The updated release will give Microsoft Defender for Cloud administrators views of misconfigurations and other risks to their entire AWS, Azure, and GCP environments and their on-premises compute resources. Microsoft introduced CSPM as a Defender for Cloud feature, with AWS support, in 2021 and released the first iteration in April.
Microsoft is entering a crowded field of security vendors that offer multicloud CSPM capabilities, including Check Point, Cisco, CrowdStrike, IBM, Orca, Palo Alto Networks, Qualys, Skyhawk, Sysdig, Trellix, Trend Micro, VMware, Wiz, and Zscaler. Despite operating one of the three largest public clouds, Microsoft is touting its multicloud approach to CSPM.
But Mike DeNapoli, director and cybersecurity architect at Cymulate, questions why a GCP shop would turn to Microsoft for cloud security.
“Whether you decide to use it only for Azure or use it for all of your cloud infrastructure as they support additional cloud platforms, it’s still just CSPM,” he says. “And alone it’s still not giving you the full picture of resiliency.”
Normalizing Risk From Multiple Clouds
Microsoft acknowledges that 90% of enterprises now have multicloud environments, citing a survey from IT tools management provider Flexera. Because each cloud has unique architectures, there isn’t a common approach to monitoring workloads across environments, says Enterprise Strategy Group senior analyst Melinda Marks.
“A key part of CSPM capabilities is to collect the data from the CSPs, normalize, and then compare it,” Marks says, adding that organizations have relied on third-party security providers in multicloud environments. “Microsoft Defender is from Microsoft, but they have designed it to support multiple cloud environments, and this could help their customers not be as dependent in needing a CSPM from a security vendor. So for CSPM providers, Microsoft Defender could be seen as a competitor.”
Chen Burshan, CEO of Skyhawk Security, says, “I think that the platforms should have this functionality since they have the infrastructure.” He doesn’t see the new move from Microsoft as competitive because CSPM is now simply expected.
Skyhawk, a security company spun out of Radware last year, detects exploitations as they occur in near real time, and CSPM is a component of that, Burshan says. “We give our CSPM for free,” he says. “We think it’s a commodity today.”
Cymulate’s DeNapoli anticipated Microsoft’s move into CSPM. “It’s encouraging to see that they are doing it,” he says. Cymulate expanded its Exposure Management and Security Platform for AWS, Azure, and GCP on Tuesday.
Microsoft Cloud Security Graph
Vasu Jakkal, Microsoft’s corporate VP for security, compliance, identity, and management, stated in a blog post announcing the forthcoming GCP support that “Defender CSPM provides advanced posture management capabilities with full visibility across cloud and hybrid resources from agentless scanning, integrated contextual insights from code, identities, data, internet exposure, compliance, attack path analysis, and more, to prioritize your most critical risks.”
Defender CSPM uses Microsoft’s cloud security graph to provide attack path analyses, she added, allowing security professionals to prioritize potential risks. Raviv Tamir, Microsoft’s chief of security product strategy, says Microsoft has populated the graph database across all three clouds.
“Essentially, it’s a really nice graph database that understands relationships that enables you to ask risk-related questions,” Tamir says. “If I am looking at one asset, I can ask what it means to the other assets that I have.”
Tamir explains that the first layer provides a way for administrators to query the graph through Microsoft’s interface or via APIs. “So you can formulate any kind of query that you want to understand the relationship between the different assets that you have,” he says.
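For Azure users, the API route Tamir describes surfaces in Azure Resource Graph as the `securityresources` table. The query below is an added example, not from the article or from Microsoft’s documentation: it lists Defender CSPM attack paths across subscriptions so the highest-risk ones can be triaged first. The table and resource type are real; the `properties` field names are assumptions to check against the current Defender for Cloud schema.

```kusto
// Added example (not from the article or Microsoft docs).
// List Defender CSPM attack paths from Azure Resource Graph, grouped by risk level.
// Property names under `properties` are assumptions; confirm against the live schema.
securityresources
| where type =~ "microsoft.security/attackpaths"
| extend pathName  = tostring(properties.displayName),
         riskLevel = tostring(properties.riskLevel),
         target    = tostring(properties.target.id)
| project subscriptionId, riskLevel, pathName, target
| order by riskLevel asc, pathName asc
```

Run it from the Resource Graph Explorer blade or with `az graph query -q "<query>"` after installing the `resource-graph` CLI extension.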
Microsoft is enhancing the graph database to accept data from its new Microsoft Vulnerability Management (MVM) offering, enabling CSPM to mark external assets, he adds. “If you have assets that are externally facing the Internet, then that data also is accrued to the graph,” Tamir says. “Things that come in from the other defenders also get through to the graph.”
Besides scanning compute instances, Microsoft has expanded Defender CSPM’s data discovery capabilities with GCP Cloud Storage. Jakkal’s blog noted that this will enable security administrators to identify over 100 types of sensitive information via the cloud security graph to analyze attack paths.
Microsoft is adding multicloud policy monitoring for free via its Microsoft cloud security benchmark (MCSB). Microsoft describes MCSB as a cloud-based control framework mapped to compliance standards, such as CIS, PCI, and NIST. MCSB support is generally available in AWS and Azure and in preview in GCP via the regulatory compliance dashboard in Microsoft Defender for Cloud.
Last month, Microsoft announced that it would expand free access to cloud logs using Microsoft Purview Audit, in response to complaints that its fee structure for logging hindered organizations’ investigations into an ongoing attack from a Chinese APT group. According to Microsoft, Purview Audit records and retains thousands of user and administrator operations across various Microsoft 365 offerings.