cloud security posture management
Protecting Your Azure Key Vault: Why Azure RBAC Is Critical for Security

Introduction
In today’s cloud-centric landscape, misconfigured access controls remain one of the most critical weaknesses in the cyber kill chain. When access policies are overly permissive, they create opportunities for adversaries to gain unauthorized access to sensitive secrets, keys, and certificates. These credentials can be leveraged for lateral movement, privilege escalation, and establishing persistent footholds across cloud environments. A compromised Azure Key Vault doesn’t just expose isolated assets; it can act as a pivot point to breach broader Azure resources, potentially leading to widespread security incidents, data exfiltration, and regulatory compliance failures. Without granular permissioning and centralized access governance, organizations face elevated risks of supply chain compromise, ransomware propagation, and significant operational disruption.

The Role of Azure Key Vault in Security
Azure Key Vault plays a crucial role in securely storing and managing sensitive information, making it a prime target for attackers. Effective access control is essential to prevent unauthorized access, maintain compliance, and ensure operational efficiency. Historically, Azure Key Vault used Access Policies for managing permissions. However, Azure Role-Based Access Control (RBAC) has emerged as the recommended and more secure approach. RBAC provides granular permissions, centralized management, and improved security, significantly reducing risks associated with misconfigurations and privilege misuse. In this blog, we’ll highlight the security risks of a misconfigured key vault, explain why RBAC is superior to legacy Access Policies, provide RBAC best practices, and show how to migrate from access policies to RBAC.

Security Risks of Misconfigured Azure Key Vault Access
Overexposed Key Vaults create significant security vulnerabilities, including:
- Unauthorized access to API tokens, database credentials, and encryption keys.
- Compromise of dependent Azure services such as Virtual Machines, App Services, Storage Accounts, and Azure SQL databases.
- Privilege escalation via managed identity tokens, enabling further attacks within your environment.
- Indirect permission inheritance through Azure AD (AAD) group memberships, making it harder to track and control access.
- Nested AAD group access, which increases the risk of unintended privilege propagation and complicates auditing and governance.

Consider this real-world example of the risks posed by overly permissive access policies: a global fintech company suffered a severe breach due to an overly permissive Key Vault configuration, including public network access and excessive permissions via legacy access policies. Attackers accessed sensitive Azure SQL databases, achieved lateral movement across resources, and escalated privileges using embedded tokens. The critical lesson: protect Key Vaults using strict RBAC permissions, network restrictions, and continuous security monitoring.

Why Azure RBAC is Superior to Legacy Access Policies
Azure RBAC enables centralized, scalable, and auditable access management. It integrates with Microsoft Entra, supports hierarchical role assignments, and works seamlessly with advanced security controls like Conditional Access and Defender for Cloud. Access Policies, on the other hand, were designed for simpler, resource-specific use cases and lack the flexibility and control required for modern cloud environments. For a deeper comparison, see Azure RBAC vs. access policies.

Best Practices for Implementing Azure RBAC with Azure Key Vault
To effectively secure your Key Vault, follow these RBAC best practices:
- Use Managed Identities: Eliminate secrets by authenticating applications through Microsoft Entra.
- Enforce Least Privilege: Precisely control permissions, granting each user or application only the minimal required access.
- Centralize and Scale Role Management: Assign roles at subscription or resource group levels to reduce complexity and improve manageability.
- Leverage Privileged Identity Management (PIM): Implement just-in-time, temporary access for high-privilege roles.
- Regularly Audit Permissions: Periodically review and prune RBAC role assignments. Detailed Microsoft Entra logging enhances auditability and simplifies compliance reporting.
- Integrate Security Controls: Strengthen RBAC by integrating with Microsoft Entra Conditional Access, Defender for Cloud, and Azure Policy.
For more on the Azure RBAC features specific to AKV, see the Azure Key Vault RBAC Guide. For a comprehensive security checklist, see Secure your Azure Key Vault.

Migrating from Access Policies to RBAC
To transition your Key Vault from legacy access policies to RBAC, follow these steps:
1. Prepare: Confirm you have the necessary administrative permissions and gather an inventory of applications and users accessing the vault.
2. Conduct inventory: Document all current access policies, including the specific permissions granted to each identity.
3. Assign RBAC Roles: Map each identity to an appropriate RBAC role (e.g., Reader, Contributor, Administrator) based on the principle of least privilege.
4. Enable RBAC: Switch the Key Vault to the RBAC authorization model.
5. Validate: Test all application and user access paths to ensure nothing is inadvertently broken.
6. Monitor: Implement monitoring and alerting to detect and respond to access issues or misconfigurations.
For detailed, step-by-step instructions, including examples in CLI and PowerShell, see Migrate from access policies to RBAC.

Conclusion
Now is the time to modernize access control strategies. Adopting Role-Based Access Control (RBAC) not only eliminates configuration drift and overly broad permissions but also enhances operational efficiency and strengthens your defense against evolving threat landscapes.
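As an added example that is not part of the original post, the following PowerShell script walks a single vault through the migration steps above: it inventories the existing access policies to a CSV, maps each policy to the narrowest built-in Key Vault data-plane role, creates the role assignments at vault scope, flips the vault to RBAC authorization and then lists the resulting assignments. The vault and resource-group names, the CSV file name and the permission-to-role mapping inside Get-SuggestedRoles are assumptions for illustration; the cmdlets and built-in role names come from the Az module.

```powershell
# Added example (not code from the original post): migrate one Azure Key Vault
# from access policies to Azure RBAC. Placeholders: vault/resource-group names.
# Requires the Az module (Install-Module -Name Az) and an identity allowed to
# create role assignments on the vault (Owner or User Access Administrator).
param(
    [string]$VaultName = '<your-vault-name>',
    [string]$ResourceGroupName = '<your-resource-group>'
)

Connect-AzAccount | Out-Null

# Steps 1 and 2: capture every access policy before touching the vault.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if ($vault.EnableRbacAuthorization) {
    Write-Output "$VaultName already uses RBAC authorization; nothing to migrate."
    return
}
$inventory = foreach ($policy in $vault.AccessPolicies) {
    [pscustomobject]@{
        ObjectId     = $policy.ObjectId
        Secrets      = ($policy.PermissionsToSecrets -join ',')
        Keys         = ($policy.PermissionsToKeys -join ',')
        Certificates = ($policy.PermissionsToCertificates -join ',')
    }
}
$inventory | Export-Csv -Path ".\$VaultName-access-policies.csv" -NoTypeInformation
$inventory | Format-Table -AutoSize

# Step 3: map each policy to the narrowest built-in data-plane role.
# The read-only sets below are an illustrative assumption, not an official
# table: permissions that only read or use material map to the *User role,
# anything that can create, change or delete material maps to the *Officer role.
function Get-SuggestedRoles {
    param([Parameter(Mandatory)]$Policy)
    $map = @(
        @{ Perms = $Policy.PermissionsToSecrets
           ReadOnly = @('get', 'list')
           User = 'Key Vault Secrets User';     Officer = 'Key Vault Secrets Officer' },
        @{ Perms = $Policy.PermissionsToKeys
           ReadOnly = @('get', 'list', 'encrypt', 'decrypt', 'sign', 'verify', 'wrapkey', 'unwrapkey')
           User = 'Key Vault Crypto User';      Officer = 'Key Vault Crypto Officer' },
        @{ Perms = $Policy.PermissionsToCertificates
           ReadOnly = @('get', 'list')
           User = 'Key Vault Certificate User'; Officer = 'Key Vault Certificates Officer' }
    )
    foreach ($entry in $map) {
        $perms = @($entry.Perms)
        if ($perms.Count -eq 0) { continue }          # no access to this object type
        $writes = $perms | Where-Object { $_ -notin $entry.ReadOnly }
        if ($writes) { $entry.Officer } else { $entry.User }
    }
}

# Create the assignments at vault scope (idempotent: skip ones that already exist).
foreach ($policy in $vault.AccessPolicies) {
    foreach ($role in Get-SuggestedRoles -Policy $policy) {
        $existing = Get-AzRoleAssignment -ObjectId $policy.ObjectId `
            -RoleDefinitionName $role -Scope $vault.ResourceId
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $policy.ObjectId `
                -RoleDefinitionName $role -Scope $vault.ResourceId | Out-Null
        }
        Write-Output "$($policy.ObjectId) -> $role"
    }
}

# Step 4: switch the vault to RBAC; from here on the access policies are ignored.
Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -EnableRbacAuthorization $true | Out-Null

# Step 5: review the assignments and confirm data-plane access still works.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Select-Object DisplayName, RoleDefinitionName, Scope | Format-Table -AutoSize
Get-AzKeyVaultSecret -VaultName $VaultName | Select-Object Name, Enabled | Format-Table -AutoSize
```

Review the exported CSV before running the assignment loop, and have the application owners repeat the final data-plane check with their own identities: once RBAC is on, the account running the script also needs a data-plane role such as Key Vault Administrator for the secret listing to succeed, and new role assignments can take a few minutes to propagate.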
Transitioning to RBAC is a proactive step toward building a resilient and future-ready security framework for your Azure environment. Overexposed Azure Key Vaults aren’t just isolated risks: they act as breach multipliers. Treat them as Tier-0 assets, on par with domain controllers and enterprise credential stores. Protecting them requires the same level of rigor and strategic prioritization. By enforcing network segmentation, applying least-privilege access through RBAC, and integrating continuous monitoring, organizations can dramatically reduce the blast radius of a potential compromise and ensure stronger containment in the face of advanced threats. Want to learn more? Explore Microsoft's RBAC Documentation for additional details.

New innovations to protect custom AI applications with Defender for Cloud
Today’s blog post introduced new capabilities to enhance AI security and governance across multi-model and multi-cloud environments. This follow-on blog post dives deeper into how Microsoft Defender for Cloud can help organizations protect their custom-built AI applications.

The AI revolution has been transformative for organizations, driving them to integrate sophisticated AI features and products into their existing systems to maintain a competitive edge. However, this rapid development often outpaces their ability to establish adequate security measures for these advanced applications. Moreover, traditional security teams frequently lack the visibility and actionable insights needed, leaving organizations vulnerable to increasingly sophisticated attacks and struggling to protect their AI resources. To address these challenges, we are excited to announce the general availability (GA) of threat protection for AI services, a capability that enhances threat protection in Microsoft Defender for Cloud. Starting May 1, 2025, the new Defender for AI Services plan will support models in Azure AI and Azure OpenAI Services.

Note: Effective May 1, 2025, the price for Defender for AI Services will change to $0.002 per 1,000 tokens per month (USD – list price).

“Security is paramount at Icertis. That’s why we've partnered with Microsoft to host our Contract Intelligence platform on Azure, fortified by Microsoft Defender for Cloud. As large language models (LLMs) became mainstream, our Icertis ExploreAI Service leveraged generative AI and proprietary models to transform contract management and create value for our customers. Microsoft Defender for Cloud emerged as our natural choice for the first line of defense against AI-related threats. It meticulously evaluates the security of our Azure OpenAI deployments, monitors usage patterns, and promptly alerts us to potential threats. These capabilities empower our Security Operations Center (SOC) teams to make more informed decisions based on AI detections, ensuring that our AI-driven contract management remains secure, reliable, and ahead of emerging threats.”
Subodh Patil, Principal Cyber Security Architect at Icertis

With these new threat protection capabilities, security teams can:
- Monitor suspicious activity in Azure AI resources, aligned with security frameworks like the OWASP Top 10 threats for LLM applications, to defend against attacks on AI applications such as direct and indirect prompt injections, wallet abuse, suspicious access to AI resources, and more.
- Triage and act on detections using contextual and insightful evidence, including prompt and response evidence, application and user context, grounding data origin breadcrumbs, and Microsoft Threat Intelligence details.
- Gain visibility from cloud to code (right to left) for better posture discovery and remediation by translating runtime findings into posture insights, like smart discovery of grounding data sources. Requires the Defender CSPM posture plan to be fully utilized.
- Leverage frictionless onboarding with one-click, agentless enablement on Azure resources. This includes native integrations to Defender XDR, enabling advanced hunting and incident correlation capabilities.

Detect and protect against AI threats
Defender for Cloud helps organizations secure their AI applications from the latest threats. It identifies vulnerabilities and protects against sophisticated attacks, such as jailbreaks, invisible encodings, malicious URLs, and sensitive data exposure. It also protects against novel threats like ASCII smuggling, which could otherwise compromise the integrity of their AI applications. Defender for Cloud helps ensure the safety and reliability of critical AI resources by leveraging signals from prompt shields, AI analysis, and Microsoft Threat Intelligence. This provides comprehensive visibility and context, enabling security teams to quickly detect and respond to suspicious activities.

Prompt analysis-based detections aren’t the full story. Detections are also designed to analyze the application and user behavior to detect anomalies and suspicious behavior patterns. Analysts can leverage insights into user context, application context, access patterns, and use Microsoft Threat Intelligence tools to uncover complex attacks or threats that escape prompt-based content filtering detectors. For example, wallet attacks are a common threat where attackers aim to cause financial damage by abusing resource capacity. These attacks often appear innocent because the prompts' content looks harmless. However, the attacker's intention is to exploit the resource capacity when left unconstrained. While these prompts might go unnoticed as they don't contain suspicious content, examining the application's historical behavior patterns can reveal anomalies and lead to detection.

Respond and act on AI detections effectively
The lack of visibility into AI applications is a real struggle for security teams. The detections contain evidence that is hard or impossible for most SOC analysts to access. For example, in the below credential exposure detection, the user was able to solicit secrets from the organizational data connected to the Contoso Outdoors chatbot app. How would the analyst go about understanding this detection? The detection evidence shows the user prompt and the model response (secrets are redacted). The evidence also explicitly calls out what kind of secret was exposed. The prompt evidence of this suspicious interaction is rarely stored, logged, or accessible anywhere outside the detection. The prompt analysis engine also tied the user request to the model response, making sense of the interaction.

What is most helpful in this specific detection is the application and user context. The application name instantly assists the SOC in determining if this is a valid scenario for this application. The Contoso Outdoors chatbot is not supposed to access organizational secrets, so this is worrisome. Next, the user context reveals who was exposed to the data, through what IP (internal or external) and their supposed intention. Most AI applications are built behind AI gateways, proxies, or Azure API Management (APIM) instances, making it challenging for SOC analysts to obtain these details through conventional logging methods or network solutions. Defender for Cloud addresses this issue by using a straightforward approach that fetches these details directly from the application’s API request to Azure AI. Now, the analyst can reach out to the user (internal) or block (external) the identity or the IP.

[Screenshot: alert about the Contoso Outdoors AI application, showing user context details of IP and identity.]

Finally, to resolve this incident, the SOC analyst intends to remove and decommission the secret to mitigate the impact of the exposure. The final piece of evidence presented reveals the origin of the exposed data. This evidence substantiates the fact that the leak is genuine and originates from internal organizational data. It also provides the analyst with a critical breadcrumb trail to successfully remove the secret from the data store and communicate with the owner on next steps.

Trace the invisible lines between your AI application and the grounding sources
Defender for Cloud excels in continuous feedback throughout the application lifecycle. While posture capabilities help triage detections, runtime protection provides crucial insights from traffic analysis, such as discovering data stores used for grounding AI applications. The AI application's connection to these stores is often hidden from current control or data plane tools. The credential leak example provided a real-world connection that was then integrated into our resource graph, uncovering previously overlooked data stores. Tagging these stores improves attack path and risk factor identification during posture scanning, ensuring safe configuration. This approach reinforces the feedback loop between runtime protection and posture assessment, maximizing cloud-native application protection platform (CNAPP) effectiveness.

Align with AI security frameworks
Our guiding principle is the widely recognized OWASP Top 10 for LLMs. By combining our posture capabilities with runtime monitoring, we can comprehensively address a wide range of threats, enabling us to proactively prepare for and detect AI-specific breaches with Defender for Cloud. As the industry evolves and new regulations emerge, frameworks such as OWASP, the EU AI Act, and NIST 600-1 are shaping security expectations. Our detections are aligned with these frameworks as well as the MITRE ATLAS framework, ensuring that organizations stay compliant and are prepared for future regulations and standards.

Get started with threat protection for AI services
To get started with threat protection capabilities in Defender for Cloud, it’s as simple as one click to enable it on your relevant subscription in Azure. The integration is agentless and requires zero intervention in the application dev lifecycle. More importantly, the native integration directly inside the Azure AI pipeline does not entail scale or performance degradation in the application runtime. Consuming the detections is easy: they appear in Defender for Cloud’s portal, but are also seamlessly connected to Defender XDR and Sentinel, leveraging the existing connectors. SOC analysts can leverage the correlation and analysis capabilities of Defender XDR from day one. Explore these capabilities today with a free 30-day trial*. You can leverage your existing AI application and simply enable the “AI workloads” plan on your chosen subscription to start detecting and responding to AI threats.

*The free trial period is limited to up to 75B tokens scanned.

Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.

Explore additional resources
- Learn more about Runtime protection
- Learn more about Posture capabilities
- Watch the Defender for Cloud in the Field episode on securing AI applications
- Get started with Defender for Cloud

Validating Microsoft Defender for Resource Manager Alerts
This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

As announced at Ignite 2021, the Microsoft Defender for Resource Manager plan provides threat detection against malicious usage of the Azure Resource Management layer (Portal, REST API, PowerShell). To learn more about Azure Defender for ARM, read our official documentation. You can enable Microsoft Defender for Resource Manager on your subscription via environment settings: select the subscription, change the plan to ON (as shown below) and click Save to commit the change.

Now that you have this plan set to ON, you can use the steps below to validate this threat detection. First, make sure that:
- The script is executed by a cloud user with read permissions on the subscription.
- The Az PowerShell module is installed before running the script. It can be installed using: "Install-Module -Name Az".

After ensuring those two items are done, run the script below. It enumerates subscription resources the way the MicroBurst AzDomainInfo function does, which is what the alert is designed to catch:

# Script to trigger the ARM_MicroBurst.AzDomainInfo alert
Import-Module Az

# Log in to the Azure account and pick a random resource group
$accountContext = Connect-AzAccount
$subscriptionId = $accountContext.Context.Subscription.Id
$resourceGroup = Get-AzResourceGroup | Get-Random
$rg = $resourceGroup.ResourceGroupName
Write-Output "[*] Dumping information`nSubscription: $subscriptionId`nResource group: $rg."

Write-Output "[*] Scanning Storage Accounts..."
$storageAccountLists = Get-AzStorageAccount -ResourceGroupName $rg | Select-Object StorageAccountName, ResourceGroupName

Write-Output "[*] Scanning Azure Resource Groups..."
$resourceGroups = Get-AzResourceGroup

Write-Output "[*] Scanning Azure Resources..."
$resourceLists = Get-AzResource

Write-Output "[*] Scanning AzureSQL Resources..."
$azureSQLServers = Get-AzResource | Where-Object { $_.ResourceType -like "Microsoft.Sql/servers" }

Write-Output "[*] Scanning Azure App Services..."
$appServs = Get-AzWebApp -ResourceGroupName $rg

Write-Output "[*] Scanning Azure Disks..."
$disks = Get-AzDisk | Select-Object ResourceGroupName, ManagedBy, Zones, TimeCreated, OsType, HyperVGeneration, DiskSizeGB, DiskSizeBytes, UniqueId, EncryptionSettingsCollection, ProvisioningState, DiskIOPSReadWrite, DiskMBpsReadWrite, DiskIOPSReadOnly, DiskMBpsReadOnly, DiskState, MaxShares, Id, Name, Location -ExpandProperty Encryption

Write-Output "[*] Scanning Azure Deployments and Parameters..."
$deployments = Get-AzResourceGroupDeployment -ResourceGroupName $rg

Write-Output "[*] Scanning Virtual Machines..."
$VMList = Get-AzVM

Write-Output "[*] Scanning Virtual Machine Scale Sets..."
$scaleSets = Get-AzVmss

Write-Output "[*] Scanning Network Interfaces..."
$NICList = Get-AzNetworkInterface

Write-Output "[*] Scanning Public IPs for each Network Interface..."
$pubIPs = Get-AzPublicIpAddress | Select-Object Name, IpAddress, PublicIpAllocationMethod, ResourceGroupName

Write-Output "[*] Scanning Network Security Groups..."
$NSGList = Get-AzNetworkSecurityGroup | Select-Object Name, ResourceGroupName, Location, SecurityRules, DefaultSecurityRules

Write-Output "[*] Scanning RBAC Users and Roles..."
$roleAssignment = Get-AzRoleAssignment

Write-Output "[*] Scanning Roles Definitions..."
$roles = Get-AzRoleDefinition

Write-Output "[*] Scanning Automation Account Runbooks and Variables..."
$autoAccounts = Get-AzAutomationAccount

Write-Output "[*] Scanning Tenant Information..."
$tenantID = Get-AzTenant | Select-Object TenantId

Write-Output "[!] Done Running."

There may be a delay of up to 60 minutes between script completion and the alert appearing in the client environment (with an average of 45 minutes). An example of this alert is shown below:

Reviewers: Dick Lake, Senior Product Manager
Script by Yuval Barak, Security Researcher

DevOps Security: MDC-ADO integration through Service account
Hi All, is it possible to integrate MDC-ADO with a Service Account? When I attempted to authorize ADO in MDC during the integration process, it appeared to only accept individual accounts. Does anyone have insights on how to utilize a Service Account for this integration?

Become a Microsoft Defender for Cloud Ninja
[Last update: 04/08/2025] All content was reviewed and updated for the month of April 2025.

This blog post has a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you to go from absolutely no knowledge in Microsoft Defender for Cloud to designing and implementing different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud. On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender to Microsoft Defender for Cloud. To learn more about this change, read this article. Every month we are adding new updates to this article, and you can track them by checking the red date beside the topic. If you have already studied all the modules and you are ready for the knowledge check, follow the procedures below:

To obtain the Defender for Cloud Ninja Certificate
1. Take this knowledge check here, where you will find questions about different areas and plans available in Defender for Cloud.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again.
Note: it can take up to 24 hours for you to receive your certificate via email.

To obtain the Defender for Servers Ninja Certificate (Introduced in 08/2023)
1. Take this knowledge check here, where you will find only questions related to Defender for Servers.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again.
Note: it can take up to 24 hours for you to receive your certificate via email.

Modules
To become a Microsoft Defender for Cloud Ninja, you will need to complete each module.
The content of each module will vary; refer to the legend to understand the type of content before clicking on the topic’s hyperlink. The table below summarizes the content of each module:

Module | Description
0 - CNAPP | In this module you will familiarize yourself with the concepts of CNAPP and how to plan Defender for Cloud deployment as a CNAPP solution.
1 – Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans | In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and overall architecture data flow.
2 – Planning Microsoft Defender for Cloud | In this module you will learn the main considerations to correctly plan Microsoft Defender for Cloud deployment, from supported platforms to best practices implementation.
3 – Enhance your Cloud Security Posture | In this module you will learn how to leverage Cloud Security Posture Management capabilities, such as Secure Score and Attack Path, to continuously improve your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations.
4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud | In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which include vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks.
5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud | In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and get insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards.
6 – Cloud Workload Protection Platform Capabilities in Azure Defender | In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which include JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts.
7 – Streaming Alerts and Recommendations to a SIEM Solution | In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage the Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk.
8 – Integrations and APIs | In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud.
9 - DevOps Security | In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product.
10 - Defender for APIs | In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability.
11 - AI Posture Management and Workload Protection | In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps.
Module 0 - Cloud Native Application Protection Platform (CNAPP)
- Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach
- Microsoft CNAPP Solution
- Planning and Operationalizing Microsoft CNAPP
- Understanding Cloud Native Application Protection Platforms (CNAPP)
- Cloud Native Applications Protection Platform (CNAPP)
- Microsoft CNAPP eBook
- Understanding CNAPP

Module 1 - Introducing Microsoft Defender for Cloud
- What is Microsoft Defender for Cloud?
- A New Approach to Get Your Cloud Risks Under Control
- Getting Started with Microsoft Defender for Cloud
- Implementing a CNAPP Strategy to Embed Security From Code to Cloud
- Boost multicloud security with a comprehensive code to cloud strategy
- A new name for multi-cloud security: Microsoft Defender for Cloud
- Common questions about Defender for Cloud
- MDC Cost Calculator

Module 2 – Planning Microsoft Defender for Cloud
- Features for IaaS workloads
- Features for PaaS workloads
- Built-in RBAC Roles in Microsoft Defender for Cloud
- Enterprise Onboarding Guide
- Assigning Permissions in Microsoft Defender for Cloud
- Design Considerations for Log Analytics Workspace
- Onboarding on-premises machines using Windows Admin Center
- Understanding Security Policies in Microsoft Defender for Cloud
- Creating Custom Policies
- Centralized Policy Management in Microsoft Defender for Cloud using Management Groups
- Planning Data Collection for IaaS VMs
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for Resource Manager
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for Storage
- How to Effectively Perform a Microsoft Defender for Cloud PoC
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for App Service
- Considerations for Multi-Tenant Scenario
- Microsoft Defender for Cloud PoC Series – Microsoft Defender CSPM
- Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series
- Grant tenant-wide permissions to yourself
- Simplifying Onboarding to Microsoft Defender for Cloud with Terraform
Module 3 – Enhance your Cloud Security Posture
- Azure Secure Score vs. Microsoft Secure Score
- How Secure Score affects your governance
- Enhance your Secure Score in Microsoft Defender for Cloud
- Security recommendations
- Resource exemption
- Customizing Endpoint Protection Recommendation in Microsoft Defender for Cloud
- Deliver a Security Score weekly briefing
- Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders
- Secure Score Reduction Alert
- Average Time taken to remediate resources
- Improved experience for managing the default Azure security policies
- Security Policy Enhancements in Defender for Cloud
- Create custom recommendations and security standards
- Secure Score Overtime Workbook
- Automation Artifacts for Secure Score Recommendations
- Remediation Scripts

Module 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud
- CSPM in Defender for Cloud
- Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications
- Predict future security incidents! Cloud Security Posture Management with Microsoft Defender
- Software inventory filters added to asset inventory
- Drive your organization to security actions using Governance experience
- Managing Asset Inventory in Microsoft Defender for Cloud
- Vulnerability Assessment Workbook Template
- Vulnerability Assessment for Containers
- Improvements in Continuous Export feature
- Implementing Workflow Automation
- Workflow Automation Artifacts
- Creating Custom Dashboard for Microsoft Defender for Cloud
- Using Microsoft Defender for Cloud API for Workflow Automation
- What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud
- Connect AWS Account with Microsoft Defender for Cloud
- Video Demo - Connecting AWS accounts
- Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS
- Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform
- How to better manage cost of API calls that Defender for Cloud makes to AWS
- Connect GCP Account with Microsoft Defender for Cloud
- Protecting Containers in GCP with Defender for Containers
- Video Demo - Connecting GCP Accounts
- Microsoft Defender for Cloud PoC Series - Multicloud with GCP
- All You Need to Know About Microsoft Defender for Cloud Multicloud Protection
- Custom recommendations for AWS and GCP
- 31 new and enhanced multicloud regulatory standards coverage
- Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided
- How to Generate a Microsoft Defender for Cloud exemption and disable policy report
- Cloud security posture and contextualization across cloud boundaries from a single dashboard
- Best Practices to Manage and Mitigate Security Recommendations
- Defender CSPM
- Defender CSPM Plan Options
- Cloud Security Explorer
- Identify and remediate attack paths
- Agentless scanning for machines
- Cloud security explorer and Attack path analysis
- Governance Rules at Scale
- Governance Improvements
- Data Security Aware Posture Management
- A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud
- Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis
- Understanding data aware security posture capability
- Agentless Container Posture
- Agentless Container Posture Management
- Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created
- Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud
- Demystifying Defender CSPM
- Discover and Protect Sensitive Data with Defender for Cloud
- Defender for Cloud's Agentless secret scanning for virtual machines is now generally available!
- Defender CSPM Support for GCP
- Data Security Dashboard
- Agentless Container Posture Management in Multicloud
- Agentless malware scanning for servers
- Recommendation Prioritization
- Unified insights from Microsoft Entra Permissions Management
- Defender CSPM Internet Exposure Analysis
- Future-Proofing Cloud Security with Defender CSPM
- ServiceNow's integration now includes Configuration Compliance module

🚀 Suggested Labs:
- Improving your Secure Posture
- Connecting a GCP project
- Connecting an AWS project
- Defender CSPM
- Agentless container posture through Defender CSPM
- Contextual Security capabilities for AWS using Defender CSPM

Module 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Adding new regulatory compliance standards
- Regulatory Compliance workbook
- Regulatory compliance dashboard now includes Azure Audit reports
- Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS!
Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure 🚀 Suggested Lab: Regulatory Compliance Module 6 – Cloud Workload Protection Platform Capabilities in Microsoft Defender for Clouds Understanding Just-in-Time VM Access Implementing JIT VM Access File Integrity Monitoring in Microsoft Defender Understanding Threat Protection in Microsoft Defender Microsoft Defender for Servers Demystifying Defender for Servers Onboarding directly (without Azure Arc) to Defender for Servers Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM Vulnerability Management in Defender for Cloud File Integrity Monitoring using Microsoft Defender for Endpoint Microsoft Defender for Containers Basics of Defender for Containers Secure your Containers from Build to Runtime AWS ECR Coverage in Defender for Containers Upgrade to Microsoft Defender Vulnerability Management End to end container security with unified SOC experience Binary drift detection episode Binary drift detection Cloud Detection Response experience Exploring the Latest Container Security Updates from Microsoft Ignite 2024 Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud Onboarding Docker Hub and JFrog Artifactory Improvements in Container’s Posture Management New AKS Security Dashboard in Defender for Cloud Microsoft Defender for Storage Protect your storage resources against blob-hunting Malware Scanning in Defender for Storage Microsoft Defender for SQL New Defender for SQL VA Microsoft Defender for SQL Anywhere New autoprovisioning process for SQL Server on machines plan Defender for Open-Source Relational Databases Multicloud Microsoft Defender for KeyVault Microsoft Defender for AppService Microsoft Defender for 
Resource Manager Understanding Security Incident Security Alert Correlation Alert Reference Guide 'Copy alert JSON' button added to security alert details pane Alert Suppression Simulating Alerts in Microsoft Defender for Cloud Alert validation Simulating alerts for Windows Simulating alerts for Linux Simulating alerts for Containers Simulating alerts for Storage Simulating alerts for Microsoft Key Vault Simulating alerts for Microsoft Defender for Resource Manager Integration with Microsoft Defender for Endpoint Auto-provisioning of Microsoft Defender for Endpoint unified solution Resolve security threats with Microsoft Defender for Cloud Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud Filter security alerts by IP address Alerts by resource group Defender for Servers Security Alerts Improvements 🚀 Suggested Labs: Workload Protections Agentless container vulnerability assessment scanning Microsoft Defender for Cloud database protection Protecting On-Prem Servers in Defender for Cloud Defender for Storage Module 7 – Streaming Alerts and Recommendations to a SIEM Solution Continuous Export capability in Microsoft Defender for Cloud Deploying Continuous Export using Azure Policy Connecting Microsoft Sentinel with Microsoft Defender for Cloud Closing an Incident in Azure Sentinel and Dismissing an Alert in Microsoft Defender for Cloud Microsoft Sentinel bi-directional alert synchronization 🚀 Suggested Lab: Exporting Microsoft Defender for Cloud information to a SIEM Module 8 – Integrations and APIs Integration with Tenable Integrate security solutions in Microsoft Defender for Cloud Defender for Cloud integration with Defender EASM Defender for Cloud integration with Defender TI REST APIs for Microsoft Defender for Cloud Obtaining Secure Score via REST API Using Graph Security API to Query Alerts in Microsoft Defender for Cloud Automate(d) Security with Microsoft Defender for Cloud and Logic Apps Automating Cloud 
Security Posture and Cloud Workload Protection Responses Module 9 – DevOps Security Overview of Microsoft Defender for Cloud DevOps Security DevOps Security Interactive Guide Configure the Microsoft Security DevOps Azure DevOps extension Configure the Microsoft Security DevOps GitHub action Automate SecOps to Developer Communication with Defender for DevOps Compliance for Exposed Secrets Discovered by DevOps Security Automate DevOps Security Recommendation Remediation DevOps Security Workbook Remediating Security Issues in Code with Pull Request Annotations Code to Cloud Security using Microsoft Defender for DevOps GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud Securing your GitLab Environment with Microsoft Defender for Cloud Bridging the Gap Between Code and Cloud with Defender for Cloud Integrate Defender for Cloud CLI with CI/CD pipelines Code Reachability Analysis 🚀 Suggested Labs: Onboarding Azure DevOps to Defender for Cloud Onboarding GitHub to Defender for Cloud Module 10 – Defender for APIs What is Microsoft Defender for APIs? Onboard Defender for APIs Validating Microsoft Defender for APIs Alerts API Security with Defender for APIs Microsoft Defender for API Security Dashboard Exempt functionality now available for Defender for APIs recommendations Create sample alerts for Defender for APIs detections Defender for APIs reach GA Increasing API Security Testing Visibility Boost Security with API Security Posture Management 🚀 Suggested Lab: Defender for APIs Module 11 – AI Posture Management and Workload Protection Secure your AI applications from code to runtime with Microsoft Defender for Cloud AI security posture management AI threat protection Secure your AI applications from code to runtime Data and AI security dashboard Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud 🚀 Suggested Lab: Security for AI workloads Are you ready to take your knowledge check? If so, click here. 
If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Other Resources Microsoft Defender for Cloud Labs Become an Microsoft Sentinel Ninja Become an MDE Ninja Cross-product lab (Defend the Flag) Release notes (updated every month) Important upcoming changes Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!! Reviewer: Tom Janetscheck, Senior PM318KViews63likes34CommentsMicrosoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud?

We're enhancing the severity levels of recommendations to improve risk assessment and prioritization. As part of this update, we reevaluated all severity classifications and introduced a new level: Critical. See this page for more info.

General Availability of File Integrity Monitoring (FIM) based on Microsoft Defender for Endpoint in Azure Government

File Integrity Monitoring based on Microsoft Defender for Endpoint is now GA in Azure Government (GCCH) as part of Defender for Servers Plan 2. For more details, please refer to our documentation.

Blog(s) of the month

In March, our team published the following blog posts we would like to share:
Integrating Security into DevOps Workflows with Microsoft Defender CSPM
New innovations to protect custom AI applications with Defender for Cloud
All Key Vaults Are Critical, But Some Are More Critical Than Others: Finding the Crown Jewels

GitHub Community

Learn more about code reachability in Defender for Cloud: Module 26 - Defender for Cloud Code Reachability Vulnerabilities with Endor Labs. Visit our GitHub page.

Defender for Cloud in the field

Watch the latest Defender for Cloud in the Field YouTube episode here: Unveiling Kubernetes lateral movement in Defender for Cloud.
Manage cloud security posture with Microsoft Defender for Cloud
Visit our new YouTube page.

Customer journey

Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Danfoss. Danfoss's growth contrasted with inefficient manual, on-premises security solutions. It wanted a scalable security solution to defend its global data and SAP landscape while lifting security team effectiveness. Danfoss adopted Microsoft Sentinel and the Microsoft Sentinel solution for SAP applications. It ingests logs from 20 applications and thousands of devices with connectors including Defender for Cloud.

Show me more stories

Security community webinars

Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month!
April 15: Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud
April 30: Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud

We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP.

We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it's through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please tell us which of these formats you find most beneficial and whether there are specific topics you're interested in: https://aka.ms/PublicContentFeedback.

Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe

The Future of CIEM in Microsoft Defender for Cloud
Today, Microsoft announced the planned retirement of Microsoft Entra Permissions Management, targeted for October 1, 2025. As we navigate this transition, we want to reassure customers of our ongoing commitment to deliver Cloud Infrastructure Entitlement Management (CIEM) capabilities within Microsoft Defender for Cloud. Our investment in CIEM remains a strategic priority and an integral component of our comprehensive Cloud-Native Application Protection Platform (CNAPP).

What Does This Mean for Your Defender for Cloud Experience?

The planned changes around Microsoft Entra Permissions Management will not affect existing CIEM capabilities in Microsoft Defender for Cloud. All permissions management functionality you rely on today, including identity discovery, permissions visibility, and entitlement governance, will remain fully available in Defender CSPM, ensuring your cloud security operations continue to run smoothly without interruption.

Our Long-term Investment in CIEM Capabilities

CIEM is a critical component of CNAPP and is essential for addressing security risks associated with identity and permissions misconfigurations in multicloud environments. Microsoft remains committed to continuously enhancing Defender for Cloud's CIEM capabilities, aligning closely with core CNAPP use cases, including:

Centralized multicloud identity discovery: Providing visibility and analysis of cloud identities and entitlements across Azure, AWS, and GCP, enabling security teams to proactively identify and address permission-related risks across their entire cloud estate.

Permissions gap analysis: Assessing assigned permissions against actual usage to highlight unnecessary entitlements, allowing organizations to significantly reduce identity-based risk and permissions sprawl.

Inactive identity tracking: Identifying and managing inactive identities and unused permissions, supporting the principle of least privilege by removing unnecessary access.

Our roadmap includes ongoing innovation designed to help your organization proactively manage entitlements, mitigate risks, and strengthen overall cloud security posture.

Continuing Our Security Journey Together

We deeply value your trust and collaboration. Our goal is to provide security teams with enhanced CIEM capabilities within Defender for Cloud that support your organization's cloud security efforts now and in the future. For guidance on enabling and optimizing CIEM capabilities within Microsoft Defender for Cloud, please visit our Microsoft Learn page.

All Key Vaults Are Critical, But Some Are More Critical Than Others: Finding the Crown Jewels
Introduction

A critical asset is one of substantial value, whose compromise or disruption would result in significant adverse effects on the organization. This definition lays the foundation for understanding why Azure Key Vaults often fall into this category. Azure Key Vaults are integral to cloud environments as they manage sensitive data like cryptographic keys, passwords, and certificates. Their frequent use in securing applications, managing secrets, and enabling secure operations makes them highly valuable. Given this importance, identifying which Key Vaults are critical becomes essential.

Approach

Our approach to identifying critical Key Vaults is based on operational activity. We classify Key Vaults using the top n percentile of operations within each tenant, ensuring that only the most active and essential Key Vaults are flagged as critical. This approach provides a fair evaluation across varying tenant sizes and ensures that thresholds dynamically adjust with data size and distribution, making the classification resilient to outliers and representative of actual operational importance.

Why Focus on Key Vaults with High Operation Counts?

Increased Usage Indicates High Dependency: A high volume of operations suggests that the Key Vault is heavily utilized, meaning it plays a central role in the security and operational processes within the environment. For example, it might be frequently accessed to retrieve secrets, keys, or certificates, which are essential for the functioning of various applications and services.

Sensitive Data Storage: Key Vaults typically store sensitive data, such as cryptographic keys, passwords, and other secrets. A Key Vault with many operations is likely to store and manage a significant amount of this sensitive data, making it a high-value target for potential attacks.

Operational Impact: If a heavily used Key Vault were compromised or became unavailable, it could disrupt multiple critical processes across the organization. This could include application outages, security breaches, or other operational failures, making the Key Vault critical to overall business continuity.

Security Implications: Frequent access to a Key Vault might indicate its role in automated processes or scripts that require secure handling of credentials and keys. The more a Key Vault is accessed, the higher the potential risk if its security is breached, hence making it essential to protect and monitor it closely.

Benefits of Using Percentiles in Criticality Classification

In critical asset classification, the use of percentiles offers several distinct advantages over percentage-based methods:

Resilience to Outliers: Percentiles rank Key Vaults without being influenced by extreme values. For instance, even if one Key Vault has an unusually high operation count, the percentile method ensures that the classification threshold remains stable.

Dynamic Adaptation to Dataset Size: As the number of Key Vaults grows, percentile thresholds adjust dynamically, maintaining consistency and accuracy over time.

Fair Evaluation Across Tenants: Different tenants have varying numbers of Key Vaults. Percentiles allow for a fair assessment by ensuring that each tenant's Key Vaults are evaluated within that tenant's dataset. This means that even smaller tenants with fewer Key Vaults can have their most active Key Vaults identified as critical without being overshadowed by the larger operation counts of bigger tenants. Percentiles rank within each tenant individually, making the classification equitable across different scales.

Mathematical Rigor: Percentiles provide a statistically sound method for ranking Key Vaults, offering a reliable framework for criticality classification.

Operational Relevance: By using percentiles, the classification highlights Key Vaults that are truly operationally significant within their own environment, enhancing security monitoring and response efforts.

This approach ensures that critical assets are identified accurately, without the distortions caused by outliers, dataset size, or operational scale variations, making it ideal for cloud environments.

Findings from Research

Overall Critical Assets: Around 0.5% of total Key Vaults were identified as critical.

Tenant-wise Analysis: Percentile thresholds adjusted dynamically across tenant sizes. Large tenants saw a minimal increase in critical assets, validating accuracy. Smaller tenants benefited from nuanced classification. Percentile-based classification ensures that Key Vaults with relatively high operation counts are identified, regardless of tenant size, providing a balanced approach.

[Figure 1: Tenant-wise Analysis]

Finding the Optimal Percentile Threshold

The reverse elbow curve method is a data-driven approach to determine the optimal percentile threshold. Figure 2 illustrates this concept by plotting the percentage of Key Vaults classified as critical against various percentile values. As the percentile value increases from 90 to 99, the percentage of critical Key Vaults decreases, forming a clear reverse elbow shape.

In this graph, the curve starts to flatten around the 95th percentile, marked as the 'Optimal Percentile Threshold.' This point represents where the rate of decrease in critical Key Vaults slows down significantly. Selecting this threshold ensures that we capture the most critical Key Vaults without unnecessarily including too many lower-priority assets. Before this point, too many Key Vaults are classified as critical, while after this point, too few Key Vaults are included.

[Figure 2: Identifying the optimal percentile threshold]

This visual example demonstrates why the reverse elbow curve method is essential for balancing coverage and precision in critical asset classification, ensuring that the most operationally significant Key Vaults are identified efficiently.
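The per-tenant percentile classification and the reverse-elbow threshold selection described above, as an added example that is not code from the original post. The tenant names, vault names and operation counts are constructed; the 25% "flattening" ratio used to detect the elbow is an assumed heuristic, not a value from the research, and the linear-interpolation percentile is one of several common percentile definitions.

```python
"""Per-tenant percentile classification of Key Vaults by operation count,
plus reverse-elbow selection of the percentile threshold.

Added example, not code from the original post. Tenant names, vault names
and operation counts are constructed; the flattening ratio used to detect
the elbow is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample: (tenant, key vault, operations in the analysis window).
SAMPLE_OPERATIONS: List[Tuple[str, str, int]] = [
    ("tenant-a", "kv-a-01", 5), ("tenant-a", "kv-a-02", 8),
    ("tenant-a", "kv-a-03", 12), ("tenant-a", "kv-a-04", 20),
    ("tenant-a", "kv-a-05", 30), ("tenant-a", "kv-a-06", 45),
    ("tenant-a", "kv-a-07", 60), ("tenant-a", "kv-a-08", 90),
    ("tenant-a", "kv-a-09", 150), ("tenant-a", "kv-a-10", 400),
    ("tenant-a", "kv-a-11", 2000),  # outlier: one extremely busy vault
    ("tenant-b", "kv-b-01", 3), ("tenant-b", "kv-b-02", 7),
    ("tenant-b", "kv-b-03", 9), ("tenant-b", "kv-b-04", 15),
    ("tenant-b", "kv-b-05", 25),    # small tenant: its busiest vault still ranks
]


def percentile(values: Sequence[float], p: float) -> float:
    """p-th percentile with linear interpolation between order statistics."""
    xs = sorted(values)
    if not xs:
        raise ValueError("no values")
    if len(xs) == 1:
        return float(xs[0])
    rank = (p / 100.0) * (len(xs) - 1)
    lo = int(rank)
    hi = min(lo + 1, len(xs) - 1)
    return xs[lo] + (xs[hi] - xs[lo]) * (rank - lo)


def classify_critical(records: Sequence[Tuple[str, str, int]],
                      p: float = 95.0) -> Dict[str, List[str]]:
    """Flag vaults whose operation count is at or above their own tenant's
    p-th percentile. Ranking is done inside each tenant, so a small tenant's
    busiest vault is flagged even though its absolute count is modest."""
    by_tenant: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for tenant, vault, ops in records:
        by_tenant[tenant].append((vault, ops))
    critical: Dict[str, List[str]] = {}
    for tenant, items in by_tenant.items():
        threshold = percentile([ops for _, ops in items], p)
        critical[tenant] = sorted(v for v, ops in items if ops >= threshold)
    return critical


def critical_fraction_curve(records: Sequence[Tuple[str, str, int]],
                            percentiles=range(90, 100)) -> Dict[int, float]:
    """Fraction of all vaults flagged critical at each candidate percentile:
    the curve the reverse-elbow analysis plots."""
    total = len(records)
    return {p: sum(len(v) for v in classify_critical(records, p).values()) / total
            for p in percentiles}


def find_elbow(curve: Dict[int, float], flatten_ratio: float = 0.25) -> int:
    """Return the first percentile after which the step-to-step decrease in
    the critical fraction falls below flatten_ratio of the largest decrease
    (assumed heuristic for 'the curve starts to flatten')."""
    ps = sorted(curve)
    drops = [curve[a] - curve[b] for a, b in zip(ps, ps[1:])]
    if not drops or max(drops) <= 0:
        return ps[0]
    limit = flatten_ratio * max(drops)
    for p, drop in zip(ps, drops):
        if drop < limit:
            return p
    return ps[-1]


if __name__ == "__main__":
    curve = critical_fraction_curve(SAMPLE_OPERATIONS)
    chosen = find_elbow(curve)
    for p, frac in curve.items():
        print(f"p{p}: {frac:.3f} of vaults critical")
    print("chosen percentile:", chosen)
    print("critical vaults:", classify_critical(SAMPLE_OPERATIONS, chosen))
```

With a sample this small the curve flattens almost immediately, so the elbow lands early; on a real tenant population with many vaults per tenant the curve has the gradual shape shown in Figure 2 and the same heuristic picks the knee. Note that with linear interpolation the single outlier in tenant-a raises the threshold between the two largest vaults but does not drag the rest of the ranking, which is the resilience property the post relies on.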
Conclusion

In conclusion, identifying critical Azure Key Vaults is essential for maintaining the security, availability, and operational integrity of cloud environments. By leveraging a percentile-based classification approach, we ensure that only the most active and essential Key Vaults are recognized as critical assets. The use of the reverse elbow curve method further strengthens this classification by selecting an optimal percentile threshold that balances coverage and precision. This methodology not only minimizes noise from less active Key Vaults but also ensures that highly utilized and sensitive Key Vaults receive the attention they deserve. As cloud operations continue to scale, such data-driven classification approaches are vital for effective security management and risk mitigation.

Integrating Security into DevOps Workflows with Microsoft Defender CSPM
This fourth article in our series builds on the main overview ("Strategy to Execution: Operationalizing Microsoft Defender CSPM"). Here, we focus on embedding security directly into DevOps workflows using Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) capabilities.

Introduction

DevOps has revolutionized the way organizations build, deploy, and manage everything that lives in a code repository, from applications to enterprise infrastructure, breaking down silos between development and operations teams and enabling faster software delivery and consistent, declarative infrastructure. However, increased speed often brings heightened security risks if vulnerabilities slip through the pipeline unnoticed. The antidote is to "shift security left," weaving it throughout every stage of the software development lifecycle (SDLC).

Microsoft Defender Cloud Security Posture Management (CSPM) provides the automation, continuous monitoring, and governance controls essential for implementing DevSecOps. By integrating CSPM with your CI/CD pipelines, you can detect misconfigurations and vulnerabilities early, prevent security bottlenecks, and maintain both agility and robust protection across Azure, AWS, GCP, and beyond.

Below, we'll explore the importance of aligning security practices with DevOps goals, detail how Defender CSPM supports shift-left security, and provide operational steps to incorporate automated checks and remediation into your CI/CD processes.

Why Security Belongs in DevOps

Reducing Security Debt: Late-stage vulnerability discovery can be costly, forcing teams to revisit code or configurations after they've been deployed. By integrating security early, potential issues are detected and remediated when fixes are fastest and least disruptive.

Maintaining DevOps Agility: Security, when bolted on at the end, risks slowing down release cycles. Embedding checks and automated gating within your DevOps pipeline helps maintain velocity, ensuring security standards are met without derailing rapid deployments.

Aligning Security with Development Goals: Effective DevOps aims to deliver high-quality, reliable software quickly. Security shouldn't be an afterthought; it should reinforce the same objective: high-quality, secure software. With the right tools and processes, security becomes a natural part of the release process, not an obstacle.

How Defender CSPM Enhances DevSecOps

Shift-Left Security: Defender CSPM scans for vulnerabilities and misconfigurations early in the SDLC, detecting issues in code or Infrastructure-as-Code (IaC) templates before they reach production.

Code-to-Cloud Contextualization: Security risks don't exist in isolation. Defender CSPM provides end-to-end visibility from code to cloud, tracing vulnerabilities from the development phase through deployment. For instance, if a developer introduces an insecure dependency, Defender CSPM can assess its impact on the cloud environment, enabling teams to address security risks in context.

Infrastructure-as-Code (IaC) Security: By analyzing Terraform, ARM, and other IaC templates, Defender CSPM helps prevent security misconfigurations before infrastructure is provisioned. If a Terraform script inadvertently exposes a storage bucket to the internet, Defender CSPM flags the issue and provides actionable remediation steps.

Reachability Analysis (via Endor Labs Integration): Through integration with Endor Labs, Defender CSPM can perform advanced reachability analysis on vulnerabilities within code dependencies or container images. By identifying whether your application actually calls the affected functions or libraries, this approach helps security teams focus remediation efforts on genuinely exploitable vulnerabilities, reducing noise and prioritizing the highest-impact risks. You can learn more about reachability analysis types in Endor Labs' guide.

Continuous Assessments: Rather than relying on sporadic audits, Defender CSPM continuously monitors cloud resources to identify and address misconfigurations, vulnerabilities, and compliance gaps in real time.

Container Image Security: Defender CSPM scans container images for known vulnerabilities before deployment, alerting teams if an exploitable package is included and providing guidance for mitigation.

Security as Code: Security policies, governance models, and compliance requirements can be codified and enforced automatically within CI/CD pipelines, allowing teams to integrate security without disrupting delivery speed.

Automated Remediation: Customizable playbooks can automatically fix issues, from misconfigured IAM policies to security patches, reducing manual effort and human error.

Security Gates in CI/CD Pipelines: To prevent insecure deployments, Defender CSPM enforces security gates in DevOps workflows. If a high-risk vulnerability is detected during the build or deployment phase, the pipeline is halted until the issue is resolved, ensuring only secure code reaches production.

Seamless Integration with DevOps Workflows: Defender CSPM integrates natively into popular CI/CD solutions, enabling collaborative workflows that bring together development, security, and operations teams under a shared responsibility model.

Automated Compliance Checks: Defender CSPM verifies infrastructure and applications against regulatory standards (e.g., PCI-DSS, HIPAA) throughout the DevOps lifecycle. New compliance requirements (e.g., mandatory data encryption) are continuously evaluated for adherence.

Continuous Visibility and Risk Prioritization: Defender CSPM's dynamic security posture assessment helps teams focus on high-impact risks by surfacing critical vulnerabilities with remediation guidance.
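The "Security Gates in CI/CD Pipelines" behaviour described above, as an added example that is not code from the original article or from Microsoft's tooling: a small Python gate that reads the SARIF report a scanner step produced and fails the job when any unsuppressed finding is at or above a chosen severity. It assumes SARIF 2.1.0 input (the interchange format used by code-scanning tools, including the Microsoft Security DevOps action) and expresses the gate threshold as a SARIF result level; the SARIF document, rule ids and file paths below are constructed placeholders.

```python
"""Severity gate over SARIF scanner output, meant to run as a CI/CD step.

Added example, not code from the original article or from Microsoft. Assumes
SARIF 2.1.0 input; the document, rule ids and paths below are constructed.
"""
import json
import sys
from typing import Dict, List

# SARIF result levels in increasing order of severity.
LEVEL_RANK: Dict[str, int] = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF standing in for a real scanner report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-iac-scanner"}},
        "results": [
            {"ruleId": "EXAMPLE-STORAGE-PUBLIC", "level": "error",
             "message": {"text": "Storage account allows public blob access"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "infra/main.tf"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EXAMPLE-TLS-VERSION", "level": "warning",
             "message": {"text": "Minimum TLS version not pinned"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "infra/main.tf"},
                 "region": {"startLine": 30}}}]},
            {"ruleId": "EXAMPLE-TAGGING", "level": "note",
             "message": {"text": "Resource has no owner tag"}},
            # An accepted suppression is a recorded exemption; it must not block.
            {"ruleId": "EXAMPLE-STORAGE-PUBLIC", "level": "error",
             "message": {"text": "Accepted exception: public static website"},
             "suppressions": [{"kind": "external", "status": "accepted"}]},
        ],
    }],
})


def load_findings(sarif_text: str) -> List[Dict]:
    """Flatten SARIF results into plain dicts, dropping suppressed ones."""
    doc = json.loads(sarif_text)
    findings: List[Dict] = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            suppressed = any(s.get("status", "accepted") != "rejected"
                             for s in result.get("suppressions", []))
            if suppressed:
                continue
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                # SARIF falls back to "warning" when no level is given
                # (rule-level defaults are not consulted in this example).
                "level": result.get("level", "warning"),
                "file": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def evaluate_gate(findings: List[Dict], fail_on: str = "error") -> Dict:
    """Block when any unsuppressed finding is at or above the fail_on level."""
    if fail_on not in LEVEL_RANK:
        raise ValueError(f"unknown SARIF level {fail_on!r}")
    threshold = LEVEL_RANK[fail_on]
    blocking = [f for f in findings
                if LEVEL_RANK.get(f["level"], LEVEL_RANK["warning"]) >= threshold]
    return {"passed": not blocking, "blocking": blocking, "total": len(findings)}


def gate_exit_code(sarif_text: str, fail_on: str = "error") -> int:
    """Return the process exit code: non-zero fails the pipeline step."""
    verdict = evaluate_gate(load_findings(sarif_text), fail_on)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['level']:<7} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    print(f"{verdict['total']} finding(s), {len(verdict['blocking'])} blocking, "
          f"gate {'passed' if verdict['passed'] else 'FAILED'}")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    # Pipeline usage: python gate.py <report.sarif> [error|warning|note]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(gate_exit_code(text, sys.argv[2] if len(sys.argv) > 2 else "error"))
```

Run it as the step after the scanner in the pipeline; a non-zero exit halts the job, which is the gate the article describes. Honouring SARIF suppressions is what lets a recorded, reviewed exemption pass without loosening the threshold for everything else, and tracking the deployment block rate (see the metrics later in the article) from this step's exit codes is straightforward.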
Step-by-Step: Integrating Defender CSPM into DevOps Workflows

Below is a practical framework combining both conceptual guidance and operational steps to help you establish DevSecOps with Defender CSPM.

Step 1: Setting Up Security Gates in the CI/CD Pipeline

Objective: Automate security checks at critical stages to ensure security policies are enforced before software moves to production.

Define Security Policies for Development: Collaborate with development and security teams to establish code-level and infrastructure-level policies (e.g., no exposed ports, mandatory encryption, disallowing vulnerable libraries). Use Defender CSPM to enforce these policies directly within the pipeline so that non-compliant code is flagged early, including the ability to trace its potential impact on cloud environments. For details on configuring Defender for Cloud in your pipeline, see the official CI/CD integration documentation.

Configure Automated Gates: Integrate Defender CSPM with Azure DevOps, GitHub Actions, or other CI/CD tools. Set up automated scans at each build or deployment step. Deployments halt if critical issues arise, such as vulnerabilities with severity above a set threshold. This ensures that only secure and compliant code is deployed to production. Read further details on how to configure the Microsoft Security DevOps (MSDO) Action.

Enable Continuous Security Assessments: Trigger a security scan on every code commit to catch new vulnerabilities immediately. For infrastructure, leverage Infrastructure as Code (IaC) scans before provisioning resources (e.g., checking ARM or Terraform templates against security policies).

Pre-Deployment Security Testing: Incorporate static (SAST) and dynamic (DAST) security testing as part of the pipeline. For instance, use SonarQube for SAST and OWASP ZAP for DAST, with Defender CSPM acting as the overarching guardrail to confirm findings and enforce organizational policies.

Role-Based Access Control (RBAC): Implement RBAC so that only authorized personnel can modify security policies and configurations, preserving the integrity of security settings.

Step 2: Continuous Security Assessments During the Development Lifecycle

Objective: Perform ongoing, automated security checks throughout coding, testing, and release cycles.

Monitor All Cloud Resources: Enable continuous monitoring of dev, staging, and production environments. Defender CSPM flags issues like unencrypted data or open ports as soon as they appear, expediting remediation.

Automate Security Checks on IaC: Scan Infrastructure as Code (IaC) templates for security compliance before resource creation. For example, if a Terraform template lacks encryption on a storage bucket, Defender CSPM can flag or block the deployment. This proactive approach ensures that security is embedded in the infrastructure from the outset, reducing the risk of security breaches.

Define Clear DevSecOps Roles: Clearly define roles within the DevSecOps framework. Developers are responsible for writing secure code, DevOps teams manage secure infrastructure provisioning, and security engineers validate controls. Forming a DevSecOps council or similar forum can help ensure alignment and timely resolution of vulnerabilities. This collaborative approach fosters a culture of shared responsibility for security.

Collaborative Feedback Loops: Regularly review CSPM findings with both development and security teams. Integrate with ticketing systems like ServiceNow or Azure Boards to track vulnerabilities and manage them as backlog items. This continuous feedback loop helps in prioritizing and addressing security issues, ensuring that they are resolved in a timely manner.

Step 3: Automating Feedback Loops Between Security and DevOps Teams

Objective: Ensure rapid vulnerability detection, assignment, and remediation through real-time notifications and integrated workflows.

Automate Vulnerability Notifications: Use Azure Logic Apps or similar tools to push alerts to communication platforms like Teams or email. These alerts should provide details on the severity of the vulnerability, affected resources, and recommended fixes so that developers can act quickly. For example, if Defender CSPM detects an unencrypted storage bucket, an alert can be sent to the relevant team with instructions on how to enable encryption.

Establish a Continuous Remediation Loop: When Defender CSPM flags a critical issue, a playbook can automatically open a pull request with recommended configuration changes or patches. Developers can then fix the code, and the pipeline will re-run security checks before merging the changes. This ensures that vulnerabilities are addressed promptly and that the code remains secure throughout the development lifecycle.

Track Vulnerability Remediation Progress: Assign Service Level Agreements (SLAs) for vulnerabilities based on their severity. Regularly review CSPM dashboards to monitor the progress of vulnerability remediation and set escalation rules for overdue items via tools like ServiceNow. This helps ensure that critical vulnerabilities are addressed within the required timeframes and that any delays are promptly escalated.

Automated Reporting and Metrics: Generate monthly or weekly reports on the security posture, including open vulnerabilities, average remediation time, and block rates in the pipeline. Use tools like Azure Workbooks or Power BI to visualize trending data and identify areas for process improvement. These reports can help in tracking the effectiveness of security measures and in making informed decisions to enhance the overall security posture.

Strategic Benefits of DevSecOps with Defender CSPM

Proactive Risk Mitigation: By catching vulnerabilities early, organizations can minimize the chance of costly breaches and protect customer trust.
Defender CSPM provides code-to-runtime contextualization, allowing teams to identify and address security issues from the code level to the cloud infrastructure. This proactive approach ensures that security is embedded throughout the development lifecycle, preventing issues from escalating.

Faster Remediation and Reduced Security Debt: Continuous monitoring and automated fixes prevent issues from lingering or piling up, ensuring that your production environment stays clean. For example, if a misconfiguration is detected in a Terraform script, Defender CSPM can alert the team and provide guidance on how to fix it. This helps maintain a secure infrastructure from the outset, reducing the risk of security breaches.

Compliance Monitoring at Runtime: Defender CSPM identifies misconfigurations and vulnerabilities against various frameworks (e.g., PCI-DSS, HIPAA) after deployment, reducing manual overhead for compliance checks. While there isn't a direct mapping of tool findings to a specific compliance framework during the build stage, continuous runtime assessments help maintain a secure and compliant environment, ensuring that infrastructure and applications meet regulatory and security requirements once deployed.

Enhanced Collaboration: Transparency and shared ownership bridge the gap between development, security, and operations teams, making security an enabler rather than a roadblock. Defender CSPM integrates into DevOps workflows, enabling security teams to work closely with development and operations teams. This collaboration helps identify and mitigate security risks early in the development process, fostering a culture of shared responsibility for security.

Consistent Scalability: As your cloud footprint expands, automated checks ensure that new resources, teams, and pipelines follow the same robust security standards.
Continuous visibility into the security posture of the cloud environment helps in prioritizing risks based on their impact, ensuring that the most critical security issues are addressed promptly.

Key Metrics to Track DevSecOps Success

Vulnerability Detection Rate: Ensures early and frequent discovery of security issues.

Deployment Block Rate: Indicates how often releases are halted due to security violations. A high block rate may mean teams need additional training or improved processes.

Mean Time to Detect (MTTD): Tracks the average time taken to detect a security issue from the moment it occurs. Shorter detection times reflect the effectiveness of continuous monitoring and automated security checks.

Remediation Time (MTTR): Measures how quickly issues are resolved after detection. Shorter times reflect mature collaboration and processes.

Compliance Pass Rate: Tracks how consistently code and cloud resources meet defined standards before going live.

False Positive Rate: Measures the frequency of false positives in security alerts. A lower false positive rate indicates more accurate detection and reduces the burden on teams to investigate non-issues.

Change Failure Rate: Indicates the percentage of changes that result in a failure or security issue. A lower change failure rate suggests that security is well-integrated into the development process and that changes are being implemented securely.

Security Incident Frequency: Measures the number of security incidents over a specific period. Monitoring this metric helps in understanding the overall security posture and identifying trends or patterns in security incidents.

Conclusion and Next Steps

Integrating Defender CSPM into DevOps workflows is pivotal for any organization aiming to balance speed and security in the cloud.
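The SLA tracking and escalation described under "Track Vulnerability Remediation Progress" in Step 3, and the MTTD, MTTR and deployment block rate metrics listed above, share the same input: a finding record with when the issue was introduced, detected and resolved. The following is an added example, not Defender CSPM's own reporting or a Microsoft export format: it computes the SLA deadline for each open finding from its severity, lists the overdue ones for escalation, and derives the posture metrics that a weekly report would carry. The record layout, the SLA windows per severity, the sample findings, the sample pipeline history and the fixed "now" are constructed assumptions.

```python
"""Remediation SLA tracking and DevSecOps metrics over exported CSPM findings.

Added example, not Defender CSPM's own code or export format. The record layout,
SLA windows and sample data below are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumed SLA window per severity: hours from detection to required remediation.
SLA_HOURS = {"critical": 24, "high": 72, "medium": 240, "low": 720}

# Constructed sample export, one record per finding (UTC ISO-8601 timestamps):
#   introduced_at  when the misconfiguration entered the environment (e.g. deploy time)
#   detected_at    when the CSPM tool raised the finding
#   resolved_at    when the fix was verified, or None while still open
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "resource": "sa-logs",
     "introduced_at": "2025-03-01T08:00:00Z", "detected_at": "2025-03-01T09:00:00Z",
     "resolved_at": "2025-03-01T20:00:00Z"},
    {"id": "F-2", "severity": "high", "resource": "vm-web01",
     "introduced_at": "2025-03-02T10:00:00Z", "detected_at": "2025-03-02T12:00:00Z",
     "resolved_at": None},
    {"id": "F-3", "severity": "medium", "resource": "kv-app",
     "introduced_at": "2025-03-03T00:00:00Z", "detected_at": "2025-03-03T06:00:00Z",
     "resolved_at": "2025-03-05T06:00:00Z"},
    {"id": "F-4", "severity": "low", "resource": "nsg-dev",
     "introduced_at": "2025-03-04T00:00:00Z", "detected_at": "2025-03-04T01:00:00Z",
     "resolved_at": None},
]

# Constructed sample pipeline history: whether each run was halted by the security gate.
SAMPLE_PIPELINE_RUNS = [
    {"run": 101, "blocked": False}, {"run": 102, "blocked": True},
    {"run": 103, "blocked": False}, {"run": 104, "blocked": False},
    {"run": 105, "blocked": True},
]

# Fixed reference time so the sample report is reproducible.
SAMPLE_NOW = datetime(2025, 3, 6, 12, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def overdue_findings(findings, now):
    """Open findings whose SLA deadline has passed, with hours overdue, for escalation."""
    result = []
    for f in findings:
        if f["resolved_at"] is not None:
            continue
        deadline = _ts(f["detected_at"]) + timedelta(hours=SLA_HOURS[f["severity"]])
        if now > deadline:
            hours_over = (now - deadline).total_seconds() / 3600
            result.append({"id": f["id"], "severity": f["severity"],
                           "resource": f["resource"],
                           "hours_overdue": round(hours_over, 1)})
    return result


def mean_time_to_detect_hours(findings):
    """MTTD: mean hours from introduction to detection, over all findings."""
    gaps = [(_ts(f["detected_at"]) - _ts(f["introduced_at"])).total_seconds() / 3600
            for f in findings]
    return mean(gaps) if gaps else 0.0


def mean_time_to_remediate_hours(findings):
    """MTTR: mean hours from detection to resolution, over resolved findings only."""
    gaps = [(_ts(f["resolved_at"]) - _ts(f["detected_at"])).total_seconds() / 3600
            for f in findings if f["resolved_at"] is not None]
    return mean(gaps) if gaps else 0.0


def deployment_block_rate(runs):
    """Fraction of pipeline runs halted by the security gate."""
    return sum(1 for r in runs if r["blocked"]) / len(runs) if runs else 0.0


def posture_report(findings, runs, now):
    """Assemble the figures a weekly posture report would carry."""
    return {
        "open": sum(1 for f in findings if f["resolved_at"] is None),
        "overdue": overdue_findings(findings, now),
        "mttd_hours": round(mean_time_to_detect_hours(findings), 2),
        "mttr_hours": round(mean_time_to_remediate_hours(findings), 2),
        "block_rate": round(deployment_block_rate(runs), 2),
    }


if __name__ == "__main__":
    report = posture_report(SAMPLE_FINDINGS, SAMPLE_PIPELINE_RUNS, SAMPLE_NOW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the high-severity finding F-2 is the only overdue item (its 72-hour window from detection closed a day before the reference time), which is the record an escalation rule would forward to a ticketing system. MTTR is computed over resolved findings only; counting open items would understate the figure, so the open count is reported alongside it.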
By automating security gates, shifting security checks left, and fostering real-time collaboration, you reduce the risk of late-breaking vulnerabilities and maintain a more resilient production environment.

To revisit the broader context of this series and learn about our earlier topics, such as risk identification and prioritization, review the main overview article, Considerations for risk identification and prioritization in Defender for Cloud, and Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM.

In our next piece, we'll explore how Defender CSPM can bolster proactive forensics and incident preparedness, equipping your organization to detect threats early and respond decisively when incidents occur. Stay tuned!

Microsoft Defender for Cloud - Additional Resources
Blog series main article - Strategy to Execution: Operationalizing Microsoft Defender CSPM
Blog Series article - Considerations for risk identification and prioritization in Defender for Cloud
Blog Series article - Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM
Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP
Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja

Reviewers
Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud
Dick Lake, Security Product Manager, CxE Defender for Cloud