S4E4 - Understand your Cloud Security Posture using Microsoft Defender for Cloud

Jul 07, 2023 | 52 min | Season 4, Ep. 4

Episode description

Alan and Sam discuss why it is important to have a Cloud Security Posture Management (CSPM) solution in place. Alan explains the benefits of CSPM, and dives into Microsoft Defender for Cloud. Topics that we covered are:

  • What is Cloud Security Posture Management and why it is important
  • What is Microsoft Defender for Cloud’s approach to CSPM
  • What is the Microsoft Cloud Security Benchmark
  • What are the pricing tiers for CSPM



Transcript

Hello and welcome to the Let's Talk Azure Podcast with your hosts, Sam Foot and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.

It's episode four of season four. Sam and I had a recent discussion around Cloud Security Posture Management in Microsoft Defender for Cloud. We discussed why CSPM is important to an organization in highlighting risks and misconfigurations in their cloud environment. Here are some of the things we discovered: What is Cloud Security Posture Management, and why is it important? What is Microsoft Defender for Cloud's approach to CSPM? What is the Microsoft Cloud Security Benchmark? And what are the pricing tiers for CSPM in Microsoft Defender for Cloud? It's a really great episode. So without further delay, let's dive in.

Alan, how are you? Hey, Sam. I'm not too bad. How are you? Yeah, not too bad. Thank you. Not too bad. Another week. Another podcast episode. Yeah, it's been a very busy week with work and personal bits, so yeah, time is flying at the moment already at episode four, which is incredible. Yeah, I can't believe we've done well, we're going to do two episodes each at this point already. It's insane.

Yeah, exactly. What are we now, a fifth of the way through the season? So it feels like we've only just started almost. Yeah, you're right. And it's almost a quarter of the way through. Yeah, exactly. So cloud security. Posture management this week, Alan. Yeah, definitely a massive topic in the security space, and definitely a topic that you know pretty well, I'd say.

Yeah, well, I did my Microsoft talked an eye on it, so I thought we might as well not necessarily regurgitate, but it's definitely an important topic to talk about. And like you said, it's one of the key things that are sort of spoken about in the world at the moment. Yeah, there's some really good tooling there and some really tangible benefits. So yeah. Should we get started and crack through it? Yeah, sure.

So let's sort of take a bird's eye view of Cloud Security Posture Management. What is it and why would an organization want to adopt it?

Yeah. Okay. So Cloud Security Posture Management, CSPM, is a process of identifying risks and misconfigurations within cloud environments. So this is mainly around it being automatically visible and being able to identify and potentially remediate some of those misconfigurations and risks. Why is it important and why is it useful? Some organizations may not know what is in their clouds, might not know what's in Azure. It may have developers, IT teams, building infrastructure, building services in there, but maybe not taking a security view of what they're deploying. Maybe it's not done by infrastructure as code. Maybe it's just manually deployed. So there is a high chance that there are misconfigurations, and without going through individual workloads within those environments and understanding what's configured, which will take a lot of time, a couple of people to do that manually, at least depending on your cloud environment. So we had to find those misconfigurations if you know what you're looking for. So a Cloud Security Posture Management solution, in effect, automates that process and goes through your cloud environments and looks for misconfigurations and provides recommendations on how to improve the security of that workload.

Okay, so there's sort of two sort of benefits there really, from what I heard you say. Is the first part really around discovery of your cloud resources? Are we saying that organizations, especially in maybe larger organizations, maybe B2B product companies and the like, that sort of build in Azure, do they really struggle with discovery and understanding what is even in the environment before you even get to misconfigurations?

Yeah, that is one part of it is grabbing an asset list across all of your environments because you're right, you don't necessarily know how many virtual machines you might have overall or web services, things like that. And yeah, then the second part being your misconfigurations to highlight those risks in that environment to potential attacks. You may have a misconfiguration of a virtual machine with a public IP address that's got the management ports open.

Yeah, I'm just trying to think about some of the sort of a working scenario there. I'm just thinking you take, let's say an organization which was quite quick and adopting cloud, maybe they were early into Azure and they've been building ever since I can imagine, because with manual deployment of resources, let's just say those environments might not be documented in any sort of way. Right.

It might just be bring up a workload and then move on to the next build, build, build going forward. My assumption is, from an operational perspective, once that resource is in, those teams might move on to new projects and move forward. And it might not be misconfigured when they originally deployed it, I suppose. But as new tactics and techniques are released and more understanding or new features are released, you could potentially just naturally gain misconfigurations over time, I assume.

Yeah, you're absolutely right that new features coming out potentially could open up new misconfigurations because it hasn't been configured. Or like you said, there might be legacy configuration there that needs to be updated to meet the new standards that are out around. I'm thinking of things like TLS levels, tiers, things like that.

Yeah, I'm thinking about how best practice shifts over time. Right. It's constantly evolving. If you talk about like just in time port opening for servers and the way that you would utilize that and and maybe now you would go down like a bastion route instead of having to do that, right, to get secure access to specific servers and things like that, just as those products evolve over time. Maybe not new features like immediately dropping misconfigurations because I haven't seen that, but just best practice moving on and changing with the time, so to speak. It's like a constantly evolving problem, it feels like, to me.

Yeah, exactly. And you need to be able to monitor that change in best practice, like you said then. Yeah, and CSPM can help with that because it's continuously updated at that point.

Is it fair to say that the owner of the security aspect of a resource might be different than the owner of the person that developed or deployed that resource? Are we talking about different teams of people here in the organization? We're talking about some people just building, moving forward, and then other people sort of coming in to clean up and harden after the fact.

Yeah, I guess it's part of that process. Kind of probably talking around your we did the DevOps episode, where you're talking about the SecDevOps or the DevSecDevOps and DevSecOps side of things. I got to know which way it was now. Where those that's now becoming a terminology to use. Where that code? I mean, it's necessary code, but say infrastructure in that scenario being checked and things like that, where you're right. In previous decades it may not have been checked that way. It might have been built and then security come in later. This is kind of taking the IT security side of things to look at the environment as it is and to understand the risks that are in that environment. It may be down to the owners of the resources to maybe remediate the misconfigurations or reduce the risks within that workload, because they know what they've built and why it's built that way, kind of thing. There may be a reason for it. So they may need to maybe make changes to their solution to remove that risk.

Yeah, definitely. And I think because it's an automated tool, you've effectively got that constant checking, haven't you? You've got that sort of Big Brother effect, looking at those resources in near real time. Right. So the feedback loop is very efficient because those teams can be alerted of those remediations relatively quickly.

Yeah. And I guess if you don't have a CSPM today, then that initial discovery will be potentially big. It might be a lot of recommendations, but once you've gone through that initial discovery remediated and that then your continuous like you said, the continuous viewing of it, new resource being built, et cetera, you'll be able to see that change in the posture instantly and you'll be able to remediate quicker because hopefully resources when they're being built aren't going to production straight away which means you've got the time to make those changes where when you first start you might have hundreds, thousands of resources in production that you are more difficult they're more difficult to make those changes to.

Yeah, and I think that first sort of scan of a you know you know, an environment can be quite overwhelming, you know, when it comes back, because, you know, in theory, there's a lot of security debt there that maybe people don't know about because maybe they haven't had a breach or they haven't been through that process yet. It might start to show you things that resources that you never even knew existed, potentially, I'm thinking like MSDN subscriptions, things like that, but also the sort of benchmark of a resources posture for every single resource you've ever deployed. And yeah, in some large cloud environments, there can be thousands or tens of thousands of resources right. Which potentially have to be reviewed at that point. Yeah.

And I think we've seen a couple of instances where a development environment has been compromised, and that's how they've got to production as well, haven't we? I think there's been some high visibility, highly visible ones in there. So even those environments need to be monitored, at least. Understanding that risk in those environments.

Yeah. And that blurred line. I've seen it quite a lot, the blurred line between production and development. And especially when we talk about infrastructure, I come from a software background where there is always a dev, staging and production environment. I say always, the majority of the time. But in infrastructure, sometimes if you don't have two Azure ADs and you integrate with it, it might be that your development environment is pointing at your production AAD. Right. And that might just be a decision from somebody previously to not roll a new tenant, having to set that up. Maybe they're pressured on a deadline, et cetera, et cetera. And because it's in a development environment, it doesn't go through change, it doesn't go through any formal process of that, just kind of a Wild West at that point, isn't it? I've seen a lot of people sort of ignore development environments, like, because it's not production, there's no production data there. There's less risk, but actually, because there's less control, I'd sometimes argue, actually, I would argue that there is more risk in those environments because there is less oversight and control. Right. So we've definitely had that conversation with people where it's like, should CSPM cover development environments? And what's the value of remediating development environments? But because humans control those environments, anything could happen. Right. And we're all inherently lazy. Well, we're not all inherently lazy, but a lot of people that build things are. It's their job to automate. So I think it's for the better of everybody that we've got these systems in place to nudge us in the right direction all the time. Yeah.

And I think the first stage is understanding what's there, like the discovery piece. If we're not able to do the remediations immediately, at least, you know, like you said, that risk that's there. Exactly. Yeah. Just knowing. Yeah, just knowing is critically important. Okay, so can you talk a bit more about how Microsoft Defender for Cloud approaches CSPM and sort of what features does it have?

Yeah, sure. Microsoft Defender for Cloud has two sort of tiers, two SKUs for it. You have Foundational CSPM and Microsoft Defender CSPM. And the kind of feature you get overall with both of them is that security and misconfiguration. Security misconfiguration and weaknesses, your asset inventory, your Secure Score. So a posture score for your environment, the ability to be able to visualize your data around your environments. Using the Azure workbooks, you can export that data from CSPM into other data visualization tooling. There is some automation there using Logic Apps. So when you see some of the misconfigurations you might be able to run a Logic App to send a Teams message to somebody or maybe do a PowerShell or something to remediate when it makes sense to. There are some quick wins in there for remediation. So some tools already in there built in. You gain access to the Microsoft Cloud Security Benchmark. That's the kind of stuff you get in the Foundational. And then in Defender CSPM, you get governance, the use of regulatory compliance to benchmark your environment. The Cloud Security Graph, attack path analysis, agentless scanning for virtual machines and discovery within Kubernetes, container registry vulnerability management, data-aware security posture and external access. I can't remember how you say this actually, ASM insights in network exposure. So that's the kind of things you cover. So it's quite a lot there just for CSPM because we just sort of talked about asset management and weaknesses at this point.

Yeah, can I sort of circle back on a couple of those bits? I think for me, Secure Score is obviously a massively powerful way of representing a sort of complex view of a world, right, and sort of distilling it down to a simple number that is quite easily digestible for a lot of people. So we've obviously got Microsoft Secure Score. Is Secure Score in Defender for Cloud similar to that? Is it effectively the same controls? How does it sort of stack up against it?

So it's in effect a similar concept as the Secure Score within Microsoft 365, but it's all around just the cloud environment. So it will have some subsections within the recommendation. So it'll be like identity, data in transit, kind of things like that. But in effect it gives you, based on how many resources you have, it will give you with your recommendations, it will tell you how much you can increase your score, and it's out of 100% like Secure Score is within Microsoft 365, and you can then improve that by remediating some of the recommendations in there. And some of those recommendations can be identified as risks within, you can accept the risks. One part of it is that there may be some. So the example is multifactor authentication. So one of the recommendations is to ensure that you've got multifactor authentication on owners within Azure. Now that's great if you're using Microsoft authentication because it's able to detect that and be able to tell you that you've got it enabled for your owners. But if you're using a third party as your identity provider, like Okta or Ping Identity, things like that, then it can't detect that you're doing MFA there. You might also be using Duo as your MFA and integrate it into Azure without being able to see those. Then it will always come up saying it's a required recommendation. So what you can do with the recommendations is go in and tell, in effect, update the risk to say, exclude this recommendation because I have a third party solution in place and remind me in a year's time to review it, or in six months' time. So you can decide when you want to review that recommendation again because you might have changed technology at that point. You might be going through a process of moving to Microsoft Authenticator for your MFA. So that's quite good in there, that there may be something that you can't change in an environment because it will break your application. Maybe you need FTP instead of SFTP, maybe, as an example, you may need it, so you can mitigate it against a resource or a subscription for a period of time, then review it later.

Yeah. So you can accept that risk, but then you can also put some governance around managing that risk right. Over some sort of time period, which is really powerful. Have you tried attack path analysis? Because it's relatively new and I think for me it's one of the standout features of Defender for Cloud now.

Yeah, I was part of the private preview for it before it came out and became sort of GA with the CSPM going GA in March. But it's really good. So it identifies, in effect, as it kind of sounds, the attack path through your resources and your roles to how someone could take over a subscription or a resource. So it's very easy to see where your weak points are within your environment.

Yeah, and I think what's great is because you get a sort of a visual representation of that path right. And the points on it in which you would maybe want to remediate and plug. I think it's a really good way of prioritizing certain resources and seeing where your best sort of bang for buck remediations are, if that makes sense. Because trying to work out where you should start is always quite a complicated thing with CSPM right. Because you get a bunch of recommendations, but then it's like, what do I do with this, basically? Right, so that can really help you to visually see your most, maybe sensitive resources and protecting them.

Yeah, exactly. And to be fair, when you look at those recommendations and in general your resources, there's no way you would understand that without doing some deep analysis of all the resources, understand where your weakest resources are or how someone can jump through your system. Because you might think it's absolutely fine there's no reason why someone could jump between those resources.

Yeah, well, I suppose in a lot of organizations, I'd probably argue that a lot of those relationships between resources are not mapped or not well documented. Right. If somebody got access to this VNet, this would be their avenues to basically move throughout your resources, if that makes sense. And that, I think, is as. That mapping is done automatically for you and then linking it back into recommendations for you is really powerful.

Yeah, absolutely. And just to probably talk on the last one, which I couldn't pronounce, the ASM is the External Attack Surface Management. So it's one of the other Microsoft Defenders that are out there. So you can see what your attack surface is from your external side of Azure and things like that.

Okay, I think we could definitely deep dive into all of those different features. It's kind of like Defender, because this is one part of Defender for Cloud. Right? And this is the thing with Defender for Cloud, it's not really one product. It's like, what is it, like twelve products in one? And CSPM then breaks down into a bunch of different products underneath that.

I think it's kind of three areas now. You got CSPM, you've got Cloud protective Workloads, which is, I think, what you're talking about with all the other defenders that we've done, they're out there. And then I think you've got your sort of code security. So Defender for DevOps now being its own section now, I say a small section, but it's not it definitely feels like a third, at least a third of the product, if not more.

You're referring to CSPM? Yeah, definitely 100%. Okay, so lots of companies are multi Cloud. Is CSPM supported on anything other than Azure?

Yes, so it is available. So CSPM is available for AWS, GCP, and some on-premise workloads. So when you're using Azure Arc, well, Microsoft Defender for Cloud used to connect to the other clouds, but there's a lot you had to do the other side to configure it. You had to enable, in effect, the security workloads in AWS and GCP to get the data to come into Defender for Cloud. But last year when Microsoft announced they were going multi-cloud and they were doing some changes with Defender for Cloud, they made that connector really simple. So now all you do, in effect, is for AWS, you get a CloudFormation script and then you can just deploy that and it will create some IAM roles and then connect, allow Defender for Cloud to connect into it and collect the data. So you don't have to worry about configuring Async within the other environments to be able to get the data. It will go off and read it. And same thing with GCP. It's just a cloud script that you run and it creates the roles, et cetera, in it. Not all of those features I talked about earlier are on all of the clouds. Some of the newer ones are Azure and AWS only, some of them just Azure at the moment, but they are, as they come out for Azure, it seems like AWS is the next one, then GCP comes later. So they're definitely pushing hard to get those out because I think some of them came GA in March and they're already on two of the clouds for the third one to come. So that's the clouds that they cover: AWS, GCP, and Azure, of course. And like I said, some workloads are available for the on-premise environments when they're configured via Azure Arc.

Yeah, and there's obviously third party CSPM products that are out there which do target multicloud, but I haven't seen a sort of I'm not aware of a CSPM product from one of the major cloud vendors that actually supports the other clouds that they're pretty insular. So it's very interesting to see Microsoft acknowledging that a lot of organizations now are multi cloud for various different reasons.

Yeah, absolutely. And they need securing. So that's kind of while CSPM is going over there and collecting the recommendations, things like that, it's also going to recommend having the protective workloads go over to them as well. Defender Server and some of the I think it's Defender for SQL and Kubernetes I think, are the ones that are going over to the other clouds at the moment.

Okay, so in that list you talked about the Microsoft cloud security benchmark. Can you just sort of explain what that is and why it's important?

Yeah, sure. So we talked about Secure Score and that's kind of like Microsoft's recommendations, best practice scenarios on how to secure the cloud. Microsoft Cloud Security benchmark is using some of the regulatory compliances out there to build a benchmark for all the clouds for AWS, GCP, and Azure. So it's a combination of the technical controls from CIS, PCI, and NIST. So the technical controls for AWS, GCP and Azure are all within that benchmark. So you can see whether your cloud environment using those three regulatory compliances meets that framework or meet that high level framework. I don't know, quite robust security framework on configuration. So you can break it down into the different sort of controls and then you can see all the recommendations within those controls. So then you can bring your so if you do need to be SAS compliant or NIST, you can use that one to get you to that level plus more because it uses some of the other ones as well. So for me, it feels like a very solid benchmark to go against and that's included in the foundational. So you get that from the start because regulatory compliance side of things is from the independent CSPM tier if you want to go against a specific regulatory compliance and version of that regulatory compliance.

Yeah. So I suppose if you're an organization that doesn't have to or hasn't yet adopted a formal certification of a regulatory compliance framework. Right. Then cloud security benchmark is going to get you a really good robust set of controls that should then the organization decide, okay, we want to go down this CIS route. Then if you've hit that benchmark, chances are, well, from a technical perspective, your controls are highly likely to be covered at that point. Obviously, regulatory compliance frameworks, only a subset of the controls are technical. Right. People and process is massive in there. But from our side, from the technical side, you can get started straight away hardening your environments. In theory. You don't need to wait, do you? Because it's included in foundational, there's kind of no reason not to use it at that point.

Yeah, exactly. As soon as you enable the CSPM foundational on one of your clouds or your accounts, et cetera, it will then start feeding into the cloud security benchmark. So you're straight away already getting that information whether you need it or not. So it is really good in that stance that you know that you're going against real controls from regulatory compliances out there without having to well, they're just there, aren't they? It's just done for you. You can just start building towards them. Like you said, if you then decide to go for NIST or CIS or PCI, you're pretty much going to be there from your technical side.

Yeah. So talking about other regulatory compliance, because sometimes if you talk to somebody in the compliance space about the cloud security benchmark, they might have ever heard of it, right? They might be an ISO practitioner, et cetera. How do other, I'll call them quotes, real regulatory compliance frameworks actually fit into that?

Yeah. So Microsoft has in effect a database of all the regulatory compliances. They have a good database of them and you can then apply them to your cloud environment. So you may have a subscription that is maybe your PCI subscription, maybe you're separating it via subscription, maybe you've got one that needs to be ISO. You can in effect apply those regulatory compliances to those subscriptions, accounts or projects within the other clouds to then see specifically those compliance frameworks. So you do have things like ISO in there. You have various NIST versions as well. Same thing with ISO. There's quite a few in there, maybe in the new one as well. And a lot of them are also available for the other clouds. There's definitely more for Azure being first party and probably going through that process already in Azure before they move to multi-cloud. So some of those other regulatory compliances are moving to CIS, sorry, CIS to AWS and GCP. You also have some of the, I think AWS has a foundational benchmark as well of their own, and I think Microsoft adopts that as well. So yes, you can put them in there and then you can see specifically against those regulatory compliances how much you comply with it, and you can generate audit reports for it. So if you need to do it for auditing, things like that, you can then generate it and see where you are. So that's quite handy as well for some of your auditing.

Large part of that compliance is sort of governance and attestation verifying what you say you're doing, you're actually doing. So what sort of, sort of governance lifecycles are in place in Defender for Cloud for managing the remediations? Yeah.

So now you can, within the subscriptions, the projects, the accounts, you can now specify some governance around it, some rules, which says that you get notifications about new remediations required. So as the cloud environment changes, maybe a new resource created and then there's a new recommendation for it, but maybe you're not looking at it 24/7, looking at the recommendations all the time. Maybe it's once a month, maybe it's once every three months. You're able to then automatically assign the recommendations to users as well as just going manually and assigning the recommendations. So that's really good now. So then you can give ownership to those recommendations and give them a grace period to remediate, and then they can update, say, I need more time because of this. So there's more of an audit trail there then about why recommendations or risk hasn't been mitigated. So that's the kind of things that are in there now. I mean, the great thing really is that if you've got a tag within Azure that says the email address of the owner, you can then get it to automatically say, if I see recommendations for a resource, automatically send it to the owner, which is this tag, and this is their email address. And then they automatically get assigned. So it means that any new resources coming out to get deployed and they've got recommendations, they get the email straight away and then the grace period starts.

And what I like about that is, and we kind of have that in DevOps and sort of the interaction around Git repositories, is when we have automated tooling on pull requests and we all agree what we're going to put in, right? So if we're going to put Terrascan in, we all agree that we're going to do Terrascan and then that's going to run. And if you commit some changes and then that flags, then we all blame, you blame yourself and you blame Terrascan, right, for like shouting at you. And what I like about that is that Defender for Cloud is then just, we all agree that we're going to use it and this is the way that we're going to configure it. And whatever comes out of it, it's not manually assigned, is it? It's just I've deployed some resources and Defender for Cloud, which is a faceless tool, it's not a person inside the organization, has then picked up that you need to make some changes, but also the business gets that audit trail of notified Sam on the 1 January, asked Sam to remediate in 90 days. 180 days have passed and it's still not remediated or even looked at. Right. And at that point we've got an actual, we'd hope it wouldn't get to that point. Right. But we can then start to see the lifecycle of that misconfiguration, which is really powerful.

Yeah. In effect, it does chase you in emails to tell you you've got this amount of recommendations to do, but also I think there's a report that can be generated to see which ones are close to their due date and things like that, or overdue. So then from an auditing or from that process, you can then go and start chasing in person. And that takes away a huge amount of manual intervention, doesn't it? Yeah.

Like having to set up calls with teams to talk about the remediations and to assign them to people and manage them and all of those things. It's just Defender for Cloud does all of the legwork, so to speak, of chasing people and all of that sort of stuff. Right. Yeah.

When someone gets set as an owner of an action or a remediation, they can change the owner to someone else. So maybe it goes to the owner of the product that they're working on, and then they can assign it to, say, maybe a product's got VMs and SQL and things like that, and they get all of the recommendations. They can then assign the remediation tasks for SQL to the SQL devs to resolve because they've deployed it. So it doesn't necessarily have to always go directly to the individual people. It could go to a product owner scenario from your perspective, or area owner. Maybe it's like a resource group level, maybe.

Yeah, definitely. It sounds really good and well thought out of that process. Definitely. Okay, so I suppose the big question is this all sounds great and all, Alan, but how much does it cost? That's a good question. So, Foundational CSPM drum roll, it's free. Do you get really free? Really free. I suppose I'm paying for the resources, aren't I? Yeah. Okay. But yeah, to add it on top, it is included in your current usage of the Cloud environments.

But it is completely free. And did you say it's turned on for Azure? It's on by default, yes.

When you go into Defender for Cloud, in effect it will ask you to upgrade to the new versions, but I think you can just, not bypass them, but not ignore them, skip them for now whilst you look at what you currently use it for. Because in effect, Microsoft are recommending that you enable all of the workloads, protect workloads, and that, to secure your environment. But you may need to take that process of understanding what the problem is and how much cost is going to be on your environment.

And is that just free for Azure? What about AWS, GCP, and you talked about on-premise with Arc, is that right? Are all the environments free for Foundational? Yeah, you don't have to pay any more for them. So creating the connectors into the other clouds doesn't cost you anything to be able to collect that data. It is just the Defender CSPM that is a cost to have.

You pay for the resources, and Microsoft is going to give you a level of posture management with all of your resources free of charge. Yes. So like I said, you can use the Microsoft cloud security benchmark for free. Yes, exactly. And that gives you an insight into those three regulatory compliances for free.

And if it is pulling best practice from those three regulatory compliance frameworks and sort of amalgamating it into one thing, that's also pretty powerful by itself, isn't it? Considering it's no extra charge. Yeah, exactly. Like we're kind of saying, if you need to do it, if auditing for your other regulatory compliances needs to see the report specifically for CIS, et cetera, then that's when you need the other framework adding to those subscriptions.

Okay. And that next level and excuse I suppose is Defender CSPM. So that's where you get everything then. And how much does that cost?

So probably about three weeks ago, three or four weeks ago, it was $15 per compute or data resource. So that is a storage account, SQL, virtual machine, similar things in the other clouds, kind of thing. So it seemed quite expensive to run because you may have 100 virtual machines, just to get that deep dive in CSPM. And that's mainly around the agentless scanning of VMs and things like that, that other capability there, because you don't have to run an agent on a server and it take compute away from your... you may have a critical compute-sensitive resource that you now can't do scans on, so it takes that away from it. But as of, like I said, two or three weeks ago, Microsoft dropped it down to $5 per compute or data resource, which I think is great. I think it's more acceptable at least.

Yeah. And I suppose what you're really paying for there is that extra intelligence that you talked about, the agentless scanning, there's Attack Path. But there's also the regulatory compliance angle as well for those extra frameworks, and the governance as well, as part of that uplift in Defender CSPM. So you are getting, I don't know, six or eight extra features there for a one-time extra $5 per month per resource. So I suppose this more stings for smaller environments, I would have thought, right, because if you've got a burstable VM instance that costs you $12 a month, then $5 a month relative to the cost of the resource is going to be quite expensive. But on the other side of it, if you are an organization that requires regulatory compliance, chances are your workloads aren't even utilizing those types of resources. Right. One would think that your consumption is quite heavy in Azure for your workloads.

Yeah, you're right. And it might also sting environments where there's a lot of compute and data as well. If you've got a lot of other resources, if you've got a lot of Logic Apps, for example, and Azure Functions and web apps, then it's not based on that, I don't think. It's all based on compute and data resources.

Yeah. And I suppose you've got to balance that with the human cost, right, of managing these things. And I suppose Defender CSPM's biggest competitor is Foundational, right. Because you do get a lot in Foundational. It's quite a generous free tier. But I suppose when you're talking about, maybe because realistically, to get some virtual machines could be thousands of dollars, pounds a month, right. So tacking on $5 a month relatively isn't too painful. But I suppose across a larger estate, that can build up. But then to do this manually, to map across regulatory compliance frameworks and search through all of your resources, that must take a lot of human cost to make that happen.

Yeah. And I think kind of the key thing to think about is really that agentless scanning, because in effect, it's taking a snapshot of the disk, the VHD disk, in effect, in Azure and scanning it without the VM being touched. So there's no interaction with the virtual machine as it's active, reducing compute and things like that. You may have to run those scans and things like that. You may have to increase your machines. I don't think you would need to, but that might be if it's compute-sensitive.

Yeah, but you've got to deploy and manage that agent, haven't you? Right. You've got to update it when there's new versions, and you've got to test the impact of it. Yeah, I was just about to say. Yeah, exactly. You don't know if it's going to cause disruption within your applications. And I'm not saying that happens a lot. Right. No.

Because generally a lot of agents that are provided for tasks are really effective and they don't have any sort of impact. But for very sensitive workloads, like compute-sensitive workloads or critical systems, right, that you don't want to... let's say you have a highly critical system in your business and it can't be touched. Maybe it's the VM that does the batch jobs for payments overnight or something like that, I don't know, random example. But it just has to work and nobody goes near it unless there's something really going on with it. Trying to discover what's potentially the misconfigurations on that machine can be a hard risk to overcome and to battle against.

Well, and the other thing is you're changing that environment, so you may have to go through your change process to be able to deploy the agent, things like that as well. And like you said, it might be that when you're patching it, it can't be on autopatch, you can't keep it up to date. Maybe you can only do it once every three months to keep it up to date.

Yeah. And then I suppose you've got the cloud security team, right? If your organization is large enough to have one of those whose sole responsibility is like the posture management of their cloud environments, then they have to keep going back to those teams to get patched and to go through that process. So in some respects, the busy work of that and the risk might end up costing a lot more money than $5 a month agentless scanning that nobody except for finance have to worry about. Exactly.

I can definitely see that benefit, for sure. Yeah.

And I don't think there's a lot within here that is an enhancement to looking at all that information. Nobody really wants the job of going through all these resources and doing all of that. It's not something that is right. Okay, we got CSPM, so now we can get rid of X team kind of thing, is it at all? It's more around this is the mundane sort of tasks of getting that data, doing that analysis for you, for you to have the results, then make decisions.

Yeah, definitely 100%. So, Alan, any other parts of CSPM that you don't think we've covered that you want to call out?

No, I think we've covered quite a lot, even though there's still probably quite a lot to cover. Still probably. One thing to probably mention is that in season two, episode eight, we did a securing multi cloud environments with Microsoft Cloud. So it's probably looking more around the protective workloads. But I'm thinking that was probably last year, about the same time as now, I think.

I apologize for the production quality of season two if you go back to that. But yeah, it might give a bit more context of what Defender for Cloud was like back then. Yes. So Sam, what's episode five?

Okay, so episode five, I'm going to be on that one and I'm going to be talking around Azure Confidential Ledger. And I know a lot of people might not like the word blockchain, but Confidential Ledger is a blockchain technology hosted by Microsoft in Azure. So what I'm going to do is I'm going to explain what it is, the value and the features that it gives, and try to give some real world scenarios that you can apply blockchain technologies inside your business. So hopefully no fluff and blockchain buzzwords, but I think it's a really innovative product and it's got some real good applicable use cases.

Okay, great. I look forward to that episode, I think. Cool. Okay, so did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps us reach more people, people like you. If you have any specific feedback or suggestions, we have a link in our show notes to get in contact with us. Yeah, and if you've made it this far, thank you very much, everyone. Catch you on the next. All cheers. Thanks, Alan. Thanks. Bye bye.

Transcript source: Provided by creator in RSS feed.