Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode three of season six. Sam and I had a recent discussion around cloud security posture management in Defender for Cloud, a reporting tool to identify misconfigurations and best practice recommendations. As Microsoft has enhanced this solution over the years, a recap and update on a previous episode is long overdue.
We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support for the show. It's a really great episode, so let's dive in.

Hey, Alan, happy nearly-the-end-of-January.

Hey, Sam. Yes. Where's that month gone? I'm not sure. It's quite long, but also quite short in the same vein, if that makes sense.
Yeah, definitely. I mean, it's been manic, to be fair. Lots of things around moving house or not moving house, let alone, you know, all the work stuff. How have you been?
Yeah, good. The world's definitely woken up from the holiday break, which is really good, and it's just good to get back into the swing of things, I think, more than anything. And yeah, I don't know, there's just always, you know, so much change, so much to continue learning and absorbing. So yeah, it's just been a bit of a wild ride. What are we talking about this week?
So I think we're going to continue the Defender for Cloud series, scheme, whatever. I don't even know what to call it, but theme, I guess, is probably the word: talking about the portfolio of Defender for Cloud. So this one's going to be talking about the cloud security posture management side of it. Yeah. Did we do a previous episode on this?
We did in season four. I don't know which episode it was, but yes, some time ago, and there was lots to talk about then, and really we just need a recap, I think, about what you actually get that's included, because to be fair, there's a lot of stuff that I think hasn't really been talked about that's included, that you don't necessarily pay more for beyond the resource itself. So I think we kind of caught that, or talked about some of that, last week. So it's worth, like I said, I think last week I said, you know, we need to recap, understand it all again, try and talk about a few of the features in there. I mean, it's almost like another product in its... well, it's a product in itself, but again, I think it's becoming a beast.
Yeah, it's like a product in a product, isn't it? You know, I assume when we talked about it last it probably didn't have the split. It did? It did, but it was pretty new, I think, or hadn't been out for too long. Yeah. Right. Okay. Well, you know, for new listeners, should we just start off with the basics of, you know, what is cloud security posture management and why is it important?
Yeah, sure. So it's probably worth talking about the main theme that most organizations have had, or have been doing, over the past, we'll say, two or three years, and that's been protecting your devices, you know, not to say being reactive, but protecting after the fact, so sort of post-breach protection. You know, if someone does get into a server, the EDR can then kick in, Defender for Endpoint can kick in and stop the attack. Email security: something comes in and is then removed later, that kind of thing. It's been very reactive, I suppose, to "assume breach": I need to protect against what happens when I do get breached, how do I then remediate the issue or shut down that attack. And that's absolutely fine, because you have to have those protections in, because you do have to assume breach, or assume when you're going to be breached, that kind of thing. But the other side of it is actually being proactive and reducing your attack surface, reducing your risk. So that's why we go through and use Intune to harden our user endpoints, lock them down so certain things can't happen, preventing something from even executing. That becomes, I suppose, your posture management, your exposure management. You know, if we briefly talk about the exposure management side of things in Defender XDR, that's bringing all that data into one place and showing you what your risks are and where you should maybe prioritize, to harden yourself to reduce the risk of being compromised or having a breach, an attack on an endpoint, kind of thing. So security posture management is that part: seeing your recommendations, understanding where your risks are with your configuration.
Yeah, it could be vulnerabilities on an endpoint, it could be misconfiguration in a cloud environment, it could be recommended configuration to do hardening to reduce a risk, you know, enabling attack surface reduction in Defender for Endpoint as an example. So it's important to have those tools to sort of sanity check your configuration or your environment, to then be able to understand where your risks are, where you need to prioritize updating configuration or improving that security element, or where you can't make those changes because of software. An example is legacy software that you still need to keep to run an application. It's got loads of vulnerabilities in it. That's obviously a weak point per se. It's more around what mitigation you've got in place, what extra monitoring you might have on that sort of area, so at least then if something does happen you see it. So that's, I suppose, the high level of what posture management is. And in effect there's various tooling, like I said, that can do that. And one key area is around cloud security posture management. So how is your cloud environment, and this is more around the infrastructure sort of cloud environment, so for example Azure, AWS, GCP environments, and understanding how they are configured against best practice, even based on the provider's own best practice recommendations on how to secure it, versus what other standards there might be out there on how you should configure a Kubernetes cluster, a virtual machine, RBAC in those environments.
Yeah, and I just want to add one bit to that as well, which is where in your ecosystem, and how close to the edge of your ecosystem, these resources are. Right. So your user endpoints, well, traditionally they would have been on site, wouldn't they? You might have had desktops which were in your offices that never roamed or anything like that. Then we had endpoints that left the organization and we had to adopt zero trust to make sure that they were as well protected as possible. In cloud, a lot of resources are, let's say, publicly accessible or close to the public edge. For a lot of organizations, a lot of resources aren't; they're private, just workloads running in a different data center, effectively. And I think that's why it's so critical and it's become such a, do we call it a discipline, or an area of focus, security posture management? The cloud is just so hyper-connected. It's relatively easy to expose. So these types of tools are only going to become more important. They are already important, but it's not going to shift away unless those workloads shift away from the cloud.
Yeah, and this is more of a, you know, you can build secure from the start. Someone can configure something, or design something, to be secure, but maybe the implementation missed a step, things like that. This is more around understanding your environment and getting visibility of it from a security lens. You might have loads of stuff in Azure built by infrastructure as code with all the will in the world; it's built to be secure, but environments change, tweaks are done, the services change as well to maybe add additional features that maybe you shouldn't have turned on, or they're deprecated, or other recommendations come in. So this is just giving you that visibility. I suppose you could say it could be removing a blind spot from your view of how it's been configured. I mean, previously I've had a couple of engagements where you didn't know what was in the cloud environment. Generally, you knew they had a lot of, you know, developer teams building application services, etc., but the security team had no visibility of how it had been configured or if there were any weak points, kind of thing. So being able to just visualize that, understand from a score, or whichever way you want to look at it, how many recommendations there are, what critical ones there are maybe, or even just understanding what assets you have in a list, that's going to be valuable to yourself in case of a, I don't know, you know, there's a zero day for a Kubernetes cluster or something.
I don't know, I'm trying to think of something, but, you know, just trying to understand where you may have an issue, where you may need to harden that environment. Like I said, just having that visibility is key.
Yeah, exactly. So Alan, how does Defender for Cloud CSPM help with visibility?
Okay, so Defender for Cloud, which is, no, Defender CSPM is part of the Defender for Cloud portfolio. And well done, we said last week that we call Defender for Cloud a portfolio of products because it is. It could be split into three sort of areas, but generally there's loads of different products within that, and I think we even tried to do a Defender for Cloud overview and it's like scratching the surface of it. So Defender CSPM is kind of split into two areas within the product. One part is called Foundational CSPM and that is in effect free. So I suppose you could say yeah, it's free, you're able to use it, it doesn't cost you anything on top of any of your other Azure spend, or AWS or GCP spend. So I kind of alluded to it already, but Defender CSPM, or Foundational CSPM, is available for Azure, AWS and GCP. So not just Azure. So you can gain that visibility into those other clouds and you don't necessarily have to understand how those environments work. You know, if you've been using Azure and then you've acquired an organization with AWS or GCP, as long as you create those connections, you can then get the understanding of what resources are in there. So yeah, split into two. Defender CSPM is a paid subscription and we'll talk about how much that costs, etc., later on, but straight out of the box, for free, there's quite a lot that you can get. So I'm going to run through, I'm going to say quickly, but very high level, what you get in Foundational CSPM. And as I said, everything I mention now is also in Defender CSPM. So you get security recommendations, asset inventory, secure score, data visualization and reporting with Azure workbooks, so being able to visualize that data the way you want to see it, exporting the data, the recommendations and things like that, out to something else.
Maybe you want to put it into Log Analytics, or you want to export it into something else and then be able to do a Power BI report on it, things like that. Workflow automation, to be able to alert on a new recommendation or work out which team needs to be notified about a recommendation, that kind of thing. Tools for remediation: that seems very high level, but in effect there are some quick wins there, quick fixes that allow you to remediate some of the recommendations straight out of the box. And then you get the Defender Cloud Security Posture Management benchmark. In effect that is a benchmark that Microsoft has that is based on CIS, NIST and PCI, the sort of, what they call the technical controls, where you're able to actually make changes to the resources to meet those requirements, so not the people and process part of it. So that's what you get from Foundational CSPM, which is in effect a lot of the reporting side of things and getting the baseline sort of recommendations. So yeah, for free you can see that. And that is all in, you know, all those three environments. So for Defender CSPM you then get some more enhanced reporting and other stuff. So let's go through some of those, and again I will probably run through this because there are quite a few here; maybe we'll pick some later to dive into. So we've got AI Security Posture Management, so that's quite a new one that's come in. Agentless VM vulnerability scanning, agentless VM secret scanning, attack path analysis, risk prioritization, risk hunting with the Security Explorer, code to cloud mapping for containers, code to cloud mapping for infrastructure as code, pull request annotations, Internet exposure analysis, external attack surface management, permissions management, regulatory compliance assessments. I mean, I'm what, two thirds of the way through this list and there's already quite a lot there. I don't know what you think, Sam.
There's tons there already.
Yeah, finish going through the list in its entirety, and then we'll pull out some bits.

Yes. I just think the more you speak the more ridiculous it sounds. Not you. I had to take a breath. I had to take a breath, really. That's what I was getting at. That's why I said take a sip of water and continue. Yeah.
Yes. So I think I said regulatory compliance assessments. ServiceNow integration, critical asset protection, governance to drive remediation at scale, Data Security Posture Management, sensitive data scanning, agentless, let me get my words out, agentless discovery for Kubernetes, custom remediations, agentless code to cloud container vulnerability management, API Security Posture Management and the Azure Kubernetes Service security dashboard. And that is it for now.
Okay, so I think the first thing I want to discuss with you, after you've just gone through both of those lists, is why do they release so much in the foundational tier with no cost, do you think? Is it a tease to upsell you to the Defender portion? Because it's not like... are there any other examples of this where Microsoft will give you a completely free tier of something before you upgrade?
I guess in Azure generally there are some free tiers, aren't there? We've seen those, or very low cost tiers of stuff. But I think it's because it's important to understand your environment. They want to help customers be as secure as they can, and all this information is kind of already there, if that makes sense. It's just visualizing it or bringing it to your attention, basically, I feel. And you could say as well that they want to be able to show some, not to say responsibility, but show that they care about the security side of things, and give you some of that tooling to make you secure on their platform. I mean, quite a lot of the foundational stuff was probably originally part of Defender for Cloud, or whatever it used to be called, Azure Security Center. Yeah, wasn't it? Yeah, Security Center, yeah. So it used to be part of that kind of functionality, and that was included from day dot, kind of thing. So I think they're just making sure they keep that same sort of functionality there and then enhancing it. I mean, I just...
Yeah, sorry, go on.
I mean, I didn't even talk about where some of this functionality is available. We'd be here for another couple of minutes. But not all of them are available on all platforms. That's fair to say. Most of them are AWS, Azure, GCP. There are some Azure-only ones while they're in preview, some of them. So they will sort of venture out into the other places as well. But some of those foundational ones, they are Azure, AWS, GCP, on premises when you've got Azure Arc enabled, Docker Hub, JFrog Artifactory, and I think that's it. Yeah. So they're including others. I'm guessing JFrog and Docker Hub are container image locations. That's fair to say; probably out of my depth here.
But you just made the exact point that I was just about to make, because not only is something like Secure Score and the Microsoft Cloud Security Benchmark zero cost, it is also supported in external cloud platforms. Right. So the Microsoft Cloud Security Benchmark is supported in Azure, AWS and GCP. So it doesn't matter if you've got a split cloud workload and you've got some stuff in AWS; Microsoft wants you to connect to it. They want to scan the posture of it with their own benchmark and they'll let you do it for free. I don't know, that's just the part of me that's just... This is why Defender CSPM, at least Foundational, and we do say this to a lot of people, is literally a no-brainer, because the time it takes to onboard it is very, very quick and the value that you get out of it for literally no cost... I mean, there's not as much value as in Defender CSPM, but from an inventory management perspective and security recommendations, I suppose it does align with the free Secure Score, doesn't it? I suppose, yeah. Because really what you are getting here is Secure Score and inventory for cloud in a very basic way.
At the same time, Secure Score is really Microsoft technology based, excluding your integrations with Defender for Cloud Apps and the SaaS Security Posture Management that brings in some of the other stuff. But then that's kind of similar to this, I guess: that posture management is just enhancing it to third parties for the included cost of Defender for Cloud Apps.
Yes, and the included cost is a good point, because I was just thinking, when I said it's free, you do actually have to pay for the resources in order to benchmark them. Right. So yeah, I assume you're paying for it somewhere. Yeah, I called that out. I think there's no additional cost for it apart from the resources that you've got in those workloads, in those platforms. So.
But then it does give you recommendations on free resources, doesn't it? Like, yeah, resource groups as an example, you know, you don't pay for RBAC stuff as well. Yeah, it's not a... you could claim it's... well, you could have Azure on and have free stuff and not have paid Entra. Do you care? Do you get super identities in Foundational, or is that... No. Okay, fine. Okay.
No, that's under the permissions management part. So you'll get some recommendations on RBAC, or like, you know, someone doesn't have MFA, that kind of stuff. Not to say the basic stuff, but the default stuff, but not the over-permissioning side of things.

Yeah, sorry, I hadn't scrolled down the list far enough to see permissions management, so apologies for that. Are there any standout features that you want to take us through?
It's probably worth talking about, including the foundational side, and we kind of maybe talked about it last week a little bit, but initially you weren't able to see some resources. Like, you'd see API Manager, but you wouldn't necessarily see each of your APIs, as an example. With Foundational and Defender CSPM, I think it's both of those, you in effect can get your inventory for most things now. It's been included in the pricing for it. Previously I think you might have had to have the full cloud protective workload to even be able to inventory the resources and then get all the extra benefits from it. That's been included. Things like, because there was once Defender for DevOps, I think it was originally, when it was in preview, that was going to be a protective workload; that is included now in Defender CSPM to be able to check your code, you know, the code to cloud sort of capability. And recently there's the artificial intelligence security posture management, it's interesting it was twice in here, but being able to see that now, because OpenAI and the other models are in the various clouds now, you'll be able to understand how they've been configured, to try and reduce the risk of them, seeing the attack path on those, understanding how someone could use that to then gain access to data or something like that. I think, excuse me, that's very powerful in today's world where AI is key, or is the driver of everything.
Yeah, I kind of see Defender CSPM as a kind of catch-all workload, if we want to call it that. Right. So you obviously had the static sort of posture management, but it kind of feels like that wasn't valuable enough to enable it in some respects. Right. Because you do have other tools, don't you, that you can run against your cloud infrastructure. There's lots of, even open source, tools that can help you with CSPM. Right. But what I think they've done is they've introduced the DevOps process, haven't they, and the deployment process, the software development process, into it as well. Because I bet you that's a big chunk of users of Azure: custom app development, AI development workloads, etc. And then they've just expanded that tooling out, because those development teams aren't just using Azure, they're using other tools and processes, Docker Hub, etc. So they have to reach out into all these other places so that they can get true end to end protection for teams, you know, and one
of the things is trying to understand the vulnerabilities on an operating system or container. Previously you might have had to have a scanning tool, you know, Tenable, Qualys, etc., or Defender for Endpoint onboarded on that machine. Not that you wouldn't put an AV on it, but they may be so small, all the containers, kind of thing. They brought out the agentless vulnerability scanning, where in effect it's taking a snapshot of the disk and then scanning it offline to look for vulnerabilities in the software and everything. So you're not impacting those workloads by having a scan or vulnerability assessment done against them. Not that they tend to be very aggressive in today's world for AV, EDR and vulnerability management, but it's just taking that out of the picture, that kind of stuff. And the same thing with containers and images. Yes, some services can do that, but this is just doing it in the background for you and understanding what possibilities there are from the vulnerabilities in that image. Maybe, as I think you said previously, sometimes you have a base image that you've used and then you've added your own software on top of it. You need to understand what your risks are.
Yeah, yeah, definitely. I mean, the big one I'm really loving at the moment is attack path analysis, to be totally honest with you. And it's kind of linked in with external attack surface management and Internet exposure analysis, because what I find is it's not easy to quantify single resources in Azure, or any cloud service, because they're all interconnected and dependent on each other. It's very rare that you would have one single IaaS VM that's exposed to the Internet running a web server. In modern application development, that just doesn't really happen that often. Right. So being able to look at the posture of resources, and how they are connected, and the information that they share between each other... Because identities are really complicated. They're not really complicated; they can become complicated in Azure, because you could create an identity and share it amongst lots of resources. Right. And then you don't really think about the posture of resource X, which shares an identity with resource Y, but resource Y is publicly accessible to the Internet and it has a posture management issue, like, let's say, I don't know, RDP is unauthenticated and open to the Internet, as an example. Right. I'm just using stupid random examples, but being able to see that path mapped out, and kind of automatically for you as well. But you can run your own queries to drill through that graph yourself, and you can find out a lot of really good information about your environment through that. You've got to take it with a pinch of salt, because I have seen a lot of, I'll call them false positives, with attack path analysis, and especially the criticality and the severity of some of the recommendations it gives is questionable sometimes.
But as an automated tool, always running, always watching, and being able to alert you with notifications for changes in your environment, that is pretty powerful to me. You know, because it's running 24/7.
Yeah, absolutely. And I think, the attack paths, like you said, there are some questionable attack paths, but I think, from what I've seen, it's more around the Internet-exposed device having vulnerabilities on it itself, you know, having a critical one on there, and in effect it's saying, well, if that could be compromised then they're in and they've got access to all these resources, kind of thing. I've seen that where it's been more around the vulnerabilities rather than, I suppose, the configuration of it or the identities being used as well.
Yeah, but we've got lots of ways. My always go-to example is Internet-exposed Azure blob storage containers. It's almost trivial how simple it is. Actually, it's different now. The experience in Azure is different. It's a lot harder to make them publicly accessible now. But I've seen countless examples of somebody creating a public storage container to share something with somebody else and then not cleaning up afterwards. Right. So this attack path analysis is constantly watching. You might have Azure Policy in place to block that type of activity. But is your coverage 100%? Will it be 100% in three months' time? Just having the safety net of something watching and saying, hey, I think you've got a storage container here and it's potentially got sensitive data in it, and by the way, it's publicly accessible. Are you okay with that? Right. Just having that. And even if it is, and I know I spoke critically of the alerts and some of the recommendations, I would prefer to be cleaning up a false positive than to not have that insight at all, because I wouldn't say it's that noisy. It just takes some management to keep an eye on it.
Yeah, yeah, exactly. But yeah, I mean, we've talked about two, maybe three, of those 15 or 20 things on that list. It's definitely worth checking what's available and what the benefits are, and which resources or workloads it's available on. I mean, like I said, most of them are on the three main ones, plus these new Docker Hub and JFrog ones.
Yeah, I think Foundational CSPM is a no-brainer for everybody, because there's good value there. If you need regulatory compliance, if you're publicly exposing things to the Internet, if you've got a development team building into Azure, or you're using any type of containerization, Defender CSPM is likely to be valuable for any of those individual workloads by themselves, I would say. Yeah.
Should we move on to pricing, Alan? Because I think there's some nuance there. Well, not nuance, it's quite simple, but I suppose there are some things to think about. Yeah. So as we've said, Foundational CSPM is free, included in the resources' current spend in whichever cloud environment it's in. So you don't pay anything on top of what you're already paying for the resources.
Well then, from that perspective, sorry to butt in, but it is free, isn't it? Because it covers AWS resources and Microsoft don't get any of that money, do they? Right, sorry, I've taken back my statement. It is free.
Yeah, okay. So yeah, it's free, you don't have to pay anything. So for the foundational, sorry, Defender CSPM, it is done at a subscription level enablement, or account, or workspace, I think it is in GCP. So it's done at the subscription level side of things. So anything in that subscription, depending on the resource, which I'm going to talk about in a minute, is then billed for it. So the cost of CSPM is $5.11 per billable resource per month. So the thousand million dollar question is, what is a billable resource? So I said a lot of the workloads aren't included, or being classed as a billable resource. So the main areas are compute, storage and databases. So anything in Azure, AWS, GCP that is a virtual machine, scale set, or EC2 instance, or Google Compute instance or Google instance group is classed as a billable resource. But if they are deallocated or turned off, not running, then they don't get billed. So it's only billed when they're turned on, which is what we see on some of the other workloads. So it's not just the count of VMs, it's only if they're turned on. Storage accounts. So generally, as it says, storage accounts, but there's an exclusion on storage accounts without blob containers or file shares. So if you're using tables or queues, I think it's the other one that they can be used for, then they won't be chargeable against CSPM, but you might get some recommendations around them. Databases, i.e. SQL Server, Postgres or MySQL, SQL Managed Instances, MariaDB, I probably absolutely destroyed that, and Synapse is classed...
I'm not going to correct you. It's better if I don't. Oh, okay. Well, it's completely out. Yeah, no, no, I just continue on.
Yes, so that's the ones in Azure AWS's S3 buckets and RDS instances there is no exclusions for those. If they're there, they're being, you know, included Storage buckets. In GCP there are some exclusions but other regions then Europe West 1, US East 1, US West 2 and US Central, they're outside of those and there's a few others in there, then it's not included and cloud SQL instances are included. So those, those are the resources there. What you can do to understand how many resources you have that may be billable in Defender, in Defender for Cloud there is a, in the workbook section there is a, a cost estimation workbook and it will show you how much CSPM will cost you in, in each subscription or overall and including ads. I think GCP is coming from it. I don't think GCP is in there at the moment. So at least you can see straight off that if all machines were turned off, all those resources were turned off. This is how much it would cost you per month.
So are there any, like, real resources that aren't billable? Well, containers, images, instances, the Docker Hub images, the APIs or OpenAI or AI security. They're not included. They're not a billable resource. So if you. Yeah, okay, so if you've got. Let's use a really basic example. Let's use a key vault. I've got a. I've got a subscription with a single resource group and a single resource of a key vault in it. If I defend it, if I enable Defender CSPM, do I have to pay for it?
You'll have it. Yeah. As far as I'm aware, there's, there's, you know, it's only based on the billable resources. I think some of the examples were if you had, I don't know, three servers and then you had a hundred APIs, you know, an API manager or API managers, you know, Paper API or API manager, that's all included. DevOps, doesn't matter, as far as I'm aware, how many DevOps instances or repos that it's scanning or pipelines that you've included. It's all included.
Interesting. Okay. Yeah, so. Okay. So actually, okay. I've just looked up the table, actually. Wow. It's quite a limited set, isn't it? Yeah, because things like App Service aren't included, right? No, but you get recommendations on it, and some good ones at that as well. But you can get. Yeah, but because one of the paid features of Defender CSPM is, like, prioritized, you know, recommendations. Right. Yeah.
So if you had a subscription that's just got. But I suppose they are banking on the fact that, you know, like an App Service is likely to. Yeah, but an App Service might back off to Cosmos, I suppose.
Yeah, but don't, don't forget, though, this is the posture management side of things. There is also the cloud protective workload for App Service, where you maybe get more insights just on that one, and you'll get activity alerts and incidents and things like that. So there's value in having the individual cloud protective workloads that you can have. Yeah, and I could, from a posture management sort of good standpoint, you know, all the code going up to your App Service, making sure at least that's, you know, the best it can be, is probably not a bad thing for Defender CSPM.
And, and I think that probably highlights why it might not be so scary. Because you set it at the subscription level. Right. Because you then think, oh, everything in my subscription is then included. I can't break it down any further. Right. But you might have in a, you know, it's probably a good call out for correct organization of Azure. Right. Landing zones.
Landing zones, segregation, you know, so because, you know, if you do have things correctly segregated, you can sort of decide, well, you can, you can limit your exposure to, you know, things being included. I, I can imagine for the cost, especially when you're saying, you know, like a virtual machine, you know, like a production-level virtual machine's not $5 a month, is it? You know, so of your relative spend on those virtual machines, Defender for Cloud posture management might be a low cost. I know it's, it's adding cost, but I mean relative to the actual resource itself.
Yeah. And I think there used to be, there probably still is, that if you do have one of the other protected cloud protective workloads, there are some, I'm going to say, discounts, because some of the other workloads enhance, you know, they, they may partly include some of it. So there is a, not to say cost reduction, but you're not paying twice for some of it. Some of the functionality, I think, is fair to say. Yeah, no, definitely, I agree. Yeah, amazing. Okay.
Yeah, definitely worth getting foundational CSPM in place and getting your other cloud environments hooked up to understand what it looks like. And then you can make the decision about moving to the, the full CSPM sort of functionality and seeing all the, I'm gonna say, cool stuff that comes out of it. We may not want to know it. Yeah. Or well, you need to know it.
What's your license period? How long do you even need to run your Defender CSPM for? You know, sorry, being nefarious there. But yeah, you're only billed every 30 days, aren't you? I think you're billed. Well, if machines are turned off, you don't get billed. So it's probably per hour. Yeah, I guess. Or per day, maybe, is the, the worst. So you've got that. But you do have to consider that recommendations change, new resources are built. Oh no, 100%. 100%. So 100.
Yeah. I mean, if you want to try it out, see what you benefit from it, then yeah, you will. You do. If you've never enabled it at all on a subscription, then you do get a 30-day trial, as far as I'm aware, for it. So you can then at least see what you get and, and then realize that you, you want to keep going with it, hopefully.
No, that, that, that is good. That it is, it is that approachable. Right. So you've got two different levels that you can start with, and you've also got that flexibility of the trial as well, you know, that, that you can't get. And it's billed monthly, and actually not just monthly, because there is this, you know, if computers. Actually, there's exclusions for deallocated VMs as an example. Right.
So, yeah, and, and with Defender for Cloud, there is a reservation you can have. So you can pay up front. Benefit. Yeah, yeah, yeah, pay up front and get a discount if you're, if you, if you, yeah, you're burning, you, you're consuming enough costs there to reduce the cost. So there are ways to assist in the cost of it. Okay, cool. Thanks for that, Alan. I feel like we covered a lot, but not a lot at the same time. It's mental.
Yeah. It's almost like when we used to say, oh, we'll do Defender for Cloud, but then we'll do individual workloads. We've almost done CSPM and a few of its functionality, not even dived into it. I mean, I think you've done one on DevOps security previously, so you've kind of covered a little bit of it, or one section of it, but that was a whole episode. So, you know, Attack Paths and a few others. Probably doing its own episode.
Yeah, definitely. 100%. Yeah. Cool. So what's the next episode? I think it's the news, isn't it? Yeah, it will be January news at the start of February. Cool. Yeah, I haven't checked, actually, to see if any news has come out. I've heard of some previous stuff that I can't talk about, but yeah, I'm.
Waiting for my Kale studio and my Azure data. Was it Data Box? Data Box. Yeah, I'm just looking for those updates. I'm just going to skip over everything else. Oh, you've done a load of updates to Azure SQL? Nah, don't fancy it. I need a new. I need a new submarine version of Azure Data Box. Thank you.
Cool. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify or YouTube. It really helps us reach out to more people like yourself. If you have any specific feedback or suggestions, we have a link in our show notes to get in contact with us. Yeah, and if you've made it this far, thanks ever so much for listening. We'll catch you on the next one. Yeah, thanks, all.