Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode 96. This week it's myself, Michael, with Sarah and Mark. This week we have a return guest, a big friend of the podcast, Yuri Diogenes, who's here to talk about CNAPP. But before we get to our guest, let's take a little lap around the news. So I have a small number of news items.
First one: in public preview, we have label-based access control for Azure SQL Database using Microsoft Purview policies. My colleague Shoham, who has been working on it, wrote a blog post on this. This allows you to essentially put labels on columns that contain sensitive data, using labels that are provided by Microsoft Purview Information Protection. And yeah, this is great to see.
I don't know, but to me, you know, the SQL access model can get complex and this kind of simplifies it a little bit. But yeah, putting mandatory labels on objects is always a fantastic defense. Staying in the database realm, Microsoft Defender for Cloud now adds full coverage for our Azure open source relational databases. So that includes Azure Database for MySQL and Azure Database for PostgreSQL, in both cases the flexible server versions.
And yes, this includes things like suspicious database activities, brute force attacks, and so on. So yeah, we don't just cover your SQL databases, SQL Server databases and Azure SQL databases. We now include MySQL and PostgreSQL. Azure Data Box now supports hardware encryption. Azure Data Box is used if you're transferring essentially terabytes of on-prem data to the cloud; it's probably the most efficient way of doing it.
Well, now we support, in general availability, AES-256 hardware encryption, also for Linux-based hosts. So this is great to see as well. So that way, you know, you encrypt it at the source and then we decrypt it at the end. And last but by no means least, and I am leaving this last because I am most excited about this, Trusted Signing is now in public preview. So Trusted Signing, this will evolve over the years, but Trusted Signing is code signing.
So it's the ability to take a container, or take, say, a Windows executable, and digitally sign that. So we now have all that ability in a very streamlined and cost-effective way built into Azure. As I mentioned, this will evolve over time to accommodate different signing mechanisms, but the infrastructure is there and you can do public trust or you can do private trust.
Private trust requires obviously a bit more scrutiny, a bit more background check, but private trust allows you to use your own CAs, for example, your own certificate authorities. This is really great to see. I've actually been kind of waiting for this for quite some time. So when the PM involved actually emailed me and said, we've gone GA, I was kind of floored, but this is great to see. Okay. Now we have the news out of the way. Let's turn our attention to our guest.
As I mentioned, we have Yuri Diogenes, good friend of the podcast. Yuri, welcome to the podcast yet again. We'd like you to take a moment and reintroduce yourself for the umpteenth time to our listeners. Hey, Michael. Thanks for having me on again. Sure. Great to be back. My name is Yuri Diogenes. I've been at Microsoft for the past 18 years, currently as a PM manager for Defender for Cloud, managing a team of program managers and product managers for our Microsoft CNAPP solution. Hey, tudo bem.
Tudo bem. I don't know much Brazilian Portuguese, but I do know that. So Yuri, can you give us an overview? What is CNAPP and kind of where did it come from? And also, to Michael's earlier point, what does it actually stand for? Yeah, sure. So CNAPP is Cloud Native Application Protection Platform, a mouthful of an acronym. And it was a term that was coined by Gartner.
And the whole rationale behind CNAPP was that with the evolution of cloud security, it was very visible that having the best of breed, as they call it, on each vertical was not really sufficient, because yes, we had cloud security posture management, which is a great thing, very important. We have cloud workload protection platform, which is yet another platform.
We have DevSecOps, CIEM, so many platforms, but these different platforms whose ultimate goal was to protect the cloud security infrastructure were not talking to each other. And there were a lot of opportunities in place to have one single place where they could share insights and, based on those insights, the cloud administrator or whoever is managing that platform is able to make smart decisions, contextual decisions based on their own environment.
Because if you think about it, the traditional CSPM approach was: here goes a set of baselines, and make sure to remediate those recommendations to elevate a secure score, which is good. But we always had complaints from customers saying, I have here 100 high severity security recommendations. I have manpower to address this and I don't know what is critical to my environment. I don't know if this is very risky for me. What do I need to do first?
So there was zero context when it comes to customers' environments. So CNAPP really solved this problem, because now I give you what's really important to your environment based on the insights that we collect across all platforms. So there's a lot of context when we tell you this is critical for your environment. So that's the whole idea about CNAPP. So it basically wraps up a lot of the dependencies.
So the cloud platform itself, cloud security posture management or CSPM, that sounds like the identity and entitlement, the CIEM, as well as the workloads themselves, and even getting into some of the application stuff, it sounds like. So you kind of have a one stop shop for your workloads and the platform and identities and admin controls that it relies on. Yeah. And not only all this, but also DevSecOps.
We need to have visibility of what developers are pushing to the cloud when it comes to infrastructure as code, when it comes to guardrails to even prevent developers from pushing vulnerable code to the cloud. All those insights are also ingested into the CNAPP platform and smart decisions can be made based on those insights. So Yuri, how does CNAPP, because you've been on this podcast before and talked about CSPM and cloud security posture management. What's the relationship between the two?
Because they are obviously related, but just if anybody's not clear. That's a great question, Sarah, because a lot of people ask this question, to be very honest. And the answer is, now with this CNAPP approach, CSPM belongs to CNAPP. So it becomes one more module within this CNAPP architecture. So we used to think about CNAPP as having different pillars. CSPM is one of those pillars, but now the CSPM insights will be rationalized into the CNAPP engine.
And then when we are building attack paths, when we are building risk-based recommendations, we take all those things into consideration. So in summary, CSPM becomes part of the CNAPP, but it's just one more pillar. Well, we've got now Copilot for Security and we're talking about AI and there's so many tools out there. So I guess there could be people asking, why should I care about CNAPP? And do I need this on top of all the other security tools I have? What would you say to them?
Well, there will be tools that will be completely replaced by CNAPP, because what we've seen in the market, as I said, is many customers started this cloud security journey by adopting a best of breed type of tool. For example, for vulnerability assessment. Oh, I have the best vulnerability assessment in the market. Well, it's great, but that vulnerability assessment is isolated, is not telling me anything, is not sharing those insights with all the tools.
So now I have to go to a different dashboard, obtain those insights and do a manual cross-reference with the information that I have in my CNAPP. So vulnerability assessment also being part of the CNAPP is a much better approach, because it gives the insight and shares those insights with the platform. So there's a lot of tool replacement that will be generated, because CNAPP is able to provide those insights in a much richer way.
That, and a lot of customers are realizing that it's not about the best of breed type of security tool. It's about consolidation and sharing of insights. So that's the whole purpose of CNAPP. You mentioned AI, which is super important, and that will be definitely the next generation of CNAPP: ensuring that AI is part of the platform so that you can not only take smart decisions, but you can leverage AI to automate your remediation, to better understand the insights of your environment.
And I talked about this last year at Ignite. We announced a private preview of Defender for Cloud with Copilot, which is still going on. And there are already scenarios where we are integrating Defender for Cloud with Copilot to provide exactly that. Obviously, there are folks out there and teams who are already using Defender for Cloud. So will it be the same people using all this CNAPP stuff? Or will there be other teams that will find some of the functionality in here helpful?
There will be multiple teams. Definitely there will be different personas utilizing the platform because, as I said, even DevSecOps engineers will be able to get value out of Microsoft's CNAPP solution. For example, if we have developers using GitHub or Azure DevOps, they will be able to interact with the DevOps security capabilities of Defender for Cloud, which are part of Defender CSPM, and obtain some insights when it comes to infrastructure as code best practices and things like that.
So the scope of personas that will be utilizing the platform expands a little bit. There will be more, or at least there should be more, integration between the teams. The teams need to share a common technology, which is Defender for Cloud. So we hope that the teams will talk more with each other.
If they do not talk, at least they have a common tool to visualize the insights that will benefit not only the posture management team, but also the DevSecOps and even the SOC administrators, because our threat detection is very rich and will be funneled to whatever SIEM the customer is utilizing. So even the insights from our alerts and everything will still be streamed to the SIEM solution. So definitely multiple personas.
So one thing you haven't mentioned so far, and if I'm wrong, let me know, but is there even a threat hunting aspect to CNAPP? So threat hunting, as I said, is more related to, well, let's step back a little bit. There are two aspects of threat hunting. If we are talking about active threats, that's more a SOC role: doing threat hunting and looking for alerts and hunting for active threats, more from the incident response perspective.
And this can be done by leveraging the insights from our workload protection. So all the alerts and everything. Basically they will do threat hunting in a SIEM platform. So for example, Microsoft Sentinel, right? So they will do this using Microsoft Sentinel by leveraging the insights that we provide to them. Now what we do have is a different type of hunting, which we call more like proactive hunting from the posture management perspective.
Because when you think about customers that are very mature in this CNAPP journey, which honestly at this point in time is not a lot of customers that are on this level, they already have enhanced their security posture. They already protect their workloads. So they have a team usually dedicated to do proactive hunting for posture management. What does that really mean? I want to understand my environment better to see if there are potential breaches. There is a new zero day.
I want to search my environment and see if there is any workload that could be affected by this zero day based on indications of compromise or something. We have inside of Defender for Cloud something called Cloud Security Explorer that allows customers to do this type of proactive hunting. Now this is different because here it is more, as I said, proactive. It's more for the posture management team to handle.
The traditional threat hunting is more for the incident responders to do, because they are hunting active threats. Well, as I mentioned at the top of the podcast, Sarah and Mark know a lot about CNAPP. I certainly do not. What are the kind of practicalities of this? How can someone get started with this? I mean, assuming someone like me who knows honestly very little.
Well, the good news for you and for everyone listening that is more interested in adopting a CNAPP solution is that we just released a new ebook, totally free to download, 100 plus pages. You go to aka.ms/MSCNAPP and you can download the PDF. And the good thing about this ebook is that the first chapters are very agnostic, which means that they explain what CNAPP is. They explain not only the concepts, but the general considerations.
And we are bringing something that the market really, the industry actually, needed, which is the concept of a maturity model. So we have this maturity model diagram and maturity model section within the ebook that tells you what the steps are, or what the different stages are that you will follow to get from a traditional approach of CNAPP implementation all the way to the optimal. So that gives you a roadmap to follow.
And then once we finish these agnostic chapters, we go to really Defender for Cloud, explaining how to plan and then to deploy. So that's the whole concept and the idea behind the ebook. So you actually had a nice segue there. So what are the Microsoft products that we have? So you said Defender for Cloud. What are the, I mean, is it part of a suite? I mean, how does that all hang together?
Well, Defender for Cloud is an umbrella of different plans if you think about it, because we have Defender for SQL, we have Defender for Cosmos DB, we have Defender for Servers. So these are different plans because these are workload protection plans. And then we have the main one for the posture management, which is called Defender CSPM. So the ebook covers all these plans that are under the umbrella of Defender for Cloud.
All right, Yuri, so as you know, because you've been on the podcast before, if you had just one final thought to leave our listeners with about this stuff, what would it be? To prioritize protection, right? Because what happens is we over and over see a lot of customers investing a lot into detection, which is important. Don't take me wrong. It's important to have good analytics. It's important to receive alerts and take actions.
But if you are doing just that, and you are ignoring your security posture, you look at your secure score and you're like 40% and you think because you have great threat detection you are in a good space, that's like trying to lie to yourself, right? You have to do the homework, because even our Microsoft Digital Defense Report already revealed that 98% of the attacks could have been prevented with basic security hygiene.
So if you don't do the basics, really you are just reacting and you are really putting a lot of pressure on SOC analysts to triage alerts and to respond to incidents, where you could even reduce the amount of alerts that you are receiving by basically doing the core security hygiene.
So when you start this cloud security journey, make sure to prioritize protection, elevate your security posture, invest time to understand your environment, and make sure that you improve the security posture every single day, because this is a continuous process. You don't do it just one time. This is a continuous improvement process. And align this methodology with good governance, because that's another problem, right?
If you start to remediate things, how many times have I seen customers that reach like 90% on the secure score in one week, and the next week they are back to 40%, and they were like, what happened? I said, well, this is because you are not preventing workloads from being provisioned without the secure best practice. That is the point of doing all this work, but you are not prohibiting users from provisioning storage accounts that are wide open to the internet.
So you have to have governance in place to prevent the provisioning of resources that are not secure by default. You have to align all those things. And these things are important. Otherwise, you're just going to react all the time. It's funny how often it's just the fundamentals, right? We live in an age where there's a whiz-bang feature for absolutely everything. But 99 times out of 100 it's just get the basics right. Actually, it's kind of funny.
That's probably the number one message I think we've had as final thoughts on this podcast. Get the basics right. Which is kind of funny. Everyone says that, right? Isn't that funny? Yeah. Anyway, no surprises. I mean, absolutely no surprises, but there you go. Hey, well, let's bring this thing to an end. As I mentioned before, this has been a relatively short episode. And I'm fine with that. I'd rather be short and sweet and on point rather than just waffling on for the sake of waffling on.
So, Yuri, again, thank you for coming back on the podcast. I have no doubt we will have you back on in the future. In fact, I think I know when we may have you back. I think we need to talk about cybersecurity careers at some point. Yeah. Just like we did recently at Texas State University. Exactly. Exactly. Yeah. That's right. That's right. We've got a lot going on between Austin and San Antonio.
So, again, thank you so much for joining us this week, and to all our listeners out there, we hope you found this episode of use. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at @AzureSecPod. Background music is from ccmixter.com and licensed under the Creative Commons license.