Let's look at how Cloud Security Posture Management principles have been incorporated into Microsoft Defender for Cloud in Azure. We can access Defender for cloud from links on the Azure home page or by going into resources and typing defender, where you can select from the drop-down list. The first and probably the most important metric is security posture. It's no coincidence that this metric shares a good portion of its name with cloud security posture management. 

The security posture score summarizes all your workloads' and resources' security status. To reinforce the concept that cloud security posture management is platform agnostic, we can see here that it is possible to connect AWS and GCP accounts to Defender for cloud for a one-stop shop monitoring solution. This is not saying that Defender for cloud monitors and assesses these other platforms. AWS and GCP have their own implementation of Cloud Security Posture Management and expose the results via an API. 

Ideally, we'd want a secure score of 100%, indicating we've implemented all threat protections available to us across all workloads, so 44% is hardly stellar and leaves room for improvement. It looks like we have two recommendations to implement to get to 100% coverage. This is a good time to tell you that there's a fair bit of latency in the initial threat assessment. I've only just created my resources, a VM with a Vnet and an Azure SQL database, and currently, I have two active recommendations. 

If I leave Microsoft Defender for Cloud to work its magic while I have lunch and walk the dog, when I come back, there are now seven recommendations. Let's explore our security posture by clicking on the hyperlink. You'll see on the left under Cloud Security, you can access the same view by selecting security posture. Clicking will display CSPM for multiple subscriptions if I have more than one, and I can enable permissions to access other vendors' cloud environments on the upper right. Let's view the current recommendations for this subscription.

As I said, it takes a while for all resources to be assessed across all security controls, and we can see that the top four have a status of completed, while the bottom two have not been assigned to anyone for remediation. In the right-hand Insights column, there's a bar graphic indicating the degree of threat that each attack vector or security control potentially poses. 

In the first row, enabling multi-factor authentication - weak passwords, phishing attacks, and other means of compromising user logins are still the most common form of gaining access to a system – will make a big improvement. 

Looking at the max score column, MFA is worth ten but currently scoring zero. Encrypt data in transit and Manage access permissions, the other two security controls that have been scored so far are four out of four. That means if I fix MFA right now, I can get a 100% secure score, as the MFA's potential score increase is 56%. The score recommendation dashboard shows us the low-hanging security fruit and the most important issues we need to address to increase our overall score. The current score for each security control shows us progress per control. While multi-factor authentication is an all-or-nothing control, we can drill into others like Enable enhanced security features.

There are two recommendations for increasing the security score here. Enable Microsoft Defender for resource manager and for DNS. One of the important features of a good Cloud Security Posture Management tool is easy and quick remediation, and I can enable Defender for DNS by clicking on the recommendation. This takes me through to a page where I can select fix and then fix one resource. While the remediation may be successful, it won't be reflected instantly in the secure score. As the name suggests, enhanced security features are more than the standard features that come with every Azure plan. We can go to the Defender for cloud overview page and under management, then environment settings, and select the relevant subscription. You'll see additional paid-for features with their prices which you can turn on. You can enable all of them with the button at the top or select individual Defender for cloud services. If you recall, enabling Defender on resource manager was one of the recommendations, so I'll switch that on and save.

Assessing regulatory compliance is another aspect of a good Cloud Security Posture Management tool. Drilling down into regulatory compliance assesses the security environment on Azure Security Benchmark version 3 and three security industry standards.

After 24 hours, my environment has a secure score of 64%. While I've implemented many of the recommended fixes, additional issues have been identified, further illustrating the depth and breadth of Microsoft Defender's Cloud Security Posture Management implementation.