Understanding Microsoft CNAPP: How Defender for Cloud Secures Your Multicloud Workloads

In today’s rapidly evolving cybersecurity landscape, cloud security has emerged as the next key frontier. As organizations increasingly adopt cloud technology, the need for robust and comprehensive cloud security measures has never been more critical. An emerging trend making waves in this frontier is the cloud-native application protection platform (CNAPP). In this blog post, we will explain why traditional security approaches are not well-suited for the cloud, introduce CNAPP as a new type of cloud security platform, and highlight the unique position of Microsoft Security in this cybersecurity domain.

We as baseVISION are here to support you on your cloud security journey. For this, we built a service offering around Microsoft Defender for Cloud that helps you protect your cloud resources, applications, and data end-to-end. 

Cloud Security is more important than ever

The adoption of cloud technology has transformed the way businesses operate, but it has also introduced new security challenges. This shift has expanded the attack surface, particularly for those managing on-premises (hybrid) and multicloud resources. Alarmingly, 86% of security decision-makers believe their current cybersecurity strategies are insufficient to keep up with their multicloud environments (1). How about your organization? Are you overseeing all cloud environments deployed by your IT and business departments? The security principle “You can’t secure what you don’t know about” holds true in any environment. Do you manage the security posture of your cloud resources and the control plane to prevent breaches? Many significant security incidents occur due to poor hygiene in cloud workload and service configuration management. Can your SOC and incident response team detect and respond to attacks against your cloud environments?

We’ve observed that many organizations started incorporating cloud solutions into their innovation strategies a few years back. Independent teams, usually outside the IT and security departments, utilized easily accessible cloud services for projects that often turned into vital production systems holding sensitive data. Meanwhile, the IT department set up a governed landing zone, but the systems deployed before it existed accumulated significant risks.

Two common situations we find when working with customers are: 

1. Cloud control plane access controls are too permissive, and no proper RBAC model is defined and implemented. Identities often have more permissions than necessary. Adhering to the principle of least privilege is difficult given the vast number of roles and permissions available on cloud platforms. The recommendation in the screenshot below shows a user account that uses only 65 of its nearly 6000 assigned permissions.

2. PaaS-type services that should only be accessed from within a virtual network are exposed to the public internet, often without even minimal security measures such as IP whitelisting or strong authentication mechanisms.
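The two situations above are exactly the kind of findings a posture check should surface automatically rather than by manual review. The following is an added example written for this post, not baseVISION's or Microsoft's code: a small Python posture evaluator that runs two rules over constructed records. The storage account records are shaped after the `publicNetworkAccess`, `networkAcls` and `privateEndpointConnections` properties Azure exposes for storage accounts, and the identity usage rows mimic the assigned-versus-used permission counts a CIEM tool reports; both data sets, the thresholds and the names are assumptions made for the example.

```python
"""Minimal cloud posture check over constructed Azure-style records.

Added example for illustration only. The rules mirror the two common
findings described in the post: PaaS services reachable from the public
internet, and identities with far more permissions than they use.
"""
from dataclasses import dataclass

# --- Constructed sample data (hypothetical tenant, not real resources) ---
STORAGE_ACCOUNTS = [
    {   # public endpoint, no network restriction at all
        "name": "stprodfinance",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Allow", "ipRules": []},
            "privateEndpointConnections": [],
        },
    },
    {   # public access disabled, reachable only via private endpoint
        "name": "stprodlocked",
        "properties": {
            "publicNetworkAccess": "Disabled",
            "networkAcls": {"defaultAction": "Deny", "ipRules": []},
            "privateEndpointConnections": [{"id": "pe-stprodlocked"}],
        },
    },
    {   # public endpoint, but limited to a single allow-listed IP
        "name": "stpartnerfeed",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Deny",
                            "ipRules": [{"value": "203.0.113.10"}]},
            "privateEndpointConnections": [],
        },
    },
]

# Constructed CIEM-style usage rows: permissions assigned vs. actually used.
IDENTITY_USAGE = [
    {"principal": "svc-deploy@contoso.example", "assigned": 5980, "used": 65},
    {"principal": "alice@contoso.example", "assigned": 120, "used": 98},
]


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    message: str


def check_public_exposure(accounts):
    """Flag storage accounts whose data plane is reachable from the internet."""
    findings = []
    for acc in accounts:
        props = acc["properties"]
        acls = props.get("networkAcls", {})
        # Azure defaults are permissive, so treat a missing key as "open".
        public = props.get("publicNetworkAccess", "Enabled") == "Enabled"
        open_default = acls.get("defaultAction", "Allow") == "Allow"
        if public and open_default:
            findings.append(Finding(acc["name"], "High",
                "reachable from any public IP; no network restriction configured"))
        elif public:
            n_rules = len(acls.get("ipRules", []))
            findings.append(Finding(acc["name"], "Medium",
                f"public endpoint limited to {n_rules} IP rule(s); "
                "prefer disabling public access and using a private endpoint"))
        # publicNetworkAccess == Disabled: nothing to report
    return findings


def check_over_privilege(usage, max_unused_ratio=0.5, min_assigned=50):
    """Flag identities that use only a small fraction of their permissions.

    Very small assignments are skipped: a 3-of-5 split is noise, not risk.
    """
    findings = []
    for row in usage:
        assigned, used = row["assigned"], row["used"]
        if assigned < min_assigned:
            continue
        unused_ratio = 1 - used / assigned
        if unused_ratio > max_unused_ratio:
            severity = "High" if unused_ratio > 0.9 else "Medium"
            findings.append(Finding(row["principal"], severity,
                f"uses {used} of {assigned} assigned permissions "
                f"({unused_ratio:.0%} unused); right-size the role assignment"))
    return findings


def run_posture_check(accounts=STORAGE_ACCOUNTS, usage=IDENTITY_USAGE):
    """Combine both rules into one ordered list of findings."""
    return check_public_exposure(accounts) + check_over_privilege(usage)


if __name__ == "__main__":
    for f in run_posture_check():
        print(f"[{f.severity}] {f.resource}: {f.message}")
```

On the constructed data the check reports the fully open account as High, the IP-restricted one as Medium (still a public endpoint, which is why the recommendation is a private endpoint rather than a longer allow list), and the deployment identity that uses 65 of 5980 permissions as High; the well-scoped user produces no finding. Treating missing properties as permissive, as the code does, matters in practice: a posture rule that defaults to "safe" when a field is absent will silently miss the worst cases.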

Moving Beyond Traditional Security Approaches

«In the cloud, attack patterns are different, with fewer traditional endpoint-focused attacks and many more attacks focused on the interconnectedness of software-based infrastructure.»

Traditional security tools cover only partial aspects of cloud security and are not well-suited to cloud-based workloads and services. Many rely on network scanning, which is minimally effective in a dynamic, ephemeral environment like the cloud, or on agents that affect performance and increase costs unacceptably. Many traditional tools also emit many discrete alerts and signals but lack the context (who, what, when, where and why) needed for fast response in cloud-based applications and workloads (2). While some traditional attack techniques may conceptually also apply to the cloud, the detection mechanisms need to shift. An attacker may execute a malicious command via the Azure management layer that modifies Azure Blob Storage, or could escalate privileges and access credentials for services used by an Azure Kubernetes Services cluster (3). No traditional EDR or security monitoring solution would detect or block this in real time. The MITRE ATT&CK Cloud Matrix provides an overview of the cloud-based attack techniques your security tools should detect and respond to.

Rise of CNAPP

A large number of siloed security tools emerged from the need to address the unique risk surface of cloud-based workloads and services:

  • Cloud Security Posture Management (CSPM) allows for contextual security posture management across clouds, enabling continuous detection and remediation of misconfigurations.
  • Cloud Workload Protection (CWP) and Cloud Detection and Response (CDR) focus on identifying and mitigating threats within cloud environments through continuous monitoring, advanced analytics, and incident response capabilities.
  • Cloud Infrastructure Entitlement Management (CIEM) focuses on managing and securing identities and their entitlements within cloud environments. It ensures that users and services have the appropriate level of access, reducing the risk of over-privileged access and potential security breaches.
  • Because developers are increasingly responsible for building cloud infrastructure and containers, security tooling has “shifted left” into the software development lifecycle. Methods like software composition analysis, exposure scanning (CVEs, secrets), infrastructure as code (IaC) scanning and static or dynamic source code analysis are integrated into common development toolsets like code repositories, build servers and container registries to identify vulnerabilities in software artefacts and infrastructure early in the software development lifecycle.

A siloed toolset forces security teams to manually piece together events, alerts, recommendations, and other signals to identify correlations and gain the necessary overview. A more unified approach is needed. This led to the rise of Cloud-Native Application Protection Platforms (CNAPP). CNAPPs consolidate the aforementioned features into one platform, providing a more unified and extensive security solution.

Platform Native Security

Security should be built-in, not bolted-on. This principle applies not only to the workloads and applications in the cloud but also to the underlying cloud platform itself. Microsoft Azure has long been at the forefront of integrating a broad range of security capabilities. The evolution of Azure Security Center, now known as Microsoft Defender for Cloud, highlights this commitment. Unsurprisingly, Microsoft was named as a representative CNAPP provider in the Gartner 2023 Market Guide (4) and as a Leader in the Forrester Infrastructure-as-a-Service Platform Native Security report (5).

The Evolution of Microsoft CNAPP

Since its launch in 2016, Microsoft Defender for Cloud has evolved from an Azure-centric solution to a full-scale CNAPP. Today, the solution provides capabilities across Azure, AWS and Google Cloud Platform. Azure Arc extends this support to Kubernetes clusters, Microsoft SQL servers, and Windows and Linux servers, no matter where they are located.

Yes, a CNAPP is by definition already a highly integrated collection of cloud security capabilities. Yet Microsoft Defender for Cloud takes the level of integration a step further. It is embedded in the Microsoft Security ecosystem and connected to Microsoft Sentinel, Defender External Attack Surface Management, Microsoft Entra Permissions Management, GitHub Advanced Security and many more. Microsoft Defender for Cloud is now also part of Microsoft Defender XDR, and security teams can access its alerts and incidents from within the Microsoft Defender XDR portal. This provides even richer context for investigations that span cloud resources, devices and identities across the entire IT estate (6).

How baseVISION supports you on your Cloud Security Journey

Adopting Microsoft CNAPP is not a one-time task but rather a journey that should align with your overall cloud adoption strategy. This is why we offer a range of services centered around Defender for Cloud, tailored to different stages of a cloud journey.

  • Microsoft Defender for Cloud Workshop: we introduce the platform, dive into its components and provide an overview of Microsoft Defender for Cloud. Gain valuable insights into its features and real-world use cases to enhance your understanding and get ready for a successful implementation.
  • CSPM Enablement: this is the cornerstone for adopting CNAPP. It includes setting up Defender for Cloud and Defender CSPM, large-scale environment onboarding, and an initial security posture evaluation. From the insights gained, we can advise on next steps and priorities.
  • Cloud Native Workload Protection Enablement: Services such as Azure Storage, Key Vault, and App Services abstract away many responsibilities and complexities. However, security in the cloud remains a shared responsibility. We guide you in utilizing the cloud-native protection features of Defender for Cloud, equipping you with the skills to hunt, detect, investigate, and respond to threats effectively.
  • Defender for Servers Implementation: Extend the endpoint detection and response capabilities of Defender for Endpoint to your Windows and Linux servers.
  • DevOps Security: Today, nearly every organization produces software, whether through in-house development, low-code platforms, or internal tools and scripts. Defender for Cloud offers the necessary tools to integrate security earlier in the development process and combines data from both build and runtime phases. This integration gives you the capability to protect applications and resources from code to cloud across various pipeline environments, including Azure DevOps, GitHub, and GitLab.

Technology alone cannot address cybersecurity issues, and this is equally true for cloud security. With our extensive experience across various industries and proven methodologies from our Security Operations Center, we can help you tackle the human and procedural aspects as well.

For additional details, please refer to our service catalog: https://www.basevision.ch/product/microsoft-defender-for-cloud/

Conclusion

We hope this blog post has given you some insights into the challenges and opportunities of cloud security, and how CNAPP can help you achieve holistic and proactive protection for your cloud-native applications. Microsoft Security is a leader in this field, offering a comprehensive and integrated platform that is native to Azure and covers multicloud environments. If you want to learn more about our services or Microsoft Defender for Cloud, please contact Marco Reinli.

In this blog post, we have only scratched the surface of the extensive area of cloud security. Stay tuned for our future posts where we will delve deeper into this subject.

References

(1) Mathew Davis, Microsoft Cloud Security Priorities and Practices Research, Emerald Research Group, March 2022

(2) SANS, 2024 Cloud-Native Application Protection Platform (CNAPP) Buyers Guide

(3) Mandiant, “WireServing” Up Credentials: Escalating Privileges in Azure Kubernetes Services, August 2024, https://cloud.google.com/blog/topics/threat-intelligence/escalating-privileges-azure-kubernetes-services

(4) Gartner, Market Guide for Cloud-Native Application Protection Platforms, March 2023

(5) Microsoft, Forrester names Microsoft a Leader in 2023 Infrastructure-as-a-Service Platform Native Security report, May 2023, https://www.microsoft.com/en-us/security/blog/2023/05/03/forrester-names-microsoft-a-leader-in-2023-infrastructure-as-a-service-platform-native-security-report/

(6) Microsoft Learn, Microsoft Defender for Cloud in the Microsoft Defender portal, https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-security-center-defender-cloud

Marco Reinli

Senior Security Consultant