Microsoft Defender for Cloud Blog
Native-First Cloud Security Approach

singhabhi (Microsoft)
Apr 01, 2024

Overview

Customers migrating to a public cloud (Azure, AWS, Google Cloud) often lift and shift their existing toolsets. Some customers hold the misleading notion that a best-of-breed approach is better than using cloud-native solutions. As a result, their cloud workloads suffer from security and efficiency gaps.

These third-party solutions rely on the visibility provided by the CSPs' APIs. However, each solution comes with its own set of limitations and blind spots. As a result, a customer's security posture becomes the combination of these blind spots, making it harder for security engineers and analysts to triage and respond to threats.

We will use Microsoft Azure (Azure) to demonstrate the advantages of a native-first approach.

Understanding your attack surface

When transitioning to a public cloud platform such as Azure, the security attack surface undergoes a significant transformation. It expands as organizations relinquish some control over their infrastructure to the cloud service provider.

In the cloud, various entry points, including virtual networks, APIs, and web interfaces, expose potential vulnerabilities. Misconfigurations in cloud settings, inadequate access controls, and insecure application designs can be exploited by malicious actors. As a result, the defense strategy must evolve beyond a hard shell: a softer core requires a capable layered defense in which each layer operates independently.

Additionally, the shared responsibility model (https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility) requires careful consideration of how security responsibilities are divided between the cloud provider and the customer.

While cloud providers like Azure offer robust security measures, organizations must actively manage their configurations, monitor for potential threats, and enforce stringent access controls to mitigate the widened attack surface and safeguard sensitive data and applications in the cloud.

Misleading promise of a more secure environment

 

Often, customers leverage third-party solutions not to enhance and complement the cloud-native security capabilities, but to replace them. Customers often cite the following as key drivers:

  1. Specialized Expertise: Third-party security solutions are often believed to have been developed and maintained by experts in cybersecurity, and to provide specialized features and advanced threat intelligence that go beyond the native security offerings of the cloud provider.

In reality, CSPs often have more highly specialized resources with vertical expertise. These resources not only understand their security domain (application security, container security, governance, etc.) but also have a deeper understanding of the cloud. CSPs also have a large attack surface themselves, at a scale unlike most of their customers. As a result, the CSP not only sees issues from different vantage points but has also developed counteracting mechanisms that scale. It will be hard for a security vendor to match these capabilities.

  2. Customization and Flexibility: Third-party security vendors often promise that their tools allow customers to tailor their security measures to specific needs and compliance requirements, and that this level of customization might not always be achievable with the standardized security features provided by the cloud platform.

In reality, CSPs are exposed to a large number of use cases because of their diverse customer base. As a result, CSPs have an inherent incentive for their native solutions to accommodate that customer base.

  3. Multi-Cloud Environments: Organizations operating in multi-cloud environments, utilizing services from different cloud providers, may feel that a third-party solution will provide consistent security policies and management across their diverse infrastructure.

In reality, Microsoft Defender for Cloud is a multi-cloud solution by design.

  4. Integrated Security Operations: Third-party security solutions, especially those from legacy vendors, often cite their experience integrating with customers' existing security operations tools and processes as a differentiator. This integration experience is presented as a promise to streamline incident response, monitoring, and reporting, providing a more cohesive security posture.

In reality, CSPs, given their attack surface, have very mature practices that they incorporate into their products, which are integrated by design. Microsoft Defender for Cloud and Azure Sentinel provide alerts and automated responses, and incorporate the latest threat intelligence (https://www.microsoft.com/en-us/security/blog/topic/threat-intelligence/?sort-by=newest-oldest&date=any).

  5. Advanced Threat Detection and Prevention: Some third-party vendors highlight their use of current technology trends like AI/ML to provide advanced threat detection and prevention mechanisms. They equate their smaller size with nimbleness and gain instant credibility through funding acquired from reputed venture capital firms.

Microsoft, for example, has made AI and ML a core capability and has devoted immense resources to them (https://www.microsoft.com/en-us/microsoft-cloud/blog/2023/11/07/come-build-with-us-microsoft-and-openai-partnership-unveils-new-ai-opportunities/). As an outcome that benefits customers, the native solutions leverage these AI capabilities (https://www.microsoft.com/en-us/security/blog/2023/11/15/microsoft-unveils-expansion-of-ai-for-security-and-security-for-ai-at-microsoft-ignite/). Defender for Cloud has several alerts that are AI/ML driven (https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview#microsoft-initiatives).

Microsoft also spends over $4B per year on security, far more than any third-party vendor.

  6. Regulatory Compliance: Certain industries and regions have stringent regulatory requirements. Third-party vendors cite that their solutions offer features specifically designed to help organizations meet these compliance standards, ensuring that data handling practices align with legal and industry-specific guidelines.

Most CSPs provide compliance assessment as a native capability. Microsoft Defender for Cloud, for example, has a native regulatory assessment capability as part of Cloud Security Posture Management (https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-regulatory-compliance-standards). The solution also allows customers to write their own controls to extend the out-of-the-box capabilities.

  7. Unified Security Management: For organizations with diverse IT environments, third-party security solutions are considered to provide a unified management interface that consolidates security policies, monitoring, and reporting, simplifying overall security operations.

As mentioned above, Microsoft Defender for Cloud is a multi-cloud solution that provides a unified security management capability (https://learn.microsoft.com/en-us/azure/defender-for-cloud/multicloud).

  8. Continuous Innovation and Updates: Third-party security vendors often cite that their company focuses solely on security, allowing them to rapidly adapt to emerging threats and deliver regular updates and patches.

Microsoft has devoted a large number of resources to the Secure Future Initiative. This new initiative will bring together every part of Microsoft to advance cybersecurity protection. It will have three pillars, focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats (https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/).

In summary, customers' desire to use third-party security solutions on public cloud platforms is often driven by the need for specialized expertise, customization, integration capabilities, advanced threat protection, and compliance adherence. In reality, the native solutions can fulfill these customer requirements more efficiently.

 

Foundational problems with a non-native first approach

Let's talk about some issues that will impact customers' ability to run an efficient and more secure environment when they base their strategy on a best-of-breed approach.

Best of breed introduces blind spots

The "best of breed" security approach involves selecting the most effective and specialized security tools from different vendors to build a comprehensive security posture. While this strategy has its advantages, it can also introduce security blind spots, particularly when applied to securing public cloud environments. Here are some reasons why:

  1. Integration Challenges: Best-of-breed solutions may not seamlessly integrate with each other or with the specific cloud platform being used. This lack of integration can lead to gaps in visibility and coordination, making it difficult to have a unified view of the security landscape.

This will never be an issue when using native solutions, as the CSP makes sure its services work with each other seamlessly. For example, most of Defender for Cloud's workload protection plans (https://learn.microsoft.com/en-us/azure/defender-for-cloud/workload-protections-dashboard) have push-button enablement, requiring no integration effort on the customer's side. In most cases there is no reliance on an agent.

  2. Complexity and Management Overhead: Managing multiple security solutions from different vendors can be complex and resource intensive. Security teams may struggle with the varied interfaces, policies, and update schedules, potentially overlooking crucial security configurations or failing to respond promptly to emerging threats.

In contrast, when using native security solutions, security teams do not face a steep learning curve, because the native solutions build on other native services such as dashboards and response automation. For instance, Defender for Cloud uses Azure Policy for security recommendations (https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept) and Azure Monitor Workbooks for dashboards (https://learn.microsoft.com/en-us/azure/defender-for-cloud/custom-dashboards-azure-workbooks).

  3. Interoperability Issues: Public cloud environments often rely on a variety of interconnected services and APIs. If best-of-breed security tools are not designed to work seamlessly with these cloud-native services, there is a risk of missing potential threats or vulnerabilities in these specific areas.

When leveraging native security solutions, this will never be an issue, as they have first-party integrations by design. For example, Defender for Containers natively integrates with Azure Kubernetes Service and Azure Container Registry (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction); as a result, changes in the workload (AKS and ACR) will not require corresponding changes in Defender for Containers.

  4. Delayed Response to Threats: In a best-of-breed approach, security solutions may not share threat intelligence in real time. This lack of communication between tools can result in delayed detection and response to security incidents, leaving organizations vulnerable during critical moments.

Defender for Cloud leverages Microsoft's threat intelligence natively (https://learn.microsoft.com/en-us/azure/defender-for-cloud/threat-intelligence-reports, https://techcommunity.microsoft.com/t5/microsoft-defender-threat/defender-for-cloud-and-defender-for-threat-intelligence-are/ba-p/3723047).

  5. Increased Attack Surface: Implementing multiple security solutions can inadvertently expand the attack surface. Each tool introduces its own set of configurations, APIs, and potential vulnerabilities. If not properly managed, this can create additional opportunities for attackers to exploit weaknesses in the security infrastructure.

Because the native solutions are first party and do not require changes to the customer's cloud environment, they do not introduce additional weaknesses.

  6. Resource Redundancy: Running multiple security tools concurrently may lead to redundant use of system resources. This redundancy can affect the overall performance of the cloud environment and increase operational costs without necessarily improving security effectiveness.

This will never be an issue with native solutions, as they are designed for efficient usage of customers' cloud resources, and the heavy lifting is often done within the CSP's control plane. For example, in the case of Defender for Containers, the resource limits of the Defender agent are predefined (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-architecture?tabs=defender-for-container-arch-aks#defender-agent-component-details). Similarly, Defender for SQL on VMs keeps the impact on customer workloads to minimal CPU usage, averaging 3% for peak slices compared against benchmark loads (https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-databases#is-there-a-performance-effect-from-deploying-microsoft-defender-for-azure-sql-on-machines-).

  7. Skillset Challenges: Different security tools often require specific skills for effective deployment and management. In a best-of-breed approach, security teams may need to acquire expertise in a diverse set of technologies, which could lead to skill gaps and inefficiencies.

As noted under complexity above, native solutions do not impose a steep learning curve, because they build on services the team already uses, such as Azure Policy for security recommendations and Azure Monitor Workbooks for dashboards.

  8. Lack of Consistency in Policies: With various security solutions, maintaining consistent security policies across the entire cloud infrastructure becomes challenging. Inconsistencies may arise in configurations, monitoring thresholds, and incident response procedures, leaving areas of the environment less protected.

Defender for Cloud builds upon Azure Policy and provides a single pane to manage the security of the customer's entire multi-cloud environment, so customers can easily identify, diagnose, and respond to security events.

 

 

How a fractured control plane increases the security risks

 

A fractured cloud security control plane, characterized by a lack of cohesion and centralized management of security controls, introduces the following challenges.

Impact on your Three Lines of Defense

(The three lines of defense model is described in https://www.isaca.org/resources/isaca-journal/issues/2018/volume-4/roles-of-three-lines-of-defense-for-information-security-and-governance.)

Security Analyst:

  • Limits the capability to detect threats.
  • Creates a bottleneck when triaging incidents.
  • Makes it harder to execute responses.

Security Assurance:

  • Limits the capability to centrally manage compliance with company policies.
  • Makes it harder to determine the impact of design decisions (open privileges, changes to workloads, changes to cloud environments to make a third-party solution work) on compliance and overall security posture.

Security Engineering and Architecture:

  • Harder to understand the nuances of third-party point solutions.
  • Difficult to create repeatable patterns, since each solution has its own specific integration requirements, unlike native solutions.
  • Harder to keep track of costs, as these solutions have different billing cycles and agreements and do not account for any discount agreements the customer has negotiated with the CSP, such as Azure MACC.

 

Threat of vendor lock-in

Relying on a variety of security tools from different vendors may result in vendor lock-in. Migrating to a new solution or adapting to changes in the technology landscape becomes challenging when there is a lack of standardization and interoperability.

These third-party solutions often build on the capabilities that the CSPs provide. When leveraging native solutions, lock-in is not a major concern, as the customer is already operating workloads on the cloud.

 

 

Negative impact on ITSM process

Implementing changes or updates to security policies across a fractured control plane can be cumbersome. Coordinating changes across different tools and ensuring that updates are applied consistently can be a time-consuming process.

 

Additionally, in the event of a security incident, a fractured control plane hampers the ability to respond quickly and effectively. Coordinating incident response across different security tools and platforms may result in delays and increased impact.

 

 

Efficiency impact

When using third-party solutions, it would be prudent for customers to keep in mind their motivations (https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/motivations#motivations) for migrating to the public cloud in the first place.

In doing so, customers will realize that third-party solutions often adversely impact these motivations, as follows:

Cost

Customers often have negotiated steep discounts with CSPs based on their usage. When customers leverage native security solutions, that usage counts toward these discounts. Additionally, third-party solutions often consume the CSP's native APIs, so the customer pays both for the API usage and for the third-party solution itself.

Agility

As discussed above, third-party solutions increase the overhead on customers' teams; agility decreases as a result of skill gaps, a fractured control plane, and so on.

Scalability

Unlike native solutions, third-party solutions do not scale with customers' workloads, so customers are required to scale them horizontally or vertically themselves.

Resilience

Native solutions provide resilience by design. Third-party solutions, however, require the customer to implement resilience using architecture patterns.

Complexity

As discussed above, third-party solutions add complexity to customers' environments due to their integration, operation, and maintenance requirements.

 

Summary

We discussed the challenges that customers face when they use third-party solutions in their cloud environment:

  • The challenges of using third-party security solutions on public cloud platforms: Third-party security solutions can introduce security and efficiency gaps, blind spots, integration challenges, and increased complexity and costs for customers migrating to public cloud platforms.
  • The advantages of using native security solutions from cloud service providers: Native security solutions, such as Microsoft Defender for Cloud, offer more specialized expertise, customization, flexibility, integration, threat intelligence, compliance, and innovation than third-party vendors.
  • The impact of the attack surface transformation on public cloud platforms: The security attack surface expands and evolves when organizations transition to public cloud platforms such as Azure, and native solutions help customers adopt a layered defense strategy by keeping the shared responsibility model as a central premise.
  • The benefits of a native-first approach to cloud security: Customers should evaluate their motivations for migrating to the public cloud and how a native-first approach can help them achieve their goals of cost, agility, scalability, resilience, and simplicity.

 

Call to Action

  • Evaluate your current security approach on public cloud platforms and consider the benefits of using native security solutions from cloud service providers.
  • Native security solutions, such as Microsoft Defender for Cloud, offer more specialized expertise, customization, flexibility, integration, threat intelligence, compliance, and innovation than third-party vendors.
  • Take the first step towards a more secure and efficient cloud environment by exploring the native security solutions available to you.

 

Updated Apr 02, 2024
Version 2.0