Security Posture Management and Exposure Management
Design a cloud security posture management strategy using Microsoft Defender for Cloud, Secure Score, security baselines, and exposure management.
Why Posture Management Matters at the Architecture Level
Most security breaches don’t exploit exotic zero-day vulnerabilities — they exploit misconfigured resources. A storage account left open to the internet, a management port exposed without restrictions, a database with no encryption at rest. These are configuration mistakes that already have known solutions.
A security architect’s job isn’t to fix these one by one. It’s to design a system that continuously finds, prioritises, and drives remediation of misconfigurations — before an attacker finds them first.
That system is Cloud Security Posture Management (CSPM), and in Microsoft’s ecosystem, it centres on Microsoft Defender for Cloud.
Microsoft Defender for Cloud: The Architecture
Defender for Cloud is actually two capabilities bundled under one name, and understanding this distinction is critical for the SC-100 exam:
Foundational CSPM (free) is enabled automatically for every Azure subscription. It provides:
- Secure Score — a numerical measure of your security posture
- Security recommendations based on the Microsoft Cloud Security Benchmark (MCSB)
- Basic asset inventory
Defender CSPM (paid) adds advanced capabilities:
- Attack path analysis — graph-based visualisation of how an attacker could move through your environment
- Cloud security explorer — query your security graph to find risky resource combinations
- Agentless scanning for vulnerabilities
- Governance rules to assign recommendation owners and deadlines
- Data-aware security posture — discovers sensitive data and factors that into risk
Then there are the Defender plans (Cloud Workload Protection), which provide runtime threat detection for specific resource types: Defender for Servers, Defender for Storage, Defender for Databases, Defender for Containers, Defender for App Service, Defender for Key Vault, and others.
| Capability | Foundational CSPM (Free) | Defender CSPM (Paid) | Defender Plans (CWP) |
|---|---|---|---|
| Core function | Configuration assessment | Advanced posture analysis | Runtime threat detection |
| Secure Score | ✅ Included | ✅ Enhanced insights | Contributes to score |
| Security recommendations | ✅ MCSB-based | ✅ Plus governance rules | Plan-specific recommendations |
| Attack path analysis | ❌ | ✅ Graph-based | ❌ (data feeds into CSPM) |
| Cloud security explorer | ❌ | ✅ Custom queries | ❌ |
| Agentless scanning | ❌ | ✅ VMs, containers | Some plans include agent-based |
| Threat alerts | ❌ | ❌ | ✅ Real-time detection |
| Pricing model | Free with Azure | Per-subscription/server | Per-resource or per-unit |
| Architect decision | Always enable | Enable for critical subscriptions | Enable per workload type |
The Architect’s Decision Framework
As a security architect, you’re not just enabling all the toggles. You’re designing a strategy:
- Which subscriptions get Defender CSPM? — Production and any subscription with sensitive data. Dev/test might only need foundational CSPM to control costs.
- Which Defender plans to enable? — Based on workload types. Containers in production? Enable Defender for Containers. SQL databases with customer data? Enable Defender for Databases.
- How will recommendations be triaged? — Governance rules assign owners and deadlines. Not every recommendation needs immediate action.
- What Secure Score target? — Set a realistic target (e.g., 70% in 90 days) rather than chasing 100%.
Secure Score: Measuring Posture
Secure Score is a percentage that measures how many security recommendations you’ve addressed out of the total available. But the number itself isn’t the point — the trend is.
A Secure Score of 55% isn’t alarming if it was 30% three months ago. A score of 80% is concerning if it was 90% last month. Architects design for continuous improvement, not a specific number.
How Secure Score works:
- Each recommendation has a maximum score (weighted by severity)
- Implementing the recommendation earns points
- Some recommendations are partially implementable (e.g., 8 of 10 VMs patched earns 80% of the points)
- Score is calculated per-subscription and aggregated
Key architect decisions around Secure Score:
- Exempt recommendations that don’t apply — A recommendation to enable DDoS protection on a VNet that only hosts internal dev workloads might be a valid exemption. Exempting it removes it from the denominator, giving a more accurate score.
- Use governance rules to assign recommendation owners with SLA deadlines
- Report Secure Score to leadership as a KPI — this creates organisational accountability
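The scoring mechanics above (severity weighting, partial credit, per-subscription calculation) and the effect of an exemption on the denominator, worked through in an added example. This is illustrative code, not Microsoft's scoring implementation; the recommendation names, weights and resource counts are constructed.

```python
from dataclasses import dataclass

@dataclass
class Recommendation:
    name: str
    max_score: float      # maximum points, weighted by severity
    healthy: int          # resources already compliant
    total: int            # resources the recommendation applies to
    exempt: bool = False  # approved exemption: leaves the denominator entirely

def earned(rec):
    """Partial credit: 8 of 10 VMs patched earns 80% of the maximum."""
    return rec.max_score * rec.healthy / rec.total if rec.total else 0.0

def points(recs, honour_exemptions=True):
    """(earned, possible) points for one subscription."""
    scored = [r for r in recs if not (honour_exemptions and r.exempt)]
    return sum(earned(r) for r in scored), sum(r.max_score for r in scored)

def secure_score(recs, honour_exemptions=True):
    """Subscription score as a percentage of the points still available."""
    got, possible = points(recs, honour_exemptions)
    return 100.0 * got / possible if possible else 100.0

def aggregate_score(subscriptions):
    """Tenant-level score: pool points rather than average percentages, so a
    subscription with more recommendations (and more resources) weighs more."""
    got = possible = 0.0
    for recs in subscriptions.values():
        g, p = points(recs)
        got, possible = got + g, possible + p
    return 100.0 * got / possible if possible else 100.0

# Constructed sample data; names and weights are illustrative, not Microsoft's.
PROD = [
    Recommendation("System updates installed on VMs", 6, healthy=8, total=10),
    Recommendation("Public blob access disabled", 4, healthy=1, total=4),
    Recommendation("MFA enabled for privileged accounts", 10, healthy=1, total=1),
    Recommendation("DDoS Protection on VNets", 2, healthy=0, total=1, exempt=True),
]
DEV = [
    Recommendation("System updates installed on VMs", 6, healthy=2, total=5),
    Recommendation("Public blob access disabled", 4, healthy=0, total=2),
    Recommendation("MFA enabled for privileged accounts", 10, healthy=1, total=1),
    Recommendation("Soft delete enabled on storage", 3, healthy=0, total=3),
]

if __name__ == "__main__":
    print(f"prod: {secure_score(PROD):.1f}% "
          f"(would be {secure_score(PROD, honour_exemptions=False):.1f}% without the exemption)")
    print(f"dev: {secure_score(DEV):.1f}%  tenant: {aggregate_score({'prod': PROD, 'dev': DEV}):.1f}%")
```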
Security Baselines and MCSB
The Microsoft Cloud Security Benchmark (MCSB) is a set of security best practices mapped to common compliance frameworks (CIS, NIST, PCI DSS). It’s the foundation of Defender for Cloud’s recommendations.
Security baselines are MCSB controls applied to specific Azure services. For example, the security baseline for Azure Storage includes:
- Enforce HTTPS transfer
- Disable public blob access
- Enable soft delete for data protection
- Use Microsoft-managed keys or customer-managed keys for encryption at rest
As an architect, you don’t memorise every baseline. You design the process:
- Azure Policy enforces baselines at scale — deny non-compliant configurations at deployment time
- Defender for Cloud detects drift from baselines post-deployment
- Governance rules ensure someone is accountable for remediation
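The three-step process above, as an added example that is not from Microsoft or the page: the same Azure Storage baseline controls serve as a deployment-time gate (the role Azure Policy's deny effect plays) and as a post-deployment drift scan, and each finding picks up an owner and due date from a severity-based governance rule. The account view is a simplified, constructed shape rather than the full ARM schema, and the owner and SLA values are assumptions.

```python
from datetime import date, timedelta

# Azure Storage baseline controls: (control, severity, predicate over a simplified
# account view). Missing properties fail closed. The view is constructed, not the ARM schema.
BASELINE = [
    ("Enforce HTTPS transfer", "High",
     lambda a: a.get("supportsHttpsTrafficOnly") is True),
    ("Disable public blob access", "High",
     lambda a: a.get("allowBlobPublicAccess") is False),
    ("Enable soft delete for data protection", "Medium",
     lambda a: a.get("blobSoftDelete", {}).get("enabled") is True),
    ("Use managed or customer-managed keys", "Medium",
     lambda a: a.get("encryptionKeySource") in ("Microsoft.Storage", "Microsoft.Keyvault")),
]
# Governance rule (assumed values): severity -> (owner, days allowed to remediate)
GOVERNANCE = {"High": ("storage-platform-team", 14), "Medium": ("storage-platform-team", 30)}

def failed_controls(account):
    return [(c, s) for c, s, ok in BASELINE if not ok(account)]

def deny_at_deploy(account):
    """Deployment-time gate: refuse the resource if any control fails."""
    failed = failed_controls(account)
    return (False, [c for c, _ in failed]) if failed else (True, [])

def detect_drift(accounts, today):
    """Post-deployment scan: one finding per failed control, with owner and due date."""
    findings = []
    for a in accounts:
        for control, severity in failed_controls(a):
            owner, days = GOVERNANCE[severity]
            findings.append({"resource": a["name"], "control": control, "severity": severity,
                             "owner": owner, "due": today + timedelta(days=days)})
    return findings

def overdue(findings, today):
    """Findings whose SLA has lapsed: what the governance report escalates."""
    return [f for f in findings if f["due"] < today]

# Constructed accounts: one drifted, one compliant
ACCOUNTS = [
    {"name": "stprodlogs", "supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": True,
     "blobSoftDelete": {"enabled": False}, "encryptionKeySource": "Microsoft.Storage"},
    {"name": "stprodbackup", "supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False,
     "blobSoftDelete": {"enabled": True, "days": 14}, "encryptionKeySource": "Microsoft.Keyvault"},
]

if __name__ == "__main__":
    for f in detect_drift(ACCOUNTS, date.today()):
        print(f"{f['resource']}: {f['control']} [{f['severity']}] -> {f['owner']} by {f['due']}")
```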
Microsoft Security Exposure Management
Security Exposure Management is a newer capability that goes beyond individual recommendations to understand attack paths and blast radius.
Traditional CSPM asks: “Is this resource configured securely?” Exposure Management asks: “If this resource is compromised, what can the attacker reach next?”
Attack Path Analysis
Attack path analysis uses a graph model of your environment. It connects:
- Entry points — internet-facing resources, vulnerable VMs, exposed credentials
- Lateral movement — network connectivity, shared credentials, permission chains
- Critical assets — databases, key vaults, identity systems
The result is a visual map showing: “An attacker can reach your production database by first compromising this internet-facing VM (which has a known vulnerability), then using its managed identity (which has Key Vault access) to retrieve database credentials.”
This is extraordinarily powerful for prioritisation. Instead of remediating 200 medium-severity recommendations, you fix the 3 that sit on active attack paths to critical assets.
Designing an Exposure Management Strategy
An architect plans:
- Define critical assets — What are the crown jewels? Production databases, identity infrastructure, financial systems
- Enable Defender CSPM — Required for attack path analysis
- Review attack paths weekly — Not just the number, but the blast radius of each path
- Integrate with remediation workflows — Attack paths should create tickets in your ITSM tool
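Attack path analysis and the prioritisation it enables, reduced to their core in an added example (not the Defender CSPM implementation): enumerate every path from an internet entry point to a critical asset over a constructed reachability graph, rank posture findings by how many paths they sit on, then pick a small set of fixes that cuts every path. Node names, findings and connectivity are all constructed.

```python
from collections import Counter

# Constructed environment. REACH records who can reach whom (network, identity, permission);
# FINDINGS is the posture finding that makes a node usable as a stepping stone.
REACH = {
    "internet":      ["api-server", "dev-vm"],
    "api-server":    ["svc-principal", "key-vault"],
    "dev-vm":        ["dev-identity"],
    "svc-principal": ["patient-db", "key-vault"],
    "dev-identity":  ["patient-db", "key-vault"],
    "key-vault":     ["patient-db"],
}
FINDINGS = {
    "api-server":    "api-server: internet-facing and unpatched for 90 days",
    "dev-vm":        "dev-vm: management port open to the internet",
    "svc-principal": "svc-principal: database admin rights",
    "dev-identity":  "dev-identity: contributor on production subscriptions",
    "key-vault":     "key-vault: no network restrictions",
}
CRITICAL_ASSETS = {"patient-db"}

def attack_paths(reach, findings, start, critical):
    """Every simple path from `start` to a critical asset, as the ordered findings relied on."""
    paths = []
    def walk(node, visited, hops):
        if node in critical:
            paths.append(hops)
            return
        for nxt in reach.get(node, []):
            if nxt not in visited:
                hop = [findings[nxt]] if nxt in findings else []
                walk(nxt, visited | {nxt}, hops + hop)
    walk(start, {start}, [])
    return paths

def rank_findings(paths):
    """Findings ordered by how many attack paths they sit on (ties alphabetical)."""
    counts = Counter(f for p in paths for f in p)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def minimal_fix_set(paths):
    """Greedy set cover: fix the finding on the most surviving paths until none remain."""
    remaining, chosen = list(paths), []
    while remaining:
        finding = rank_findings(remaining)[0][0]
        chosen.append(finding)
        remaining = [p for p in remaining if finding not in p]
    return chosen

if __name__ == "__main__":
    paths = attack_paths(REACH, FINDINGS, "internet", CRITICAL_ASSETS)
    print(len(paths), "attack paths; fix first:", minimal_fix_set(paths))
```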
🌐 Scenario: Elena’s Posture Management Strategy
Dr. Elena Vasquez stands in Meridian Global Industries’ boardroom. Marcus Chen, the board chair, has asked a deceptively simple question: “How secure are we, and how do you know?”
Elena’s answer is Defender for Cloud. She’s designed a tiered CSPM strategy across Meridian’s 23 Azure subscriptions:
Tier 1 — Production subscriptions (8): Defender CSPM enabled. All relevant Defender plans active. Governance rules assign recommendation owners with 14-day SLAs for high severity, 30 days for medium. Weekly attack path analysis review with Li Wei’s IT Ops team.
Tier 2 — Staging/QA (6): Defender CSPM enabled. Limited Defender plans (Servers and Containers only). 30-day SLA for all severities.
Tier 3 — Dev/sandbox (9): Foundational CSPM only. Monthly review of Secure Score trends. No Defender plans — cost isn’t justified for ephemeral dev workloads.
“Our Secure Score across production is 72%, up from 48% when we started six months ago,” Elena tells Marcus. “More importantly, we’ve eliminated all critical attack paths to our manufacturing data. Last quarter, attack path analysis found that a developer’s VM had a managed identity with contributor access to three production subscriptions. That single finding was worth more than the 40 medium-severity recommendations we’d been working through.”
☁️ Scenario: Rajan’s Exposure Management Presentation
Rajan Krishnamurthy is presenting to Deepak Malhotra, CTO of a healthcare company that’s been breached twice in the past year. Deepak is sceptical of yet another security tool.
“Let me show you something specific,” Rajan says, pulling up the attack path analysis dashboard. “Your patient records database is reachable via four distinct attack paths. The shortest one goes through an internet-facing API server that hasn’t been patched in 90 days, uses a service principal with database admin rights, and the database itself has no network restrictions.”
Deepak leans forward. “We have 800 security recommendations in our backlog. Which ones matter?”
“These three,” Rajan points. “Patch that API server, scope that service principal to least privilege, and add a private endpoint to the database. Three changes eliminate all four attack paths to your most sensitive data.”
Rajan has designed the strategy: use attack path analysis to cut through recommendation noise and focus remediation on paths that actually lead to critical assets.
Exam Strategy: Posture Management Questions
SC-100 questions on posture management test your ability to design strategy, not configure tools. You’ll see scenarios like: “A company has 50 Azure subscriptions and wants to improve security posture. What should the architect recommend?” The answer isn’t “enable Defender for Cloud” — it’s how to enable it (tiered approach, governance rules, Secure Score targets).
Key patterns:
- If the question asks about prioritisation → attack path analysis (not just Secure Score)
- If the question asks about accountability → governance rules with owners and deadlines
- If the question mentions cost concerns → tiered CSPM approach (free for dev, paid for prod)
- If the question asks about multicloud → Defender for Cloud extends to AWS/GCP (covered next module)
- “Continuous assessment” in a question almost always points to CSPM, not periodic audits
A company has 30 Azure subscriptions across production, staging, and development. The CISO wants to improve security posture while controlling costs. Some subscriptions host sensitive customer data while others are developer sandboxes. What approach should the security architect recommend?
A security architect reviews the organisation's Defender for Cloud dashboard and sees 340 active recommendations with a Secure Score of 62%. The CISO asks which recommendations to address first. What approach provides the most effective prioritisation?
An organisation wants to ensure that all new Azure resources deployed by development teams meet security baselines. Some developers have complained that security reviews slow down their deployment pipeline. What architecture should the security architect design?
Next up: Hybrid and Multicloud Security — extend everything you’ve learned about posture management to AWS, GCP, and on-premises environments using Azure Arc.