Calma Cloud

What is CSPM for Azure?

The short version: CSPM (Cloud Security Posture Management) is the continuous practice of finding and fixing misconfigurations in your cloud — public storage, weak TLS, databases open to the internet, over-broad access — and mapping each one to compliance frameworks like CIS, ISO 27001, NIST and GDPR. On Azure, Microsoft Defender for Cloud ships a free basic CSPM tier that's on by default; paid and independent tools add attack-path analysis, secret scanning, actionable remediation and a view of how your posture changes over time.

What CSPM actually does

CSPM answers a question the Azure portal doesn't answer on its own: across everything I run — every subscription, resource group and resource — what's misconfigured, how serious is it, and what do I fix first?

It's a continuous loop, not a one-off audit:

  1. Discover every resource across your subscriptions.
  2. Assess each one against a library of good-practice rules and compliance controls.
  3. Prioritise the findings by severity and exposure, so you're not staring at an undifferentiated wall of red.
  4. Remediate — ideally with the fix handed to you, not just the problem.
  5. Monitor over time — posture drifts as people deploy and change things; CSPM catches the drift.

The word that matters is configuration. CSPM isn't looking for software vulnerabilities (that's a different tool); it's looking at how your cloud is set up — the settings, permissions and exposure that you own and can change today.

What CSPM checks on Azure

Most of the real-world risk clusters into a handful of categories. A mature Azure CSPM covers all of them:

Category Example misconfigurations it catches
Data exposure Storage accounts allowing anonymous blob access; databases reachable from the public internet
Encryption / transport HTTPS not enforced; minimum TLS below 1.2; disks or data without encryption
Identity & access Over-permissive RBAC; too many subscription Owners; no MFA on privileged roles
Network Management ports (RDP/SSH) open to the internet; permissive NSG rules; no private endpoints
Logging & monitoring Missing diagnostic settings; no activity-log retention; no alerting on key events
Resilience No backup; single-region critical resources; no soft-delete on key vaults
Governance Missing tags; resources outside approved regions; no policy guardrails

Each finding is only useful if you know why it matters and how to fix it — which is why good CSPM attaches both a severity and a concrete remediation to every result.

Compliance frameworks CSPM maps to

The reason CSPM findings carry weight with auditors is that each maps to a named control in a recognised framework. The common set:

Framework What it is
CIS Azure Benchmark Prescriptive, Azure-specific security baseline — the most direct fit for CSPM checks
ISO 27001 International information-security management standard (Annex A controls)
NIST SP 800-53 US federal control catalogue, widely used as a reference
PCI DSS Payment-card data security
SOC 2 Trust-services criteria for service providers
HIPAA US healthcare data protection
GDPR / RGPD EU personal-data protection (Art. 32 security of processing, Art. 25 by design/default)

A single misconfiguration usually maps to several at once — e.g. public blob access touches CIS 3.7, ISO 27001 A.8.3, NIST AC-6 and GDPR Art. 32.1.b.

CSPM on Azure specifically: the built-in tier vs going further

Microsoft Defender for Cloud includes a basic CSPM tier that is free and enabled by default on every subscription: resource inventory, a Secure Score, and security recommendations. It's a genuine, useful baseline — and the right place to start.

Where paid Defender CSPM and independent tools add value:

Capability Free basic tier Deeper CSPM
Resource inventory, Secure Score, recommendations
Attack-path analysis
Secret scanning
Data-security posture (DSPM)
Actionable, copy-paste remediation per finding Partial
Posture trend over time / drift detection Limited
Compliance mapping across multiple frameworks Partial

The honest takeaway: the free tier tells you what; deeper tooling tells you what to do about it, in what order, and whether you're getting better or worse over time.

CSPM vs CNAPP, DSPM, CIEM and vulnerability scanning

These acronyms overlap and get used loosely. The short disambiguation:

Term Focuses on
CSPM Cloud configuration posture — misconfigurations and compliance
CNAPP An umbrella platform combining CSPM + workload protection + more
DSPM Data security posture — where sensitive data lives and who can reach it
CIEM Entitlements — cloud identities and their permissions
Vulnerability scanning Software flaws (CVEs) in code and images, not configuration

CSPM is the foundation most teams start with because misconfiguration — not exotic exploits — is behind the majority of real cloud incidents.

How to get started with CSPM on Azure

  1. Confirm Defender for Cloud's free CSPM is on (it is, by default) and look at your Secure Score.
  2. Pick one framework to anchor on — CIS Azure Benchmark is the most direct fit.
  3. Triage by exposure first: anything reachable from the public internet with weak auth.
  4. Fix, then watch the trend — a score that improves and holds is the goal, not a one-time cleanup.

How Calma Cloud approaches CSPM

Calma Cloud runs read-only and agentless against your tenant — nothing to install, and your inventory, credentials and reports stay in your own environment. It maps every finding to CIS / ISO 27001 / NIST / GDPR, hands you the fix per finding, and tracks your posture over time as a single calm score instead of a wall of red. The design principle is the opposite of alarmism: show what matters first, explain it plainly, and make the next step obvious.

Request a demo →

FAQ

  • What does CSPM stand for? Cloud Security Posture Management.
  • Does Azure have built-in CSPM? Yes — Microsoft Defender for Cloud includes a free basic CSPM tier, on by default (inventory, Secure Score, recommendations). Paid and third-party tools add attack paths, secret scanning, DSPM and richer remediation.
  • Is CSPM free on Azure? The basic tier is free; the deeper Defender CSPM plan and most independent tools are paid.
  • What frameworks does CSPM map to? Commonly CIS, ISO 27001, NIST, PCI DSS, SOC 2, HIPAA and GDPR.
  • Is CSPM the same as a vulnerability scanner? No. CSPM finds misconfigurations (how resources are set up); vulnerability scanning finds software flaws (CVEs). They complement each other.
  • CSPM vs CNAPP — what's the difference? CNAPP is an umbrella platform; CSPM is the configuration-posture piece within it.
  • Do I need to install agents? Not for configuration posture — CSPM reads the cloud control plane. Calma Cloud is read-only and agentless.
  • How is CSPM different from just using Secure Score? Secure Score is one signal; CSPM is the whole loop — discover, assess against frameworks, prioritise, remediate and track drift over time.