What is CSPM for Azure?
The short version: CSPM (Cloud Security Posture Management) is the continuous practice of finding and fixing misconfigurations in your cloud — public storage, weak TLS, databases open to the internet, over-broad access — and mapping each one to compliance frameworks like CIS, ISO 27001, NIST and GDPR. On Azure, Microsoft Defender for Cloud ships a free basic CSPM tier that's on by default; paid and independent tools add attack-path analysis, secret scanning, actionable remediation and a view of how your posture changes over time.
What CSPM actually does
CSPM answers a question the Azure portal doesn't answer on its own: across everything I run — every subscription, resource group and resource — what's misconfigured, how serious is it, and what do I fix first?
It's a continuous loop, not a one-off audit:
- Discover every resource across your subscriptions.
- Assess each one against a library of good-practice rules and compliance controls.
- Prioritise the findings by severity and exposure, so you're not staring at an undifferentiated wall of red.
- Remediate — ideally with the fix handed to you, not just the problem.
- Monitor over time — posture drifts as people deploy and change things; CSPM catches the drift.
The word that matters is configuration. CSPM isn't looking for software vulnerabilities (that's a different tool); it's looking at how your cloud is set up — the settings, permissions and exposure that you own and can change today.
What CSPM checks on Azure
Most of the real-world risk clusters into a handful of categories. A mature Azure CSPM covers all of them:
| Category | Example misconfigurations it catches |
|---|---|
| Data exposure | Storage accounts allowing anonymous blob access; databases reachable from the public internet |
| Encryption / transport | HTTPS not enforced; minimum TLS below 1.2; disks or data without encryption |
| Identity & access | Over-permissive RBAC; too many subscription Owners; no MFA on privileged roles |
| Network | Management ports (RDP/SSH) open to the internet; permissive NSG rules; no private endpoints |
| Logging & monitoring | Missing diagnostic settings; no activity-log retention; no alerting on key events |
| Resilience | No backup; single-region critical resources; no soft-delete on key vaults |
| Governance | Missing tags; resources outside approved regions; no policy guardrails |
Each finding is only useful if you know why it matters and how to fix it — which is why good CSPM attaches both a severity and a concrete remediation to every result.
Compliance frameworks CSPM maps to
The reason CSPM findings carry weight with auditors is that each maps to a named control in a recognised framework. The common set:
| Framework | What it is |
|---|---|
| CIS Azure Benchmark | Prescriptive, Azure-specific security baseline — the most direct fit for CSPM checks |
| ISO 27001 | International information-security management standard (Annex A controls) |
| NIST SP 800-53 | US federal control catalogue, widely used as a reference |
| PCI DSS | Payment-card data security |
| SOC 2 | Trust-services criteria for service providers |
| HIPAA | US healthcare data protection |
| GDPR / RGPD | EU personal-data protection (Art. 32 security of processing, Art. 25 by design/default) |
A single misconfiguration usually maps to several at once — e.g. public blob access touches CIS 3.7, ISO 27001 A.8.3, NIST AC-6 and GDPR Art. 32.1.b.
CSPM on Azure specifically: the built-in tier vs going further
Microsoft Defender for Cloud includes a basic CSPM tier that is free and enabled by default on every subscription: resource inventory, a Secure Score, and security recommendations. It's a genuine, useful baseline — and the right place to start.
Where paid Defender CSPM and independent tools add value:
| Capability | Free basic tier | Deeper CSPM |
|---|---|---|
| Resource inventory, Secure Score, recommendations | ✅ | ✅ |
| Attack-path analysis | — | ✅ |
| Secret scanning | — | ✅ |
| Data-security posture (DSPM) | — | ✅ |
| Actionable, copy-paste remediation per finding | Partial | ✅ |
| Posture trend over time / drift detection | Limited | ✅ |
| Compliance mapping across multiple frameworks | Partial | ✅ |
The honest takeaway: the free tier tells you what; deeper tooling tells you what to do about it, in what order, and whether you're getting better or worse over time.
CSPM vs CNAPP, DSPM, CIEM and vulnerability scanning
These acronyms overlap and get used loosely. The short disambiguation:
| Term | Focuses on |
|---|---|
| CSPM | Cloud configuration posture — misconfigurations and compliance |
| CNAPP | An umbrella platform combining CSPM + workload protection + more |
| DSPM | Data security posture — where sensitive data lives and who can reach it |
| CIEM | Entitlements — cloud identities and their permissions |
| Vulnerability scanning | Software flaws (CVEs) in code and images, not configuration |
CSPM is the foundation most teams start with because misconfiguration — not exotic exploits — is behind the majority of real cloud incidents.
How to get started with CSPM on Azure
- Confirm Defender for Cloud's free CSPM is on (it is, by default) and look at your Secure Score.
- Pick one framework to anchor on — CIS Azure Benchmark is the most direct fit.
- Triage by exposure first: anything reachable from the public internet with weak auth.
- Fix, then watch the trend — a score that improves and holds is the goal, not a one-time cleanup.
How Calma Cloud approaches CSPM
Calma Cloud runs read-only and agentless against your tenant — nothing to install, and your inventory, credentials and reports stay in your own environment. It maps every finding to CIS / ISO 27001 / NIST / GDPR, hands you the fix per finding, and tracks your posture over time as a single calm score instead of a wall of red. The design principle is the opposite of alarmism: show what matters first, explain it plainly, and make the next step obvious.
FAQ
- What does CSPM stand for? Cloud Security Posture Management.
- Does Azure have built-in CSPM? Yes — Microsoft Defender for Cloud includes a free basic CSPM tier, on by default (inventory, Secure Score, recommendations). Paid and third-party tools add attack paths, secret scanning, DSPM and richer remediation.
- Is CSPM free on Azure? The basic tier is free; the deeper Defender CSPM plan and most independent tools are paid.
- What frameworks does CSPM map to? Commonly CIS, ISO 27001, NIST, PCI DSS, SOC 2, HIPAA and GDPR.
- Is CSPM the same as a vulnerability scanner? No. CSPM finds misconfigurations (how resources are set up); vulnerability scanning finds software flaws (CVEs). They complement each other.
- CSPM vs CNAPP — what's the difference? CNAPP is an umbrella platform; CSPM is the configuration-posture piece within it.
- Do I need to install agents? Not for configuration posture — CSPM reads the cloud control plane. Calma Cloud is read-only and agentless.
- How is CSPM different from just using Secure Score? Secure Score is one signal; CSPM is the whole loop — discover, assess against frameworks, prioritise, remediate and track drift over time.
