You just gonna take that AWS? Let Microsoft school your users on cloud security?
And Google Cloud is next
Microsoft has torn the wraps off its multi-cloud security benchmark (MCSB), which replaces the four-year-old Azure Security Benchmark. Crucially, as the name suggests, it now has usage and configuration guidance that reaches into rival environments.
That's right, the operating systems maker that brought us Patch Tuesday is offering security tips for users of other platforms.
MCSB v1 hit general availability today and not only includes more information about securing Azure instances but also offers a few monitoring features – 172 automated checks, to be precise – for Amazon Web Services as well as usage advice.
Given how many organizations now use two or more public clouds – 87 percent of respondents in Flexera's 2023 State of the Cloud report said they have a multicloud strategy – it was important that Microsoft also look outward when talking about security baselines, according to Jim Cheng, senior software engineer at Microsoft.
We'll leave it up to you to decide if this is Redmond being genuinely helpful for multi-cloud folks, or the IT giant pointing out that other platforms, as well as Azure, need securing too.
"Today we see that our customers often have to aggregate and reconcile their security management across multiple cloud platforms to meet security and compliance requirements," Cheng wrote in October 2022, when MCSB v1 entered public preview. "This often requires security teams to repeat the same implementation, monitoring, and assessments across different cloud environments and often for different compliance standards. This creates unnecessary overhead, cost, and effort."
To help evolve the Azure Security Benchmark to MCSB, Microsoft created a single control framework to address security controls across clouds, starting with AWS, and to provide a consistent user experience for monitoring and enforcing the MCSB in Defender for Cloud.
Redmond is also remaining aligned with industry security standards including CIS, NIST, and PCI.
"Similar to Azure, MCSB monitoring is enabled by default in MDC [Microsoft Defender for Cloud] for AWS environments," Cheng wrote.
Google Cloud is next in line, with Microsoft extending the MCSB scope to include the platform later this year. Once that is done, Microsoft's cloud security benchmark will have covered the three largest public cloud providers, which account for 66 percent of the market, according to Synergy Research Group.
Adding Google Cloud will allow users "to use a single integrated dashboard to monitor your cloud security posture across all three major clouds," he wrote.
Since it went into public preview, Microsoft has grown the AWS monitoring capabilities to the 172 checks and published 93 Azure service baselines in the new MCSB format. The baselines touch on a broad array of areas, from AI and machine learning to analytics, compute, databases, and networking.
Along with adding Google Cloud to the list of cloud environments covered by the benchmark, Microsoft will continue adding monitoring checks to Defender for Cloud that cover Azure and other clouds, as well as more compliance management and evidence-gathering capabilities in the Defender for Cloud portal, according to Cheng.