Data-Centric Security: Protect Your Cloud Data with Microsoft Defender
Leverage Defender for Cloud and Microsoft Purview to discover sensitive data, analyze attack paths, and focus your remediation efforts on the risks that truly matter.
Last week, we continued our series on 10 Best Cloud Practices for the Modern Enterprise. This week, our focus will be on implementing Data-Centric Security Posture Management. This approach is crucial for discovering, classifying, and protecting sensitive data, using the context of that data to prioritize the most critical risks.
The ultimate objective of any cybersecurity program, including vulnerability management, is to prevent the unauthorized access, theft, or destruction of sensitive data [2]. While securing infrastructure, networks, and applications is a critical means to this end, a truly mature security strategy must also focus directly on the data itself. Data-centric security posture management shifts the focus from protecting systems alone to actively discovering, classifying, and protecting the organization's "crown jewels" (its most sensitive data) wherever that data resides.
This approach provides the final layer of business context for vulnerability prioritization. By knowing which assets contain or grant access to sensitive data, security teams can assess the true risk of a vulnerability far more accurately. An attack path that ends at a publicly accessible web server holding no sensitive information is a concern; an attack path that ends at a database holding the personally identifiable information (PII) or financial records of millions of customers is a potential catastrophe [24]. By bringing data awareness into the vulnerability management lifecycle, organizations can focus remediation on the weaknesses most likely to end in an impactful data breach.
Key Concepts
Sensitive Data Discovery
The first step in a data-centric approach is to find the sensitive data. This means using automated tools to continuously scan the entire multi-cloud and hybrid estate for data stores that contain sensitive information [24]. This is not a trivial task: data lives not only in well-known, managed databases but also in "shadow data" locations such as forgotten storage buckets or developer test environments. The discovery process should identify a wide range of data types, including PII, protected health information (PHI), financial data (such as credit card numbers), and intellectual property, across data services such as Azure Blob Storage, AWS S3, Azure SQL, and Amazon RDS [24].
Data Classification and Labeling
Once sensitive data is discovered, it must be classified by sensitivity level. This typically means applying labels (e.g., Public, Internal, Confidential, Highly Confidential) to the data itself or to the data store that contains it [24]. The classification then serves as an input to security policy: access controls, data loss prevention (DLP) policies, and encryption requirements can be applied automatically based on a file's or a database's sensitivity label, so the most stringent protections land on the most sensitive data. In practice the store-level label matters as much as the object-level one, because the controls that actually block an attacker (network rules, IAM permissions, firewall settings) are attached to the store, not to individual files.
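As a worked example of the discovery and labeling steps described above (added here; it is not Defender for Cloud's or Microsoft Purview's code), the following Python script scans a constructed set of objects for a few sensitive information types, validates card-number candidates with a Luhn check so that arbitrary 16-digit identifiers such as order numbers are not flagged, and rolls the findings up to a per-store sensitivity label. The object paths, their contents, the detector patterns and the label names are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample objects keyed by "<data-store>/<object>". They stand in for
# blobs, S3 objects and table exports; every value here is invented for the example.
SAMPLE_OBJECTS = {
    "prod-sql/customers.csv": "id,name,card\n1,Ann,4111 1111 1111 1111\n2,Bob,5500-0000-0000-0004\n",
    "dev-test/scratch.txt": "order ref 1234567890123456 (not a card) ann@example.com",
    "public-web/index.html": "<html><body>Welcome</body></html>",
    "hr-share/notes.txt": "Employee SSN 123-45-6789 on file",
}

# Assumed sensitive information types. Card detection is two-stage: a loose regex
# finds digit runs (spaces and hyphens allowed), then a Luhn check filters them.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Assumed label scheme; a higher index is more restrictive.
LABELS = ["Public", "Internal", "Confidential", "Highly Confidential"]
TYPE_TO_LABEL = {
    "CreditCard": "Highly Confidential",
    "SSN": "Highly Confidential",
    "Email": "Confidential",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count hits per sensitive information type in one object."""
    hits = Counter()
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits["CreditCard"] += 1
    hits["SSN"] += len(SSN.findall(text))
    hits["Email"] += len(EMAIL.findall(text))
    return +hits  # unary plus drops zero-count entries


def label_for(hits: Counter) -> str:
    """Most restrictive label implied by the detected types; 'Internal' is the assumed default."""
    if not hits:
        return "Internal"
    return max((TYPE_TO_LABEL[t] for t in hits), key=LABELS.index)


def discover(objects: dict[str, str]) -> dict[str, dict]:
    """Aggregate findings per data store; the store inherits its most restrictive object label."""
    stores: dict[str, dict] = {}
    for path, content in objects.items():
        store = path.split("/", 1)[0]
        entry = stores.setdefault(store, {"label": "Internal", "findings": Counter(), "objects": 0})
        hits = scan_text(content)
        entry["findings"].update(hits)
        entry["objects"] += 1
        entry["label"] = max(entry["label"], label_for(hits), key=LABELS.index)
    return stores


if __name__ == "__main__":
    for store, info in discover(SAMPLE_OBJECTS).items():
        print(f"{store:12} {info['label']:20} {dict(info['findings'])}")
```

Run as-is and the "dev-test" store surfaces as Confidential because a customer e-mail address sits in a scratch file, which is exactly the shadow-data case the discovery step is meant to catch; the 16-digit order reference in the same file is ignored because it fails the Luhn check. A production discovery engine adds many more information types, samples rather than reads every object, and keeps the label on the store so that downstream policy can act on it.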
Data-Aware Risk Assessment and Attack Path Analysis
This is where data-centric security directly intersects with vulnerability management. By correlating vulnerability data with the data discovery and classification results, security teams can conduct a data-aware risk assessment: vulnerabilities are prioritized not just by technical severity or asset type, but by their proximity to, and potential impact on, sensitive data. The most powerful tool for this is data-aware attack path analysis. It lets security teams visualize the attack chains that end in a data breach, showing the exact sequence of vulnerabilities, misconfigurations, and permissions an attacker could exploit to reach a sensitive data store [24].
Microsoft Implementation
Microsoft provides a deeply integrated suite of tools that bring together data governance and data security, enabling a powerful data-centric security posture management program.
Microsoft Defender for Cloud - Data-Aware Security Posture
This capability, available through the Defender CSPM plan and, for storage accounts, through Microsoft Defender for Storage, is designed to automatically discover, classify, and help protect sensitive data across the multi-cloud environment [4].
Automated Sensitive Data Discovery: Defender for Cloud uses smart sampling and its discovery engines to find sensitive data across a wide range of data stores in Azure, AWS, and GCP, including object storage (Azure Blob, AWS S3) and database services (Azure SQL, AWS RDS) [24]. It can identify both managed data resources and shadow data repositories created outside standard IT processes. Because discovery is sample-based, a store with no findings has not been proven clean; treat the results as a prioritization signal rather than an inventory of every sensitive record.
Integration with Microsoft Purview: A key strength of the Microsoft solution is its integration with Microsoft Purview, Microsoft's unified data governance platform. Defender for Cloud can use the sensitive information types and sensitivity labels defined in Microsoft Purview to classify discovered data automatically [20]. The result is a single, consistent classification scheme across the organization, bridging the gap between data governance and security operations.
Data-Centric Attack Path Analysis: The attack path analysis engine in Defender for Cloud is data-aware. It can specifically identify and prioritize attack paths that pose a risk of a data breach. For example, it can highlight a scenario in which an internet-exposed virtual machine has overly permissive access to an AWS S3 bucket that has been found to contain sensitive financial data [24]. Security teams can then focus immediately on breaking that chain, whether by patching the VM, restricting its network access, or revoking its permissions to the S3 bucket. Of these, revoking the permission is usually the most durable fix, because it removes the bucket from every path that passes through that identity, whereas patching addresses only today's vulnerability on that one host.
Threat Detection for Data Stores: Microsoft Defender for Storage adds a further layer of protection by monitoring Azure storage accounts for anomalous activity that could indicate a threat. It can detect suspicious access patterns, malicious file uploads (malware scanning is an add-on within the plan), and configuration changes that could lead to a data breach, generating security alerts that enable rapid response [24].
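The data-aware attack path analysis described under Key Concepts and in the Defender for Cloud item above, as an added example that is not the product's code: a small Python graph search over a constructed inventory (asset names, CVSS scores, labels and permission edges are all invented) that enumerates paths from internet-exposed hosts to data stores, scores each path by the sensitivity of the data it reaches and the worst weakness along the way, and then identifies the single edge whose removal breaks the most high-risk paths. The label weights and scoring formula are assumptions chosen to make the data context dominate.

```python
from collections import Counter, defaultdict

# Assumed weights: data sensitivity is the primary driver of path risk.
LABEL_WEIGHT = {"Public": 0, "Internal": 1, "Confidential": 3, "Highly Confidential": 5}

# Constructed multi-cloud inventory (not Defender for Cloud output). 'cvss' is the
# worst known vulnerability on the host; data stores carry the discovered label.
ASSETS = {
    "web-vm":         {"kind": "vm", "internet_exposed": True, "cvss": 9.8},
    "jump-vm":        {"kind": "vm", "internet_exposed": True, "cvss": 5.3},
    "app-vm":         {"kind": "vm", "internet_exposed": False, "cvss": 7.5},
    "svc-role":       {"kind": "identity"},
    "finance-s3":     {"kind": "datastore", "label": "Highly Confidential"},
    "logs-blob":      {"kind": "datastore", "label": "Internal"},
    "marketing-blob": {"kind": "datastore", "label": "Public"},
}

# Directed edges (source, target, relationship): network reachability, the identity a
# host runs as, and the permissions that identity holds on data stores.
EDGES = [
    ("web-vm", "svc-role", "runs-as"),
    ("web-vm", "logs-blob", "network-reaches"),
    ("jump-vm", "app-vm", "network-reaches"),
    ("app-vm", "svc-role", "runs-as"),
    ("svc-role", "finance-s3", "s3:GetObject"),
    ("svc-role", "marketing-blob", "read"),
]


def find_attack_paths(assets, edges, min_score=0.0):
    """Enumerate simple paths from internet-exposed assets to data stores, scored by data impact."""
    adj = defaultdict(list)
    for src, dst, rel in edges:
        adj[src].append((dst, rel))
    found = []

    def walk(node, visited, hops, worst_cvss):
        for nxt, rel in adj[node]:
            if nxt in visited:  # keep paths simple; no cycles through the same asset
                continue
            asset = assets[nxt]
            cvss = max(worst_cvss, asset.get("cvss", 0.0))
            path_edges = hops + [(node, nxt, rel)]
            if asset["kind"] == "datastore":
                # score = sensitivity weight x (worst CVSS on the path / 10), rounded for display
                score = round(LABEL_WEIGHT[asset["label"]] * cvss / 10, 2)
                if score >= min_score:
                    found.append({
                        "entry": path_edges[0][0],
                        "target": nxt,
                        "label": asset["label"],
                        "worst_cvss": cvss,
                        "score": score,
                        "edges": path_edges,
                    })
            else:
                walk(nxt, visited | {nxt}, path_edges, cvss)

    for name, asset in assets.items():
        if asset.get("internet_exposed"):
            walk(name, {name}, [], asset.get("cvss", 0.0))
    # Highest data impact first; shorter chains first among equals
    found.sort(key=lambda p: (-p["score"], len(p["edges"])))
    return found


def choke_point(paths, min_score=3.0):
    """Edge shared by the most paths at or above min_score: the cheapest place to break the chain."""
    counts = Counter(edge for p in paths if p["score"] >= min_score for edge in p["edges"])
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


if __name__ == "__main__":
    paths = find_attack_paths(ASSETS, EDGES)
    for p in paths:
        route = " -> ".join([p["entry"]] + [dst for _, dst, _ in p["edges"]])
        print(f"{p['score']:>5}  {p['label']:<20}  {route}")
    edge, n = choke_point(paths)
    print(f"break first: {edge} (shared by {n} high-risk paths)")
```

Two things fall out that a severity-only view would miss. The jump host has only a CVSS 5.3 weakness, yet its path ranks second because it ends at the Highly Confidential bucket via the internal app server. And the edge that appears in every high-risk path is the role's s3:GetObject on finance-s3, so revoking that one permission breaks both chains at once, while patching web-vm would still leave the jump-host path open.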
By implementing this data-centric approach, organizations move their vulnerability management program to its most mature state. The prioritization model is no longer only risk-based; it is business-impact-based. That keeps the scarcest security resources aligned with the most critical business objective: protecting the organization's sensitive data.
Some security tools you can consider for improving your business security posture:
CrowdStrike Falcon: An AI-driven platform for securing your infrastructure at scale and keeping up with AI advancements. https://crowdstrike2001.partnerlinks.io/Cpf-coaching
INE Security Awareness and Training is essential for your team to stay updated with the evolving threat landscape, enhancing the effectiveness of the teams supporting your organization. https://get.ine.com/cpf-coaching
Tenable helps identify weaknesses in your infrastructure, whether on-premises, in the cloud, or in your software, providing your vulnerability management with the visibility it needs. https://shop.tenable.com/cpf-coaching
Cyvatar.AI offers a managed endpoint protection solution for SMBs and cloud environments. https://cyvataraif5706.referralrock.com/l/CHRISTOPHE77/
Omnistruct helps you with privacy, GRC, and security programs. They can serve as your BISO to help scale your team and security program. https://omnistruct.com/partners/influencers-meet-omnistruct/
Guidde helps you turn your tribal, undocumented processes into easy-to-follow documented videos and instructions. https://affiliate.guidde.com/cpf-coaching
Cyberupgrade simplifies the process of enhancing your cyber and digital risk management, allowing you to grow your business without having to be a compliance expert. We take care of the complexities associated with frameworks like DORA, ISO 27001, and NIS2, enabling your team to concentrate on building, scaling, and serving your customers. https://join.cyberupgrade.net/cpf-coaching
1Password secures your secrets, tokens, passwords, documents, and more, whether you're at home, work, or school. They offer programs suited for everyone. https://1password.partnerlinks.io/cpf-coaching
Works Cited:
What is the vulnerability management lifecycle? - Red Canary, accessed June 26, 2025, https://redcanary.com/cybersecurity-101/security-operations/vulnerability-management-lifecycle/
Microsoft Defender for Cloud Overview, accessed June 26, 2025, https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
Microsoft Defender Vulnerability Management | Microsoft Security, accessed June 26, 2025, https://www.microsoft.com/en-us/security/business/threat-protection/microsoft-defender-vulnerability-management
Overview - Data security posture management - Microsoft Defender for Cloud, accessed June 26, 2025, https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-data-security-posture