1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,280
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,280 --> 00:00:17,440
Hey everybody, welcome to episode 96.

4
00:00:17,440 --> 00:00:20,520
This week is myself, Michael, with Sarah and Mark.

5
00:00:20,520 --> 00:00:26,200
This week we have a return guest, a big friend of the podcast, Yuri Diogenes, who's here to

6
00:00:26,200 --> 00:00:27,200
talk about CNAPP.

7
00:00:27,200 --> 00:00:31,720
But before we get to our guest, let's take a little lap around the news.

8
00:00:31,720 --> 00:00:34,600
So I have a small number of news items.

9
00:00:34,600 --> 00:00:40,920
First one is in public preview, we have label-based access control for Azure SQL database using

10
00:00:40,920 --> 00:00:43,560
Microsoft Purview policies.

11
00:00:43,560 --> 00:00:48,360
My colleague, Shoham, wrote a blog post on this, has been working on it.

12
00:00:48,360 --> 00:00:54,000
This allows you to essentially put labels on columns that contain sensitive data using

13
00:00:54,000 --> 00:00:57,200
labels that are provided by Microsoft Purview information protection.

14
00:00:57,200 --> 00:00:59,720
And yeah, this is great to see.

15
00:00:59,720 --> 00:01:05,440
I don't know, but to me, you know, the SQL access model can get complex and this kind

16
00:01:05,440 --> 00:01:07,320
of simplifies it a little bit.

17
00:01:07,320 --> 00:01:11,360
But yeah, putting mandatory labels on objects is always a fantastic defense.

18
00:01:11,360 --> 00:01:17,240
Staying in the database realm, Microsoft Defender for Cloud now adds full coverage for our Azure

19
00:01:17,240 --> 00:01:18,760
open source relational databases.

20
00:01:18,760 --> 00:01:24,200
So that includes Azure Database for MySQL and Azure Database for PostgreSQL, in both

21
00:01:24,200 --> 00:01:26,360
cases, flexible server versions.

22
00:01:26,360 --> 00:01:31,680
And yes, this includes things like suspicious database activities, brute force attacks,

23
00:01:31,680 --> 00:01:32,680
and so on.

24
00:01:32,680 --> 00:01:38,040
So yeah, we haven't just covered your SQL databases, SQL server databases, and Azure

25
00:01:38,040 --> 00:01:39,040
SQL databases.

26
00:01:39,040 --> 00:01:42,600
We now include MySQL and PostgreSQL.

27
00:01:42,600 --> 00:01:45,760
Azure Data Box now supports hardware encryption.

28
00:01:45,760 --> 00:01:51,880
Azure Data Box is used if you're transferring essentially terabytes of on-prem data to the

29
00:01:51,880 --> 00:01:54,640
cloud as probably the most efficient way of doing it.

30
00:01:54,640 --> 00:02:01,120
Well now we support, in general availability, AES 256 hardware encryption, also for Linux-based

31
00:02:01,120 --> 00:02:02,120
hosts.

32
00:02:02,120 --> 00:02:03,560
So this is great to see as well.

33
00:02:03,560 --> 00:02:07,800
So that way, you know, you encrypt it at the source and then we decrypt it at the end.

34
00:02:07,800 --> 00:02:11,680
And last but by no means least, and I am leaving this last because I am most excited about

35
00:02:11,680 --> 00:02:15,440
this, trusted signing is now in public preview.

36
00:02:15,440 --> 00:02:20,960
So trusted signing, this will evolve over the years, but trusted signing is code signing.

37
00:02:20,960 --> 00:02:27,480
So it's the ability to take a container or take say a Windows executable and digitally

38
00:02:27,480 --> 00:02:28,720
sign that.

39
00:02:28,720 --> 00:02:34,200
So we now have all that ability in a very streamlined and cost-effective way built into

40
00:02:34,200 --> 00:02:35,200
Azure.

41
00:02:35,200 --> 00:02:41,480
As I mentioned, this will evolve over time to accommodate different signing mechanisms,

42
00:02:41,480 --> 00:02:45,300
but the infrastructure is there and you can do public trust or you can do private trust.

43
00:02:45,300 --> 00:02:49,480
Private trust requires obviously a bit more scrutiny, a bit more background check, but

44
00:02:49,480 --> 00:02:53,920
private trust allows you to use your own CAs, for example, your own certificate authorities.

45
00:02:53,920 --> 00:02:55,280
This is really great to see.

46
00:02:55,280 --> 00:02:58,760
I've actually been kind of waiting for this for quite some time.

47
00:02:58,760 --> 00:03:04,520
So when the PM involved actually emailed me and said, we've gone GA, I was kind of floored,

48
00:03:04,520 --> 00:03:05,520
but this is great to see.

49
00:03:05,520 --> 00:03:06,520
Okay.

50
00:03:06,520 --> 00:03:08,040
Now we have the news out of the way.

51
00:03:08,040 --> 00:03:09,720
Let's turn our attention to our guest.

52
00:03:09,720 --> 00:03:13,200
As I mentioned, we have Yuri Diogenes, good friend of the podcast.

53
00:03:13,200 --> 00:03:16,800
Yuri, welcome to the podcast yet again.

54
00:03:16,800 --> 00:03:22,040
We'd like to take a moment and reintroduce yourself for the umpteenth time to our listeners.

55
00:03:22,040 --> 00:03:23,120
Hey, Michael.

56
00:03:23,120 --> 00:03:24,640
Thanks for having me on again.

57
00:03:24,640 --> 00:03:25,640
Sure.

58
00:03:25,640 --> 00:03:26,640
Great to be back.

59
00:03:26,640 --> 00:03:27,640
My name is Yuri Diogenes.

60
00:03:27,640 --> 00:03:35,000
I've been at Microsoft for the past 18 years, currently as a PM manager for Defender for

61
00:03:35,000 --> 00:03:42,160
Cloud managing a team of program managers, product managers for our Microsoft Synapse

62
00:03:42,160 --> 00:03:43,160
solution.

63
00:03:43,160 --> 00:03:44,160
Hey, tudo bem.

64
00:03:44,160 --> 00:03:45,160
Tudo bem.

65
00:03:45,160 --> 00:03:51,280
I don't know much Brazilian Portuguese, but I do know that.

66
00:03:51,280 --> 00:03:54,240
So Yuri, so can you give us an overview?

67
00:03:54,240 --> 00:03:57,040
What is CNAPP and kind of where did it come from?

68
00:03:57,040 --> 00:04:00,880
And also to Michael's earlier point, what does it actually stand for?

69
00:04:00,880 --> 00:04:03,000
Yeah, sure.

70
00:04:03,000 --> 00:04:10,680
So CNAPP is Cloud Native Application Protection Platform, mouthful acronym.

71
00:04:10,680 --> 00:04:16,280
And it was a term that was coined by Gartner.

72
00:04:16,280 --> 00:04:22,840
And the whole rationale behind the CNAPP was with the evolution of cloud security, it was

73
00:04:22,840 --> 00:04:30,400
very visible that having the best of breed, how they call on each vertical, it was not

74
00:04:30,400 --> 00:04:35,560
really sufficient because yes, we had cloud security posture management, which is a great

75
00:04:35,560 --> 00:04:37,260
thing, very important.

76
00:04:37,260 --> 00:04:41,160
We have cloud workload protection platform, which is yet another platform.

77
00:04:41,160 --> 00:04:48,080
We have DevSecOps, CIEM, so many platforms, but these different platforms that the ultimate

78
00:04:48,080 --> 00:04:53,600
goal was to protect the cloud security infrastructure, they were not talking to each other.

79
00:04:53,600 --> 00:05:00,160
And there was a lot of opportunities in place to have one single place that they could share

80
00:05:00,160 --> 00:05:05,440
insights and based on those insights, the cloud administrator or whoever is managing

81
00:05:05,440 --> 00:05:12,880
that platform is able to make smart decisions, contextual decisions based on their own environment.

82
00:05:12,880 --> 00:05:20,860
Because if you think about the traditional CSPM approach was here goes a set of baselines

83
00:05:20,860 --> 00:05:27,480
and make sure to remediate those recommendations to elevate a secure posture, which is good.

84
00:05:27,480 --> 00:05:34,040
But we always had complaints from customers saying, I have here 100 high severity secure

85
00:05:34,040 --> 00:05:35,040
recommendation.

86
00:05:35,040 --> 00:05:40,040
I have manpower to address this and I don't know what is critical to my environment.

87
00:05:40,040 --> 00:05:42,880
I don't know if this is very risky for me.

88
00:05:42,880 --> 00:05:45,160
What do I need to do it first?

89
00:05:45,160 --> 00:05:49,520
So there was zero context when it comes to customers' environments.

90
00:05:49,520 --> 00:05:55,240
So the CNAPP really solved this problem because now I give you what really is important

91
00:05:55,240 --> 00:06:00,080
to your environment based on the insights that we collect across all platforms.

92
00:06:00,080 --> 00:06:06,100
So there's a lot of context when we tell you this is critical for your environment.

93
00:06:06,100 --> 00:06:09,040
So that's the whole idea about CNAPP.

94
00:06:09,040 --> 00:06:12,160
So it basically wraps up a lot of the dependencies.

95
00:06:12,160 --> 00:06:17,440
So the cloud platform itself, cloud security posture management or CSPM, that sounds like

96
00:06:17,440 --> 00:06:26,360
the identity and entitlement, the CIEM, as well as the workloads themselves and even

97
00:06:26,360 --> 00:06:28,880
getting into some of the application stuff, it sounds like.

98
00:06:28,880 --> 00:06:36,240
So you kind of have a one stop shop for your workloads and the platform and identities

99
00:06:36,240 --> 00:06:39,760
and admin controls that it relies on.

100
00:06:39,760 --> 00:06:40,760
Yeah.

101
00:06:40,760 --> 00:06:44,840
And not only all this, but also DevSecOps.

102
00:06:44,840 --> 00:06:50,080
We need to have visibility of what developers are pushing to the cloud when it comes to

103
00:06:50,080 --> 00:06:57,400
infrastructure as code, when it comes to guardrails to even prevent developers to push vulnerable

104
00:06:57,400 --> 00:06:59,120
codes to the cloud.

105
00:06:59,120 --> 00:07:05,040
All those insights are also ingested into the CNAPP platform and smart decisions can

106
00:07:05,040 --> 00:07:07,680
be made based on those insights.

107
00:07:07,680 --> 00:07:15,880
So Yuri, how does CNAPP, because you've been on this podcast before and talked about CSPM

108
00:07:15,880 --> 00:07:19,680
and cloud security posture management.

109
00:07:19,680 --> 00:07:23,200
What's the relationship between the two?

110
00:07:23,200 --> 00:07:28,480
Because they are obviously related, but just if anybody's not clear.

111
00:07:28,480 --> 00:07:33,120
That's a great question, Sarah, because a lot of people ask this question, to be very

112
00:07:33,120 --> 00:07:34,120
honest.

113
00:07:34,120 --> 00:07:42,520
And the answer is now with this CNAPP approach, CSPM belongs to CNAPP.

114
00:07:42,520 --> 00:07:48,000
So it becomes one more module within this CNAPP architecture.

115
00:07:48,000 --> 00:07:51,120
So we used to think about CNAPP, it has different pillars.

116
00:07:51,120 --> 00:07:58,280
CSPM is one of those pillars, but now the CSPM insights will be rationalized into the

117
00:07:58,280 --> 00:07:59,960
CNAPP engine.

118
00:07:59,960 --> 00:08:05,920
And then when we are building attack paths, when we are building risk-based recommendations,

119
00:08:05,920 --> 00:08:07,800
we take all those things into consideration.

120
00:08:07,800 --> 00:08:13,920
So in summary, CSPM becomes part of the CNAPP, but it's just one more pillar.

121
00:08:13,920 --> 00:08:20,360
Well, we've got now Copilot for Security and we're talking about AI and there's so

122
00:08:20,360 --> 00:08:21,680
many tools out there.

123
00:08:21,680 --> 00:08:26,800
So I guess there could be people asking, why should I care about CNAPP?

124
00:08:26,800 --> 00:08:31,320
And do I need this on top of all the other security tools I have?

125
00:08:31,320 --> 00:08:32,320
What would you say to them?

126
00:08:32,320 --> 00:08:38,280
Well, there will be tools that will be completely replaced by CNAPP because what we've seen in

127
00:08:38,280 --> 00:08:42,920
the market, as I said, is many customers, they started this cloud security journey by

128
00:08:42,920 --> 00:08:48,080
adopting a best of breed type of tool.

129
00:08:48,080 --> 00:08:49,760
For example, for vulnerability assessment.

130
00:08:49,760 --> 00:08:52,640
Oh, I have the best vulnerability assessments in the market.

131
00:08:52,640 --> 00:08:58,960
Well, it's great, but that vulnerability assessment is isolated, is not telling me anything, is

132
00:08:58,960 --> 00:09:01,360
not sharing those insights with all the tools.

133
00:09:01,360 --> 00:09:08,800
So now I have to go to a different dashboard, obtain those insights and do a manual cross-reference

134
00:09:08,800 --> 00:09:10,720
with the information that I have in my CNAPP.

135
00:09:10,720 --> 00:09:16,560
So vulnerability assessment, also part of the CNAPP, is a much better approach because

136
00:09:16,560 --> 00:09:20,520
it gives the insight, share those insights with the platform.

137
00:09:20,520 --> 00:09:27,560
So there's a lot of tool replacement that will be generated because CNAPP is able to

138
00:09:27,560 --> 00:09:32,520
provide those insights in a much richer approach.

139
00:09:32,520 --> 00:09:38,440
That and a lot of customers, they are realizing that is not about the best of breed type of

140
00:09:38,440 --> 00:09:39,440
security tool.

141
00:09:39,440 --> 00:09:44,440
It's about consolidation and share of insights.

142
00:09:44,440 --> 00:09:47,880
So that's the whole purpose of CNAPP.

143
00:09:47,880 --> 00:09:55,120
You mentioned AI, which is super important, and that will be definitely the next generation

144
00:09:55,120 --> 00:10:02,440
of CNAPP, is ensuring that AI is part of the platform so that you can not only take smart

145
00:10:02,440 --> 00:10:09,000
decisions, but you can leverage AI to automate your remediation, to better understand the

146
00:10:09,000 --> 00:10:11,360
insights of your environment.

147
00:10:11,360 --> 00:10:17,680
And I talked about this last year at Ignite, we announced a private preview of Defender

148
00:10:17,680 --> 00:10:23,320
for Cloud with Copilot, which is still going on.

149
00:10:23,320 --> 00:10:28,960
And there are already scenarios that we are integrating Defender for Cloud with Copilot

150
00:10:28,960 --> 00:10:31,200
to provide exactly that.

151
00:10:31,200 --> 00:10:37,720
Obviously, there are folks out there and teams who are already using Defender for Cloud.

152
00:10:37,720 --> 00:10:45,440
So will it be the same people using all this CNAPP stuff?

153
00:10:45,440 --> 00:10:50,400
Or will there be other teams that will find some of the functionality in here helpful?

154
00:10:50,400 --> 00:10:52,840
There will be multiple teams.

155
00:10:52,840 --> 00:10:58,040
Definitely there will be different personas utilizing the platform because, as I said,

156
00:10:58,040 --> 00:11:06,480
even DevSecOps engineers will be able to get value out of Microsoft's CNAPP solution.

157
00:11:06,480 --> 00:11:13,400
For example, if we have developers using GitHub or Azure ADO, they will be able to interact

158
00:11:13,400 --> 00:11:18,880
with the DevOps security capabilities of Defender for Cloud, which is part of the Defender CSPM,

159
00:11:18,880 --> 00:11:24,440
and obtain some insights when it comes to infrastructure as code best practices and

160
00:11:24,440 --> 00:11:25,440
things like that.

161
00:11:25,440 --> 00:11:31,560
So the scope of personas that will be utilizing the platform expands a little bit.

162
00:11:31,560 --> 00:11:36,280
There will be more, or at least there should be more integration between the teams.

163
00:11:36,280 --> 00:11:40,740
The teams need to share a common technology, which is the Defender for Cloud.

164
00:11:40,740 --> 00:11:44,360
So we hope that the teams will talk more with each other.

165
00:11:44,360 --> 00:11:49,080
If they do not talk, at least they have a common tool to visualize the insights that

166
00:11:49,080 --> 00:11:55,040
will benefit not only the posture management team, but also the DevSecOps and even the

167
00:11:55,040 --> 00:12:02,440
SOC administrators because our threat detection is very rich and will be funneled to whatever

168
00:12:02,440 --> 00:12:05,480
SIEM the customer is utilizing.

169
00:12:05,480 --> 00:12:12,360
So even the insights from our alerts and everything will still be streamed to the same solution.

170
00:12:12,360 --> 00:12:15,600
So definitely multiple personas.

171
00:12:15,600 --> 00:12:20,280
So one thing you haven't mentioned so far, and if I'm wrong, let me know, but is there

172
00:12:20,280 --> 00:12:24,560
even a threat hunting aspect to CNAPP?

173
00:12:24,560 --> 00:12:32,240
So threat hunting, as I said, is more related to, well, let's step back a little bit.

174
00:12:32,240 --> 00:12:35,840
There are two aspects of threat hunting.

175
00:12:35,840 --> 00:12:43,180
If we are talking about active threats, that's more a SOC role to do threat hunting and looking

176
00:12:43,180 --> 00:12:52,200
for alerts and how to hunt for active threats more from the incident response perspective.

177
00:12:52,200 --> 00:12:56,720
And this can be done by leveraging the insights from our workload protection.

178
00:12:56,720 --> 00:13:00,240
So all the alerts and everything.

179
00:13:00,240 --> 00:13:04,440
Basically they will do threat hunting in a SIEM platform.

180
00:13:04,440 --> 00:13:06,700
So for example, Microsoft Sentinel, right?

181
00:13:06,700 --> 00:13:12,480
So they will do this using Microsoft Sentinel by leveraging the insights that we provide

182
00:13:12,480 --> 00:13:14,200
to them.

183
00:13:14,200 --> 00:13:20,480
Now what we do have is a different type of hunting, which we call more like proactive

184
00:13:20,480 --> 00:13:24,800
hunting from the posture management perspective.

185
00:13:24,800 --> 00:13:31,400
Because when you think about customers that are very mature in this CNAPP journey, which

186
00:13:31,400 --> 00:13:36,520
honestly at this point in time is not a lot of customers that are on this level, but they

187
00:13:36,520 --> 00:13:40,420
already have enhanced their security posture.

188
00:13:40,420 --> 00:13:42,340
They already protect their workloads.

189
00:13:42,340 --> 00:13:48,440
So they have a team usually dedicated to do proactive hunting of posture management.

190
00:13:48,440 --> 00:13:49,440
What that really means?

191
00:13:49,440 --> 00:13:55,040
So I want to understand better my environment to see if there are potential breaches.

192
00:13:55,040 --> 00:13:56,040
There is a new zero day.

193
00:13:56,040 --> 00:14:00,320
I want to search my environment and see if there is any workload that could be affected

194
00:14:00,320 --> 00:14:07,640
by this zero day based on indications of compromise or something.

195
00:14:07,640 --> 00:14:12,700
We have inside of Defender for Cloud something called Cloud Security Explorer that allows

196
00:14:12,700 --> 00:14:17,440
customers to do this type of proactive hunting capability.

197
00:14:17,440 --> 00:14:21,200
Now this is different because here is more, as I said, proactive.

198
00:14:21,200 --> 00:14:25,560
It's more for the posture management team to handle.

199
00:14:25,560 --> 00:14:32,040
The traditional threat hunting is more for the incident responders to do it because they

200
00:14:32,040 --> 00:14:33,880
are hunting active threats.

201
00:14:33,880 --> 00:14:39,480
Well, as I mentioned at the top of the podcast, Sarah and Mark know a lot about CNAPP.

202
00:14:39,480 --> 00:14:40,480
I certainly do not.

203
00:14:40,480 --> 00:14:42,320
What are the kind of practicalities of this?

204
00:14:42,320 --> 00:14:43,880
How can someone get started with this?

205
00:14:43,880 --> 00:14:47,720
I mean, assuming someone like me who knows honestly very little.

206
00:14:47,720 --> 00:14:55,200
Well, the good news for you and for everyone listening that is more interesting about adopting

207
00:14:55,200 --> 00:15:03,200
a CNAPP solution is that we just released a new ebook totally free to download.

208
00:15:03,200 --> 00:15:05,960
100 plus pages.

209
00:15:05,960 --> 00:15:13,560
You go to aka.ms/MSCNAPP and you can download the PDF.

210
00:15:13,560 --> 00:15:19,520
And this ebook, the good thing about this ebook is that the first chapters, they are

211
00:15:19,520 --> 00:15:25,440
very agnostic, which means that they explain what CNAPP is.

212
00:15:25,440 --> 00:15:33,680
They explain not only the concepts, but the general considerations.

213
00:15:33,680 --> 00:15:38,600
And we are bringing something that the market really, the industry actually needed, which

214
00:15:38,600 --> 00:15:44,920
is the concept of a maturity model.

215
00:15:44,920 --> 00:15:52,680
So we have this maturity model diagram and maturity model section within the ebook that

216
00:15:52,680 --> 00:16:00,980
tells you what are the steps or what are the different stages that you will follow to get

217
00:16:00,980 --> 00:16:07,040
from a traditional approach of CNAPP implementation all the way to the optimal.

218
00:16:07,040 --> 00:16:12,040
So that gives you a roadmap to follow.

219
00:16:12,040 --> 00:16:19,360
And then once we finish these agnostic chapters, we go to really Defender for Cloud explaining

220
00:16:19,360 --> 00:16:22,200
how to plan and then to deploy.

221
00:16:22,200 --> 00:16:27,760
So that's the whole concept and the idea behind the ebook.

222
00:16:27,760 --> 00:16:29,160
So you actually had a nice segue there.

223
00:16:29,160 --> 00:16:30,920
So what are the Microsoft products that we have?

224
00:16:30,920 --> 00:16:33,000
So you said Defender for Cloud.

225
00:16:33,000 --> 00:16:34,480
What are the, I mean, is it part of a suite?

226
00:16:34,480 --> 00:16:35,760
I mean, how does that all hang together?

227
00:16:35,760 --> 00:16:41,480
Well, Defender for Cloud, it is an umbrella of different plans if you think about it,

228
00:16:41,480 --> 00:16:47,120
because we have Defender for SQL, we have Defender for Cosmos DB, we have Defender for

229
00:16:47,120 --> 00:16:48,120
servers.

230
00:16:48,120 --> 00:16:52,240
So these are different plans because these are workload protection plans.

231
00:16:52,240 --> 00:16:57,060
And then we have the main one for the posture management which is called Defender CSPM.

232
00:16:57,060 --> 00:17:02,920
So the ebook covers all these plans that are under the umbrella of Defender for Cloud.

233
00:17:02,920 --> 00:17:08,760
All right, Yuri, so as you know, because you've been on the podcast before, if you had just

234
00:17:08,760 --> 00:17:13,240
one final thought to leave our listeners with about this stuff, what would it be?

235
00:17:13,240 --> 00:17:15,880
To prioritize protection, right?

236
00:17:15,880 --> 00:17:23,720
Because what happened is we over and over see a lot of customers investing a lot into

237
00:17:23,720 --> 00:17:25,840
a detection, which is important.

238
00:17:25,840 --> 00:17:26,840
Don't take me wrong.

239
00:17:26,840 --> 00:17:27,840
It's important to have good analytics.

240
00:17:27,840 --> 00:17:32,520
It's important to receive alerts and take actions.

241
00:17:32,520 --> 00:17:38,840
But if you are doing just that, and you are ignoring your security posture, you look at

242
00:17:38,840 --> 00:17:44,000
your security score and you're like 40% and you think because you have great threat detection,

243
00:17:44,000 --> 00:17:48,080
you are in a good space, that's like trying to lie to yourself, right?

244
00:17:48,080 --> 00:17:57,200
You have to do the homework because even our Microsoft digital defense report already revealed

245
00:17:57,200 --> 00:18:02,880
that 98% of the attacks could have been prevented with basic security hygiene.

246
00:18:02,880 --> 00:18:09,680
So if you don't do the basics, really you are just reacting and you are really putting

247
00:18:09,680 --> 00:18:16,440
a lot of pressure on SOC analysts to triage alerts and to respond to incidents, whether

248
00:18:16,440 --> 00:18:22,620
you could even reduce the amount of alerts that you are receiving by basically doing

249
00:18:22,620 --> 00:18:25,100
the core security hygiene.

250
00:18:25,100 --> 00:18:31,360
So when you start this cloud security journey, make sure to prioritize protection, elevate

251
00:18:31,360 --> 00:18:40,120
your security posture, invest time to understand your environment, and make sure that you improve

252
00:18:40,120 --> 00:18:45,720
the security posture every single day because this is a continuous process.

253
00:18:45,720 --> 00:18:47,360
You don't do just one time.

254
00:18:47,360 --> 00:18:50,320
This is a continuous improvement process.

255
00:18:50,320 --> 00:18:57,840
And align this methodology with good governance because that's another problem, right?

256
00:18:57,840 --> 00:19:03,360
If you start to remediate things, how many times I've seen customers that reach like

257
00:19:03,360 --> 00:19:08,960
90% on the security score in one week, the next week they are back to 40% and they were

258
00:19:08,960 --> 00:19:09,960
like, what happened?

259
00:19:09,960 --> 00:19:17,280
I said, well, this is because you are not preventing workloads to be provisioned using

260
00:19:17,280 --> 00:19:18,920
the secure best practice.

261
00:19:18,920 --> 00:19:25,960
That is the point of doing all this work, but you are not prohibiting users to provision

262
00:19:25,960 --> 00:19:29,760
storage accounts that are widely open to the internet.

263
00:19:29,760 --> 00:19:36,240
So you have to have governance in place to prevent the provision of resources that are

264
00:19:36,240 --> 00:19:38,320
not secure by default.

265
00:19:38,320 --> 00:19:40,000
You have to align all those things.

266
00:19:40,000 --> 00:19:41,280
And these things are important.

267
00:19:41,280 --> 00:19:45,640
Otherwise, you're just going to react all the time.

268
00:19:45,640 --> 00:19:49,200
It's funny how often it's just the fundamentals, right?

269
00:19:49,200 --> 00:19:54,560
We live in an age where there's a whiz bang feature for absolutely everything.

270
00:19:54,560 --> 00:19:58,360
But 99 times out of 100 is just get the basics right.

271
00:19:58,360 --> 00:19:59,560
Actually, it's kind of funny.

272
00:19:59,560 --> 00:20:04,960
That's probably the number one message I think we've had as final thoughts on this podcast.

273
00:20:04,960 --> 00:20:05,960
Get the basics right.

274
00:20:05,960 --> 00:20:06,960
Which is kind of funny.

275
00:20:06,960 --> 00:20:07,960
Everyone says that, right?

276
00:20:07,960 --> 00:20:08,960
Isn't that funny?

277
00:20:08,960 --> 00:20:09,960
Yeah.

278
00:20:09,960 --> 00:20:10,960
Anyway, no surprises.

279
00:20:10,960 --> 00:20:13,000
I mean, absolutely no surprises, but there you go.

280
00:20:13,000 --> 00:20:15,080
Hey, well, let's bring this thing to an end.

281
00:20:15,080 --> 00:20:17,400
As I mentioned before, this has been a relatively short episode.

282
00:20:17,400 --> 00:20:18,760
And I'm fine with that.

283
00:20:18,760 --> 00:20:23,240
I'd rather be short and sweet and on point rather than just waffling on for the sake

284
00:20:23,240 --> 00:20:24,240
of waffling on.

285
00:20:24,240 --> 00:20:26,640
So, Yuri, again, thank you for coming back on the podcast.

286
00:20:26,640 --> 00:20:29,080
I have no doubt we will have you back on in the future.

287
00:20:29,080 --> 00:20:32,480
In fact, I think I know when we may have you back.

288
00:20:32,480 --> 00:20:35,680
I think we need to talk about cybersecurity careers at some point.

289
00:20:35,680 --> 00:20:36,680
Yeah.

290
00:20:36,680 --> 00:20:40,360
Just like we did recently at Texas State University.

291
00:20:40,360 --> 00:20:41,360
Exactly.

292
00:20:41,360 --> 00:20:42,360
Exactly.

293
00:20:42,360 --> 00:20:43,360
Yeah.

294
00:20:43,360 --> 00:20:44,360
That's right.

295
00:20:44,360 --> 00:20:45,360
That's right.

296
00:20:45,360 --> 00:20:46,360
That's right.

297
00:20:46,360 --> 00:20:47,360
That's right.

298
00:20:47,360 --> 00:20:48,360
We've got a lot going on between Austin and San Antonio.

299
00:20:48,360 --> 00:20:52,120
So, again, thank you so much for joining us this week and to all our listeners out there.

300
00:20:52,120 --> 00:20:54,120
We hope you found this episode of use.

301
00:20:54,120 --> 00:20:56,000
Stay safe and we'll see you next time.

302
00:20:56,000 --> 00:20:59,400
Thanks for listening to the Azure Security Podcast.

303
00:20:59,400 --> 00:21:06,200
You can find show notes and other resources at our website, azsecuritypodcast.net.

304
00:21:06,200 --> 00:21:10,960
If you have any questions, please find us on Twitter at AzureSecPod.

305
00:21:10,960 --> 00:21:16,400
Background music is from ccmixter.com and licensed under the Creative Commons license.

