1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,760
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,960 --> 00:00:17,040
Hey everybody, welcome to episode 25.

5
00:00:17,040 --> 00:00:18,800
We have a full house this week.

6
00:00:18,800 --> 00:00:22,040
It's myself, Gladys, Mark, and Sarah.

7
00:00:22,040 --> 00:00:24,780
We also have a special guest, Chuck Enstall,

8
00:00:24,780 --> 00:00:26,480
who's here to talk to us about some of

9
00:00:26,480 --> 00:00:29,720
the common questions he gets from customers relating to

10
00:00:29,720 --> 00:00:32,400
Azure Security. But before we get to Chuck,

11
00:00:32,400 --> 00:00:34,240
let's take a look at the news. Mark,

12
00:00:34,240 --> 00:00:35,800
do you want to kick things off?

13
00:00:35,800 --> 00:00:36,920
Yeah, just starting off,

14
00:00:36,920 --> 00:00:40,760
there's an expansion of our PCI DSS certification.

15
00:00:40,760 --> 00:00:41,880
We've got the link in there.

16
00:00:41,880 --> 00:00:46,560
I'm not a huge person that's detailed into the PCI DSS certs,

17
00:00:46,560 --> 00:00:49,160
but they did expand the scope of it.

18
00:00:49,160 --> 00:00:52,240
The next one that we've got is,

19
00:00:52,240 --> 00:00:54,920
there's a report that I put out there,

20
00:00:54,920 --> 00:00:57,600
and I got a link to the blog that describes it.

21
00:00:57,600 --> 00:01:00,080
We're definitely starting to see an increase in

22
00:01:00,080 --> 00:01:02,760
the firmware layer attacks.

23
00:01:02,760 --> 00:01:04,000
Like every piece of software,

24
00:01:04,000 --> 00:01:07,000
there's vulnerabilities and all the joy of that.

25
00:01:07,000 --> 00:01:09,160
We wanted to make sure that folks were there.

26
00:01:09,160 --> 00:01:10,760
It's a nice awareness piece there,

27
00:01:10,760 --> 00:01:14,600
and also talks a little bit about how we focus on

28
00:01:14,600 --> 00:01:18,600
that with our Secured-core capabilities within Windows.

29
00:01:18,600 --> 00:01:21,920
Next one is, obviously,

30
00:01:21,920 --> 00:01:26,120
there's been a fairly decent impact from

31
00:01:26,120 --> 00:01:30,000
the Exchange vulnerabilities that were published not too long ago.

32
00:01:30,000 --> 00:01:31,880
Our DART team actually recorded

33
00:01:31,880 --> 00:01:34,160
our detection response team that does

34
00:01:34,160 --> 00:01:35,320
incident response with customers,

35
00:01:35,320 --> 00:01:38,000
recorded a really nice overview of

36
00:01:38,000 --> 00:01:41,720
the attacks and how they work and what to do about it.

37
00:01:41,720 --> 00:01:43,400
Wanted to make sure that you all saw

38
00:01:43,400 --> 00:01:45,560
that YouTube video is a big one.

39
00:01:45,560 --> 00:01:47,640
From the things that I'm working on,

40
00:01:47,640 --> 00:01:50,880
we're starting to take a look at the Azure Security benchmarks

41
00:01:50,880 --> 00:01:52,800
and what are the things we can do to improve it.

42
00:01:52,800 --> 00:01:56,040
I would love to get any feedback; hit me up on LinkedIn or Twitter.

43
00:01:56,040 --> 00:01:58,800
If there's anything that you're looking for in particular.

44
00:01:58,800 --> 00:02:01,920
We haven't really locked in the specific plan yet,

45
00:02:01,920 --> 00:02:04,720
but we're thinking about through a shared responsibility model,

46
00:02:04,720 --> 00:02:06,640
we've gotten a decent amount of feedback of,

47
00:02:06,640 --> 00:02:08,880
okay, who does what, how much this is Microsoft,

48
00:02:08,880 --> 00:02:12,760
how much is this, is the enterprise identity or network,

49
00:02:12,760 --> 00:02:14,880
enterprise-wide teams across workloads,

50
00:02:14,880 --> 00:02:17,400
and how much of this security best practice

51
00:02:17,400 --> 00:02:20,000
would land on a specific workload owner.

52
00:02:20,000 --> 00:02:22,480
We're thinking about that and how we represent that.

53
00:02:22,480 --> 00:02:25,280
Love to get some feedback from you all on that one.

54
00:02:25,280 --> 00:02:28,640
The next one is the Cyber Reference Architecture,

55
00:02:28,640 --> 00:02:33,800
the very big complicated diagram that has all Microsoft's cyber capabilities

56
00:02:33,800 --> 00:02:35,200
or at least the main ones.

57
00:02:35,200 --> 00:02:37,000
We can't fit them all on it anymore.

58
00:02:37,000 --> 00:02:39,080
It's getting ready to come out.

59
00:02:39,080 --> 00:02:41,280
I can't give you a specific date,

60
00:02:41,280 --> 00:02:44,320
but it should be a matter of weeks from the recording of this podcast.

61
00:02:44,320 --> 00:02:45,880
We'll be talking about that,

62
00:02:45,880 --> 00:02:48,080
I'm sure as it gets even closer.

63
00:02:48,080 --> 00:02:51,480
But wanted to give you all heads up that that updated version is coming.

64
00:02:51,480 --> 00:02:55,680
I continually get questions on LinkedIn and Twitter and whatnot for that.

65
00:02:55,680 --> 00:02:58,600
Then the last one is a little bit more for,

66
00:02:58,600 --> 00:03:00,960
it illustrates one of the things that we're thinking about

67
00:03:00,960 --> 00:03:04,160
as we're working on some DevSecOps guidance,

68
00:03:04,160 --> 00:03:08,480
is we're starting to appreciate how important it is when you do DevSecOps

69
00:03:08,480 --> 00:03:11,400
to look at the world through the lens of developers,

70
00:03:11,400 --> 00:03:13,560
security people, and operations,

71
00:03:13,560 --> 00:03:16,240
because each has a very important goal in an application.

72
00:03:16,240 --> 00:03:19,000
One is that it meets the business needs for purpose,

73
00:03:19,000 --> 00:03:21,440
it actually enables the organization.

74
00:03:21,440 --> 00:03:23,840
That's the Dev world representing the business,

75
00:03:23,840 --> 00:03:28,040
the ops is the reliability, stability, maintainability elements.

76
00:03:28,040 --> 00:03:32,160
Then security is that it stays safe and it meets all those security assurances

77
00:03:32,160 --> 00:03:34,760
of confidentiality, integrity, and availability.

78
00:03:34,760 --> 00:03:38,040
We're really thinking about that need to merge the cultures.

79
00:03:38,040 --> 00:03:41,440
The last one was just an article that was a really interesting viewpoint

80
00:03:41,440 --> 00:03:47,200
that showed what the world looks like if you let the developers win every argument.

81
00:03:47,200 --> 00:03:53,080
The world is equally as dystopian as if you let the security people win every argument as well.

82
00:03:53,080 --> 00:03:56,600
But it was just an interesting insight there that I found interesting.

83
00:03:56,600 --> 00:03:58,280
So I thought I'd share that with the group.

84
00:03:58,280 --> 00:04:00,200
Hello everyone.

85
00:04:00,200 --> 00:04:05,840
Besides Microsoft releasing an enormous amount of security information

86
00:04:05,840 --> 00:04:08,280
as part of the Ninja training,

87
00:04:08,280 --> 00:04:11,880
which I have mentioned in previous podcasts,

88
00:04:11,880 --> 00:04:15,640
we have been expanding the learning path we provide

89
00:04:15,640 --> 00:04:18,760
within the Microsoft learning site.

90
00:04:18,760 --> 00:04:23,280
That's www.microsoft.com.

91
00:04:23,280 --> 00:04:25,720
Since during our last podcast,

92
00:04:25,720 --> 00:04:30,480
Michael went through a high level view of the site capabilities.

93
00:04:30,480 --> 00:04:36,760
I wanted to quickly mention the SC-200 training provided within that site.

94
00:04:36,760 --> 00:04:43,400
It has eight parts focusing on different security solutions.

95
00:04:43,400 --> 00:04:46,120
That includes Azure Sentinel,

96
00:04:46,120 --> 00:04:47,640
Azure Security Center,

97
00:04:47,640 --> 00:04:51,400
Azure Defender for Endpoint and others.

98
00:04:51,400 --> 00:04:55,840
So be sure to check out this material,

99
00:04:55,840 --> 00:05:01,880
as it's an excellent resource for those of you that want to start in the IT security field,

100
00:05:01,880 --> 00:05:07,520
or even expand further knowledge to support Cloud security services.

101
00:05:07,520 --> 00:05:10,280
In addition, last year,

102
00:05:10,280 --> 00:05:20,440
Microsoft opened many learning paths in LinkedIn learning to be delivered for free until June 2021.

103
00:05:20,440 --> 00:05:27,040
Well, Microsoft is extending access to those learning paths until NO 2021.

104
00:05:27,040 --> 00:05:32,320
So make sure to add those as part of your learning as well.

105
00:05:32,320 --> 00:05:37,240
Another thing that I wanted to share is that EDR support for Windows

106
00:05:37,240 --> 00:05:41,920
2019 has been added to Microsoft Defender for Endpoint.

107
00:05:41,920 --> 00:05:49,840
This means that now the Windows 2019 VMs can have

108
00:05:49,840 --> 00:05:52,520
this capability enabled in that,

109
00:05:52,520 --> 00:05:59,760
which extends the capabilities that are included within Azure Defender.

110
00:05:59,760 --> 00:06:06,560
So make sure to enable these if you have the service already.

111
00:06:06,560 --> 00:06:10,040
Also, as part of identity,

112
00:06:10,040 --> 00:06:13,600
which I'm going to share a couple of news in here,

113
00:06:13,600 --> 00:06:16,920
customers can now quickly configure

114
00:06:16,920 --> 00:06:25,120
single sign-on and user provisioning to AWS single sign-on using the Azure AD app gallery.

115
00:06:25,120 --> 00:06:31,240
This means that now AWS single sign-on can be quickly connected to

116
00:06:31,240 --> 00:06:37,320
Azure AD for centralized access management of AWS resources.

117
00:06:37,320 --> 00:06:41,360
Of course, it means that the end users can sign into

118
00:06:41,360 --> 00:06:49,640
AWS single sign-on using the Azure AD credentials to access all their assigned AWS resources.

119
00:06:49,640 --> 00:06:53,360
The next identity related news is that

120
00:06:53,360 --> 00:06:56,320
the AD Federation Services Activity and

121
00:06:56,320 --> 00:07:00,080
Insights Report is now available in the Azure portal,

122
00:07:00,080 --> 00:07:07,960
which lets customers quickly identify which applications are capable of being upgraded to Azure AD.

123
00:07:07,960 --> 00:07:14,240
It assesses all the AD FS applications for compatibility with Azure AD,

124
00:07:14,240 --> 00:07:16,040
checks for any issues,

125
00:07:16,040 --> 00:07:21,600
and gives guidance on preparing individual applications for migration to Azure AD.

126
00:07:21,600 --> 00:07:28,120
Finally, I wanted to talk about the new Azure AD logging that has been

127
00:07:28,120 --> 00:07:30,800
enabled or is on preview.

128
00:07:30,800 --> 00:07:34,960
This includes provisioning and alerts for service principals,

129
00:07:34,960 --> 00:07:39,160
extending some of the logs, extending the AD FS logging,

130
00:07:39,160 --> 00:07:45,120
and even providing some sign-in alerts related to MFA.

131
00:07:45,920 --> 00:07:49,240
A whole bunch of stuff took my interest this week.

132
00:07:49,240 --> 00:07:55,440
The first one is GitHub Advanced Security is now available in beta.

133
00:07:55,440 --> 00:07:59,680
The way I looked at this when I saw it is it reminds me of Azure Security Center,

134
00:07:59,680 --> 00:08:01,240
but for your code.

135
00:08:01,240 --> 00:08:04,200
If you've got code in GitHub,

136
00:08:04,200 --> 00:08:08,000
it will actually scan over your repos looking for common issues,

137
00:08:08,000 --> 00:08:11,120
and it will give you essentially a dashboard,

138
00:08:11,120 --> 00:08:14,200
which gives you a nice idea of improving your security,

139
00:08:14,200 --> 00:08:16,160
what issues are being found, and so on.

140
00:08:16,160 --> 00:08:17,440
I absolutely love that.

141
00:08:17,440 --> 00:08:23,080
They've now added the ability to do scanning for secrets in private repos.

142
00:08:23,080 --> 00:08:26,800
This is nice because we hear on more than one occasion

143
00:08:26,800 --> 00:08:30,600
where someone's embedded a credential and then uses that credential

144
00:08:30,600 --> 00:08:34,000
during normal operations,

145
00:08:34,000 --> 00:08:37,120
and then they happen to check that credential into GitHub.

146
00:08:37,120 --> 00:08:40,040
Now the attackers have access to the credential.

147
00:08:40,040 --> 00:08:44,240
That's also available in the GitHub Advanced Security.

148
00:08:44,240 --> 00:08:49,960
Another topic that is related to GitHub is what I think we call CodeQL.

149
00:08:49,960 --> 00:08:51,680
It's a code query language.

150
00:08:51,680 --> 00:08:55,600
The best way of looking at CodeQL is a way of querying code,

151
00:08:55,600 --> 00:08:57,200
looking for specific kinds of patterns,

152
00:08:57,200 --> 00:08:59,720
like, say, a SQL query, but for code.

153
00:08:59,720 --> 00:09:03,200
What we've done is we've open sourced the CodeQL queries

154
00:09:03,200 --> 00:09:08,080
that are used to hunt for Solorigate-type activity.

155
00:09:08,080 --> 00:09:10,000
This is really cool.

156
00:09:10,000 --> 00:09:11,800
I'm a huge fan of CodeQL.

157
00:09:11,800 --> 00:09:17,440
The best way I think of thinking about CodeQL is, again, imagine SQL,

158
00:09:17,440 --> 00:09:21,360
but for querying code and querying kinds of constructs in code,

159
00:09:21,360 --> 00:09:23,880
like if you see this kind of data in this kind of code construct,

160
00:09:23,880 --> 00:09:27,760
then we may have a SQL injection vulnerability here, those kinds of things.

161
00:09:27,760 --> 00:09:32,040
The other nice thing about CodeQL is it really democratizes these rules

162
00:09:32,040 --> 00:09:36,240
that are used for finding new classes of vulnerability.

163
00:09:36,240 --> 00:09:40,040
We have, up on GitHub, a plethora of rules that have been written

164
00:09:40,040 --> 00:09:43,760
by other people for finding specific kinds of vulnerabilities.

165
00:09:43,760 --> 00:09:46,480
So if you're a developer or you run a development shop

166
00:09:46,480 --> 00:09:48,960
or you're in charge of a development team,

167
00:09:48,960 --> 00:09:54,600
you really should spend some time looking at CodeQL in GitHub.

168
00:09:54,600 --> 00:09:59,760
Another thing that took my interest this week was we now have,

169
00:09:59,760 --> 00:10:03,200
in IoT Hub, we've made some security changes.

170
00:10:03,200 --> 00:10:08,440
We are now able to sort of fine tune the way some of your IP filters work.

171
00:10:08,440 --> 00:10:12,000
You must add your computer's IP address into the allow list now

172
00:10:12,000 --> 00:10:15,920
to make it work correctly so that you can actually access it through the portal.

173
00:10:15,920 --> 00:10:17,920
Historically, that wasn't the case.

174
00:10:17,920 --> 00:10:22,280
And also, we've made some pretty significant networking changes,

175
00:10:22,280 --> 00:10:24,960
running IoT Hub using Azure portal, using Client Store,

176
00:10:24,960 --> 00:10:28,680
and the same VNet, as an IoT Hub private link.

177
00:10:28,680 --> 00:10:30,480
So do be aware of some of the networking changes

178
00:10:30,480 --> 00:10:33,800
that have come down the pike for IoT Hub.

179
00:10:33,800 --> 00:10:36,600
For some reason, we seem to be getting a lot of changes,

180
00:10:36,600 --> 00:10:38,880
updates in SQL and Synapse.

181
00:10:38,880 --> 00:10:43,560
One of the ones that I noticed this week was dynamic data masking granular permissions.

182
00:10:43,560 --> 00:10:48,120
Dynamic data masking allows you to mask out certain kinds of sensitive data.

183
00:10:48,120 --> 00:10:49,080
It's not encryption.

184
00:10:49,080 --> 00:10:52,840
It's not really an air quotes security control,

185
00:10:52,840 --> 00:10:57,760
but it's there certainly to help accidental disclosure of sensitive data.

186
00:10:57,760 --> 00:11:01,160
So for example, in the US with a social security number,

187
00:11:01,160 --> 00:11:03,120
you could tell SQL Server to say,

188
00:11:03,120 --> 00:11:07,240
when data from this column is returned, it's a social security number.

189
00:11:07,240 --> 00:11:11,200
So mask out all the characters except the last four digits.

190
00:11:11,200 --> 00:11:15,720
We now have the ability to set the policies at a much more granular level.

191
00:11:15,720 --> 00:11:21,400
So you could set the actual permissions and the policies that are in place right down to,

192
00:11:21,400 --> 00:11:24,720
at the schema level, at the table level, and right down to the column level as well.

193
00:11:24,720 --> 00:11:29,560
So nice to see some fine tuning of that ability.

194
00:11:29,560 --> 00:11:34,760
For media services, we've added a whole bunch of new security features there as well,

195
00:11:34,760 --> 00:11:39,040
including things like customer managed key support and managed identities.

196
00:11:39,040 --> 00:11:44,360
So again, this is one of the three main areas or two examples of three of the main areas

197
00:11:44,360 --> 00:11:46,360
that we see happening across the board,

198
00:11:46,360 --> 00:11:53,480
increased use of managed identities and increased use of support for customer managed keys.

199
00:11:53,480 --> 00:11:59,520
So media services now has the ability to have customer managed keys and managed identities.

200
00:11:59,520 --> 00:12:08,520
Next one is in public preview: Azure Event Grid now supports system-assigned managed identities.

201
00:12:08,520 --> 00:12:18,000
So another feature that I saw was in public preview: Azure Event Grid now has support for system-assigned managed identities.

202
00:12:18,000 --> 00:12:23,360
What you can do is you can put a managed identity on a publisher.

203
00:12:23,360 --> 00:12:28,600
So when it publishes events, let's say it pushes those events out to a storage account,

204
00:12:28,600 --> 00:12:32,360
you could have a policy, an RBAC policy on the storage account that says,

205
00:12:32,360 --> 00:12:38,400
that event grid can write to me and nothing else or perhaps, you know, something reading the events.

206
00:12:38,400 --> 00:12:45,640
But ultimately, you've got a fantastic ability here to restrict who can write to the likes of say,

207
00:12:45,640 --> 00:12:52,280
Service Bus or Event Hubs, Blob Storage and Azure Storage here.

208
00:12:52,280 --> 00:12:57,120
This next one is not really truly security, but I was really excited to see it.

209
00:12:57,120 --> 00:13:04,000
We have a thing called Azure Communication Services, which lets you do things like sending and receiving text messages,

210
00:13:04,000 --> 00:13:06,280
phone calls and so on.

211
00:13:06,280 --> 00:13:08,160
You know, is it a security feature? No.

212
00:13:08,160 --> 00:13:11,840
But it really caught my attention because I didn't even know this is coming down the pike.

213
00:13:11,840 --> 00:13:15,280
Apparently it's been in preview for some time, but I didn't even know it's coming down the pike.

214
00:13:15,280 --> 00:13:21,520
But for people who wanted to build custom sort of two factor authentication mechanisms, not that you should,

215
00:13:21,520 --> 00:13:25,880
but I'm just saying if you wanted to, you could certainly use a service like this.

216
00:13:25,880 --> 00:13:30,560
Back to the SQL topic, some papers I noticed this last couple of weeks.

217
00:13:30,560 --> 00:13:34,120
One is called security delegation of authority.

218
00:13:34,120 --> 00:13:40,160
And another one is the intro into security principles in the context of database systems.

219
00:13:40,160 --> 00:13:43,000
This is really cool. Here's why this is so cool.

220
00:13:43,000 --> 00:13:46,200
SQL databases have their own security model.

221
00:13:46,200 --> 00:13:48,000
It's not the Azure security model.

222
00:13:48,000 --> 00:13:49,520
It's not a Windows security model.

223
00:13:49,520 --> 00:13:51,160
It's not a Linux security model.

224
00:13:51,160 --> 00:13:54,040
They're different models and there are good reasons for that.

225
00:13:54,040 --> 00:13:59,680
And so when you got this sort of boundary between Azure security and SQL security,

226
00:13:59,680 --> 00:14:05,640
you sort of had to understand how to map one to the other and how to do away with that kind of impedance mismatch.

227
00:14:05,640 --> 00:14:09,680
And we've been trying over the last few years to really help in that area.

228
00:14:09,680 --> 00:14:11,960
So this document is absolutely fantastic.

229
00:14:11,960 --> 00:14:16,160
It talks about basically how SQL database security models work.

230
00:14:16,160 --> 00:14:21,840
And I think once you understand that, it becomes a lot easier to map on to sort of how to use Azure security

231
00:14:21,840 --> 00:14:24,560
to complement SQL security as well.

232
00:14:24,560 --> 00:14:30,480
And the last one is Azure Active Directory only authentication for Azure SQL.

233
00:14:30,480 --> 00:14:33,400
So it turns out there's a little story behind this.

234
00:14:33,400 --> 00:14:37,520
The news about this coming out actually leaked a little bit early

235
00:14:37,520 --> 00:14:40,600
and people were running around trying to turn this feature on.

236
00:14:40,600 --> 00:14:41,480
And they couldn't find it.

237
00:14:41,480 --> 00:14:44,240
And the reason was because it wasn't available yet.

238
00:14:44,240 --> 00:14:45,560
But it's coming out in April.

239
00:14:45,560 --> 00:14:49,200
So what this allows you to do is in Azure SQL DB, you can go in, you can say,

240
00:14:49,200 --> 00:14:53,400
use Azure Active Directory for all authentication from this point forward.

241
00:14:53,400 --> 00:14:55,640
No more SQL authentication.

242
00:14:55,640 --> 00:15:00,360
Very similar to the on-prem ability where we can say use Windows authentication only.

243
00:15:00,360 --> 00:15:04,280
But in this case, we're using Azure Active Directory authentication only.

244
00:15:04,280 --> 00:15:10,960
That is absolutely fantastic to see because again, it gets rid of one of those sort of legacy security things

245
00:15:10,960 --> 00:15:13,920
that we have as a holdout from the old days of SQL security.

246
00:15:13,920 --> 00:15:16,480
And that's all I have.

247
00:15:16,480 --> 00:15:20,360
OK, so my God, loads of stuff there.

248
00:15:20,360 --> 00:15:21,920
So let me do a few.

249
00:15:21,920 --> 00:15:27,120
So of course, it would be wrong for me not to talk about something Azure Monitor-y.

250
00:15:27,120 --> 00:15:33,880
So ExpressRoute monitoring in Azure Monitor has now gone GA.

251
00:15:33,880 --> 00:15:37,720
So what that is, is if you're using Azure ExpressRoute,

252
00:15:37,720 --> 00:15:44,280
you can now look at the metrics and the config details of ExpressRoute just through Azure Monitor.

253
00:15:44,280 --> 00:15:48,320
So it means you can see things like peerings, connections and gateways.

254
00:15:48,320 --> 00:15:50,440
You can see the health status.

255
00:15:50,440 --> 00:15:56,160
You can see important circuit metrics like availability and throughput, any packet drops

256
00:15:56,160 --> 00:16:01,760
and other bits and bobs like that, which of course is important if you are connecting your on-premises

257
00:16:01,760 --> 00:16:04,800
to Azure through an ExpressRoute.

258
00:16:04,800 --> 00:16:13,600
Another thing that's gone GA is networking for key vault references on Windows in App Service and Azure Functions.

259
00:16:13,600 --> 00:16:20,760
So Windows apps that have virtual network integrations can now access restricted network vaults,

260
00:16:20,760 --> 00:16:25,280
which is really cool because of course, the more we can restrict access to secrets, the better.

261
00:16:25,280 --> 00:16:32,520
And this is just for Windows at the moment, but it is coming for Linux very soon.

262
00:16:32,520 --> 00:16:37,040
There is an issue at the moment, literally at the point of us recording this.

263
00:16:37,040 --> 00:16:40,360
So hopefully, if you're listening to this in the future, this will be gone.

264
00:16:40,360 --> 00:16:43,880
But I guess I should mention it because it's in the news update.

265
00:16:43,880 --> 00:16:51,040
There is a known issue which prevents versionless references from automatically updating when they're behind network restrictions.

266
00:16:51,040 --> 00:16:52,320
It is going to be fixed soon.

267
00:16:52,320 --> 00:16:58,640
We're aware of it, but it is recommended just at the moment not to use both those features at the same time.

268
00:16:58,640 --> 00:17:04,200
But hopefully by the time, unless you're super keen and you listen to this podcast the day it comes out,

269
00:17:04,200 --> 00:17:09,200
which I hope at least some of you do, then hopefully we'll have fixed that, but just a note.

270
00:17:09,200 --> 00:17:12,280
Next one is another GA announcement.

271
00:17:12,280 --> 00:17:16,320
Encryption scopes in Azure Storage are now generally available.

272
00:17:16,320 --> 00:17:21,760
So they allow you to provision multiple encryption keys in a storage account for blobs.

273
00:17:21,760 --> 00:17:27,760
It used to be that you could only use one account scoped encryption key.

274
00:17:27,760 --> 00:17:35,720
And the last thing is Azure Private Link for Azure Cache for Redis is in GA now.

275
00:17:35,720 --> 00:17:40,720
So Private Link, as you may know from all the other products that also have Private Link,

276
00:17:40,720 --> 00:17:46,680
it provides private connectivity from a virtual network into your cache instance.

277
00:17:46,680 --> 00:17:51,440
By the way, I know some people say cash in my part of the world, I say cash.

278
00:17:51,440 --> 00:17:58,520
But what it means is that you can actually access the cache without putting your data through the public internet.

279
00:17:58,520 --> 00:18:05,000
So what this means specifically for this one is that you can connect to an Azure Cache for Redis

280
00:18:05,000 --> 00:18:06,320
from a virtual network.

281
00:18:06,320 --> 00:18:12,000
And now that's often a preference for customers to just not have things go out to the public internet.

282
00:18:12,000 --> 00:18:18,680
Some customers may need that for regulatory purposes or just to meet their internal security standards.

283
00:18:18,680 --> 00:18:21,720
So again, if you've been waiting for that, here it is.

284
00:18:21,720 --> 00:18:26,040
And that is all of my news for this week.

285
00:18:26,040 --> 00:18:27,480
All right, now we've got the news out of the way.

286
00:18:27,480 --> 00:18:30,160
Let's turn our attention to our guest.

287
00:18:30,160 --> 00:18:35,000
This week we have Chuck Enstall, who is an Azure Security Architect.

288
00:18:35,000 --> 00:18:40,920
He's a global black belt, and he's here to talk to us about some of the questions that he's seen from customers

289
00:18:40,920 --> 00:18:48,040
and some of the areas of perhaps friction, or areas where there may be a little bit of a knowledge gap.

290
00:18:48,040 --> 00:18:51,640
So before we get stuck into it, Chuck, do you want to give us a little bit of a background on yourself,

291
00:18:51,640 --> 00:18:53,920
how long you've been in Microsoft, what you do?

292
00:18:53,920 --> 00:18:54,960
Thanks, Michael, for having me.

293
00:18:54,960 --> 00:18:55,520
I appreciate it.

294
00:18:55,520 --> 00:18:59,840
So yeah, I've been in Microsoft for a little over 13 years in total.

295
00:18:59,840 --> 00:19:01,240
I'm a retread.

296
00:19:01,240 --> 00:19:12,200
So started in 2005, left, spent a number of years at Apple, and then came back into one of the earlier CSA roles when Azure was still in incubation.

297
00:19:12,200 --> 00:19:18,640
Always had a focus on security and then jumped into the Azure Security Architect role.

298
00:19:18,640 --> 00:19:22,760
Myself and my colleague Tom Quinn were, I think, the first two guys.

299
00:19:22,760 --> 00:19:26,720
Tom was there before me kind of doing this on truly a global scale.

300
00:19:26,720 --> 00:19:32,720
And then we started to add some folks as the field realized this was a pretty valuable role.

301
00:19:32,720 --> 00:19:37,160
And so in fact, Mark Simos was one of my interviewers.

302
00:19:37,160 --> 00:19:41,600
So I really had to slide some cash under the table in order to get to this role with Mark.

303
00:19:41,600 --> 00:19:51,640
But yeah, I've always been in a technical pre-sales role at Microsoft, mostly focused around Windows Server and everything that goes along with it.

304
00:19:51,640 --> 00:19:56,240
So domain services, remote desktop services, certificate services, things like that.

305
00:19:56,240 --> 00:20:01,360
But yeah, I've been doing this role now since probably 2018.

306
00:20:01,360 --> 00:20:05,200
One of the things that we mentioned is this notion of global black belt.

307
00:20:05,200 --> 00:20:09,360
So what is a global black belt and what is your role?

308
00:20:09,360 --> 00:20:10,280
Yeah, so great question.

309
00:20:10,280 --> 00:20:18,280
It's actually a title, a moniker that we, or at least I, typically don't use with customers because it has very little relevance or context.

310
00:20:18,280 --> 00:20:29,600
But the understanding is that you're kind of a resource of last resort, potentially, someone to go to if there is no one else to ask or to have a question answered.

311
00:20:29,600 --> 00:20:31,280
Let's go to the global black belt.

312
00:20:31,280 --> 00:20:38,120
So we're a point of escalation from the field and we kind of sit in between our engineering team.

313
00:20:38,120 --> 00:20:47,280
So the CXP CXC, you know, the product groups themselves and try to keep some of that constant incoming flak off of their plates.

314
00:20:47,280 --> 00:20:55,640
So that we can answer that and go deep and potentially across a number of products, features, solutions that Microsoft offers.

315
00:20:55,640 --> 00:20:58,240
So we're not looking at it in a siloed way.

316
00:20:58,240 --> 00:21:05,280
And we're looking at things that are in Azure, things that are on premises, clients, server, both things that are in other clouds.

317
00:21:05,280 --> 00:21:09,200
So we kind of help tie it all together with the customer.

318
00:21:09,200 --> 00:21:12,320
The only thing we don't do is anything really hands on.

319
00:21:12,320 --> 00:21:24,960
We're not consultants; we offer that up for either our CEs or MCS or something like that, or a qualified partner, to actually finish the implementation, or CXC.

320
00:21:24,960 --> 00:21:26,960
I really had to kick this off with a question.

321
00:21:26,960 --> 00:21:35,440
I want to get your view on it because I see this all the time with customers across the entire spectrum.

322
00:21:35,440 --> 00:21:39,960
And that is that there's often quite siloed.

323
00:21:39,960 --> 00:21:47,560
And you sort of mentioned that we're quite siloed areas of expertise like we'll be designing something with a customer going through the business requirements and so on.

324
00:21:47,560 --> 00:21:51,880
And then we'll get the security guys in and say, yeah, yeah, yeah, you know, we need to do this that and the other.

325
00:21:51,880 --> 00:21:54,680
And then most then so hard, but we can't do this because we need the networking.

326
00:21:54,680 --> 00:21:59,520
We need the networking folks and then the networking folks say, well, we need the identity folks.

327
00:21:59,520 --> 00:22:07,400
So I mean, do you see this as well, where there are almost these walls between security, networking and identity?

328
00:22:07,400 --> 00:22:11,160
I mean, do you see this getting better or is this just something we're going to have to live with for a while?

329
00:22:11,160 --> 00:22:13,080
So it's a great question.

330
00:22:13,080 --> 00:22:14,960
And I see it every week.

331
00:22:14,960 --> 00:22:16,000
It has gotten better.

332
00:22:16,000 --> 00:22:19,800
If you look back decades, it was very siloed.

333
00:22:19,800 --> 00:22:26,720
It has gotten better. If there's one organization inside of a company that is siloed more than any others,

334
00:22:26,720 --> 00:22:29,160
It oftentimes is security.

335
00:22:29,160 --> 00:22:35,800
We'll go in and we'll work with an organization trying to remove some blockers, you know, increase their agility,

336
00:22:35,800 --> 00:22:38,520
you know, velocity, whatever you'd like to call it.

337
00:22:38,520 --> 00:22:43,000
And so you look around and they've created a cloud center of excellence or whatever they call it.

338
00:22:43,000 --> 00:22:50,520
And you've got all the appropriate stakeholders from, you know, application architects, storage folks, networking.

339
00:22:50,520 --> 00:22:52,920
And then where's the security folks?

340
00:22:52,920 --> 00:22:56,920
We never invite them because they're just, you know, crotchety there.

341
00:22:56,920 --> 00:22:59,920
They always just say, no, they don't understand cloud.

342
00:22:59,920 --> 00:23:02,240
And that's really a miss.

343
00:23:02,240 --> 00:23:06,360
And then you say, well, here is probably why we're having these issues, right?

344
00:23:06,360 --> 00:23:08,080
Why security is saying no.

345
00:23:08,080 --> 00:23:09,920
So yeah, I do see that silo.

346
00:23:09,920 --> 00:23:16,600
It's still going on when we do come in and have conversations about a security topic.

347
00:23:16,600 --> 00:23:22,600
If we're, you know, we start to ask ahead of time, make sure the account team invites all the appropriate stakeholders

348
00:23:22,600 --> 00:23:26,640
because we don't want to get five, 10, 15 minutes in and we start talking about something.

349
00:23:26,640 --> 00:23:30,320
And then it moves to identity and they go, hold on, Chuck.

350
00:23:30,320 --> 00:23:33,160
We don't have our identity folks on the call.

351
00:23:33,160 --> 00:23:34,840
Ouch. Well, why?

352
00:23:34,840 --> 00:23:38,760
I mean, it's no longer that siloed.

353
00:23:38,760 --> 00:23:41,640
It is something that's very fluid.

354
00:23:41,640 --> 00:23:46,200
We have to have all those folks together in order to really make progress.

355
00:23:46,200 --> 00:23:49,960
And it gets to a point where you can't say, well, that's really not what I do.

356
00:23:49,960 --> 00:23:54,600
There's no longer a hard, clear cut, my job, not my job type of thing.

357
00:23:54,600 --> 00:23:56,680
And we see that in organizations still.

358
00:23:56,680 --> 00:23:58,680
It is getting better.

359
00:23:58,680 --> 00:24:02,000
But we also see that oftentimes inside of Microsoft.

360
00:24:02,000 --> 00:24:04,960
So I think it is getting better.

361
00:24:04,960 --> 00:24:06,480
We're striving to do that internally.

362
00:24:06,480 --> 00:24:09,920
We're actually helping our customers kind of understand that.

363
00:24:09,920 --> 00:24:15,320
Invite the network folks, invite the identity folks, even if you don't think they're required,

364
00:24:15,320 --> 00:24:16,760
it's good for them to know, right?

365
00:24:16,760 --> 00:24:18,080
Kind of cross train.

366
00:24:18,080 --> 00:24:21,480
The same thing, invite the security folks early and often.

367
00:24:21,480 --> 00:24:23,240
They're going to become your best friends.

368
00:24:23,240 --> 00:24:30,520
It's going to be easier for them to sign off and produce a risk report on a particular application

369
00:24:30,520 --> 00:24:33,480
if they're involved and they feel they're a stakeholder.

370
00:24:33,480 --> 00:24:36,360
So it is still a siloed approach.

371
00:24:36,360 --> 00:24:37,440
I think it is getting better.

372
00:24:37,440 --> 00:24:39,440
I think it's just going to take some time.

373
00:24:39,440 --> 00:24:39,840
Yeah.

374
00:24:39,840 --> 00:24:47,080
And the way that I like to think about this is like, you know, I feel like we're redrawing the lines.

375
00:24:47,080 --> 00:24:48,920
There will be some new lines, right?

376
00:24:48,920 --> 00:24:50,600
Hopefully not as siloed as we've been.

377
00:24:50,600 --> 00:24:56,600
But, like, the lines that were there, we really haven't questioned them since, like, I don't know, the late 90s, early 2000s,

378
00:24:56,600 --> 00:25:01,120
when enterprise computing, you know, kind of took over from a mainframe and desktop.

379
00:25:01,120 --> 00:25:06,600
Like I feel like we're going back and questioning stuff that was being settled when Active Directory came around.

380
00:25:06,600 --> 00:25:11,320
So I'm curious, Chuck, like as organizations kind of embark on DevOps,

381
00:25:11,320 --> 00:25:17,720
which is a merging of the two cultures, and DevSecOps, which is a merging of the three to make sure it's, you know,

382
00:25:17,720 --> 00:25:24,080
reliable, it's performant and meets the business requirements and it's secure.

383
00:25:24,080 --> 00:25:27,040
Like, are you seeing progress within there?

384
00:25:27,040 --> 00:25:30,160
Or is it, you know, still too early to tell?

385
00:25:30,160 --> 00:25:39,120
I'm kind of curious how that plays out and also the sort of cloud ops versus, you know, on-prem ops as cloud teams kind of bring in their own security people.

386
00:25:39,120 --> 00:25:42,720
So I'm curious what you're seeing in those spaces, in the emerging space.

387
00:25:42,720 --> 00:25:46,400
So Mark, that is an excellent point.

388
00:25:46,400 --> 00:25:49,080
And there's still some confusion around that.

389
00:25:49,080 --> 00:25:57,400
I think largely because security folks, networking people, they've never considered themselves any sort of a developer or

390
00:25:57,400 --> 00:26:00,200
scripter or automation person, right?

391
00:26:00,200 --> 00:26:02,400
That was for IT operations or development.

392
00:26:02,400 --> 00:26:08,240
Yeah, that's another one of those, I think, pillars that really needs to be understood at some fundamental level,

393
00:26:08,240 --> 00:26:12,400
that this idea of being able to write a simple script.

394
00:26:12,400 --> 00:26:21,560
And that's PowerShell, Azure CLI, whatever it is, Bash script, you need to have some competency there.

395
00:26:21,560 --> 00:26:24,240
And that's going to make things better all around.

396
00:26:24,240 --> 00:26:26,840
And by the way, I love to use the word SecDevOps.

397
00:26:26,840 --> 00:26:28,320
I like to put security first.

398
00:26:28,320 --> 00:26:29,040
It's more important.

399
00:26:29,040 --> 00:26:33,080
But that really I've given up on that.

400
00:26:33,080 --> 00:26:37,640
I just like to think and I'm like, it is going secure DevOps, but I'm now DevSecOps.

401
00:26:37,640 --> 00:26:39,080
Yeah, I'm just trying to bring it back.

402
00:26:39,080 --> 00:26:47,280
But I think that's right, it's very, very important that security folks, and what we're seeing, interestingly enough, is I think some of the folks that are

403
00:26:47,280 --> 00:26:54,560
incident response focused, SOC professionals, are kind of ahead of that curve in many ways.

404
00:26:54,560 --> 00:26:58,240
But they're kind of after the fact they're consumers of this data.

405
00:26:58,240 --> 00:27:00,760
And then they're writing all these scripts to kind of do correlations.

406
00:27:00,760 --> 00:27:08,920
What we'd like to see is the security architects really get into this process and integrate into those teams so that they can do that.

407
00:27:08,920 --> 00:27:13,200
DevSecOps process and learn from the developers, learn from the IT operations.

408
00:27:13,200 --> 00:27:23,840
And we have to break down those walls of silos even further so that we do get good cross-domain SME sharing, subject matter experts sharing these capabilities.

409
00:27:23,840 --> 00:27:24,840
Hey, let me show you how to do this.

410
00:27:24,840 --> 00:27:26,280
Oh, good. Let me show you how to do this.

411
00:27:26,280 --> 00:27:31,520
And that's when things really start to fire on all cylinders and start to move forward.

412
00:27:31,520 --> 00:27:38,720
We do have, I think, much more work to go when it comes there, especially just companies trying to even decide on

413
00:27:38,720 --> 00:27:42,160
a standardization from an automation perspective.

414
00:27:42,160 --> 00:27:44,800
And I think Terraform is really kind of leading there.

415
00:27:44,800 --> 00:27:48,680
But we've got folks using Ansible and Chef and Puppet and ARM.

416
00:27:48,680 --> 00:27:50,880
And it's great that they're doing it.

417
00:27:50,880 --> 00:27:59,280
But even that starts to sometimes seem overwhelming to some of these security folks and networking folks that say, listen, you know, I'm too old for this.

418
00:27:59,280 --> 00:28:01,160
My career does this really matter.

419
00:28:01,160 --> 00:28:04,480
So I think part of our job at Microsoft is to really show them.

420
00:28:04,480 --> 00:28:06,600
Yeah, this can make your job easier.

421
00:28:06,600 --> 00:28:07,400
It can make it better.

422
00:28:07,400 --> 00:28:10,120
You can focus on higher order processes.

423
00:28:10,120 --> 00:28:12,440
So I love that call out, Mark.

424
00:28:12,440 --> 00:28:15,040
Chuck, how does compliance fit into all of this?

425
00:28:15,040 --> 00:28:16,920
Compliance is a big word, right?

426
00:28:16,920 --> 00:28:18,760
Means different things to different people.

427
00:28:18,760 --> 00:28:21,480
But what do you get asked about?

428
00:28:21,480 --> 00:28:22,960
Well, thanks for that question, Sarah.

429
00:28:22,960 --> 00:28:25,360
And by the way, good to talk with you again.

430
00:28:25,360 --> 00:28:27,240
It's been a month or so.

431
00:28:27,240 --> 00:28:27,880
I know.

432
00:28:27,880 --> 00:28:29,200
I know.

433
00:28:29,200 --> 00:28:34,360
For those of you who don't know Chuck, I was also one of Chuck's colleagues.

434
00:28:34,360 --> 00:28:40,840
I was, I think, the fourth person with David Sanchez, who's been on the podcast before.

435
00:28:40,840 --> 00:28:43,600
Chuck's been to visit me down on the side of the world.

436
00:28:43,600 --> 00:28:49,520
You were very surprised when you asked for nonfat milk and they said, we have milk.

437
00:28:49,520 --> 00:28:51,400
Yes, I was embarrassing.

438
00:28:51,400 --> 00:28:55,120
And thank you for being my cultural attache to that.

439
00:28:55,120 --> 00:28:58,680
And speaking of David, it was more embarrassing.

440
00:28:58,680 --> 00:29:02,240
I first met David prior to him joining the global black belt team.

441
00:29:02,240 --> 00:29:03,680
And we were in Madrid.

442
00:29:03,680 --> 00:29:06,120
And he took me to a Starbucks.

443
00:29:06,120 --> 00:29:09,480
And I said, how do you ask them for nonfat milk?

444
00:29:09,480 --> 00:29:14,400
And he kind of looked at me like, I don't think there is a Spanish word for nonfat milk, right?

445
00:29:14,400 --> 00:29:16,000
So even more embarrassing, I've learned.

446
00:29:16,000 --> 00:29:17,320
I just drink coffee black now.

447
00:29:17,320 --> 00:29:20,520
So again, Sarah, thanks for that question.

448
00:29:20,520 --> 00:29:22,320
Compliance is a big topic.

449
00:29:22,320 --> 00:29:27,280
It really has a number of different connotations, depending on who you ask.

450
00:29:27,280 --> 00:29:32,800
I think what folks are looking for is guidance around being able to comport

451
00:29:32,800 --> 00:29:35,960
with numerous different compliance frameworks.

452
00:29:35,960 --> 00:29:37,680
So that could be PCI DSS.

453
00:29:37,680 --> 00:29:42,920
It could be HIPAA, HITRUST and HITECH, GDPR, FedRAMP.

454
00:29:42,920 --> 00:29:44,520
There's a number of them.

455
00:29:44,520 --> 00:29:49,240
And I think it's important to really address those.

456
00:29:49,240 --> 00:29:55,040
And it doesn't mean that you have to be able to be a certified auditor on PCI DSS,

457
00:29:55,040 --> 00:30:01,240
go down to the nth degree on the details, but absolutely work with organizations

458
00:30:01,240 --> 00:30:08,320
to make sure that you can show them that we have an adequate amount of controls inside

459
00:30:08,320 --> 00:30:13,280
of the platform that can help them obtain those objectives.

460
00:30:13,280 --> 00:30:16,160
And then, of course, bring in additional resources.

461
00:30:16,160 --> 00:30:22,400
But just it's a dialogue that we have to enter into with organizations across the board

462
00:30:22,400 --> 00:30:25,320
and an ongoing conversation.

463
00:30:25,320 --> 00:30:29,360
So it's never going to be, hey, I've answered this question and we should be go.

464
00:30:29,360 --> 00:30:31,400
Now you're always going to be compliant.

465
00:30:31,400 --> 00:30:36,400
The nature of Cloud itself with the shared responsibilities matrix makes it imperative

466
00:30:36,400 --> 00:30:42,800
for Microsoft to work very closely with organizations across any of those compliance frameworks

467
00:30:42,800 --> 00:30:48,000
and make sure that we're, again, constantly staying in touch because products change inside

468
00:30:48,000 --> 00:30:50,880
of Azure; the features and capabilities might shift.

469
00:30:50,880 --> 00:30:56,200
New things come up, which we just talked about some of those at the top of the podcast.

470
00:30:56,200 --> 00:31:00,120
And then, of course, the frameworks themselves change.

471
00:31:00,120 --> 00:31:02,600
So it's a great question.

472
00:31:02,600 --> 00:31:07,160
It's something I think we need to give even more credence to and have more discussions

473
00:31:07,160 --> 00:31:10,680
with customers around compliance in general.

474
00:31:10,680 --> 00:31:14,600
Yeah, I want to concur with something you said about you don't have to be an expert

475
00:31:14,600 --> 00:31:15,880
in compliance.

476
00:31:15,880 --> 00:31:20,000
One thing I spend a lot of time on with customers is building threat models for them.

477
00:31:20,000 --> 00:31:24,320
So we take a solution and we look at the threats and the mitigations and so on.

478
00:31:24,320 --> 00:31:29,400
And those mitigations map quite nicely to the technical controls in many compliance programs.

479
00:31:29,400 --> 00:31:34,960
I just worked with some customers just recently and we were talking about PCI DSS and then

480
00:31:34,960 --> 00:31:38,920
I just sort of talked about GDPR in general and HIPAA and HITRUST and HITECH, as

481
00:31:38,920 --> 00:31:40,920
you mentioned, just in general, just in passing.

482
00:31:40,920 --> 00:31:46,280
One of the people on the call said, why are we learning about compliance?

483
00:31:46,280 --> 00:31:48,960
Why do I need to know about compliance?

484
00:31:48,960 --> 00:31:53,760
My response was you need to understand at least what the compliance programs are and

485
00:31:53,760 --> 00:31:56,760
what the implications are of these compliance programs.

486
00:31:56,760 --> 00:31:59,320
I don't think you need to be a compliance alpha geek.

487
00:31:59,320 --> 00:32:02,160
Leave that to the compliance people and the legal people.

488
00:32:02,160 --> 00:32:06,880
But you need to at least understand the implications that GDPR may have on your solution or the

489
00:32:06,880 --> 00:32:11,920
implications that FedRAMP may have on your solution or the implications that PCI DSS

490
00:32:11,920 --> 00:32:15,160
3.2.1 may have on your solution.

491
00:32:15,160 --> 00:32:18,680
You have to be mindful of these, especially if you are one of the lead architects working

492
00:32:18,680 --> 00:32:20,720
on the design of a system.

493
00:32:20,720 --> 00:32:21,720
Absolutely agree.

494
00:32:21,720 --> 00:32:26,200
I wouldn't even go farther than that, speaking of threat modeling against

495
00:32:26,200 --> 00:32:28,280
a compliance framework.

496
00:32:28,280 --> 00:32:33,880
That's the number one issue that drives me in this particular role is that I get to learn.

497
00:32:33,880 --> 00:32:38,000
I have the opportunity to learn something brand new every single day.

498
00:32:38,000 --> 00:32:45,720
I learn it during interactions with our customers, with my colleagues.

499
00:32:45,720 --> 00:32:50,360
The field, the security field, the cloud field, technology just almost seems infinitely

500
00:32:50,360 --> 00:32:53,800
broad to me that I get excited.

501
00:32:53,800 --> 00:32:56,280
I said, what am I going to learn new today?

502
00:32:56,280 --> 00:32:58,560
And in the process, maybe help someone else learn something.

503
00:32:58,560 --> 00:33:04,040
So this idea of, hey, I really don't know compliance and boy, there's another opportunity

504
00:33:04,040 --> 00:33:09,160
to get into a field that maybe even five years ago, you would not have had that opportunity

505
00:33:09,160 --> 00:33:10,160
to do so.

506
00:33:10,160 --> 00:33:11,240
Now it's all coming together.

507
00:33:11,240 --> 00:33:12,240
So I love it.

508
00:33:12,240 --> 00:33:15,040
I have a big question for you.

509
00:33:15,040 --> 00:33:21,640
Let's ask about how they should segregate between, say, their tenant, their subscription

510
00:33:21,640 --> 00:33:24,640
and their resource groups.

511
00:33:24,640 --> 00:33:30,280
What are the general best practices that you advise customers to do there?

512
00:33:30,280 --> 00:33:31,280
Because big question.

513
00:33:31,280 --> 00:33:33,320
Oh, and how many do they need?

514
00:33:33,320 --> 00:33:36,800
Again, big question and may depend on the customer.

515
00:33:36,800 --> 00:33:42,800
But what's your general advice to anyone listening who might be trying to sort out their architecture

516
00:33:42,800 --> 00:33:46,920
in Azure from a security perspective and segregation perspective?

517
00:33:46,920 --> 00:33:47,920
Yeah.

518
00:33:47,920 --> 00:33:49,520
So it is a great question.

519
00:33:49,520 --> 00:33:52,120
And it's actually a pretty heavy topic.

520
00:33:52,120 --> 00:34:00,440
It's maybe more organizational, legal things than it is technological, although there are

521
00:34:00,440 --> 00:34:02,320
aspects to it.

522
00:34:02,320 --> 00:34:09,880
So my general guidance to every company is one instance of Azure Active Directory.

523
00:34:09,880 --> 00:34:12,080
So kind of that one ring to rule them all.

524
00:34:12,080 --> 00:34:18,960
And sometimes we, I get involved with an organization that's maybe farther down the path and maybe

525
00:34:18,960 --> 00:34:22,160
they're suffering because of decisions they'd made early on.

526
00:34:22,160 --> 00:34:24,360
And we have to unwind some of that stuff.

527
00:34:24,360 --> 00:34:27,000
Or what's our go forward path?

528
00:34:27,000 --> 00:34:34,040
If we can get in front of some folks that are still in their infancy and using cloud

529
00:34:34,040 --> 00:34:39,280
in Azure or even right at the get go, then yeah, we're going to say one instance of Azure

530
00:34:39,280 --> 00:34:40,920
Active Directory.

531
00:34:40,920 --> 00:34:47,200
And what we mean by that is for production test, pre-production, non-prod, dev, whatever

532
00:34:47,200 --> 00:34:52,960
you want to call it, everything that's running in Azure, one directory infrastructure.

533
00:34:52,960 --> 00:34:58,240
And that's atypical from what folks have done on premises where we used to have, here's

534
00:34:58,240 --> 00:35:02,600
my non-prod domain, here's my production domain.

535
00:35:02,600 --> 00:35:08,440
And that was fine, but we don't have this concept of domains inside of Azure Active

536
00:35:08,440 --> 00:35:09,440
Directory.

537
00:35:09,440 --> 00:35:13,960
And we've seen, oftentimes folks would do different synchronizations, right?

538
00:35:13,960 --> 00:35:19,160
They'd have a directory synchronization from non-prod into a tenant and one from prod into

539
00:35:19,160 --> 00:35:20,160
a tenant.

540
00:35:20,160 --> 00:35:24,160
And it really does bad things.

541
00:35:24,160 --> 00:35:30,880
Operationally from a cost perspective, from a security visibility, we start to have these

542
00:35:30,880 --> 00:35:32,680
identities spread out all over the place.

543
00:35:32,680 --> 00:35:35,960
It's confusing and confounding to the end users.

544
00:35:35,960 --> 00:35:38,880
So we want all that to go into one directory.

545
00:35:38,880 --> 00:35:44,600
And Sarah, as you've heard me say to customers where we've tag-teamed, it would need to be

546
00:35:44,600 --> 00:35:49,760
a constitutional amendment to add another directory, right?

547
00:35:49,760 --> 00:35:51,560
Are there good reasons for it?

548
00:35:51,560 --> 00:35:54,480
Sure, but let's make sure they're really good.

549
00:35:54,480 --> 00:36:01,320
So let's keep with that one directory so that my identity in the cloud is a single, at a

550
00:36:01,320 --> 00:36:02,320
single point.

551
00:36:02,320 --> 00:36:08,200
And then I can use very, very strong role-based access controls to work toward that kind of

552
00:36:08,200 --> 00:36:12,640
zero trust architecture, that least privilege access model based on that single identity.

553
00:36:12,640 --> 00:36:16,600
I have non-repudiation, less things to worry about, right?

554
00:36:16,600 --> 00:36:18,080
Reduce the attack surface.

555
00:36:18,080 --> 00:36:21,520
There's a lot of benefits to a single directory.

556
00:36:21,520 --> 00:36:28,280
And then as you convince folks to say, this is the way, maybe that's kind of a Mandalorian

557
00:36:28,280 --> 00:36:33,080
thing, but this is the way, then everything else starts to kind of fall into place.

558
00:36:33,080 --> 00:36:39,000
So now I have one root management group to which I kind of fix Azure policy and policy

559
00:36:39,000 --> 00:36:44,880
initiatives, role assignments, things like that, that can then be inherited in the kind

560
00:36:44,880 --> 00:36:48,720
of nested inheritance model that we have with management groups.

561
00:36:48,720 --> 00:36:51,760
Things start to kind of get easier at that perspective.

562
00:36:51,760 --> 00:36:53,920
And then the subscriptions.

563
00:36:53,920 --> 00:36:58,600
I know we've seen a lot of folks trying to pack as much as they can into a subscription

564
00:36:58,600 --> 00:37:04,280
and then use role-based access control at the resource group levels to kind of segregate

565
00:37:04,280 --> 00:37:05,280
things.

566
00:37:05,280 --> 00:37:09,520
There are no charges for a subscription.

567
00:37:09,520 --> 00:37:16,760
So we say, why not look at segregating things, separating things based on a subscription

568
00:37:16,760 --> 00:37:17,760
boundary?

569
00:37:17,760 --> 00:37:21,000
And it gives you a lot of additional benefits as well.

570
00:37:21,000 --> 00:37:28,200
So I'm less likely to run into any sort of limitations or quotas that we see around

571
00:37:28,200 --> 00:37:34,920
subscriptions, around the number of role assignments that you can have, the number of NSGs and

572
00:37:34,920 --> 00:37:38,080
things like that, that oftentimes are at a subscription level.

573
00:37:38,080 --> 00:37:42,840
So having that separated really frees up the amount of resources we have available, gives

574
00:37:42,840 --> 00:37:45,000
you a little bit extra headroom.

575
00:37:45,000 --> 00:37:49,040
It also has a very nice billing boundary, but it also gives me the ability to really

576
00:37:49,040 --> 00:37:52,840
separate from a security view based on those role-based access control.

577
00:37:52,840 --> 00:37:58,920
So that way I don't have a subscription owner who has a look into everything in the subscription

578
00:37:58,920 --> 00:38:04,160
where maybe I don't want them to have any view into this other subscription and the

579
00:38:04,160 --> 00:38:06,000
data there.

580
00:38:06,000 --> 00:38:11,800
So I think when we look at it, we say single-tenant, maybe as many subscriptions as you're willing

581
00:38:11,800 --> 00:38:18,800
to have out there to use that as your first security boundary and then secure stuff even

582
00:38:18,800 --> 00:38:23,520
farther as you get into those resources that run in the resource groups.

583
00:38:23,520 --> 00:38:29,000
So it gives you quite a bit of additional flexibility and I think more granular control

584
00:38:29,000 --> 00:38:30,080
if you do that.

585
00:38:30,080 --> 00:38:35,760
So and again, taking this back to automation, once we get this all automated or to some

586
00:38:35,760 --> 00:38:40,840
degree of automation, having a lot of subscriptions really doesn't matter anymore, right?

587
00:38:40,840 --> 00:38:44,680
As far as, oh, that's too many subscriptions to manage.

588
00:38:44,680 --> 00:38:48,960
It really at the end of the day, you're managing the resources and you're going to have the

589
00:38:48,960 --> 00:38:55,880
same amount of resources irrespective of if you have one subscription or 50 subscriptions.

590
00:38:55,880 --> 00:39:02,160
So in following on from that, this idea of subscription limitations and quotas, if we

591
00:39:02,160 --> 00:39:09,240
are using role-based access controls appropriately and as we should, if we've got these resources

592
00:39:09,240 --> 00:39:15,440
spread over more subscriptions, I'm less likely to bump into some of these could become very

593
00:39:15,440 --> 00:39:21,040
critical showstopping limitations such as the number of role-based access controls is

594
00:39:21,040 --> 00:39:22,880
limited per subscription.

595
00:39:22,880 --> 00:39:29,040
You hit a boundary of 2,000 role assignments that you can do for Azure resources in a subscription

596
00:39:29,040 --> 00:39:30,760
and that sounds like a lot, right?

597
00:39:30,760 --> 00:39:31,760
2,000.

598
00:39:31,760 --> 00:39:33,520
We have had customers that have hit it.

599
00:39:33,520 --> 00:39:35,680
So really, how do we unwind that?

600
00:39:35,680 --> 00:39:38,800
Start moving those resources into different subscriptions.

601
00:39:38,800 --> 00:39:45,600
So we're trying to just get ahead of these types of things, making sure that the customers

602
00:39:45,600 --> 00:39:50,040
aren't painting themselves into a corner, these organizations, because we'd rather have

603
00:39:50,040 --> 00:39:56,240
them understand long-term what they might run into six months a year from now or even

604
00:39:56,240 --> 00:40:02,040
further out and why we were recommending multiple subscriptions so that they can make a very,

605
00:40:02,040 --> 00:40:03,920
very informed decision.

606
00:40:03,920 --> 00:40:09,880
First access controls is one of those, another more network-oriented control would be this

607
00:40:09,880 --> 00:40:12,160
idea of network security groups.

608
00:40:12,160 --> 00:40:18,280
There is a limit to 5,000 NSGs or network security groups that you can have in a subscription.

609
00:40:18,280 --> 00:40:20,640
And again, you think, oh, check 5,000.

610
00:40:20,640 --> 00:40:23,160
Have had customers who have hit it.

611
00:40:23,160 --> 00:40:29,840
Seems crazy, but a lot of folks are using NSGs that are assigned to the NICs, which is perfectly

612
00:40:29,840 --> 00:40:35,520
legitimate, allowable, but you can imagine that there's quite a few NSGs that start to

613
00:40:35,520 --> 00:40:36,520
pop up.

614
00:40:36,520 --> 00:40:42,320
So again, if we can, we recommend, hey, potentially use them on the subnets and not on the NICs, maybe

615
00:40:42,320 --> 00:40:48,560
separate those virtual machines and therefore the NICs into different subscriptions, so I'm less

616
00:40:48,560 --> 00:40:51,320
likely to run into those boundaries.

617
00:40:51,320 --> 00:40:55,320
And that all, we take that in from a security perspective.

618
00:40:55,320 --> 00:41:00,680
So I just wanted to add that little bit to this idea of multiple subscriptions.

619
00:41:00,680 --> 00:41:05,880
It might be something really to think about as you're looking at your overall governance

620
00:41:05,880 --> 00:41:08,320
and standards for deploying in Azure.

621
00:41:08,320 --> 00:41:12,480
Yeah, I had a customer hit, I can't remember what the limit was, because they thought that

622
00:41:12,480 --> 00:41:15,040
absolutely everything was always infinite.

623
00:41:15,040 --> 00:41:16,440
And turns out that wasn't correct.

624
00:41:16,440 --> 00:41:20,960
I mean, like you say, the numbers are, the limits are large, extremely large, but it's

625
00:41:20,960 --> 00:41:25,400
still worthwhile knowing what they are just in case.

626
00:41:25,400 --> 00:41:29,840
And like you say, actually the solution that this one customer came up with was to basically

627
00:41:29,840 --> 00:41:35,000
have more than one subscription and the problems magically went away.

628
00:41:35,000 --> 00:41:40,920
So on that, we always ask our guests to leave our listeners with a final thought.

629
00:41:40,920 --> 00:41:43,760
So what would your final thought be?

630
00:41:43,760 --> 00:41:49,520
So final thought, it might be final thoughts, but I guess my final thought is to always

631
00:41:49,520 --> 00:41:56,640
approach every opportunity as new, as fresh.

632
00:41:56,640 --> 00:42:04,520
So in other words, in my mind as an architect, as an engineer, I know that X, Y, and Z always

633
00:42:04,520 --> 00:42:05,520
work.

634
00:42:05,520 --> 00:42:07,960
I would say, you certainly keep that, that's experiential.

635
00:42:07,960 --> 00:42:11,480
But approach it with the blank slate, like this is a brand new problem, I'm going to

636
00:42:11,480 --> 00:42:17,400
approach it and really think about the problem and especially given that oftentimes this

637
00:42:17,400 --> 00:42:19,040
is brand new territory.

638
00:42:19,040 --> 00:42:21,440
So always come at everything fresh.

639
00:42:21,440 --> 00:42:28,840
Don't try to pre-solution within the first 30 seconds of a particular conversation.

640
00:42:28,840 --> 00:42:35,280
So be open and willing to think about something completely new and different, some

641
00:42:35,280 --> 00:42:40,680
new type of approach and always think in the mind of an attacker.

642
00:42:40,680 --> 00:42:42,640
So who could get to this and how?

643
00:42:42,640 --> 00:42:47,520
Kind of be nefarious and devious in your own head to see where we can shore up those

644
00:42:47,520 --> 00:42:49,520
defenses.

645
00:42:49,520 --> 00:42:51,640
So I think you should bring up the think like an attacker stuff.

646
00:42:51,640 --> 00:42:55,480
Yeah, if you have people in your organization who think like attackers, you need to be grooming

647
00:42:55,480 --> 00:42:57,920
those people to really work.

648
00:42:57,920 --> 00:43:00,200
No, I'm actually quite serious.

649
00:43:00,200 --> 00:43:01,200
Yes.

650
00:43:01,200 --> 00:43:06,680
Normally, and Sarah can back me up here, I never interject after a final thought until

651
00:43:06,680 --> 00:43:12,800
this time because this is something that I am deeply passionate about.

652
00:43:12,800 --> 00:43:17,320
Having worked with so many customers who design things without realizing what an attacker

653
00:43:17,320 --> 00:43:19,200
can actually do.

654
00:43:19,200 --> 00:43:23,320
And even with threat modeling, we're showing the potential risks that an application may

655
00:43:23,320 --> 00:43:25,280
have.

656
00:43:25,280 --> 00:43:28,840
This is a critically important part.

657
00:43:28,840 --> 00:43:35,400
If you have people who really do have that skill set, you need to be grooming them and

658
00:43:35,400 --> 00:43:40,040
helping them work with other people to make sure that they're securing the environment.

659
00:43:40,040 --> 00:43:41,320
Yes, a really good point.

660
00:43:41,320 --> 00:43:42,320
Thank you very much.

661
00:43:42,320 --> 00:43:44,240
So with that, let's bring this to an end.

662
00:43:44,240 --> 00:43:46,800
Chuck, thank you so much for joining us this week.

663
00:43:46,800 --> 00:43:50,680
I always learn something from our guests and this was absolutely no exception.

664
00:43:50,680 --> 00:43:53,000
And to our listeners out there, thank you so much for listening.

665
00:43:53,000 --> 00:43:54,600
Stay safe and we'll see you next time.

666
00:43:54,600 --> 00:43:57,600
Thanks for listening to the Azure Security Podcast.

667
00:43:57,600 --> 00:44:04,400
You can find show notes and other resources at our website azsecuritypodcast.net.

668
00:44:04,400 --> 00:44:09,560
If you have any questions, please find us on Twitter at Azure SecPod.

669
00:44:09,560 --> 00:44:19,680
Music is from ccmixter.com and licensed under the Creative Commons license.

