1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,640
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,640 --> 00:00:16,960
Hey everybody, welcome to Episode 26.

5
00:00:16,960 --> 00:00:18,360
We've not been keeping score,

6
00:00:18,360 --> 00:00:19,680
it's actually our one-year anniversary.

7
00:00:19,680 --> 00:00:21,720
Very excited to be at the one-year point.

8
00:00:21,720 --> 00:00:24,640
Hopefully, we'll have many more years to come.

9
00:00:24,640 --> 00:00:26,240
Of course, being a security geek,

10
00:00:26,240 --> 00:00:27,840
what's the first thing I want to go and check?

11
00:00:27,840 --> 00:00:31,200
What is the certificate on the Azure Security Podcast website?

12
00:00:31,200 --> 00:00:33,360
This week, we have a guest.

13
00:00:33,360 --> 00:00:35,320
We have Tanu Bala, who's here from

14
00:00:35,320 --> 00:00:39,560
the Azure Hybrid Networking Team to talk to us about Azure Bastion.

15
00:00:39,560 --> 00:00:41,040
We also have a full house.

16
00:00:41,040 --> 00:00:43,520
We have myself, Mark, Gladys, and Sarah.

17
00:00:43,520 --> 00:00:44,880
But before we get to Tanu,

18
00:00:44,880 --> 00:00:46,560
let's take a look at the news. Gladys,

19
00:00:46,560 --> 00:00:48,360
why don't you kick things off?

20
00:00:48,360 --> 00:00:50,760
It was a little bit difficult to select

21
00:00:50,760 --> 00:00:53,200
what to talk about in the news segment.

22
00:00:53,200 --> 00:00:57,240
There are so many capabilities that were in preview during Ignite,

23
00:00:57,240 --> 00:00:59,400
and now they're generally available.

24
00:00:59,400 --> 00:01:02,880
The first one that I want to talk about is that we're releasing in

25
00:01:02,880 --> 00:01:08,000
public preview some new capabilities with AD FS sign-ins.

26
00:01:08,000 --> 00:01:11,960
This is really good with Connect Health.

27
00:01:11,960 --> 00:01:17,080
We are providing integration with Azure AD Activity Reporting,

28
00:01:17,080 --> 00:01:22,040
providing unified view of hybrid identity infrastructure.

29
00:01:22,040 --> 00:01:24,760
This is a good one to look at.

30
00:01:24,760 --> 00:01:29,720
In addition, we go general availability with

31
00:01:29,720 --> 00:01:35,680
header-based authentication for single sign-on in Application Proxy.

32
00:01:35,680 --> 00:01:40,640
Many of you have heard me talking about Azure Application Proxy before.

33
00:01:40,640 --> 00:01:45,360
I'm really excited about this product because it's a way to

34
00:01:45,360 --> 00:01:48,480
get connections to on-prem applications.

35
00:01:48,480 --> 00:01:51,960
It supports SAML, password, or OIDC,

36
00:01:51,960 --> 00:01:55,720
but now we are providing header-based authentication.

37
00:01:55,720 --> 00:02:01,920
Finally, I wanted to talk about new guidance that we are releasing to

38
00:02:01,920 --> 00:02:06,080
help customers enable support for TLS 1.2.

39
00:02:06,080 --> 00:02:09,240
This is important because as of June 30th,

40
00:02:09,240 --> 00:02:15,280
2021, we are deprecating from Azure AD TLS 1.0,

41
00:02:15,280 --> 00:02:20,280
1.1, and the 3DES cipher suite. That's all for me.

42
00:02:20,280 --> 00:02:24,120
Hey everyone. A couple of bits of news for me this week.

43
00:02:24,120 --> 00:02:30,760
Firstly, Azure AD B2C is now available in public preview in Australia,

44
00:02:30,760 --> 00:02:32,720
which is very cool.

45
00:02:32,720 --> 00:02:36,360
This has been available in Australia,

46
00:02:36,360 --> 00:02:41,480
but not having the user data stored locally.

47
00:02:41,480 --> 00:02:45,440
This is a big thing if you've been waiting to use B2C and you're in

48
00:02:45,440 --> 00:02:51,960
Australia and my part of the world, but you weren't able to send user data overseas,

49
00:02:51,960 --> 00:02:54,520
you can now look at using B2C.

50
00:02:54,520 --> 00:02:56,600
Next, I'm going to talk about my baby.

51
00:02:56,600 --> 00:02:59,800
I'm going to talk about Azure Sentinel and talk about some of the things we

52
00:02:59,800 --> 00:03:04,560
released during the last month or so.

53
00:03:04,560 --> 00:03:06,680
Going through the updates,

54
00:03:06,680 --> 00:03:08,600
which we will link to in the show notes.

55
00:03:08,600 --> 00:03:12,880
You can now set workbooks to automatically refresh when you're in View Mode.

56
00:03:12,880 --> 00:03:18,120
Workbooks are like dashboards in Azure Sentinel and you do need to

57
00:03:18,120 --> 00:03:20,520
refresh them at the moment,

58
00:03:20,520 --> 00:03:24,040
but now you can actually set that to auto refresh because of course,

59
00:03:24,040 --> 00:03:27,280
it might be that you're looking at statistics that change regularly.

60
00:03:27,280 --> 00:03:31,040
If you're using them as a dashboard up in your SOC or wherever,

61
00:03:31,040 --> 00:03:34,080
ideally you want them to refresh.

62
00:03:34,080 --> 00:03:35,440
You can do that.

63
00:03:35,440 --> 00:03:39,520
The supported refresh intervals are from five minutes to a day.

64
00:03:39,520 --> 00:03:43,200
Do remember that auto refresh is still turned off by default,

65
00:03:43,200 --> 00:03:45,480
you do need to go turn it on.

66
00:03:45,480 --> 00:03:47,440
When you close a workbook,

67
00:03:47,440 --> 00:03:51,640
it doesn't run in the background and this is just to optimize performance and not put

68
00:03:51,640 --> 00:03:54,120
too much load on the platform.

69
00:03:54,120 --> 00:03:59,640
Another thing that we've got going this month in Sentinel is new detections for Azure Firewall.

70
00:03:59,640 --> 00:04:04,160
We've added quite a lot of out-of-the-box detections in the analytics area.

71
00:04:04,160 --> 00:04:06,920
Some of them we've got: known IRIDIUM IPs,

72
00:04:06,920 --> 00:04:09,280
known GALLIUM domains, known PHOSPHORUS group.

73
00:04:09,280 --> 00:04:10,600
Go and check those out,

74
00:04:10,600 --> 00:04:13,040
especially of course if you're using Azure Firewall.

75
00:04:13,040 --> 00:04:15,080
Even if you're not using Azure Firewall,

76
00:04:15,080 --> 00:04:19,320
you could look at maybe amending those rules and the logic in them,

77
00:04:19,320 --> 00:04:22,720
and creating your own for your firewalls because they are written by

78
00:04:22,720 --> 00:04:26,400
our threat intelligence folks who are very clever.

79
00:04:26,400 --> 00:04:27,960
We did touch on this,

80
00:04:27,960 --> 00:04:30,240
but I guess I'll just do it for completeness.

81
00:04:30,240 --> 00:04:33,200
We also have automation rules.

82
00:04:33,200 --> 00:04:36,720
Now they were announced at Ignite,

83
00:04:36,720 --> 00:04:41,000
but automation rules are a really nice way to do

84
00:04:41,000 --> 00:04:45,040
very simple little changes in Sentinel in an automated fashion,

85
00:04:45,040 --> 00:04:47,360
without having to go full on logic apps.

86
00:04:47,360 --> 00:04:49,880
So definitely go check that out.

87
00:04:49,880 --> 00:04:51,720
Something that sounds tiny,

88
00:04:51,720 --> 00:04:55,080
but a lot of customers have been asking for is that you can now print

89
00:04:55,080 --> 00:04:58,040
workbooks or save them as a PDF.

90
00:04:58,040 --> 00:05:03,120
Workbooks are a way of monitoring things and they are a way of reporting statistics.

91
00:05:03,120 --> 00:05:07,680
So it's not surprising that a lot of customers have been asking to be able to

92
00:05:07,680 --> 00:05:10,920
save as a PDF so they can send it to their management or if they're

93
00:05:10,920 --> 00:05:15,080
a managed service provider they might need to send some statistics to their customers.

94
00:05:15,080 --> 00:05:17,040
So now that is available.

95
00:05:17,040 --> 00:05:19,160
Hooray. So you don't have to do,

96
00:05:19,160 --> 00:05:24,200
you don't have to try and do a screenshot of it which is much nicer.

97
00:05:24,200 --> 00:05:28,240
We also, something that's gone into public preview is the incident timeline.

98
00:05:28,240 --> 00:05:34,880
So what that does is it basically means that you can have a timeline view on your incident page.

99
00:05:34,880 --> 00:05:38,200
We used to only have the timeline within the investigation graph.

100
00:05:38,200 --> 00:05:40,840
That means that you can see your notes and comments,

101
00:05:40,840 --> 00:05:45,400
the entities involved and the timeline of what happened all in one place,

102
00:05:45,400 --> 00:05:47,760
which of course is great for triaging.

103
00:05:47,760 --> 00:05:51,640
So moving on from Sentinel and moving on to log analytics.

104
00:05:51,640 --> 00:05:56,400
So the log analytics agent which previously was known as

105
00:05:56,400 --> 00:06:00,400
the MMA agent also known as the OMS agent.

106
00:06:00,400 --> 00:06:06,560
The Windows version of that agent for winter 2021 is now generally available.

107
00:06:06,560 --> 00:06:09,880
So that basically means it's got some bug fixes,

108
00:06:09,880 --> 00:06:13,000
it changes how the agent handles certificates.

109
00:06:13,000 --> 00:06:18,440
As always, we do suggest that you use the latest version of the agent.

110
00:06:18,440 --> 00:06:20,960
So if you're using this agent in your environment,

111
00:06:20,960 --> 00:06:24,080
do go and look at upgrading.

112
00:06:24,080 --> 00:06:30,680
That leads me nicely onto another thing that we haven't talked about on the show yet.

113
00:06:30,680 --> 00:06:33,080
If you're using the log analytics agent,

114
00:06:33,080 --> 00:06:39,320
we are actually transitioning to a new agent which is known as the Azure Monitor agent or the AMA.

115
00:06:39,320 --> 00:06:43,200
Now the Azure Monitor agent essentially does the same sort of things.

116
00:06:43,200 --> 00:06:45,960
It collects Windows events and it can collect Syslog and

117
00:06:45,960 --> 00:06:49,040
other telemetry from the machine it's installed on,

118
00:06:49,040 --> 00:06:54,040
but there's going to be a lot more features with it.

119
00:06:54,040 --> 00:06:56,840
Now some of those, they're not all there at the moment,

120
00:06:56,840 --> 00:06:58,720
it's still a new product in preview.

121
00:06:58,720 --> 00:07:01,480
But certainly if you're using the log analytics agent,

122
00:07:01,480 --> 00:07:06,920
go and look at the Azure Monitor agent because in due course,

123
00:07:06,920 --> 00:07:09,480
this will be replacing it and that's a good thing

124
00:07:09,480 --> 00:07:12,480
because it's going to have loads of really cool features.

125
00:07:12,480 --> 00:07:15,320
A few things caught my interest over the last couple of weeks.

126
00:07:15,320 --> 00:07:21,400
The first is object level security is now generally available in Power BI Premium and Pro.

127
00:07:21,400 --> 00:07:24,040
This is not a replacement for say,

128
00:07:24,040 --> 00:07:28,960
row level security or even column level security or access control mechanisms that are

129
00:07:28,960 --> 00:07:32,000
say in Azure Synapse or SQL DB.

130
00:07:32,000 --> 00:07:37,200
But this is another layer of access control that you can put in place,

131
00:07:37,200 --> 00:07:40,480
but it's down at the Power BI layer.

132
00:07:40,480 --> 00:07:43,560
Another thing to call my interest was in App Service.

133
00:07:43,560 --> 00:07:46,240
We've now updated the authentication portal.

134
00:07:46,240 --> 00:07:49,880
This is now available in GA in general availability.

135
00:07:49,880 --> 00:07:52,760
We're just changing the way it looks and the way it handles,

136
00:07:52,760 --> 00:07:57,520
just to make it more streamlined and make it just more obvious how you're going to use

137
00:07:57,520 --> 00:08:02,560
authentication when you're using modern identity and Azure App Service.

138
00:08:02,560 --> 00:08:06,440
Another one is we now have in general availability,

139
00:08:06,440 --> 00:08:09,320
Private Link support for Azure Cache for Redis.

140
00:08:09,320 --> 00:08:14,120
It only seems like a few days ago, we announced that it was in public preview.

141
00:08:14,120 --> 00:08:15,360
This is really cool.

142
00:08:15,360 --> 00:08:19,440
As I've mentioned on many podcasts prior,

143
00:08:19,440 --> 00:08:25,040
we're seeing a general move across the platform to more use of things like private link,

144
00:08:25,040 --> 00:08:29,840
private endpoints, customer managed keys for data at rest,

145
00:08:29,840 --> 00:08:32,120
encryption of data at rest, and so on.

146
00:08:32,120 --> 00:08:36,160
So it's great to see that yet another Azure PaaS offering,

147
00:08:36,160 --> 00:08:40,040
platform as a service offering is now supporting private links.

148
00:08:40,040 --> 00:08:42,960
This next one isn't actually that new,

149
00:08:42,960 --> 00:08:46,920
but I only came across it this last week with a customer.

150
00:08:46,920 --> 00:08:49,720
That's a thing called SCIM,

151
00:08:49,720 --> 00:08:52,600
which can be used with Azure Databricks.

152
00:08:52,600 --> 00:08:57,760
So SCIM is essentially a way of helping you map between

153
00:08:57,760 --> 00:09:01,560
Azure Active Directory users and groups and Databricks.

154
00:09:01,560 --> 00:09:08,000
So you're going to realize tools like Databricks were not designed upfront to work,

155
00:09:08,000 --> 00:09:12,320
specifically with Azure AD or Azure in general for that matter.

156
00:09:12,320 --> 00:09:15,360
So this provides a really nice mapping between the two.

157
00:09:15,360 --> 00:09:20,360
So it's great to see that there's now support for SCIM in Databricks.

158
00:09:20,360 --> 00:09:23,160
The next two actually got nothing to do with security whatsoever,

159
00:09:23,160 --> 00:09:24,840
but I just can't help myself.

160
00:09:24,840 --> 00:09:27,440
The first is that Microsoft Power FX,

161
00:09:27,440 --> 00:09:28,720
which is an open source,

162
00:09:28,720 --> 00:09:32,720
low-code programming language that we can use with the Power Platform.

163
00:09:32,720 --> 00:09:36,120
For example, Microsoft Power Apps is now in public preview.

164
00:09:36,120 --> 00:09:40,400
It's very similar to the way Excel works.

165
00:09:40,400 --> 00:09:42,840
If you've been to development in Excel,

166
00:09:42,840 --> 00:09:47,040
you'll feel pretty much at home using Power FX.

167
00:09:47,040 --> 00:09:48,600
The last one because again,

168
00:09:48,600 --> 00:09:51,960
I just can't help myself because I despise JavaScript so much,

169
00:09:51,960 --> 00:09:56,320
but TypeScript 4.3 Beta is now available.

170
00:09:56,320 --> 00:10:00,440
So if you've not been using TypeScript and you've been hitting your head against the wall

171
00:10:00,440 --> 00:10:03,160
using JavaScript, especially in large projects,

172
00:10:03,160 --> 00:10:07,120
then do yourself a favor and spend a little bit of time with TypeScript.

173
00:10:07,120 --> 00:10:08,600
That's all I have.

174
00:10:08,600 --> 00:10:12,720
A couple of things caught my eye in the news and also had some interesting discussions

175
00:10:12,720 --> 00:10:16,120
and realizations that are going to show up in some of our public documentation soon

176
00:10:16,120 --> 00:10:17,320
that I thought I'd cover.

177
00:10:17,320 --> 00:10:20,880
The first kind of hearkens back to my old days of consulting with the federal government,

178
00:10:20,880 --> 00:10:22,640
which I did for many years.

179
00:10:22,640 --> 00:10:26,120
The public preview of the Azure STIG solution.

180
00:10:26,120 --> 00:10:31,800
To help with those Windows and Linux virtual machines and be able to get that out there

181
00:10:31,800 --> 00:10:32,800
and get it configured quickly.

182
00:10:32,800 --> 00:10:38,040
So I want to make sure folks are aware of that because I remember how little fun it was to do STIG.

183
00:10:38,040 --> 00:10:42,120
Then there's a couple updates in Azure Security Center on the public preview side

184
00:10:42,120 --> 00:10:45,920
and the general availability that were interesting.

185
00:10:45,920 --> 00:10:49,120
One of the highlights is that the Azure Firewall Management,

186
00:10:49,120 --> 00:10:51,480
the integration of it into Azure Security Center,

187
00:10:51,480 --> 00:10:54,040
is actually generally available.

188
00:10:54,040 --> 00:10:57,320
Then there's a couple of other detections and rules and enhancements.

189
00:10:57,320 --> 00:11:03,680
The usual DevOps resulting in new features on a fairly regular basis stuff.

190
00:11:03,680 --> 00:11:05,680
So I got the links there in the show notes.

191
00:11:05,680 --> 00:11:11,000
The two topics that have been interesting that light bulbs up in my head

192
00:11:11,000 --> 00:11:16,680
as we were going through building some security guidance for the cloud adoption framework.

193
00:11:16,680 --> 00:11:19,720
The first one, we came to this realization,

194
00:11:19,720 --> 00:11:23,080
we're trying to figure out what's the most important thing about DevSecOps.

195
00:11:23,080 --> 00:11:27,320
There's a lot about it. There's the SAST, the DAST, the integrated CI/CD,

196
00:11:27,320 --> 00:11:32,720
make sure it's native and so that you're doing stuff that shows up as a bug

197
00:11:32,720 --> 00:11:35,200
and security bugs are in a whole separate process they have to learn

198
00:11:35,200 --> 00:11:38,000
and just kind of that whole integration thing.

199
00:11:38,000 --> 00:11:41,800
But the thing that we started to realize is that

200
00:11:41,800 --> 00:11:44,680
the biggest thing about DevSecOps is to do it right.

201
00:11:44,680 --> 00:11:50,080
And we know this is hard and it's a change, but it requires actually kind of honoring all three of them.

202
00:11:50,080 --> 00:11:53,760
So the Dev, which really represents a business and the need to ship features

203
00:11:53,760 --> 00:11:57,440
and keep it moving forward and get those capabilities live.

204
00:11:57,440 --> 00:11:59,440
If you don't have that, it doesn't work.

205
00:11:59,440 --> 00:12:01,840
Like you've got to do that or the app isn't relevant.

206
00:12:01,840 --> 00:12:04,040
Then the Ops side, the performance, the reliability,

207
00:12:04,040 --> 00:12:08,560
all the things that IT brings to the table is also critical because if you don't have that,

208
00:12:08,560 --> 00:12:12,080
then it's not going to be a very pleasant app experience.

209
00:12:12,080 --> 00:12:14,800
It's not going to be as compelling as you want it to be, etc.

210
00:12:14,800 --> 00:12:19,560
And the security side, the second part of DevSecOps is really what keeps it safe

211
00:12:19,560 --> 00:12:25,160
and those classic confidentiality, integrity, availability, assurances.

212
00:12:25,160 --> 00:12:30,120
And the thing that just really kind of came to mind that was super important is that you need them all.

213
00:12:30,120 --> 00:12:31,600
It's sort of like a race team.

214
00:12:31,600 --> 00:12:37,440
Like if you have a driver that makes a bunch of mistakes and you lose the race, you've lost the race.

215
00:12:37,440 --> 00:12:40,520
If the tire blows out and you lose the race, you lose the race.

216
00:12:40,520 --> 00:12:44,560
If the engine blows and you lose the race, you lose the race. It doesn't really matter.

217
00:12:44,560 --> 00:12:47,440
So it's really important to kind of honor all of those things.

218
00:12:47,440 --> 00:12:50,400
You can't really let one voice dominate all the decisions.

219
00:12:50,400 --> 00:12:52,160
Like you can't do all Dev all the time.

220
00:12:52,160 --> 00:12:53,520
Yeah, they're going to win some arguments.

221
00:12:53,520 --> 00:12:54,880
Can't do all Ops all the time.

222
00:12:54,880 --> 00:12:57,760
You know, being conservative and architecting it carefully, etc.

223
00:12:57,760 --> 00:12:59,000
And the same thing with security.

224
00:12:59,000 --> 00:13:00,880
You can't overpivot on security.

225
00:13:00,880 --> 00:13:04,000
You've got to figure out the MVPs for each of those and blend them together.

226
00:13:04,000 --> 00:13:11,080
So it's a really interesting set of realizations that, you know, kind of occupied my mind in the past couple of weeks.

227
00:13:11,080 --> 00:13:14,160
And then another one was, you know, as we were kind of looking, you know,

228
00:13:14,160 --> 00:13:17,720
working up the security governance guidance on that we're putting together,

229
00:13:17,720 --> 00:13:23,520
we sort of realized that there's a real difference between security and compliance,

230
00:13:23,520 --> 00:13:26,480
but there's also a very strong commonality because, you know,

231
00:13:26,480 --> 00:13:30,400
security is really about dealing with the threats in front of you right now.

232
00:13:30,400 --> 00:13:34,960
And compliance is about meeting the requirements that were written sometime in the past.

233
00:13:34,960 --> 00:13:38,360
Could be five, 10, 15, 20 years, depending on the regulation.

234
00:13:38,360 --> 00:13:43,000
And so it was really sort of, you know, that's always been sort of the difference between the two for me.

235
00:13:43,000 --> 00:13:47,600
But then the thing that started to realize this as we get to this real time data in the cloud,

236
00:13:47,600 --> 00:13:50,440
and we can actually instantly tell you, are you configured right?

237
00:13:50,440 --> 00:13:51,400
Are you patched?

238
00:13:51,400 --> 00:13:57,040
It can answer all these questions instantly with real-time stuff that used to take, you know, months of an audit.

239
00:13:57,040 --> 00:14:00,920
You know, we're starting to see those two disciplines get closer and closer together again,

240
00:14:00,920 --> 00:14:04,760
because you can now do the scope you need closer to comprehensive, you know,

241
00:14:04,760 --> 00:14:07,280
still have people process and human things.

242
00:14:07,280 --> 00:14:08,760
And you can do it quickly.

243
00:14:08,760 --> 00:14:12,440
And so you can actually meet both requirements without having to make these massive tradeoffs

244
00:14:12,440 --> 00:14:14,880
that led to these very different dynamics.

245
00:14:14,880 --> 00:14:20,440
So those were the things that really been top of my mind over the past couple of weeks.

246
00:14:20,440 --> 00:14:25,800
I don't know if you know or not, Mark, but I actually worked on the secure software development STIG back in the day,

247
00:14:25,800 --> 00:14:27,600
the original version of it.

248
00:14:27,600 --> 00:14:28,600
I actually enjoyed working on it.

249
00:14:28,600 --> 00:14:30,320
It was actually a good bunch of people I worked with.

250
00:14:30,320 --> 00:14:34,000
And it was like a 35, 40 page document.

251
00:14:34,000 --> 00:14:35,760
It was actually a lot of fun.

252
00:14:35,760 --> 00:14:40,520
Now that we've got the news out of the way, let's turn our attention to our guests this week.

253
00:14:40,520 --> 00:14:42,440
We have Tanu Bala.

254
00:14:42,440 --> 00:14:47,200
She's a program manager in the Azure Hybrid Networking Team.

255
00:14:47,200 --> 00:14:48,480
Tanu, welcome to the podcast.

256
00:14:48,480 --> 00:14:52,440
We'd like you to spend a moment to introduce yourself, give us an idea of what you do at Microsoft.

257
00:14:52,440 --> 00:14:55,920
Sure. Hi. It's great to be here.

258
00:14:55,920 --> 00:15:01,120
So I've been at Microsoft now for, wow, a little less than a year, I guess.

259
00:15:01,120 --> 00:15:04,440
My background is in computer science and business.

260
00:15:04,440 --> 00:15:10,040
And so for my first job, I thought that program management sounded like a great fit.

261
00:15:10,040 --> 00:15:13,160
So I ended up on the Azure Hybrid Networking Team,

262
00:15:13,160 --> 00:15:17,400
where I've been working with Azure ExpressRoute, Azure Bastion,

263
00:15:17,400 --> 00:15:21,560
and a few other services since I started my time here.

264
00:15:21,560 --> 00:15:22,200
Fantastic.

265
00:15:22,200 --> 00:15:26,440
So I got to start with probably the most simple question.

266
00:15:26,440 --> 00:15:30,200
Sure. A lot of people are asking the same question.

267
00:15:30,200 --> 00:15:32,440
What is a bastion?

268
00:15:32,440 --> 00:15:33,280
Yeah, sure.

269
00:15:33,280 --> 00:15:38,400
So a bastion host is either like the computer or virtual machine

270
00:15:38,400 --> 00:15:43,880
that's used to separate external traffic from a customer's private network.

271
00:15:43,880 --> 00:15:48,480
So it can be used to provide access to the resources that are in the network,

272
00:15:48,480 --> 00:15:50,640
and it can be the main point of entry.

273
00:15:50,640 --> 00:15:54,520
And so what that means is that any resources sitting in the private network

274
00:15:54,520 --> 00:15:57,480
no longer need a public IP address to be accessed,

275
00:15:57,480 --> 00:16:03,000
so they're not accessible directly from the internet or by external traffic.

276
00:16:03,000 --> 00:16:07,720
So I have to ask, then, what is Azure Bastion?

277
00:16:07,720 --> 00:16:13,920
So as the name suggests, Azure Bastion is Azure's Bastion host offering.

278
00:16:13,920 --> 00:16:19,560
It's a fully platform-managed PaaS, or platform as a service,

279
00:16:19,560 --> 00:16:24,600
and it provides lightweight and secure connectivity to your Azure VMs

280
00:16:24,600 --> 00:16:29,000
and eliminates the need to assign them public IP addresses.

281
00:16:29,000 --> 00:16:34,080
So from an IT Pro or from a security architect perspective,

282
00:16:34,080 --> 00:16:38,680
how would you compare contrast like a traditional bastion architecture

283
00:16:38,680 --> 00:16:41,480
if someone has one set up versus an Azure Bastion?

284
00:16:41,480 --> 00:16:45,960
What are the pros, the cons, the advantages, analogies, and whatnot?

285
00:16:45,960 --> 00:16:46,360
Sure.

286
00:16:46,360 --> 00:16:53,240
So a big part of that comes from the fact that Azure Bastion is a PaaS service.

287
00:16:53,240 --> 00:16:59,960
So while an IT admin or pro could manually set up and configure their own

288
00:16:59,960 --> 00:17:05,200
jumpbox server or bastion host in their Azure virtual network setup,

289
00:17:05,200 --> 00:17:10,320
that would require constant maintenance, configuration, and management,

290
00:17:10,320 --> 00:17:15,120
whereas Azure Bastion works right out of the box when you deploy it,

291
00:17:15,120 --> 00:17:18,760
and there's no need to consider the underlying infrastructure

292
00:17:18,760 --> 00:17:22,640
or the security considerations that are being taken under the hood

293
00:17:22,640 --> 00:17:27,560
so that whoever is setting it up or anyone else that's trying to use

294
00:17:27,560 --> 00:17:32,480
the Azure Bastion resource just gets smooth RDP and SSH access

295
00:17:32,480 --> 00:17:35,240
via the Azure portal, they get monitoring tools,

296
00:17:35,240 --> 00:17:41,440
and maintenance and updates to their Bastion without having to worry about it.

297
00:17:41,440 --> 00:17:45,440
So it's kind of like the, it's like, you know, running a SharePoint server

298
00:17:45,440 --> 00:17:48,920
online versus Office 365 in a way.

299
00:17:48,920 --> 00:17:50,600
Yeah, sure, exactly.

300
00:17:50,600 --> 00:17:53,240
One thing that, and perhaps this is really obvious to a lot of people,

301
00:17:53,240 --> 00:17:59,200
but I assume that this is used, you mentioned RDP,

302
00:17:59,200 --> 00:18:02,160
my guess is this is used for managing just VMs,

303
00:18:02,160 --> 00:18:05,240
like IaaS solutions inside of Azure.

304
00:18:05,240 --> 00:18:06,120
Yes, that's right.

305
00:18:06,120 --> 00:18:13,680
So right now, Azure Bastion does only provide RDP and SSH access to Azure IaaS VMs.

306
00:18:13,680 --> 00:18:18,160
However, we are constantly considering how to expand the target resource set

307
00:18:18,160 --> 00:18:23,600
so that customers can begin to use Azure Bastion to connect to other resources as well.

308
00:18:23,600 --> 00:18:26,680
So expansion there may come over time.

309
00:18:26,680 --> 00:18:29,840
What are the ways that customers connect to it?

310
00:18:29,840 --> 00:18:32,600
Do they have to use the portal?

311
00:18:32,600 --> 00:18:38,320
Yes, right now we are heavily focused on the Azure portal based experience,

312
00:18:38,320 --> 00:18:42,800
which fits well with the lightweight aspect of Azure Bastion.

313
00:18:42,800 --> 00:18:46,400
It provides a way for users to connect via the browser

314
00:18:46,400 --> 00:18:50,240
without needing to download any additional agents or software

315
00:18:50,240 --> 00:18:54,040
in order to enable the Azure Bastion Connect experience.

316
00:18:54,040 --> 00:18:57,960
So it really is, they click a button to deploy their Bastion,

317
00:18:57,960 --> 00:19:00,600
maybe configure it with a few more clicks,

318
00:19:00,600 --> 00:19:05,760
and then they can just access their VMs via the Bastion in the portal.

319
00:19:05,760 --> 00:19:08,640
So I have a question that's got nothing to do with security necessarily,

320
00:19:08,640 --> 00:19:12,280
but it's just something that's always kind of eluded me for a while.

321
00:19:12,280 --> 00:19:14,040
How does it actually work?

322
00:19:14,040 --> 00:19:20,200
I mean, here I am in a browser and I'm seeing Windows desktop getting rendered.

323
00:19:20,200 --> 00:19:21,560
Pretty amazing speech.

324
00:19:21,560 --> 00:19:26,280
I mean, it's not laggy, there's no real screen tearing going on.

325
00:19:26,280 --> 00:19:30,600
So under the covers, just from a purely curiosity perspective,

326
00:19:30,600 --> 00:19:32,640
kind of what's going on there.

327
00:19:32,640 --> 00:19:34,720
Yeah, it's cool.

328
00:19:34,720 --> 00:19:41,440
What we do is we decode the RDP and SSH streams on the Azure Bastion host itself,

329
00:19:41,440 --> 00:19:45,600
and then the video frames are sent via a web socket to the browser

330
00:19:45,600 --> 00:19:49,000
for the customer to see in their portal experience.

331
00:19:49,000 --> 00:19:50,240
And that's an important point, right?

332
00:19:50,240 --> 00:19:51,640
Because that's all over TLS, right?

333
00:19:51,640 --> 00:19:52,920
You don't need anything special.

334
00:19:52,920 --> 00:19:58,560
This is just from a browser, TLS out to an Azure Bastion service.

335
00:19:58,560 --> 00:20:01,760
So from a firewall perspective and so on,

336
00:20:01,760 --> 00:20:04,800
I'm just basically doing HTTPS traffic.

337
00:20:04,800 --> 00:20:05,640
Yes, that's right.

338
00:20:05,640 --> 00:20:07,360
That's totally right.

339
00:20:07,360 --> 00:20:09,760
I'm a big fan of Azure Bastion.

340
00:20:09,760 --> 00:20:13,320
I have to do all my interview questions right away so that people get that.

341
00:20:13,320 --> 00:20:18,320
But one of the things we're looking at this for is privileged access workstations

342
00:20:18,320 --> 00:20:20,560
as part of securing privileged access.

343
00:20:20,560 --> 00:20:23,320
Because we've got this native connection to the cloud,

344
00:20:23,320 --> 00:20:27,720
but we need to connect it to the on-prem legacy resources,

345
00:20:27,720 --> 00:20:30,640
which you might be hosting on IaaS, might be on-prem.

346
00:20:30,640 --> 00:20:34,040
And so Azure Bastion is one of the things that we're looking at for that.

347
00:20:34,040 --> 00:20:38,200
So I was curious, is the only scenario that people are thinking about it from,

348
00:20:38,200 --> 00:20:43,880
or what are the common scenarios that you're seeing that this would use?

349
00:20:43,880 --> 00:20:46,360
How are you seeing it used by our customers?

350
00:20:46,360 --> 00:20:46,840
Sure.

351
00:20:46,840 --> 00:20:55,520
So right now, because Azure Bastion does focus on enabling connectivity to Azure IaaS VMs,

352
00:20:55,520 --> 00:20:59,800
there are two main architectures that we see.

353
00:20:59,800 --> 00:21:07,320
The more often used one at the moment, just because it's where Bastion started,

354
00:21:07,320 --> 00:21:12,960
is the idea of one Azure Bastion resource per Azure VNet.

355
00:21:12,960 --> 00:21:17,440
And so customers will choose to just deploy a Bastion in each of their VNets

356
00:21:17,440 --> 00:21:21,320
in order to access the VMs that sit in each one.

357
00:21:21,320 --> 00:21:25,680
The other option now, more recently, is a hub and spoke model,

358
00:21:25,680 --> 00:21:30,560
because Azure Bastion has recently started to support VNet peering.

359
00:21:30,560 --> 00:21:38,400
So customers may instead choose to deploy a single Azure Bastion resource in a hub VNet,

360
00:21:38,400 --> 00:21:44,960
and then have it provide access to all the VMs that sit in the peered VNets of that hub.

361
00:21:44,960 --> 00:21:50,920
Both of these options are very specific to an Azure-only environment,

362
00:21:50,920 --> 00:21:54,720
with the target resources being Azure IaaS VMs.

363
00:21:54,720 --> 00:22:01,800
But the common architectures that will expand over time as the resources we can access

364
00:22:01,800 --> 00:22:04,280
via Bastion expand over time.

365
00:22:04,280 --> 00:22:10,560
So one thing that every customer I deal with, and I deal a lot with healthcare and finance,

366
00:22:10,560 --> 00:22:14,200
are things like logging and monitoring both at the control plane or the data plane.

367
00:22:14,200 --> 00:22:16,040
I mean, I think the control plane is fairly straightforward.

368
00:22:16,040 --> 00:22:19,640
You know, it's using Azure Monitor.

369
00:22:19,640 --> 00:22:20,880
But what about at the data plane?

370
00:22:20,880 --> 00:22:24,280
Or just in general, what are the best practices, or what sort of features do you have in place

371
00:22:24,280 --> 00:22:29,000
so I can see who accessed what and when and so on?

372
00:22:29,000 --> 00:22:36,320
Azure Bastion is always considering ways to expand the logging that's available for customers,

373
00:22:36,320 --> 00:22:45,160
especially our more compliance heavy customers, to be able to see, for example, like who's logging in and when.

374
00:22:45,160 --> 00:22:48,800
Right now, monitoring is fairly new.

375
00:22:48,800 --> 00:22:56,240
And so what we do have for customers is metrics that they can view such as Bastion communication status

376
00:22:56,240 --> 00:22:59,600
to see if the Bastion is actually up and reachable.

377
00:22:59,600 --> 00:23:07,480
Metrics for like total memory, CPU usage, memory usage, and then session count to see how many sessions

378
00:23:07,480 --> 00:23:11,880
were concurrently being used on the Bastion at any given time.

379
00:23:11,880 --> 00:23:17,040
These are our first ways of metrics that we're offering to customers.

380
00:23:17,040 --> 00:23:25,800
And then aside from that, you can also see basic Bastion logs to understand when it was used to connect to what VM.

381
00:23:25,800 --> 00:23:33,800
Over time, that will expand to include more specific logging of who is accessing the Bastion

382
00:23:33,800 --> 00:23:43,760
and how long they're staying on it in order to offer like more options for customers who have higher compliance requirements.

383
00:23:43,760 --> 00:23:48,400
So who do you think Azure Bastion will be good for?

384
00:23:48,400 --> 00:23:59,560
Sure. So one big user persona that we consider often is the IT admin, and we've kind of discussed them before already in these questions.

385
00:23:59,560 --> 00:24:05,720
And so we're thinking about the IT admin who's managing the networking needs for their company.

386
00:24:05,720 --> 00:24:12,840
And for them, Azure Bastion needs to be easy to deploy and set up, easy to manage and configure,

387
00:24:12,840 --> 00:24:15,240
and easy for others to use.

388
00:24:15,240 --> 00:24:24,160
And so we already see this persona influencing the current Azure Bastion offering with things like it being platform managed,

389
00:24:24,160 --> 00:24:30,560
lightweight with the portal experience, and offering just general security.

390
00:24:30,560 --> 00:24:34,960
But it also shapes our feature work going forward as well.

391
00:24:34,960 --> 00:24:40,880
We ask this of all our guests, I guess, but is anything currently in preview or anything that you can talk about?

392
00:24:40,880 --> 00:24:48,240
Yeah, so we are actually just finishing up our public preview for VNet peering support for Azure Bastion.

393
00:24:48,240 --> 00:24:56,680
So customers will likely see that this preview is generally available very soon, which is exciting for us.

394
00:24:56,680 --> 00:25:03,320
Following the topic of we asked this of every guest, we always ask our guests for any final thoughts they have,

395
00:25:03,320 --> 00:25:06,280
any single idea that they would like to leave with our listeners.

396
00:25:06,280 --> 00:25:14,120
So don't access your VM via public IP if you don't have to, and you don't have to with Azure Bastion.

397
00:25:14,120 --> 00:25:16,560
It really is a simple solution.

398
00:25:16,560 --> 00:25:19,240
Our goal is for it to be lightweight and secure.

399
00:25:19,240 --> 00:25:27,360
And so customers can really just deploy their Bastion and start to use that to access VMs and eliminate the need for public IPs.

400
00:25:27,360 --> 00:25:35,120
Someday, it would be great to see all VMs in Azure getting accessed via Bastion instead of via public IP addresses

401
00:25:35,120 --> 00:25:39,680
in order to improve the security of every customer's Azure experience.

402
00:25:39,680 --> 00:25:44,120
I don't think I know of a single customer, certainly not an ideal within healthcare and finance,

403
00:25:44,120 --> 00:25:48,440
who even allow VMs to have a public IP address associated with them.

404
00:25:48,440 --> 00:25:52,400
So yeah, I think Azure Bastion will be a fantastic solution for them.

405
00:25:52,400 --> 00:25:55,360
And on that thought, thank you so much for joining us this week.

406
00:25:55,360 --> 00:25:57,760
Tanya, I really appreciate you taking the time out.

407
00:25:57,760 --> 00:25:59,000
I know you're extremely busy.

408
00:25:59,000 --> 00:26:02,760
I know you're working on a whole bunch of new features that are coming out in Bastion.

409
00:26:02,760 --> 00:26:04,200
So we really appreciate that.

410
00:26:04,200 --> 00:26:08,480
I always learn something from my guests and this was absolutely no exception.

411
00:26:08,480 --> 00:26:11,840
And for all of you out there, thank you for listening.

412
00:26:11,840 --> 00:26:13,440
Thank you for listening to our first year.

413
00:26:13,440 --> 00:26:15,680
We're really excited to have that under our belt.

414
00:26:15,680 --> 00:26:19,720
I think it's an important milestone for the podcast.

415
00:26:19,720 --> 00:26:21,400
So again, thank you for listening.

416
00:26:21,400 --> 00:26:23,400
Stay safe and we'll see you next time.

417
00:26:23,400 --> 00:26:26,280
Thanks for listening to the Azure Security Podcast.

418
00:26:26,280 --> 00:26:33,120
You can find show notes and other resources at our website azsecuritypodcast.net.

419
00:26:33,120 --> 00:26:38,000
If you have any questions, please find us on Twitter at azuresetpod.

420
00:26:38,000 --> 00:27:03,800
Background music is from ccmixter.com and licensed under the Creative Commons license.
