WEBVTT

00:00:03.660 --> 00:00:06.240
Welcome to the Azure Security Podcast, where

00:00:06.240 --> 00:00:08.759
we discuss topics relating to security, privacy,

00:00:09.039 --> 00:00:11.460
reliability, and compliance on the Microsoft

00:00:11.460 --> 00:00:16.260
Cloud Platform. Hey everybody, welcome to episode

00:00:16.260 --> 00:00:20.300
120. This week it's just myself, Michael, with

00:00:20.300 --> 00:00:23.039
a guest that we had on a few months back now,

00:00:23.600 --> 00:00:26.800
Merill, who's here to talk to us about the Zero

00:00:26.800 --> 00:00:29.679
Trust Workshop. But before we get to Merill,

00:00:29.780 --> 00:00:32.740
I have one little news item to talk about. As

00:00:32.740 --> 00:00:34.280
many of you know, many because I keep talking

00:00:34.280 --> 00:00:37.960
about it, I was in Azure Data before joining

00:00:37.960 --> 00:00:41.899
the Red team, and that includes products like

00:00:41.899 --> 00:00:44.479
Azure SQL Database, Cosmos DB, and so on. And

00:00:44.479 --> 00:00:46.460
I mainly worked on, well, obviously I worked

00:00:46.460 --> 00:00:48.159
on the security side of things, but a big part

00:00:48.159 --> 00:00:51.579
of what I worked on was cryptography. And Pieter

00:00:51.579 --> 00:00:54.539
Vanhove, who's a security PM over in the Azure

00:00:54.539 --> 00:00:57.460
data team, has written a blog post called Everything

00:00:57.460 --> 00:00:59.939
You Need to Know About Transparent Data Encryption

00:00:59.939 --> 00:01:03.740
Key Management for Database Restore. We were

00:01:03.740 --> 00:01:06.819
asked many times for sort of some of the minutiae

00:01:06.819 --> 00:01:10.540
around cryptography in SQL Server and Azure SQL

00:01:10.540 --> 00:01:13.000
Database and Cosmos DB for that matter. So it's

00:01:13.000 --> 00:01:16.099
really great to see Pieter writing this blog post

00:01:16.099 --> 00:01:19.939
explaining basically all the minutiae of cryptography

00:01:19.939 --> 00:01:22.099
in transparent data encryption key management

00:01:22.099 --> 00:01:24.620
when doing a database restore. All right, that's

00:01:24.620 --> 00:01:26.579
all the news I have. I said it would be short.

00:01:26.739 --> 00:01:29.560
So let's turn our attention to our guest. As

00:01:29.560 --> 00:01:31.700
I mentioned, our guest this week is someone we've

00:01:31.700 --> 00:01:33.920
had on the podcast before, Merill. Merill, welcome

00:01:33.920 --> 00:01:35.680
back to the podcast. We'd like to take a moment

00:01:35.680 --> 00:01:38.900
and introduce yourself to our listeners. Hey,

00:01:38.959 --> 00:01:41.459
Michael. It's good to be here. My name is Merill

00:01:41.459 --> 00:01:44.120
Fernando. I work in the Microsoft Entra customer

00:01:44.120 --> 00:01:47.640
experience team. And I'm from Melbourne, Australia.

00:01:48.060 --> 00:01:52.079
So very excited to be here. My role, my day job

00:01:52.079 --> 00:01:55.260
is to help customers deploy Microsoft Entra,

00:01:55.439 --> 00:01:58.980
secure their environments. And identity is something

00:01:58.980 --> 00:02:02.519
that takes a long time because you need, it impacts

00:02:02.519 --> 00:02:04.680
people. So it's not like an Azure feature you

00:02:04.680 --> 00:02:08.120
just turn on or deploy in the backend. It really

00:02:08.120 --> 00:02:10.280
impacts people, you know, the sign-in experience,

00:02:10.500 --> 00:02:13.979
how they get to their applications or how they're

00:02:13.979 --> 00:02:16.819
blocked from their app. So when everything's

00:02:16.819 --> 00:02:18.939
working fine, people don't even see us. It's

00:02:18.939 --> 00:02:21.460
single sign-on, it's all hidden. But when things

00:02:21.460 --> 00:02:23.780
go wrong, everyone in the world knows. You'll

00:02:23.780 --> 00:02:28.539
see newspapers and articles written and it'll

00:02:28.539 --> 00:02:30.719
come on the news saying there's a Microsoft outage

00:02:30.719 --> 00:02:34.979
and all of that. So it's a very critical, important

00:02:34.979 --> 00:02:37.960
piece of the world. But Entra is not just sign-in.

00:02:37.960 --> 00:02:41.620
There's a lot happening there. So I help

00:02:41.620 --> 00:02:45.400
big enterprise customers deploy Entra. And the

00:02:45.400 --> 00:02:49.900
key in my role as customer experience PM is to

00:02:49.900 --> 00:02:52.599
bring that feedback into Microsoft. I'm sort

00:02:52.599 --> 00:02:55.819
of like the voice of the customer in the product

00:02:55.819 --> 00:02:59.639
feature reviews and giving early feedback and

00:02:59.639 --> 00:03:03.360
involving our customers in new features and things

00:03:03.360 --> 00:03:05.960
that we work on. And these days, there's a lot

00:03:05.960 --> 00:03:09.780
happening in AI and all of that space. So it's

00:03:09.780 --> 00:03:13.280
a very busy time leading up to Ignite. Hey, so

00:03:13.280 --> 00:03:15.340
before we get on to the topic, which is the Zero

00:03:15.340 --> 00:03:19.169
Trust Workshop, You have a weekly podcast, right?

00:03:19.229 --> 00:03:20.770
So why don't you spend a little bit and just

00:03:20.770 --> 00:03:22.210
talk about that, like what sort of objectives

00:03:22.210 --> 00:03:24.669
you're trying to achieve with it? Yes, yeah.

00:03:24.789 --> 00:03:28.250
So like everything that I do and I like create

00:03:28.250 --> 00:03:30.949
a lot of tools on my website, you can go to merill.net

00:03:30.949 --> 00:03:34.069
and see some of the ones that I've created.

00:03:34.789 --> 00:03:37.250
It's something where I wanted it and it didn't

00:03:37.250 --> 00:03:39.409
exist. So I sort of like, yeah, I'll go ahead

00:03:39.409 --> 00:03:43.740
and create it. So I'm new to security. It's about

00:03:43.740 --> 00:03:46.740
like five or eight years since I came into security.

00:03:47.240 --> 00:03:52.259
I started as like a VB, VB5, VB3 programmer and

00:03:52.259 --> 00:03:56.580
been a dev my whole life. But there are a lot

00:03:56.580 --> 00:03:59.560
of dev podcasts. There's a lot in that space.

00:03:59.840 --> 00:04:03.560
You have a lot of choice to pick from. So when

00:04:03.560 --> 00:04:05.800
I came onto Entra, it was like, okay, I need

00:04:05.800 --> 00:04:08.840
to learn from people, learn from the experts,

00:04:09.039 --> 00:04:13.759
and hear what they see as the problems they are

00:04:13.759 --> 00:04:17.319
solving and so on. And I didn't really find anything

00:04:17.319 --> 00:04:21.240
on security. And Azure Security was one that

00:04:21.240 --> 00:04:22.680
I was like, oh, yeah, there's something now,

00:04:22.720 --> 00:04:25.000
at least on security. And I was very excited

00:04:25.000 --> 00:04:29.149
when you launched. Was it five? About four years?

00:04:29.149 --> 00:04:31.709
Yeah, man. I think it's about five years ago.

00:04:31.790 --> 00:04:33.470
It's crazy. Look, I'm going to be honest. I'm

00:04:33.470 --> 00:04:36.889
really kind of pretty impressed that we've been

00:04:36.889 --> 00:04:40.970
going this long. Actually, I'll make a comment.

00:04:41.050 --> 00:04:43.389
There was a comment that was made before we started

00:04:43.389 --> 00:04:46.149
this podcast where someone, I'm not going to

00:04:46.149 --> 00:04:47.529
name who it was, said, you won't have enough

00:04:47.529 --> 00:04:51.970
content to do it. And I'm like, have you been

00:04:51.970 --> 00:04:53.790
in the security space at all? It's like, really?

00:04:53.870 --> 00:04:56.720
There's going to be plenty of content. We have

00:04:56.720 --> 00:04:58.579
no problems getting people on the podcast who

00:04:58.579 --> 00:05:01.420
want to talk about security. And it's a case

00:05:01.420 --> 00:05:04.779
of just, honestly, the big impediments, if anything

00:05:04.779 --> 00:05:06.819
else, is just our time. That's all. It's a lot

00:05:06.819 --> 00:05:09.920
of work, editing and coming up with what to talk

00:05:09.920 --> 00:05:11.920
about and so on. But yeah, no problems at all.

00:05:11.980 --> 00:05:13.240
But thank you for bringing that up. Yeah, it's

00:05:13.240 --> 00:05:15.680
been about five years now. It's been crazy. So

00:05:15.680 --> 00:05:19.579
I was very keen. And so the Azure Security Podcast

00:05:19.579 --> 00:05:22.579
really filled the gap, bringing on different...

00:05:23.050 --> 00:05:26.350
PMs, feature teams, and I love learning about all

00:05:26.350 --> 00:05:28.569
the different spaces. But I come from identity

00:05:28.569 --> 00:05:32.209
and Entra, and there is very little to, like, no

00:05:32.209 --> 00:05:36.009
content. You might get like one episode in, you

00:05:36.009 --> 00:05:39.810
know, over a 12-month, 10-month period on

00:05:39.810 --> 00:05:44.750
identity. So I was like, I need to bring in, and

00:05:44.750 --> 00:05:48.290
my, uh, I had a selfish goal. I wanted to talk to

00:05:48.290 --> 00:05:50.910
very interesting people. And it's a way to build

00:05:50.910 --> 00:05:53.930
up a lot of friendships and, you know, connect

00:05:53.930 --> 00:05:57.410
with people. So I've had a lot of fun. I made

00:05:57.410 --> 00:06:00.029
it a weekly one. And so, yeah, if someone said

00:06:00.029 --> 00:06:02.750
it's a challenge for security, I'm doing just

00:06:02.750 --> 00:06:05.810
on Entra. It's called Entra Chat, entra.chat.

00:06:06.110 --> 00:06:08.689
I got the domain as well. So it was really good.

00:06:09.279 --> 00:06:12.319
So if you head over to entra.chat, I'm at week

00:06:12.319 --> 00:06:15.759
25 now. So it's like 25 episodes. It's a baby

00:06:15.759 --> 00:06:19.379
compared to the Azure Security Podcast. But there

00:06:19.379 --> 00:06:22.399
are people who are in the space, identity, IAM

00:06:22.399 --> 00:06:26.139
experts. For me, I'm not looking for like a big

00:06:26.139 --> 00:06:29.060
audience, but people who are really in this space

00:06:29.060 --> 00:06:32.860
for them to see what others are doing, learn

00:06:32.860 --> 00:06:36.680
from them. And especially IAM is not a field

00:06:36.680 --> 00:06:39.500
where you go and train for it. It's an

00:06:39.500 --> 00:06:41.560
area where people actually fall into this domain

00:06:41.560 --> 00:06:44.319
by accident. Like, they're just put in

00:06:44.319 --> 00:06:47.720
as the M365 admin or they're an Exchange admin.

00:06:47.720 --> 00:06:51.360
Most of the time it's an Exchange or AD admin.

00:06:52.829 --> 00:06:55.269
And this whole space is new to them. They learn

00:06:55.269 --> 00:06:58.370
on the go. There are no like courses that you

00:06:58.370 --> 00:07:01.870
can follow to become an identity or IAM, access

00:07:01.870 --> 00:07:04.870
management expert. There are some vendor related

00:07:04.870 --> 00:07:07.430
things. There is no like a degree, et cetera,

00:07:07.449 --> 00:07:10.649
even that you do. So it's a very unique space,

00:07:10.829 --> 00:07:14.290
but it's like I see people share on Twitter and

00:07:14.290 --> 00:07:17.470
so on. It does pay well because it's a very niche

00:07:17.470 --> 00:07:20.550
space as well. So from a career perspective,

00:07:20.949 --> 00:07:23.660
it's really good. Because every company needs

00:07:23.660 --> 00:07:27.240
identity. You can take out other products and

00:07:27.240 --> 00:07:30.980
services, but every org needs identity. And it's

00:07:30.980 --> 00:07:34.699
now at the forefront of a lot of the security

00:07:34.699 --> 00:07:37.459
initiatives. And I'll talk about the Zero Trust

00:07:37.459 --> 00:07:41.199
Workshop and the SFI initiatives we have. If

00:07:41.199 --> 00:07:44.100
you see the pillars that Microsoft has from SFI,

00:07:44.160 --> 00:07:47.660
a lot of the work that we're doing to fix things

00:07:47.660 --> 00:07:50.860
is at the identity layer and the control plane,

00:07:52.250 --> 00:07:55.490
very central to every organization. There is

00:07:55.490 --> 00:07:58.290
no clear -cut path to learn from it. And that's

00:07:58.290 --> 00:08:01.290
the whole reason I started the Entra Chat to bring,

00:08:01.449 --> 00:08:05.670
and I bring a mix of lots of MVPs and customers.

00:08:06.149 --> 00:08:09.949
My two, like the very popular episodes, one with

00:08:09.949 --> 00:08:14.230
the McDonald's identity architect, George, and

00:08:14.230 --> 00:08:17.110
they manage like 1 million users in their tenant,

00:08:17.310 --> 00:08:19.990
right? So this is like a global thing, 1 million

00:08:19.990 --> 00:08:23.319
tenants. Challenges they face are unique, but

00:08:23.319 --> 00:08:26.360
at the same time, there's a lot that every identity

00:08:26.360 --> 00:08:28.899
admin faces the challenges some of that, you

00:08:28.899 --> 00:08:31.160
know, the folks at McDonald's face with the same,

00:08:31.199 --> 00:08:35.419
you know, Entra suite that everyone is using,

00:08:35.539 --> 00:08:39.740
Entra ID. Whether you're like 1 million users

00:08:39.740 --> 00:08:42.620
in your tenant or whether you have 10 to 100

00:08:42.620 --> 00:08:45.840
users in your tenant, you're using the same portal

00:08:45.840 --> 00:08:48.179
to manage all of this. So there's a lot of knowledge

00:08:48.179 --> 00:08:51.639
that we can learn from each other and so on.

00:08:51.700 --> 00:08:55.559
So it's been very fun doing that on a weekly

00:08:55.559 --> 00:08:59.039
basis, getting feature PMs, talking about their

00:08:59.039 --> 00:09:01.700
products, getting MVPs who have lots of experience

00:09:01.700 --> 00:09:06.240
coming in and sharing. Yeah, so I've had a lot

00:09:06.240 --> 00:09:08.659
of fun. It's never a challenge to find people.

00:09:08.659 --> 00:09:11.659
I have people, like a lot of people, asking me

00:09:11.659 --> 00:09:13.360
to come on the podcast because they have stories

00:09:13.360 --> 00:09:16.220
to tell and I try to focus more on that because

00:09:16.220 --> 00:09:19.179
it's a podcast. We just talk and share stories.

00:09:19.320 --> 00:09:21.220
You know, how do you learn? Because I don't want

00:09:21.220 --> 00:09:23.519
them to sit through like just a feature description

00:09:23.519 --> 00:09:27.620
about how a particular feature works. But, you

00:09:27.620 --> 00:09:31.820
know, how they think that happened, like, you

00:09:31.820 --> 00:09:35.000
know, the stories, the water cooler stories,

00:09:35.080 --> 00:09:38.100
because those are areas I feel people can learn

00:09:38.100 --> 00:09:41.620
and relate to as well to what they're doing in

00:09:41.620 --> 00:09:44.370
their day job. Let's finish bringing that up.

00:09:44.389 --> 00:09:46.909
When we recorded the episode with Mark Russinovich,

00:09:46.970 --> 00:09:49.649
we had an agenda to go through. We didn't stick

00:09:49.649 --> 00:09:54.889
even closely to it. Mark started meandering off

00:09:54.889 --> 00:09:57.389
into things and then I helped meander even further.

00:09:57.669 --> 00:09:59.649
I found a couple of rabbit holes to go down.

00:10:00.190 --> 00:10:02.090
Mark Simos was the one who sort of pulled us

00:10:02.090 --> 00:10:04.809
back up into reality. It was actually kind of

00:10:04.809 --> 00:10:07.470
funny, but it was a great episode because it

00:10:07.470 --> 00:10:10.519
was just a couple of nerds, you know, talking

00:10:10.519 --> 00:10:12.519
about post-quantum cryptography, it was really

00:10:12.519 --> 00:10:15.559
a good episode. But you're right. I mean, you

00:10:15.559 --> 00:10:17.240
also get to meet a lot of good people. And I

00:10:17.240 --> 00:10:20.820
think that's critically important too. All right,

00:10:20.820 --> 00:10:22.139
so let's get back. Talking about going down a

00:10:22.139 --> 00:10:26.299
rabbit hole. So let's get to the actual topic

00:10:26.299 --> 00:10:28.860
of this podcast, which is the Zero Trust Workshop.

00:10:29.539 --> 00:10:31.899
So why don't you tell us the origin story for

00:10:31.899 --> 00:10:33.820
the Zero Trust Workshop? And hopefully on the

00:10:33.820 --> 00:10:35.720
way, you explain kind of Zero Trust as well.

00:10:36.649 --> 00:10:39.309
Yes, yeah, absolutely. So the origin story is

00:10:39.309 --> 00:10:42.690
it didn't even start off as zero trust. We in

00:10:42.690 --> 00:10:46.230
identity saw that when we go to customers and

00:10:46.230 --> 00:10:49.750
we tell them to do things, there are certain

00:10:49.750 --> 00:10:52.330
things that need to be done like in a sequence.

00:10:52.330 --> 00:10:55.129
So, for example, if you tell one of the best

00:10:55.129 --> 00:10:58.169
practice we tell is, you need to do device compliance,

00:10:58.429 --> 00:11:01.490
right? When someone is signing into your application,

00:11:01.710 --> 00:11:04.070
signing into your tenant, you need to say, okay,

00:11:04.110 --> 00:11:06.470
are they coming from a known device? Does it

00:11:06.470 --> 00:11:10.129
have the firewall turned on? Does it have antivirus

00:11:10.129 --> 00:11:13.289
deployed? Is it compliant? Does it have BitLocker

00:11:13.289 --> 00:11:15.750
encryption turned on? So there are all those

00:11:15.750 --> 00:11:17.429
things that you need to do. So we tell them,

00:11:17.470 --> 00:11:19.330
look, you must have a conditional access policy

00:11:19.330 --> 00:11:23.370
that knows whether you're coming from a device

00:11:23.370 --> 00:11:26.169
that is secure, it doesn't have malware on it,

00:11:26.399 --> 00:11:29.779
et cetera, versus something you have from somewhere

00:11:29.779 --> 00:11:33.159
else. And that would include the Linux and Mac

00:11:33.159 --> 00:11:35.340
analogs to all of those things as well, right?

00:11:35.480 --> 00:11:38.860
Yes, absolutely, yeah. It's like cross-platform

00:11:38.860 --> 00:11:43.639
as well. So our best practice is, yeah, just

00:11:43.639 --> 00:11:46.279
do this, turn on this policy. But before you

00:11:46.279 --> 00:11:48.860
can even get to that, you need to make sure that

00:11:48.860 --> 00:11:51.059
the device is managed, is the device enrolled

00:11:51.059 --> 00:11:54.000
into Intune. If you're doing a domain join device,

00:11:54.240 --> 00:11:56.019
there is something you need to do called Entra

00:11:56.019 --> 00:11:59.820
hybrid join. And Entra hybrid join, you can't

00:11:59.820 --> 00:12:02.259
just flick one switch. You need to do things

00:12:02.259 --> 00:12:04.059
like in the Entra Connect sync, you need to

00:12:04.059 --> 00:12:06.240
configure the connect sync, make sure the devices

00:12:06.240 --> 00:12:09.580
are synced from on-premises to Entra ID. So

00:12:09.580 --> 00:12:12.179
there's a whole bunch of steps you need to do

00:12:12.179 --> 00:12:15.179
before you can turn it on. And I've been in customer

00:12:15.179 --> 00:12:17.879
projects where it's taken like six months, sometimes

00:12:17.879 --> 00:12:20.639
even a year to do that one thing to get

00:12:20.639 --> 00:12:23.200
the devices Entra joined when you're talking

00:12:23.200 --> 00:12:28.159
like 100,000 devices across the company. So

00:12:28.159 --> 00:12:30.899
what might be like a simple activity is it takes

00:12:30.899 --> 00:12:34.120
a lot of time to do it. And a lot of people don't

00:12:34.120 --> 00:12:36.940
know that. Like my role is to help customers,

00:12:37.139 --> 00:12:39.720
you know, walk them through these plans and we

00:12:39.720 --> 00:12:43.240
have SMEs who, you know, help in that flow. But

00:12:43.240 --> 00:12:45.799
what we realized is there's always like a sequence

00:12:45.799 --> 00:12:49.080
of things you need to do. And customers are very

00:12:49.080 --> 00:12:51.480
paralyzed. I don't even know where to start.

00:12:51.820 --> 00:12:54.399
There's so much to do. Even if you take something

00:12:54.399 --> 00:12:58.120
as simple as rolling out MFA to everyone, there's

00:12:58.120 --> 00:13:00.440
a lot you need to do. You need to make sure that

00:13:00.440 --> 00:13:03.539
they're using devices that are capable of doing.

00:13:03.580 --> 00:13:06.519
If you want to enforce authenticator, what version

00:13:06.519 --> 00:13:09.340
of the mobile are people using? There's a lot

00:13:09.340 --> 00:13:12.100
of work that they need to do to plan for those.

00:13:12.600 --> 00:13:15.740
So that's how it started out as just identity.

00:13:16.860 --> 00:13:20.000
All of our, like my team, we have like 100 plus

00:13:20.000 --> 00:13:22.759
people spread out across the globe. And each

00:13:22.759 --> 00:13:24.899
region has different challenges from Germany,

00:13:24.899 --> 00:13:28.799
having European challenges to the US folks and

00:13:28.799 --> 00:13:32.340
in Australia as well. So we sort of took our

00:13:32.340 --> 00:13:34.139
collective knowledge and we were like, how do

00:13:34.139 --> 00:13:37.889
we communicate this to people. It started

00:13:37.889 --> 00:13:40.929
as like a PowerPoint deck, like Mark would know,

00:13:40.970 --> 00:13:43.929
Mark Simos would. We had this PowerPoint slide

00:13:43.929 --> 00:13:46.190
which said, you know, these are the things you

00:13:46.190 --> 00:13:48.789
need to do. And there were all these slides that

00:13:48.789 --> 00:13:52.990
were there. And then what we did is we moved

00:13:52.990 --> 00:13:56.230
into like an Excel sheet. So I came up with the

00:13:56.230 --> 00:13:59.350
idea, like let's make people flick, like we do

00:13:59.350 --> 00:14:02.830
a way where we ask questions from customers,

00:14:03.500 --> 00:14:06.340
we can say what state they are in. So we came

00:14:06.340 --> 00:14:09.559
up with the idea of creating a spreadsheet. So

00:14:09.559 --> 00:14:12.779
we have the Zero Trust Workshop now where you

00:14:12.779 --> 00:14:16.100
can go download the spreadsheet. It has the knowledge

00:14:16.100 --> 00:14:19.120
of lots of different SMEs. It's evolved from

00:14:19.120 --> 00:14:21.500
identity to lots of other pillars and we'll get

00:14:21.500 --> 00:14:25.820
into them. And what you do is, you can set

00:14:25.820 --> 00:14:29.159
up a workshop with a customer and you can go

00:14:29.159 --> 00:14:32.039
through a sequence of these questions with them.

00:14:32.100 --> 00:14:33.759
Have you done this? Have you done this? Like

00:14:33.759 --> 00:14:37.659
one of the first things we ask is, have you stopped

00:14:37.659 --> 00:14:41.340
acquiring apps that have legacy authentication?

00:14:41.440 --> 00:14:44.720
Like we consider like Kerberos and LDAP legacy

00:14:44.720 --> 00:14:47.580
because you can't apply conditional access on

00:14:47.580 --> 00:14:50.000
them. Like they're just network level protocols.

00:14:50.340 --> 00:14:53.320
There's no way to have checks in the middle,

00:14:53.320 --> 00:14:56.960
whereas with the modern auth like OIDC and OpenID,

00:14:56.960 --> 00:15:01.019
OpenID Connect, SAML, with the modern authentication

00:15:01.019 --> 00:15:04.460
you can actually have policies that do the device

00:15:04.460 --> 00:15:07.940
checks, that can do a lot more things in between

00:15:07.940 --> 00:15:10.460
before we allow the user to access the application.

00:15:10.460 --> 00:15:14.879
So one big question is, have you stopped procuring

00:15:14.879 --> 00:15:17.259
those products? Like, have you, in your organization?

00:15:17.259 --> 00:15:20.259
So it's not even a technology thing. It's like

00:15:20.259 --> 00:15:22.320
you go to the procurement team and tell them,

00:15:22.320 --> 00:15:25.279
like, this is one of the criteria, like don't

00:15:25.279 --> 00:15:30.500
acquire apps that are not working on modern authentication.

00:15:31.139 --> 00:15:35.700
So that workshop embodies a lot of all of our

00:15:35.700 --> 00:15:38.639
knowledge and best practices that we poured into

00:15:38.639 --> 00:15:42.940
that. And I can talk a lot more about, you know,

00:15:42.960 --> 00:15:46.120
what we've done in that space. And it's now evolved

00:15:46.700 --> 00:15:50.620
to a lot more than just Entra. And it's growing.

00:15:50.720 --> 00:15:53.799
We have some big plans for it. You bring up Kerberos.

00:15:53.820 --> 00:15:58.059
So what is it about OpenID Connect that makes

00:15:58.059 --> 00:16:02.700
it conditional-access-able, and Kerberos not?

00:16:02.980 --> 00:16:05.120
What is it that, I'm not going to say unique

00:16:05.120 --> 00:16:07.679
to it, but what is it that we look for? Yes,

00:16:07.679 --> 00:16:11.200
that's a really good question, right? When we

00:16:11.200 --> 00:16:14.960
say legacy protocols with Kerberos, NTLM, basic

00:16:14.960 --> 00:16:16.840
authentication, the ones we were used to from

00:16:16.840 --> 00:16:21.539
the 90s, and people, if you're in legacy, in

00:16:21.539 --> 00:16:23.600
enterprise today, it's still used heavily, right?

00:16:23.659 --> 00:16:26.860
You go to some website, most of the time it just

00:16:26.860 --> 00:16:28.980
works, but suddenly you see a Windows pop-up

00:16:28.980 --> 00:16:31.299
dialog asking you for the username and password,

00:16:31.419 --> 00:16:35.539
then you need to fill that in. So those are using

00:16:36.519 --> 00:16:40.059
what we call chatty protocols, because they were

00:16:40.059 --> 00:16:41.899
created for the world, which was for a different

00:16:41.899 --> 00:16:47.000
era, right? Like the 80s, 90s eras, when the

00:16:47.000 --> 00:16:49.960
LANs and servers just first came into being.

00:16:50.139 --> 00:16:53.559
And they all connected over local network. They

00:16:53.559 --> 00:16:57.440
would keep talking back to the server whenever

00:16:57.440 --> 00:17:00.159
the user tried to do anything. So there's a lot

00:17:00.159 --> 00:17:03.340
of traffic going back and forth. It works really

00:17:03.340 --> 00:17:05.990
well when you're on the LAN. But once you move

00:17:05.990 --> 00:17:09.450
to the internet and you have people from all

00:17:09.450 --> 00:17:12.130
over the world and the whole latency of doing

00:17:12.130 --> 00:17:16.410
things, it becomes really unusable. So those

00:17:16.410 --> 00:17:19.910
protocols don't really work well in the internet

00:17:19.910 --> 00:17:22.170
era and especially like with mobiles, right?

00:17:22.990 --> 00:17:25.829
Your battery would just die with all the pinging

00:17:25.829 --> 00:17:28.650
that happens because every time you do something,

00:17:28.789 --> 00:17:31.289
there are three parties in the old protocol.

00:17:31.430 --> 00:17:33.690
There is the Windows Domain Controller, there

00:17:33.690 --> 00:17:36.289
is the Windows Server that you are using, and

00:17:36.289 --> 00:17:38.069
the actual application server you're accessing.

00:17:38.509 --> 00:17:40.630
There are all these three, and if the Domain

00:17:40.630 --> 00:17:42.869
Controller goes down, you lose access to your

00:17:42.869 --> 00:17:46.970
application, right? And you can't really do a

00:17:46.970 --> 00:17:49.559
lot there. With Entra and the new protocols,

00:17:50.019 --> 00:17:52.960
we have this, we moved to tokens. Like there

00:17:52.960 --> 00:17:56.579
is this MS Build TikTok I keep seeing all the

00:17:56.579 --> 00:17:59.900
time where they ask people tokens or passwords.

00:18:00.359 --> 00:18:04.980
And Mark, Mark, like they ask everyone and they

00:18:04.980 --> 00:18:08.420
go, like everyone goes tokens. Because the new

00:18:08.420 --> 00:18:12.220
identity world is built on these modern protocols.

00:18:12.339 --> 00:18:15.349
We realized, like, Kerberos and all of that's

00:18:15.349 --> 00:18:17.690
not going to work. So the whole world came up

00:18:17.690 --> 00:18:21.910
with these protocols where you get a token and

00:18:21.910 --> 00:18:25.730
for one hour, usually an hour, you don't need

00:18:25.730 --> 00:18:27.950
to go back to the identity provider. So even

00:18:27.950 --> 00:18:30.990
if, for example, Entra goes down, you can still

00:18:30.990 --> 00:18:33.410
be using your application for that one hour,

00:18:33.490 --> 00:18:37.930
however long that token that you have. You don't

00:18:37.930 --> 00:18:41.130
need all three parties involved in that mix.

00:18:43.240 --> 00:18:45.740
One of the key things it does is it does a web-based

00:18:45.740 --> 00:18:49.480
authentication. So there's a flow there

00:18:49.480 --> 00:18:52.460
where there's a web-based auth, which allows

00:18:52.460 --> 00:18:55.299
Entra to do a lot of things in the browser. Like

00:18:55.299 --> 00:18:58.079
it can check for certs on the device. It can

00:18:58.079 --> 00:19:00.940
check what IP location you're coming from. There

00:19:00.940 --> 00:19:04.000
are all these activities that are happening with

00:19:04.000 --> 00:19:06.900
conditional access being as a policy engine for

00:19:06.900 --> 00:19:09.670
Microsoft that can go and evaluate all these

00:19:09.670 --> 00:19:12.190
things before saying, okay, I'm now going to

00:19:12.190 --> 00:19:15.049
let you access the application so you are allowed

00:19:15.049 --> 00:19:17.890
to go, which you can't do with Kerberos. All

00:19:17.890 --> 00:19:20.670
it does is when it comes to the server in that

00:19:20.670 --> 00:19:24.450
protocol, it just says these are the user's credentials,

00:19:24.450 --> 00:19:28.869
like the basic username, password, or the Kerberos

00:19:28.869 --> 00:19:31.650
token that it has, a ticket that comes with it.

00:19:31.910 --> 00:19:35.599
It has no context about the IP address of

00:19:35.599 --> 00:19:37.579
the user, where they're coming from, what sort

00:19:37.579 --> 00:19:40.579
of device they're coming from. Not even whether

00:19:40.579 --> 00:19:45.039
I would say if it's a Mac or Windows. As long

00:19:45.039 --> 00:19:48.039
as the protocol was meeting the requirements,

00:19:48.240 --> 00:19:53.140
it was let through. So that was a huge change

00:19:53.140 --> 00:19:56.119
from the old world to the new world. And almost

00:19:56.119 --> 00:19:58.119
everything today is built on the new protocol.

00:19:58.200 --> 00:20:02.970
But most people are... I wouldn't say lazy, but

00:20:02.970 --> 00:20:04.950
they sort of stick to the old things and they're

00:20:04.950 --> 00:20:07.869
like, yeah, let's just use Kerberos. Like, it's

00:20:07.869 --> 00:20:11.789
there, so let's keep using it. But if you want

00:20:11.789 --> 00:20:15.009
to do zero trust, especially, you need to stop

00:20:15.009 --> 00:20:18.890
using those legacy apps and legacy protocols.

00:20:20.049 --> 00:20:22.549
Microsoft, we're actively trying to kill some

00:20:22.549 --> 00:20:24.069
of those older ones, like, you know, relying

00:20:24.069 --> 00:20:27.470
on things like Samba and so on. It's funny you

00:20:27.470 --> 00:20:30.579
should bring that up. I was the security PM

00:20:30.579 --> 00:20:33.819
for IIS 5, the web server. And that was the version

00:20:33.819 --> 00:20:35.700
of the web server that integrated Kerberos for

00:20:35.700 --> 00:20:37.819
the first time. So you're saying that all my

00:20:37.819 --> 00:20:39.880
work I did back then is now, well, it's all for

00:20:39.880 --> 00:20:43.900
nothing. That is tight at the time. It was really,

00:20:43.980 --> 00:20:46.940
really cool. It was awesome. I mean, we could

00:20:46.940 --> 00:20:50.880
make a connection to, we could actually flow

00:20:50.880 --> 00:20:52.480
the identity through the environment. It was

00:20:52.480 --> 00:20:56.289
really, really, really nice. I mean, for me,

00:20:56.369 --> 00:20:58.670
it is still awesome to this day, especially when

00:20:58.670 --> 00:21:02.390
it comes to as a developer. With Kerberos, I

00:21:02.390 --> 00:21:04.710
didn't have to do anything. I just wrote my ASP,

00:21:04.750 --> 00:21:07.869
classic ASP or ASP.NET app, threw it on IIS,

00:21:08.109 --> 00:21:10.990
and suddenly when someone came to my site, I

00:21:10.990 --> 00:21:14.329
knew who the user was. I wrote zero code. I just

00:21:14.329 --> 00:21:16.930
write one line and say user .identity, and it

00:21:16.930 --> 00:21:20.289
lets me know who the user's details are. That

00:21:20.289 --> 00:21:24.680
flexibility hasn't come to... the modern

00:21:24.680 --> 00:21:28.140
auth. It's very complicated. Like, even I keep, I

00:21:28.140 --> 00:21:31.339
struggle with OIDC and the protocol and the tokens

00:21:31.339 --> 00:21:36.160
and ID token and OAuth, and like it's a very complex

00:21:36.160 --> 00:21:39.539
subject on its own, and devs struggle a lot. Like,

00:21:39.539 --> 00:21:42.539
as a dev, I'm building an application, you know,

00:21:42.539 --> 00:21:44.440
building it on Azure. I'm worried about the business

00:21:44.440 --> 00:21:46.980
story and the business scenario. Authentication

00:21:46.980 --> 00:21:52.170
always, always gets in the way. And it's such a

00:21:52.170 --> 00:21:56.630
complex thing that it's a huge beast. Devs don't

00:21:56.630 --> 00:22:00.269
really understand it. It took me a long time

00:22:00.269 --> 00:22:03.029
to understand it, even as a dev. And even now

00:22:03.029 --> 00:22:06.150
I keep forgetting like, oh, ID token, refresh

00:22:06.150 --> 00:22:09.029
token, and the audience claim and this claim.

00:22:09.130 --> 00:22:12.210
Like you can do the wrong thing and like the

00:22:12.210 --> 00:22:15.069
code will still work. It's a less secure product.

00:22:15.750 --> 00:22:20.470
So that simplicity of Kerberos hasn't come to

00:22:20.470 --> 00:22:22.170
the dev side. Like today, if you're going to

00:22:22.170 --> 00:22:25.230
do modern auth, you need to write like hundreds

00:22:25.230 --> 00:22:29.009
of lines of code. With Microsoft, we try to simplify

00:22:29.009 --> 00:22:32.279
it. We create this library called MSAL. And we

00:22:32.279 --> 00:22:35.019
say, yeah, put this in, follow this pattern and

00:22:35.019 --> 00:22:37.480
everything will just work because we have a whole

00:22:37.480 --> 00:22:40.420
team building that library and they keep updating

00:22:40.420 --> 00:22:42.579
it with all of, you know, we find new vulnerabilities,

00:22:42.779 --> 00:22:46.480
they fix that library. It's a complex topic.

00:22:46.539 --> 00:22:48.740
You need to know a lot about the OIDC protocol

00:22:48.740 --> 00:22:52.960
and all of that. But Kerberos, and that's why

00:22:52.960 --> 00:22:55.400
they're still popular because... The vendors,

00:22:55.559 --> 00:22:58.480
all of them, they just like it because you don't

00:22:58.480 --> 00:23:00.000
really even need to think about it. There is

00:23:00.000 --> 00:23:03.299
no certificates. There is no configuration needed.

00:23:04.180 --> 00:23:08.859
So it's an amazing experience for devs from that

00:23:08.859 --> 00:23:14.460
side of it. You can thank me later. We need to

00:23:14.460 --> 00:23:16.660
crack the nut on that one. I agree with you.

00:23:16.700 --> 00:23:19.660
When I wrote with Heinrich and Simone, when I

00:23:19.660 --> 00:23:21.440
wrote Designing and Developing Secure Azure Solutions,

00:23:21.839 --> 00:23:24.720
I wrote the identity chapter. And it was hard

00:23:24.720 --> 00:23:28.140
to write because the stuff is so complex. And

00:23:28.140 --> 00:23:30.220
I hark back to when I wrote a book on Windows

00:23:30.220 --> 00:23:33.900
2000 and included Kerberos and IIS. It was easy.

00:23:34.359 --> 00:23:38.900
It was really, really easy. But anyway, why don't

00:23:38.900 --> 00:23:40.720
we get back to the topic at hand? I think you

00:23:40.720 --> 00:23:43.880
and I, we should just, you know, if we start

00:23:43.880 --> 00:23:44.940
talking about something else, we should just

00:23:44.940 --> 00:23:46.559
like pull ourselves back out of the rabbit hole.

00:23:47.839 --> 00:23:49.640
This is one thing I love about podcasts, right?

00:23:49.700 --> 00:23:52.579
Is that some things like that are really, really

00:23:52.579 --> 00:23:55.019
interesting. And I think we need to make things

00:23:55.019 --> 00:23:57.559
like that more public. Some things are not as

00:23:57.559 --> 00:24:00.119
easy as perhaps they used to be, but they're

00:24:00.119 --> 00:24:02.019
more secure and they're more flexible and like

00:24:02.019 --> 00:24:04.720
you say, with conditional access and so on. And

00:24:04.720 --> 00:24:07.140
the rationale and the reasons why they are the

00:24:07.140 --> 00:24:09.819
way they are are sometimes lost. And so I think

00:24:09.819 --> 00:24:11.599
that's great that you bring those topics up,

00:24:11.660 --> 00:24:14.539
but we are so far away from the Zero Trust Workshop

00:24:14.539 --> 00:24:17.880
at this point. So let me bring ourselves back

00:24:17.880 --> 00:24:20.059
in and say, okay, now we've gone through the

00:24:20.059 --> 00:24:21.579
origin story. By the way, I love the idea of

00:24:21.579 --> 00:24:24.960
the fact that it was, you know, basically necessity

00:24:24.960 --> 00:24:27.220
being the mother of invention, right? There's

00:24:27.220 --> 00:24:28.779
something that was needed and you invented it.

00:24:28.839 --> 00:24:32.160
And I think that's always great when things are

00:24:32.160 --> 00:24:34.759
sort of built from the grassroots upwards. So

00:24:34.759 --> 00:24:37.519
what is the Zero Trust Workshop and how is it

00:24:37.519 --> 00:24:39.099
sort of delivered to customers? How can people

00:24:39.099 --> 00:24:43.529
use it? You know, give us a scoop. Yeah, so essentially

00:24:43.529 --> 00:24:47.569
what we did is I'm an SME on Entra and Identity.

00:24:47.569 --> 00:24:50.150
And in Microsoft security, it's a huge stack.

00:24:51.009 --> 00:24:54.730
It's a huge business at Microsoft as well under

00:24:54.730 --> 00:24:56.930
Charlie Bell. And there are lots of different

00:24:56.930 --> 00:24:59.490
services and products. So when you say zero trust.

00:25:00.089 --> 00:25:02.150
Most people think of, oh, if I just do a zero

00:25:02.150 --> 00:25:05.410
trust network access, I deploy it and yay, now

00:25:05.410 --> 00:25:08.109
I'm zero trust. But it's actually a lot more

00:25:08.109 --> 00:25:10.650
than all of that, right? Like there's a lot we

00:25:10.650 --> 00:25:13.029
need to do. Like we took the example of legacy

00:25:13.029 --> 00:25:15.990
protocols and legacy apps. Like you need to modernize

00:25:15.990 --> 00:25:18.849
your apps and that's no product you can buy that

00:25:18.849 --> 00:25:21.630
can fix it. You need to do this whole work to

00:25:21.630 --> 00:25:24.069
go and get rid of all these legacy apps in your

00:25:24.069 --> 00:25:27.339
environment or, you know, wrap them into a way

00:25:27.339 --> 00:25:29.859
that they're more secure. It's a whole company

00:25:29.859 --> 00:25:33.279
strategy on moving to newer modern ways of doing

00:25:33.279 --> 00:25:36.059
things that you can secure. So it's not just

00:25:36.059 --> 00:25:39.400
about getting a product and deploying it. It's

00:25:39.400 --> 00:25:41.980
a whole thinking around how you would do zero

00:25:41.980 --> 00:25:44.559
trust where you don't trust anything just because

00:25:44.559 --> 00:25:47.099
it comes with a, you know, token or credential.

00:25:47.099 --> 00:25:52.640
So what we did with the Zero Trust Workshop is

00:25:52.640 --> 00:25:56.599
we started with identity and our customers loved

00:25:56.599 --> 00:25:59.900
it. What we do is we run a workshop. We bring

00:25:59.900 --> 00:26:04.079
everyone in from identity and the security team

00:26:04.079 --> 00:26:07.400
and various other teams, the security operations

00:26:07.400 --> 00:26:12.099
team, and we go through this blueprint that we've

00:26:12.099 --> 00:26:15.019
created. And we ask them questions like, have

00:26:15.019 --> 00:26:17.019
you done this? Have you deployed conditional

00:26:17.019 --> 00:26:19.640
access? Have you, not even before you deploy,

00:26:19.779 --> 00:26:21.779
do you have a design for conditional access?

00:26:21.859 --> 00:26:24.619
What is your conditional access strategy, right?

00:26:24.700 --> 00:26:27.640
Should everyone be able to come into your network

00:26:27.640 --> 00:26:31.000
or do you have a policy that says maybe when

00:26:31.000 --> 00:26:33.519
you're accessing Azure, you need to be only on

00:26:33.519 --> 00:26:37.440
a fixed device, like a known device, or whether

00:26:37.440 --> 00:26:40.160
you come from a particular network. you need

00:26:40.160 --> 00:26:41.859
to come up with your strategy for that. So we

00:26:41.859 --> 00:26:45.119
walk them through these questions from, are you

00:26:45.119 --> 00:26:47.680
using legacy apps? Are you doing this? Are you

00:26:47.680 --> 00:26:51.839
still using things like access reviews? Like

00:26:51.839 --> 00:26:54.579
are people, do you regularly review who has access

00:26:54.579 --> 00:26:57.119
to your Azure environment, right? Every three

00:26:57.119 --> 00:27:00.299
months, has someone moved roles and do they still

00:27:00.299 --> 00:27:03.500
have access to a Cosmos DB that they shouldn't

00:27:03.500 --> 00:27:06.579
have access to? They are no longer in HR, they

00:27:06.579 --> 00:27:08.839
move to something else, but they still have access

00:27:08.839 --> 00:27:11.079
to maybe, you know, payroll and other information

00:27:11.079 --> 00:27:13.539
which they don't need. So all of that's part

00:27:13.539 --> 00:27:17.380
of identity governance. And we go through all

00:27:17.380 --> 00:27:21.180
these questions. It's typically a two to three

00:27:21.180 --> 00:27:24.880
hour workshop that we run just on identity because

00:27:24.880 --> 00:27:28.000
we want to give them like a full picture of what

00:27:28.000 --> 00:27:30.339
is their current state. And as we go through

00:27:30.339 --> 00:27:34.180
the workshop, we made this very visual. So there's

00:27:34.180 --> 00:27:37.180
like a roadmap with swim lanes. There are boxes

00:27:37.180 --> 00:27:40.539
for each thing. And every box or question, you

00:27:40.539 --> 00:27:43.539
have a dropdown and you can say, yeah, we haven't

00:27:43.539 --> 00:27:46.599
thought about it. Or you can say, yes, we are

00:27:46.599 --> 00:27:49.900
in the process of planning or we actually have

00:27:49.900 --> 00:27:52.099
a project that's running that's doing this. We

00:27:52.099 --> 00:27:55.259
are deploying a solution. Or you can say things

00:27:55.259 --> 00:27:59.119
like we are using a third-party solution. Like

00:27:59.119 --> 00:28:00.819
it doesn't need to be a Microsoft solution if

00:28:00.819 --> 00:28:03.660
you're using like SailPoint for identity governance

00:28:03.660 --> 00:28:08.059
or Jamf for device management. The workshop is

00:28:08.059 --> 00:28:11.099
very like we try to make it platform agnostic

00:28:11.099 --> 00:28:15.269
so it's more usable to everyone because... Every

00:28:15.269 --> 00:28:17.470
enterprise in reality has a mix of different

00:28:17.470 --> 00:28:20.670
security solutions. So it's not going all in

00:28:20.670 --> 00:28:22.750
with Microsoft. So we try to make this very pragmatic

00:28:22.750 --> 00:28:26.430
about being able to call those things out. So

00:28:26.430 --> 00:28:30.789
once you finish that, you end up with a neat

00:28:30.789 --> 00:28:34.529
roadmap of, oh, these are gaps. We haven't thought

00:28:34.529 --> 00:28:37.589
of this before. And we need to do these things.

00:28:37.710 --> 00:28:40.220
And it gives you a sequence. This is a better

00:28:40.220 --> 00:28:42.079
way to do it because we've taken the knowledge

00:28:42.079 --> 00:28:45.480
of hundreds of our practitioners who have done

00:28:45.480 --> 00:28:48.039
like thousands of customer deployments where

00:28:48.039 --> 00:28:49.940
we've gone through and done these deployments.

00:28:50.019 --> 00:28:52.440
So we've taken that essence of that knowledge

00:28:52.440 --> 00:28:55.700
of everyone and put them into this sort of workshop

00:28:55.700 --> 00:28:58.940
that you can run. And a lot of customers, like

00:28:58.940 --> 00:29:01.799
we've done this now for a few years, some of

00:29:01.799 --> 00:29:03.619
our early customers who went through this exercise,

00:29:03.779 --> 00:29:06.670
they've come back saying, This has been amazing.

00:29:06.789 --> 00:29:10.390
We went to our business stakeholders. We showed

00:29:10.390 --> 00:29:14.529
them the plan and we got funding to do this because

00:29:14.529 --> 00:29:16.289
some of these are like multi-year projects that

00:29:16.289 --> 00:29:18.730
you need to run. So they got extra funding from

00:29:18.730 --> 00:29:20.970
the business. They were able to use the workshop

00:29:20.970 --> 00:29:26.789
as an artifact for this. Gone ahead and then deployed,

00:29:26.789 --> 00:29:29.509
you know, MFA across the board and device compliance

00:29:29.509 --> 00:29:33.049
and various other projects and initiatives and

00:29:33.049 --> 00:29:35.349
they've improved their posture from where they

00:29:35.349 --> 00:29:38.230
were before, and they can clearly show, okay,

00:29:38.230 --> 00:29:40.549
this year, last year, two years ago we were at

00:29:40.549 --> 00:29:44.509
this state. Now we've come so far in the space

00:29:44.509 --> 00:29:48.369
and they've moved on. And we've also been updating

00:29:48.369 --> 00:29:51.430
the workshop because We learn things at Microsoft,

00:29:51.589 --> 00:29:55.289
like SFI happened and there are new breaches

00:29:55.289 --> 00:29:58.430
happening. We learn new things and we have new

00:29:58.430 --> 00:30:01.509
capabilities to address these different things.

00:30:01.990 --> 00:30:05.910
So we also keep updating the workshop to include

00:30:05.910 --> 00:30:10.349
the new things we learn. And so they're able

00:30:10.349 --> 00:30:12.809
to say, okay, we've come this far, but there's

00:30:12.809 --> 00:30:16.950
also more that we need to do over time. So the

00:30:16.950 --> 00:30:20.000
Zero Trust Workshop covers a number of pillars.

00:30:20.220 --> 00:30:24.480
We now have three, six pillars in there all together.

00:30:25.059 --> 00:30:27.880
For the Azure folks, we have one of the new ones

00:30:27.880 --> 00:30:31.359
we introduced is an infrastructure roadmap, and

00:30:31.359 --> 00:30:34.200
there's also a network roadmap. So the infrastructure

00:30:34.200 --> 00:30:37.980
roadmap is all about how you go about, you know,

00:30:37.980 --> 00:30:41.720
doing all of the Azure side, looking at things

00:30:41.720 --> 00:30:44.599
from servers, you know, all of the different

00:30:44.599 --> 00:30:47.420
things you need to consider for all the servers

00:30:47.420 --> 00:30:50.059
and VMs you're running? How do you set up Azure

00:30:50.059 --> 00:30:54.960
governance? How do you set up SIEM? There's a

00:30:54.960 --> 00:30:57.859
whole streamline on containers. How do you do

00:30:57.859 --> 00:31:01.980
the various Kubernetes containers, whether you're

00:31:01.980 --> 00:31:04.220
following the zero trust practices when it comes

00:31:04.220 --> 00:31:08.279
to that, and various services like Azure Arc.

00:31:08.920 --> 00:31:11.880
And there's a lot of SFI learnings that Microsoft

00:31:11.880 --> 00:31:15.500
had, and we've taken and put those in as well.

00:31:16.700 --> 00:31:20.900
So SFI is really interesting because we at Microsoft,

00:31:21.180 --> 00:31:23.420
and Michael, you'll know, we've been doing a

00:31:23.420 --> 00:31:26.920
lot of things internally at Microsoft based on

00:31:26.920 --> 00:31:30.779
SFI learnings. And just to make sure everyone

00:31:30.779 --> 00:31:33.420
who's listening knows, SFI is a secure future

00:31:33.420 --> 00:31:35.240
initiative. It's a big initiative that started

00:31:35.240 --> 00:31:38.880
quite some time ago now, basically because of

00:31:38.880 --> 00:31:40.819
some attacks that have happened on our network.

00:31:41.019 --> 00:31:43.319
There's some big changes that we're making across

00:31:43.319 --> 00:31:46.599
the board. So, for example, a really simple example

00:31:46.599 --> 00:31:49.940
is apps that are registered that have not been

00:31:49.940 --> 00:31:53.579
used in N months are basically deleted because

00:31:53.579 --> 00:31:57.559
they could be a pivot point for an attack. So,

00:31:57.559 --> 00:32:01.480
yeah, millions of unused registered apps have

00:32:01.480 --> 00:32:03.890
been removed from the environment. Other things

00:32:03.890 --> 00:32:06.829
like cleaning up passwords to use managed identities

00:32:06.829 --> 00:32:09.289
and Entra ID in general, but for applications

00:32:09.289 --> 00:32:11.329
using managed identities, lots and lots of other

00:32:11.329 --> 00:32:13.250
things. I could keep going forever, but just

00:32:13.250 --> 00:32:15.549
so everyone's aware, SFI is Secure Future Initiative.

00:32:17.029 --> 00:32:20.369
Yeah, and everyone, Satya said, security is job

00:32:20.369 --> 00:32:23.509
number one for everyone at Microsoft. So if we

00:32:23.509 --> 00:32:26.890
are assigned a ticket that's related to security,

00:32:27.130 --> 00:32:29.529
we have to drop everything else and make that

00:32:29.529 --> 00:32:31.849
the first priority and make sure we address it.

00:32:32.460 --> 00:32:37.200
before we go on to the other things. So there's

00:32:37.200 --> 00:32:41.359
a lot of learnings that we've had and a lot of

00:32:41.359 --> 00:32:43.819
things that Microsoft is doing internally, which

00:32:43.819 --> 00:32:46.099
a lot of people don't see outside. Like we do

00:32:46.099 --> 00:32:49.660
publish a quarterly report of all of Microsoft's

00:32:49.660 --> 00:32:52.220
progress in this. So we're very transparent about

00:32:52.220 --> 00:32:56.259
what we've done. A good example is like one of

00:32:56.259 --> 00:32:59.759
the attacks, the attackers used like a test tenant

00:32:59.759 --> 00:33:03.119
and then they pivoted to a corporate tenant from

00:33:03.119 --> 00:33:05.880
there. We've gone ahead and we've been shutting

00:33:05.880 --> 00:33:09.140
down all of the tenants, like millions of tenants

00:33:09.140 --> 00:33:12.980
have been deprovisioned. Now, if you need a tenant,

00:33:13.119 --> 00:33:16.440
you can't even get a dev tenant easily. You need

00:33:16.440 --> 00:33:20.000
to go through a whole process and the tenant

00:33:20.000 --> 00:33:22.940
that you get even for dev work is like, it's

00:33:22.940 --> 00:33:26.140
short-lived, like it has a... 90-day lifetime,

00:33:26.480 --> 00:33:29.019
then the tenant is completely deleted and wiped.

00:33:29.259 --> 00:33:32.359
So you need to now, you can get a trial tenant,

00:33:32.480 --> 00:33:35.119
but you need to create it every 90 days so that

00:33:35.119 --> 00:33:37.819
it makes sure there is no lingering access. And

00:33:37.819 --> 00:33:39.339
there's a whole bunch of policies that are pushed

00:33:39.339 --> 00:33:42.500
to it as well, right? I've noticed that network

00:33:42.500 --> 00:33:44.819
security groups, for example, have some strict

00:33:44.819 --> 00:33:47.099
policies on them. I mean, and you get that for

00:33:47.099 --> 00:33:50.440
free. Congratulations. But that's just it, though.

00:33:50.440 --> 00:33:52.099
It has to be the default, right? If it's not

00:33:52.099 --> 00:33:54.500
the default, then people won't... err on the

00:33:54.500 --> 00:33:56.500
side of security, and if it's the default, look,

00:33:56.579 --> 00:33:58.400
I'm going to be honest, some defaults can be

00:33:58.400 --> 00:34:01.279
painful, right? They can get in the way. But

00:34:01.279 --> 00:34:03.819
it's a secure default, and if you need to deviate

00:34:03.819 --> 00:34:05.460
from it, then so be it. But at least that's the

00:34:05.460 --> 00:34:07.619
default to start off with. And I think that's

00:34:07.619 --> 00:34:10.579
such a critically important part of SFI because

00:34:10.579 --> 00:34:14.199
the second major pillar of SFI is secure by default.

00:34:15.420 --> 00:34:18.619
So, yeah, I've spun up a, like you said, gone

00:34:18.619 --> 00:34:21.550
through all the paperwork and, you know, whatever

00:34:21.550 --> 00:34:25.769
I have to get done to get a tenant. And yeah,

00:34:25.809 --> 00:34:27.309
when I deployed it, I noticed there's a whole

00:34:27.309 --> 00:34:30.070
bunch of really good security defaults, which is

00:34:30.070 --> 00:34:33.710
a good thing. Absolutely. And that's all based

00:34:33.710 --> 00:34:36.030
on our learning. And for me, fascinating thing,

00:34:36.130 --> 00:34:37.590
this is the first time I've been at Microsoft.

00:34:37.750 --> 00:34:39.849
I haven't been here at Microsoft, you know, for

00:34:39.849 --> 00:34:41.989
the whole trustworthy computing and the other

00:34:41.989 --> 00:34:46.210
eras that Microsoft went through. I'm fascinated

00:34:46.210 --> 00:34:48.869
by Microsoft, like from the leadership down.

00:34:49.630 --> 00:34:52.550
Like how relentless they are about going and

00:34:52.550 --> 00:34:54.590
making sure it's all fixed. Like, I've worked in

00:34:54.590 --> 00:34:57.869
other enterprises before. It's never been that.

00:34:57.869 --> 00:35:00.329
Like, it's more like, okay, it's the security team's

00:35:00.329 --> 00:35:03.969
problem, like they'll do it. But here it's like

00:35:03.969 --> 00:35:07.849
relentless, the way Microsoft executes on going

00:35:07.849 --> 00:35:10.349
and fixing, like even like years down the line,

00:35:10.349 --> 00:35:13.929
making sure that these things get addressed. We

00:35:13.929 --> 00:35:16.429
have features that take sometimes years to build

00:35:16.429 --> 00:35:19.110
and you'll see a new feature pop up which was

00:35:19.110 --> 00:35:22.210
because of what we learned during, like, even Solorigate,

00:35:22.210 --> 00:35:26.820
you know, things that happened back five, six years

00:35:26.820 --> 00:35:30.340
ago, they went through and did the right thing,

00:35:30.340 --> 00:35:33.219
like, over time. So that's been really fascinating

00:35:33.219 --> 00:35:36.300
to watch from the inside for me. And it's a story

00:35:36.300 --> 00:35:39.400
I don't think many people see outside. They just

00:35:39.400 --> 00:35:41.179
see, like, you know, the reports and, you know,

00:35:41.199 --> 00:35:45.219
other things. But it's a whole culture at Microsoft

00:35:45.219 --> 00:35:48.820
that I really like, you know. I also want to

00:35:48.820 --> 00:35:50.679
pull on that a little bit. I've seen a lot of

00:35:50.679 --> 00:35:54.260
that where a feature... let's just say two years

00:35:54.260 --> 00:35:56.659
in the future. It was on the schedule for two

00:35:56.659 --> 00:35:58.360
years in the future. I'm making numbers up, right?

00:35:58.760 --> 00:36:01.039
But they got pulled forward, right? They got

00:36:01.039 --> 00:36:03.639
bumped up the list because of secure future initiative,

00:36:03.780 --> 00:36:05.960
because it's a requirement. I've seen features

00:36:05.960 --> 00:36:08.480
that didn't have managed identity support that

00:36:08.480 --> 00:36:10.199
we're going to have eventually, but all of a

00:36:10.199 --> 00:36:12.039
sudden they have managed identity support. Yes.

00:36:12.360 --> 00:36:14.679
because of SFI. Yeah, that's really good news.

00:36:15.039 --> 00:36:18.719
So really briefly, you said there are six pillars.

00:36:18.820 --> 00:36:20.579
Can you just go through those six pillars really

00:36:20.579 --> 00:36:22.659
fast and give me a couple of examples of each

00:36:22.659 --> 00:36:26.219
one? Yes, yeah. So these zero trust pillars are

00:36:26.219 --> 00:36:28.780
based on industry standards. Like you have NIST.

00:36:29.440 --> 00:36:31.719
and others who have published the Zero Trust

00:36:31.719 --> 00:36:34.440
Pillars. So the first one is identity. So in

00:36:34.440 --> 00:36:36.519
our workshop, we don't even use the product names.

00:36:36.679 --> 00:36:39.619
The first one is identity, which relates to Entra

00:36:39.619 --> 00:36:43.460
and mostly about users and groups and all of

00:36:43.460 --> 00:36:46.500
that side of things and access governance, access

00:36:46.500 --> 00:36:50.320
to apps. Then we have devices. which is, you

00:36:50.320 --> 00:36:51.960
know, what are the devices that people are accessing

00:36:51.960 --> 00:36:54.659
their network from? Because when you use Zero

00:36:54.659 --> 00:36:57.739
Trust, they're using some device, right? So mobiles

00:36:57.739 --> 00:37:01.920
to laptops and so on. So that in the Microsoft

00:37:01.920 --> 00:37:05.420
terminology is mainly about things on the Intune

00:37:05.420 --> 00:37:08.679
side of the house. So how do you enforce, like

00:37:08.679 --> 00:37:11.519
what I said, like BitLocker encryption on your

00:37:11.519 --> 00:37:14.619
device? And have you rolled that out? Have you

00:37:14.619 --> 00:37:16.599
rolled out Windows Hello for Business? You know,

00:37:16.619 --> 00:37:19.139
the whole passwordless thing. And there's so

00:37:19.139 --> 00:37:22.280
much more from the Intune side, like Defender

00:37:22.280 --> 00:37:26.219
for Endpoint about securing the device on it

00:37:26.219 --> 00:37:29.739
and all of the various XDR capabilities there

00:37:29.739 --> 00:37:33.239
as well. So that's devices. Then the biggest

00:37:33.239 --> 00:37:36.400
one is data and the most complex one. When you

00:37:36.400 --> 00:37:38.139
say data, it's like all over the place. Data

00:37:38.139 --> 00:37:42.860
from M365 in documents and emails to data in

00:37:42.860 --> 00:37:46.360
Cosmos DB, in your SQL DBs. An organization has

00:37:46.360 --> 00:37:49.119
data spread out across the board. And how are

00:37:49.119 --> 00:37:51.739
you governing the data? How do you differentiate

00:37:51.739 --> 00:37:55.980
what's very business critical to the chats that

00:37:55.980 --> 00:37:59.780
people have on Viva Engage or Yammer? Some companies

00:37:59.780 --> 00:38:02.119
just treat everything the same and they end up

00:38:02.119 --> 00:38:04.739
having a weak posture because... they are trying

00:38:04.739 --> 00:38:07.500
to put all of it in one bucket. But actually,

00:38:07.639 --> 00:38:11.079
some things like your customer data needs a very

00:38:11.079 --> 00:38:14.880
different sensitivity and encryption and things

00:38:14.880 --> 00:38:19.199
compared to just a chat that you might have with

00:38:19.199 --> 00:38:22.960
someone. So there is a whole pillar on data.

00:38:23.639 --> 00:38:26.320
And the Microsoft story there is the Purview

00:38:26.320 --> 00:38:29.179
side of the house and the capability that Purview

00:38:29.179 --> 00:38:32.789
has. Then we have network. So network is like

00:38:32.789 --> 00:38:35.550
the key, one of the big pillars. And Microsoft

00:38:35.550 --> 00:38:38.610
now, we have our own zero trust network access

00:38:38.610 --> 00:38:43.010
solution as well with Entra Private Access and

00:38:43.010 --> 00:38:46.550
Entra Internet Access. So we cover all of what

00:38:46.550 --> 00:38:49.650
you should be doing in that space. Infrastructure

00:38:49.650 --> 00:38:52.210
is what I just told you about Azure. There's

00:38:52.210 --> 00:38:54.889
a whole lot on the Azure side of the house, what

00:38:54.889 --> 00:38:59.260
you would do. And the final one is security operations.

00:38:59.420 --> 00:39:02.940
So it's a good combination of what people think

00:39:02.940 --> 00:39:06.440
about from an Azure security on an Azure security

00:39:06.440 --> 00:39:10.059
podcast. So the security operations is one of

00:39:10.059 --> 00:39:12.980
the newest pillars we added. They go into all

00:39:12.980 --> 00:39:15.900
of the Microsoft Defender suite of products and

00:39:15.900 --> 00:39:19.199
Sentinel because you need to really be seeing

00:39:19.199 --> 00:39:21.079
what's happening in your organization. You need

00:39:21.079 --> 00:39:23.880
visibility. into what your users are doing and

00:39:23.880 --> 00:39:27.099
also be able to track attackers, threat actors,

00:39:27.199 --> 00:39:30.420
and so on. So that was one of the other newest

00:39:30.420 --> 00:39:32.519
pillars we added. There are lots of services

00:39:32.519 --> 00:39:37.460
there, all the MDA, MDI, MDO suite of things,

00:39:37.679 --> 00:39:42.039
which is very comprehensive once you go through

00:39:42.039 --> 00:39:45.260
all of that. We also have some really cool new

00:39:45.260 --> 00:39:49.409
pillars that we are working on. Things like AI

00:39:49.409 --> 00:39:51.710
and agents. So that's the new thing that's going

00:39:51.710 --> 00:39:56.210
to be coming along. So we are working on adding

00:39:56.210 --> 00:39:59.289
all of those additional pillars as well. It's

00:39:59.289 --> 00:40:00.710
nice that it's so complete, right? Because a

00:40:00.710 --> 00:40:01.969
lot of people think, oh, you know, just cover

00:40:01.969 --> 00:40:04.210
this one thing and we'll be golden. But that's

00:40:04.210 --> 00:40:05.989
never the case. Shall I give you an example of

00:40:05.989 --> 00:40:09.449
why I say that? So my manager, Craig Nelson,

00:40:09.690 --> 00:40:12.050
who was on the podcast some weeks ago, he's the

00:40:12.050 --> 00:40:14.050
vice president of the red team at Microsoft.

00:40:14.889 --> 00:40:18.570
He makes a comment which is, you own your terrain.

00:40:20.170 --> 00:40:22.909
However, the terrain is different at different

00:40:22.909 --> 00:40:25.389
layers. Networking terrain is different than

00:40:25.389 --> 00:40:26.869
the identity terrain, which is different than

00:40:26.869 --> 00:40:28.610
the app terrain, which is different than the

00:40:28.610 --> 00:40:31.389
blah, blah, blah terrain. They're all different.

00:40:31.650 --> 00:40:33.469
So it's fantastic that you guys are covering

00:40:33.469 --> 00:40:36.429
all these things at different layers. Even though

00:40:36.429 --> 00:40:38.090
they may all be at the application layer, they're

00:40:38.090 --> 00:40:41.309
all sort of different. So that's really great.

00:40:41.530 --> 00:40:43.550
So how do Microsoft partners fit into all of

00:40:43.550 --> 00:40:47.190
this? Yeah, so that's one of the things like

00:40:47.190 --> 00:40:49.670
we can't do this just by Microsoft. You need

00:40:49.670 --> 00:40:52.690
a lot of SMEs. You know, you need people who

00:40:52.690 --> 00:40:55.809
have the knowledge you have done these and deployed

00:40:55.809 --> 00:40:59.429
successfully with customers. And when a customer

00:40:59.429 --> 00:41:02.610
is doing it, they can get help from our partners.

00:41:02.650 --> 00:41:04.929
So what we've been doing is we've been training

00:41:04.929 --> 00:41:07.510
a lot of Microsoft partners on how to do these

00:41:07.510 --> 00:41:10.550
workshops. And what I love is those practitioners.

00:41:11.400 --> 00:41:13.519
They have done these things. They have helped

00:41:13.519 --> 00:41:16.460
customers deploy these various solutions. They

00:41:16.460 --> 00:41:18.820
have their own learning and knowledge. With the

00:41:18.820 --> 00:41:20.880
workshop, they're able to take this blueprint

00:41:20.880 --> 00:41:24.340
and bring their knowledge and expertise and then

00:41:24.340 --> 00:41:29.239
scale it out to customers. So most of my team,

00:41:29.300 --> 00:41:31.039
we work with the large enterprise customers,

00:41:31.360 --> 00:41:34.300
but there are like hundreds and thousands. Like

00:41:34.300 --> 00:41:35.900
the large enterprise customers are maybe like

00:41:35.900 --> 00:41:39.440
10% of Microsoft's overall customers when it

00:41:39.440 --> 00:41:42.679
comes to the... products that people use. 80%

00:41:42.679 --> 00:41:45.739
you would see like small and medium businesses,

00:41:45.860 --> 00:41:49.840
you know, with 5 ,000 users, 10 ,000, even, you

00:41:49.840 --> 00:41:53.400
know, 1,000 and less. So we need to be able

00:41:53.400 --> 00:41:56.320
to go and help all of them deploy various things

00:41:56.320 --> 00:41:59.579
as well. And that's where our partners come in

00:41:59.579 --> 00:42:01.739
and partners at, you know, different scales.

00:42:01.780 --> 00:42:04.739
So they are able to take these workshops and

00:42:04.739 --> 00:42:07.019
then run it. We've been training and scaling

00:42:07.019 --> 00:42:10.590
up all of our partners on how to deliver these

00:42:10.590 --> 00:42:12.769
workshops. And they've been sharing a lot of

00:42:12.769 --> 00:42:15.050
feedback and helping improve the workshop as

00:42:15.050 --> 00:42:18.150
well. Yeah, I mean, it's easy to be in the Microsoft

00:42:18.150 --> 00:42:20.250
ivory tower sometimes. So I think it's great

00:42:20.250 --> 00:42:23.230
to see other people chiming in as well. And I'm

00:42:23.230 --> 00:42:25.449
really glad that you guys have made it essentially

00:42:25.449 --> 00:42:27.829
technology agnostic as well, which is great.

00:42:28.849 --> 00:42:31.369
So what's in the future? What are you guys looking

00:42:31.369 --> 00:42:34.369
at? I mean, I have no doubt, no doubt that AI

00:42:34.369 --> 00:42:38.429
has got some... It's somewhere involved in here

00:42:38.429 --> 00:42:42.550
somewhere. Yeah, so there is an AI and apps that

00:42:42.550 --> 00:42:47.070
we have, new pillars that will come to the workshop.

00:42:47.550 --> 00:42:50.090
Another big part of the workshop is the assessment.

00:42:50.989 --> 00:42:53.949
We have a very basic assessment today, which

00:42:53.949 --> 00:42:57.090
tells you some things that you should do. But

00:42:57.090 --> 00:42:59.369
there's something we are working on. We plan

00:42:59.369 --> 00:43:02.489
to launch it with the next SFI report that comes

00:43:02.489 --> 00:43:04.969
on. It's something I've been working on very

00:43:04.969 --> 00:43:07.469
closely with because internally at Microsoft,

00:43:07.570 --> 00:43:09.590
you've seen, right? We said, okay, apps shouldn't

00:43:09.590 --> 00:43:12.369
be using secrets. And people have had to go and

00:43:12.369 --> 00:43:15.289
remove all the secrets from their apps. We have

00:43:15.289 --> 00:43:17.670
a way to track them and, you know, know what

00:43:17.670 --> 00:43:19.849
they need to do. And our customers have been

00:43:19.849 --> 00:43:22.369
telling us, look, it's good you are doing all

00:43:22.369 --> 00:43:24.150
these things to secure your environment, but

00:43:24.150 --> 00:43:26.170
we are also running Entra, we are also running

00:43:26.170 --> 00:43:30.210
Intune and other services. Tell us how we can

00:43:30.210 --> 00:43:32.369
secure, do the same things that Microsoft is

00:43:32.369 --> 00:43:36.469
doing. So we've gone ahead and we've taken SFI

00:43:36.469 --> 00:43:39.639
learnings and we've published them. But there

00:43:39.639 --> 00:43:44.099
are like 100 plus things you need to check as

00:43:44.099 --> 00:43:46.820
part of SFI that we are doing from, you know,

00:43:46.840 --> 00:43:49.920
the network zones to so much work happening at

00:43:49.920 --> 00:43:52.739
Microsoft. So what we are trying to do is give

00:43:52.739 --> 00:43:55.639
a way for customers to run a script. We'll be

00:43:55.639 --> 00:43:58.260
sharing with them like a PowerShell module that

00:43:58.260 --> 00:44:00.940
they can run and they can get their own list

00:44:00.940 --> 00:44:05.199
of, look, you have these 100 apps that have secrets

00:44:05.199 --> 00:44:08.750
in them. These apps have secrets that are valid

00:44:08.750 --> 00:44:13.030
for 10 years, which means anyone who's worked

00:44:13.030 --> 00:44:16.010
at the company, they will have access because

00:44:16.010 --> 00:44:19.309
if they have a copy of the secret and you don't

00:44:19.309 --> 00:44:21.070
rotate your secret, they will have access even

00:44:21.070 --> 00:44:24.590
if they are let go to connect to your environment

00:44:24.590 --> 00:44:28.730
from outside. So insiders who are insiders today,

00:44:28.829 --> 00:44:31.949
but they become outsiders and you have that threat

00:44:32.190 --> 00:44:34.750
factor as well. So we're building this assessment

00:44:34.750 --> 00:44:38.650
that will give you a neat list of: these are the

00:44:38.650 --> 00:44:41.510
issues we found, very similar way to how Microsoft

00:44:41.510 --> 00:44:43.789
is running things internally with our internal

00:44:43.789 --> 00:44:47.190
tools, where we look and monitor and we enforce,

00:44:47.190 --> 00:44:49.530
you know, the newer things based on our learning.

00:44:49.530 --> 00:44:52.449
So the assessment is something people can look

00:44:52.449 --> 00:44:56.150
out for. It's going to really help you, you know,

00:44:56.150 --> 00:44:58.789
overall assess the health of your environment

00:44:58.789 --> 00:45:03.130
and these pillars. So that's happening. Another

00:45:03.130 --> 00:45:06.010
big part of it is we are building, we're taking,

00:45:06.010 --> 00:45:08.030
our product teams are taking these learnings

00:45:08.030 --> 00:45:11.969
and building it into the product. So we today

00:45:11.969 --> 00:45:16.289
have things like, we are building agents, so using

00:45:16.289 --> 00:45:22.059
AI for security. So we recently published a Conditional

00:45:22.059 --> 00:45:26.320
Access Optimization Agent in Entra because over

00:45:26.320 --> 00:45:29.800
time we see agents taking on this role. You don't

00:45:29.800 --> 00:45:35.360
want to have a large identity or access team

00:45:35.360 --> 00:45:39.280
that is chasing up behind people to remove their

00:45:39.280 --> 00:45:42.699
secrets and so on. So we have plans where we

00:45:42.699 --> 00:45:46.579
can use agents that can do a lot of the heavy

00:45:46.579 --> 00:45:49.449
lifting for you. Ones that have come out are

00:45:49.449 --> 00:45:51.989
like Conditional Access Optimization Agent and

00:45:51.989 --> 00:45:55.489
there is an Identity Access Review Agent that

00:45:55.489 --> 00:45:58.010
launched as well. And there's a lot more coming.

00:45:58.150 --> 00:46:01.969
So wait for Ignite where we will be sharing all

00:46:01.969 --> 00:46:04.670
of that. So we are taking these learnings. We

00:46:04.670 --> 00:46:07.230
want to build it into the product as well and

00:46:07.230 --> 00:46:10.349
make it a lot more easier to do these things

00:46:10.349 --> 00:46:13.329
where it doesn't have to be manual. You will

00:46:13.329 --> 00:46:15.670
have agents that will help you and guide you.

00:46:16.219 --> 00:46:18.239
uh, do a lot of that. So that is like the long-term

00:46:18.239 --> 00:46:22.559
vision of, uh, of this, right? Like you don't,

00:46:22.559 --> 00:46:24.940
we want to move away from having experts like

00:46:24.940 --> 00:46:28.559
me being able to go and work with, you know, individual

00:46:28.559 --> 00:46:32.519
logs to having a lot more being done by agents

00:46:32.519 --> 00:46:36.860
that can help guide IAMs to, you know, improve

00:46:36.860 --> 00:46:40.219
that. It's like, it's like having an SME, uh, in

00:46:40.219 --> 00:46:42.559
this, in each domain space, that they can work

00:46:42.559 --> 00:46:45.809
with easily. But humans have the final say though,

00:46:45.849 --> 00:46:47.889
right? On the agents? Yeah. Okay, fantastic.

00:46:48.289 --> 00:46:51.030
I mean, I don't know. We'll have to see. But

00:46:51.030 --> 00:46:54.090
right now, the agent proposes things. It even

00:46:54.090 --> 00:46:56.730
says, okay, I've come up with, you have like

00:46:56.730 --> 00:47:00.090
10 CA policies. We can actually collapse this

00:47:00.090 --> 00:47:02.190
into one because they're doing a very similar

00:47:02.190 --> 00:47:05.989
thing. And it proposes a new CA policy. So today

00:47:05.989 --> 00:47:08.289
the human, like we need to say, yes, yeah, I

00:47:08.289 --> 00:47:10.789
approve that. You can go ahead and create that

00:47:10.789 --> 00:47:15.570
policy. So that check is there today. Nice. Well,

00:47:15.610 --> 00:47:16.929
I think we covered a lot of ground, including

00:47:16.929 --> 00:47:18.230
a lot of ground that I never thought we would

00:47:18.230 --> 00:47:20.250
cover. But anyway, there it is, just the way

00:47:20.250 --> 00:47:22.829
it is. So let's start to bring this episode to

00:47:22.829 --> 00:47:25.730
an end. I think since last time you were on,

00:47:25.769 --> 00:47:28.489
we added a new sort of section to the podcast

00:47:28.489 --> 00:47:31.449
episodes, which is, you know, what does a day

00:47:31.449 --> 00:47:35.389
in the life of Merrill look like? Yes. Yeah.

00:47:35.469 --> 00:47:38.389
So for me, it's an interesting one and I love

00:47:38.389 --> 00:47:40.840
it, working at Microsoft, and my role is sort

00:47:40.840 --> 00:47:44.199
of a remote role as well. So it's a fun role

00:47:44.199 --> 00:47:49.119
for me to balance my family and work life. I

00:47:49.119 --> 00:47:51.699
have four kids. They are mostly still in school.

00:47:51.780 --> 00:47:55.480
My eldest just started uni. So it's been like

00:47:55.480 --> 00:47:59.599
a full hands-on for me with having a household

00:47:59.599 --> 00:48:04.659
with four kids and many of them teenagers. For

00:48:04.659 --> 00:48:06.820
me, the day starts really early because I'm in

00:48:06.820 --> 00:48:10.820
Melbourne. And like today, my first meeting was

00:48:10.820 --> 00:48:14.159
at 6 a .m. And this is like my third meeting

00:48:14.159 --> 00:48:18.000
of the day. And it's only like 8 o'clock, 8:50.

00:48:18.000 --> 00:48:23.039
So it starts early. But what I like is I

00:48:23.039 --> 00:48:26.480
can then go drop the kids off at school so I

00:48:26.480 --> 00:48:29.110
can take a break in between, go take them to

00:48:29.110 --> 00:48:32.389
school, and then I enjoy a nice walk and then

00:48:32.389 --> 00:48:35.429
come back and start my day. So it's like the

00:48:35.429 --> 00:48:37.530
morning time is with all the Redmond folks and

00:48:37.530 --> 00:48:41.690
most of my team. I get to do that. Then I get

00:48:41.690 --> 00:48:44.230
to have a break. Then I work with some of my

00:48:44.230 --> 00:48:47.429
customers in Australia because their daytime

00:48:47.429 --> 00:48:50.469
starts, help them out and, you know, various

00:48:50.469 --> 00:48:53.389
projects and work that I do. So for me, it's

00:48:53.389 --> 00:48:56.389
very neat because most of the people that ping

00:48:56.389 --> 00:49:00.650
me are away because it's Redmond evening and

00:49:00.650 --> 00:49:02.469
they're off for the day. So I get done with all

00:49:02.469 --> 00:49:04.889
the meetings in the morning and I have the rest

00:49:04.889 --> 00:49:07.929
of the day for me to focus, do like focused work.

00:49:08.289 --> 00:49:12.110
So I get to enjoy that, go pick up the kids from

00:49:12.110 --> 00:49:16.489
school. And like, it's a really good work-life

00:49:16.489 --> 00:49:20.190
balance that I have. And yeah, it's a lot of

00:49:20.190 --> 00:49:24.789
fun, enjoyable work at Microsoft. Yeah, it's

00:49:24.789 --> 00:49:28.030
a key thing, right? Enjoy yourself. It's fun.

00:49:28.530 --> 00:49:32.550
Yeah. So, all right. So if you had one, you are

00:49:32.550 --> 00:49:33.889
familiar with this because we had it on the last

00:49:33.889 --> 00:49:36.130
podcast episode with you. But if you had just

00:49:36.130 --> 00:49:38.590
one thought to leave our listeners with, what

00:49:38.590 --> 00:49:41.900
would it be? For them. One big thing I would

00:49:41.900 --> 00:49:44.980
say is in this day and age when I don't know

00:49:44.980 --> 00:49:48.179
if I'll have a job tomorrow because that's how

00:49:48.179 --> 00:49:52.019
the world is working, you might be let go for

00:49:52.019 --> 00:49:54.739
no reason of your own, right? It's not something

00:49:54.739 --> 00:49:57.960
your manager or anyone else can control. It's

00:49:57.960 --> 00:50:02.019
to really do things that will accrue to your

00:50:02.019 --> 00:50:06.050
career, right? One of the easiest things is your

00:50:06.050 --> 00:50:10.289
access to writing blog, creating content on YouTube,

00:50:10.489 --> 00:50:13.230
sharing things, sharing your knowledge. And a

00:50:13.230 --> 00:50:16.610
lot of people are like, they do a lot, they learn

00:50:16.610 --> 00:50:18.730
a lot of things, but they never end up sharing

00:50:18.730 --> 00:50:23.130
it. And with my Entra chat, I do a weekly newsletter

00:50:23.130 --> 00:50:26.650
where I take all the blog posts and things about

00:50:26.650 --> 00:50:29.530
Entra. And I post them in a weekly newsletter

00:50:29.530 --> 00:50:32.829
I send out. I have like 15, 16,000 subscribers

00:50:32.829 --> 00:50:36.590
to that newsletter today. And creating content,

00:50:36.889 --> 00:50:39.769
you know, showing your expertise, even if it's

00:50:39.769 --> 00:50:41.590
like you learned something new, sharing it on,

00:50:41.670 --> 00:50:44.070
you have your choice, right? Like you can pick

00:50:44.070 --> 00:50:47.570
from LinkedIn to Twitter, whatever it is, sharing

00:50:47.570 --> 00:50:49.670
that knowledge, writing blog posts on things

00:50:49.670 --> 00:50:52.050
you learned, but you can make it generic. So

00:50:52.050 --> 00:50:54.110
it doesn't need to be a company specific thing.

00:50:55.469 --> 00:50:58.010
all of that accrues to your career, right? In

00:50:58.010 --> 00:51:00.590
the future, that's going to help you stand out

00:51:00.590 --> 00:51:02.550
when you are going to apply for a job. Because

00:51:02.550 --> 00:51:05.409
I learned this, I was working before, like for

00:51:05.409 --> 00:51:08.550
about 12 years in a company. I got let go. I

00:51:08.550 --> 00:51:10.550
built a fantastic network within the company.

00:51:10.989 --> 00:51:13.869
But the day I was let go, I had to then apply

00:51:13.869 --> 00:51:17.829
for a job and do a resume. And there's no difference

00:51:17.829 --> 00:51:20.630
between me and someone who might be, you know,

00:51:20.690 --> 00:51:23.570
coming in new. Someone had to read my resume

00:51:23.570 --> 00:51:27.110
to know the difference, and I was like, there's

00:51:27.110 --> 00:51:30.050
a lot I put in and I, I lost all of that when

00:51:30.050 --> 00:51:32.230
I left the company, right? Like you lose complete

00:51:32.230 --> 00:51:35.449
access to things within the company. So for your

00:51:35.449 --> 00:51:39.269
career, you should try to build your profile outside

00:51:39.269 --> 00:51:42.230
of your work. Like this will accrue for the rest

00:51:42.230 --> 00:51:44.829
of your life. Like I'm towards the later end of

00:51:44.829 --> 00:51:48.570
my career, but for everyone starting out new, you

00:51:48.570 --> 00:51:52.139
have to, have to get your sort of voice out. Write

00:51:52.139 --> 00:51:54.280
blog posts, share things with the community.

00:51:54.599 --> 00:51:57.139
If you can, you know, when there are calls for

00:51:57.139 --> 00:52:00.340
speakers, apply and go and talk because you might

00:52:00.340 --> 00:52:03.579
think you don't know much, but the little that

00:52:03.579 --> 00:52:05.780
you know, the experience is something definitely

00:52:05.780 --> 00:52:08.380
that at least one or two other people can learn

00:52:08.380 --> 00:52:12.389
from. And just share that. It can be... It doesn't

00:52:12.389 --> 00:52:15.289
need to be a blog post or a long YouTube video.

00:52:15.349 --> 00:52:18.250
People have different specialties. The way I

00:52:18.250 --> 00:52:20.329
got into social media is I created these small

00:52:20.329 --> 00:52:23.289
diagrams of things and people love images and

00:52:23.289 --> 00:52:27.590
diagrams. So I take some complex topic and I

00:52:27.590 --> 00:52:29.829
say, hey, this is how pasta-sync works. And

00:52:29.829 --> 00:52:33.090
I just do a very small visual and that helps

00:52:33.090 --> 00:52:36.349
people, you know, learn something, which in the

00:52:36.349 --> 00:52:39.489
day of, you know, micro-scrolling and so on,

00:52:39.570 --> 00:52:42.900
you get that. My tip for everyone is this: like,

00:52:42.900 --> 00:52:46.280
do this work. You, the payback, it's like, you know,

00:52:46.280 --> 00:52:48.579
depositing early into your savings account or

00:52:48.579 --> 00:52:51.440
in your bank, because it'll stick with you for

00:52:51.440 --> 00:52:54.340
your entire career, and it's something that will

00:52:54.340 --> 00:52:58.260
open new doors, new friendships. Uh, take that extra

00:52:58.260 --> 00:53:01.360
time. Your, your work with companies, there's not

00:53:01.360 --> 00:53:03.760
much, you know, loyalty anymore. You might be told

00:53:03.760 --> 00:53:06.460
tomorrow, like, you know, this is the end, you, you

00:53:06.460 --> 00:53:09.849
need to find your own way. So do things that will

00:53:09.849 --> 00:53:12.869
accrue to your career. So that's my tip. It's

00:53:12.869 --> 00:53:15.090
your portfolio, right? It's your portfolio of

00:53:15.090 --> 00:53:16.789
knowledge and expertise. And the other thing

00:53:16.789 --> 00:53:19.210
I want to point out, you raised something really

00:53:19.210 --> 00:53:23.170
interesting there. You'd be surprised if you

00:53:23.170 --> 00:53:24.650
don't think you're an expert at something, but

00:53:24.650 --> 00:53:26.469
you put out there, hey, I did this thing today

00:53:26.469 --> 00:53:28.130
and I learned this and I didn't think about it

00:53:28.130 --> 00:53:30.510
this way. It's interesting how many people look

00:53:30.510 --> 00:53:33.699
at things from a different perspective. And sometimes

00:53:33.699 --> 00:53:36.039
you may read something where someone wasn't an

00:53:36.039 --> 00:53:37.599
expert and said, hey, you know, I did this thing

00:53:37.599 --> 00:53:39.800
today. And did you know it did A, B, and C, but

00:53:39.800 --> 00:53:43.739
only if X, Y, and Z are set? And then you look

00:53:43.739 --> 00:53:45.440
at it, you're like, oh my God, that's why I'm

00:53:45.440 --> 00:53:47.360
having the problem because X, Y, Z are not set.

00:53:47.760 --> 00:53:50.340
I didn't realize that. You'd be amazed at how

00:53:50.340 --> 00:53:53.079
many times that kind of thing happens. So you

00:53:53.079 --> 00:53:55.360
don't have to be, I often joke that being an

00:53:55.360 --> 00:53:57.960
expert is just being one page ahead in the book.

00:54:00.440 --> 00:54:03.199
There is some truth to that. And I agree a hundred

00:54:03.199 --> 00:54:06.019
percent. You need to be writing things and posting

00:54:06.019 --> 00:54:08.780
things and not being an idiot about things either.

00:54:08.880 --> 00:54:10.739
I mean, if you, you know, stay technical, stay

00:54:10.739 --> 00:54:13.920
professional, um, cause that stuff lasts forever.

00:54:14.619 --> 00:54:17.079
So yeah, write things, book blog posts, come

00:54:17.079 --> 00:54:19.179
on, come on our blog, you know, on our, on our

00:54:19.179 --> 00:54:22.199
podcast, you know, it all, it all adds up. So

00:54:22.199 --> 00:54:24.619
feel free to reach out. Like I get people reaching

00:54:24.619 --> 00:54:26.480
out asking, Hey, can I come on your podcast?

00:54:26.579 --> 00:54:28.800
I ask them, you know, what interesting story

00:54:28.800 --> 00:54:31.579
you have? Like a lot of people fear that and

00:54:31.579 --> 00:54:34.219
rejection, but I mean, I do have to say no, because

00:54:34.219 --> 00:54:37.679
I can only have so many guests, but like shoot

00:54:37.679 --> 00:54:39.260
your shot, right? Like you have nothing to lose.

00:54:39.340 --> 00:54:42.340
You just need to keep reaching out to people

00:54:42.340 --> 00:54:46.739
and create your brand that then helps you

00:54:46.739 --> 00:54:49.460
get on to podcasts and people go like he's doing

00:54:49.460 --> 00:54:52.760
interesting stuff. Share your scripts. Uh, you, you're

00:54:52.760 --> 00:54:55.500
writing scripts today at work, you know, take that,

00:54:55.500 --> 00:54:58.579
make it simple and just post it, share it on a

00:54:58.579 --> 00:55:01.980
blog post. You can spin up like your, like there

00:55:01.980 --> 00:55:05.300
are so many free services, from Substack to, uh,

00:55:05.300 --> 00:55:08.119
you know, WordPress and blogging and, like, you

00:55:08.119 --> 00:55:10.619
know, Notion. Uh, you are like spoiled for choice.

00:55:11.260 --> 00:55:14.059
Pick something, pick just even LinkedIn without

00:55:14.059 --> 00:55:17.780
scrolling, like people consume content. I like

00:55:17.780 --> 00:55:20.400
what Scott Hanselman says, right? Like you go

00:55:20.400 --> 00:55:22.699
from being a consumer to creator. So one of my

00:55:22.699 --> 00:55:24.500
New Year's resolutions like many years back was

00:55:24.500 --> 00:55:28.900
I'm going to create content more than, not more

00:55:28.900 --> 00:55:30.679
than, but I'm going to at least spend a little

00:55:30.679 --> 00:55:33.800
bit of effort creating content. Well, there's

00:55:33.800 --> 00:55:36.119
a lot to consume, right? There is a lot to consume,

00:55:36.119 --> 00:55:38.420
and in fact you could spend all day consuming.

00:55:38.420 --> 00:55:40.900
You can, you could spend your entire life consuming.

00:55:40.900 --> 00:55:44.059
Yes. And I, I really like that. We need more people

00:55:44.059 --> 00:55:47.719
like you and other people creating and, you know,

00:55:47.719 --> 00:55:50.519
rather than just consuming. Consuming is very

00:55:50.519 --> 00:55:53.480
passive. Exactly. And you can find your own niche,

00:55:53.480 --> 00:55:56.059
right? Like you don't need to have hundreds and

00:55:56.059 --> 00:55:58.519
thousands of followers, right? Like that doesn't

00:55:58.519 --> 00:56:02.059
even need to be a thing. But I focus only on Entra.

00:56:02.159 --> 00:56:06.699
When I started on this journey, I was like, I'm

00:56:06.699 --> 00:56:08.960
only going to focus on Entra and I only focus

00:56:08.960 --> 00:56:13.000
on a very specific part of Entra as well. But

00:56:13.000 --> 00:56:15.119
it's so wide, right? You don't need to be very

00:56:15.119 --> 00:56:18.300
generic. The more you're focused on a specific

00:56:18.300 --> 00:56:21.880
area that you're working on daily, you will connect

00:56:21.880 --> 00:56:24.280
and you'll find others who are doing the same

00:56:24.280 --> 00:56:27.739
thing and you'll build these relationships. I've

00:56:27.739 --> 00:56:30.260
now built so many relationships with people from

00:56:30.260 --> 00:56:34.539
like from Germany to Denmark to even in Alaska,

00:56:34.639 --> 00:56:37.239
like different parts of the globe that you wouldn't

00:56:37.239 --> 00:56:41.139
imagine. And we worked on projects on like we

00:56:41.139 --> 00:56:44.559
published open source tools, just pinging someone

00:56:44.559 --> 00:56:46.960
and saying, hey, I saw this and chatting with

00:56:46.960 --> 00:56:51.199
them. And you do amazing things. And it's a lot.

00:56:51.239 --> 00:56:53.679
It's very rewarding and it stays with you. It's

00:56:53.679 --> 00:56:56.699
not, it's not your career or a job that you have,

00:56:56.699 --> 00:56:59.320
and then when it suddenly ends you're like, like

00:56:59.320 --> 00:57:03.260
you, you lose your identity. Um, this stays with

00:57:03.260 --> 00:57:07.320
you for a long time. So that's, that's my tip, like

00:57:07.320 --> 00:57:10.260
a takeaway. Yeah, like create content. Like I give

00:57:10.260 --> 00:57:13.099
this advice to everyone I see, but I see very

00:57:13.099 --> 00:57:15.380
few people following through. So the competition

00:57:15.380 --> 00:57:19.039
is really non-existent, right? For those who are

00:57:19.039 --> 00:57:21.679
creating content, you can just start today and

00:57:21.679 --> 00:57:23.900
you have a long career ahead. It doesn't, you

00:57:23.900 --> 00:57:27.059
don't, it won't become like, like overnight sensation,

00:57:27.159 --> 00:57:29.440
which people do, right? If you do some really

00:57:29.440 --> 00:57:33.340
cool Black Hat presentations and so on, but you

00:57:33.340 --> 00:57:36.400
can start small and, you know, it will open doors

00:57:36.400 --> 00:57:40.480
that you cannot imagine. Like it's done for me.

00:57:41.000 --> 00:57:42.820
Yeah. I mean, you can have like, it doesn't have

00:57:42.820 --> 00:57:44.539
to be in Black Hat, right? It could be like a

00:57:44.539 --> 00:57:47.750
local thing, you know, some local, bunch of people

00:57:47.750 --> 00:57:50.170
get together on a, every month or so, and talk

00:57:50.170 --> 00:57:53.530
about tech stuff. You can talk about the thing

00:57:53.530 --> 00:57:55.989
that, you know, excites you and you're, you know,

00:57:55.989 --> 00:57:57.489
you're knowledgeable of. You don't, it doesn't

00:57:57.489 --> 00:57:59.809
have to be Black Hat or RSA or anything like

00:57:59.809 --> 00:58:03.230
that. All right, let's bring this to an end. It

00:58:03.230 --> 00:58:04.889
was supposed to be all about the Zero Trust Workshop,

00:58:04.889 --> 00:58:06.250
but I think we actually covered a lot of ground,

00:58:06.250 --> 00:58:08.610
um, but I think a lot of good ground, a lot of

00:58:08.610 --> 00:58:10.570
important ground. So I'm very happy that we had

00:58:10.570 --> 00:58:13.570
this, uh, we had this time together. So with that,

00:58:13.590 --> 00:58:15.090
let's bring this episode to an end. Meryl, thank

00:58:15.090 --> 00:58:18.329
you again for joining us. It's always a pleasure

00:58:18.329 --> 00:58:21.010
having you on the podcast. And to all our listeners

00:58:21.010 --> 00:58:22.530
out there, we hope you found this episode useful.

00:58:22.610 --> 00:58:25.269
Stay safe and we'll see you next time. Thanks

00:58:25.269 --> 00:58:27.230
for listening to the Azure Security Podcast.

00:58:27.670 --> 00:58:30.630
You can find show notes and other resources at

00:58:30.630 --> 00:58:35.210
our website, azsecuritypodcast.net. If you have

00:58:35.210 --> 00:58:38.409
any questions, please find us on Twitter at AzureSecPod.

00:58:39.239 --> 00:58:42.980
Background music is from ccmixter.com and licensed

00:58:42.980 --> 00:58:44.960
under the Creative Commons License.
