1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,760
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,760 --> 00:00:17,240
Hey everybody, welcome to Episode 33.

5
00:00:17,240 --> 00:00:18,640
We have everyone here this week.

6
00:00:18,640 --> 00:00:20,600
It's myself, Sarah, Gladys and Mark.

7
00:00:20,600 --> 00:00:23,120
We also have a guest, Carmichael Patton,

8
00:00:23,120 --> 00:00:25,420
who is here to talk to us about Zero Trust.

9
00:00:25,420 --> 00:00:27,200
But before we get to our guest,

10
00:00:27,200 --> 00:00:28,180
let's take a look at the news.

11
00:00:28,180 --> 00:00:29,480
I'll kick things off.

12
00:00:29,480 --> 00:00:33,020
First item that took my attention the last few weeks

13
00:00:33,020 --> 00:00:38,420
is a YouTube video about using Azure Sentinel

14
00:00:38,420 --> 00:00:41,260
to analyze Ubiquiti logs.

15
00:00:41,260 --> 00:00:45,460
I use Ubiquiti Wi-Fi gear here at home.

16
00:00:45,460 --> 00:00:47,940
I'm a huge fan of learning by doing,

17
00:00:47,940 --> 00:00:51,900
and I've been trying to find an excuse to use Sentinel in anger.

18
00:00:51,900 --> 00:00:54,860
Well, this solved the problem really.

19
00:00:54,860 --> 00:00:56,320
It's a nice little video,

20
00:00:56,320 --> 00:00:58,700
shows how you can take your Ubiquiti logs

21
00:00:58,700 --> 00:01:02,260
and ingest them into Sentinel and see what's going on.

22
00:01:02,260 --> 00:01:05,180
The only thing I really learned from all of this

23
00:01:05,180 --> 00:01:07,220
was that no one really cares about my network,

24
00:01:07,220 --> 00:01:09,220
but I guess that's a good thing.

25
00:01:09,220 --> 00:01:12,620
Next thing is Azure Automation now supports

26
00:01:12,620 --> 00:01:14,780
user-assigned managed identities,

27
00:01:14,780 --> 00:01:16,580
and it's in public preview.

28
00:01:16,580 --> 00:01:18,580
This is actually pretty cool for a number of reasons.

29
00:01:18,580 --> 00:01:20,660
As I mentioned so many times,

30
00:01:20,660 --> 00:01:23,180
you'll see more and more PaaS and SaaS offerings

31
00:01:23,180 --> 00:01:26,620
support the likes of system-assigned managed identities

32
00:01:26,620 --> 00:01:28,740
and user-managed identities.

33
00:01:28,740 --> 00:01:31,300
The nice thing about user-assigned managed identities

34
00:01:31,300 --> 00:01:35,060
is that you can set one up and use it multiple places.

35
00:01:35,060 --> 00:01:36,900
And the reason why that's important is because

36
00:01:36,900 --> 00:01:40,980
Azure does have a limit to the number of role assignments

37
00:01:40,980 --> 00:01:42,100
per subscription.

38
00:01:42,980 --> 00:01:45,900
So this helps alleviate that because

39
00:01:45,900 --> 00:01:47,780
if you have a system-managed identity,

40
00:01:47,780 --> 00:01:50,540
you can only apply it once to one resource,

41
00:01:50,540 --> 00:01:52,300
whereas a user-assigned managed identity,

42
00:01:52,300 --> 00:01:54,580
you can use it all over the place,

43
00:01:54,580 --> 00:01:57,300
which is nice to see.

44
00:01:57,300 --> 00:01:59,060
So something else I saw the last few weeks

45
00:01:59,060 --> 00:02:02,420
was we now have free extended security updates

46
00:02:02,420 --> 00:02:06,180
only on Azure for Windows Server 2012

47
00:02:06,180 --> 00:02:11,020
and SQL Server 2012 R2 and SQL Server 2012.

48
00:02:11,020 --> 00:02:13,860
So if you've got an on-prem solution

49
00:02:13,860 --> 00:02:15,660
based on these platforms,

50
00:02:15,660 --> 00:02:18,220
and you can't sort of cut over to a new version

51
00:02:18,220 --> 00:02:20,500
of the operating system in time for

52
00:02:20,500 --> 00:02:23,820
the extended security updates to expire,

53
00:02:23,820 --> 00:02:26,420
you can move that workload into Azure

54
00:02:26,420 --> 00:02:30,780
and we will actually add more years at the end

55
00:02:30,780 --> 00:02:32,580
so that you can actually take more time

56
00:02:32,580 --> 00:02:35,020
to essentially move to a more secure

57
00:02:35,020 --> 00:02:37,100
and more updated operating system.

58
00:02:37,100 --> 00:02:38,180
So it's just kind of cool.

59
00:02:38,180 --> 00:02:40,580
So take your current workloads, move them to Azure

60
00:02:40,580 --> 00:02:45,580
and you'll get an extension to your Windows security updates.

61
00:02:45,860 --> 00:02:47,900
Another feature which I was really happy to see

62
00:02:47,900 --> 00:02:50,700
was confidential computing using always encrypted

63
00:02:50,700 --> 00:02:55,420
and secure enclaves for Azure SQL Database is now GA.

64
00:02:55,420 --> 00:02:56,260
This is great to see.

65
00:02:56,260 --> 00:02:58,540
This has been in preview for some time now.

66
00:02:58,540 --> 00:03:01,740
I've been playing around with it quite a bit,

67
00:03:01,740 --> 00:03:03,020
but it's nice to see that it's in GA.

68
00:03:03,020 --> 00:03:05,900
So essentially what you do is you set up an Azure SQL DB

69
00:03:05,900 --> 00:03:10,180
and when you come to set which kind of infrastructure

70
00:03:10,180 --> 00:03:11,180
it's gonna live on,

71
00:03:11,180 --> 00:03:14,420
you can choose one of the DC series VMs

72
00:03:14,420 --> 00:03:16,140
and that will give you support

73
00:03:16,140 --> 00:03:18,260
to the underlying Intel hardware

74
00:03:18,260 --> 00:03:21,300
that supports the software guard extensions or SGX

75
00:03:21,300 --> 00:03:22,740
and that will now give you support

76
00:03:22,740 --> 00:03:25,180
for always encrypted using secure enclaves.

77
00:03:25,180 --> 00:03:27,740
So that's a really nice thing to see as well.

78
00:03:27,740 --> 00:03:30,740
We also now support Azure AD authentication

79
00:03:30,740 --> 00:03:32,780
for application insights.

80
00:03:32,780 --> 00:03:35,300
Normally, in the past it's been really kind of painful

81
00:03:35,300 --> 00:03:37,060
to support various authentication schemes

82
00:03:37,060 --> 00:03:39,540
for data going into app insights,

83
00:03:39,540 --> 00:03:41,340
but now we support out of the box

84
00:03:41,340 --> 00:03:44,740
the ability to use Azure Active Directory identities.

85
00:03:44,740 --> 00:03:47,860
There's now an update to secrets configuration

86
00:03:47,860 --> 00:03:50,900
in app service and Azure functions.

87
00:03:50,900 --> 00:03:53,020
I'm not gonna go into all the details,

88
00:03:53,020 --> 00:03:55,420
but historically we only have a small number of ways

89
00:03:55,420 --> 00:03:58,300
of storing secrets that's then accessible by app service

90
00:03:58,300 --> 00:03:59,620
and Azure functions.

91
00:03:59,620 --> 00:04:03,020
Well, we've now increased that to include things

92
00:04:03,020 --> 00:04:05,340
like better support for Azure Key Vault.

93
00:04:06,340 --> 00:04:09,940
And the last item I have, this is also in preview,

94
00:04:09,940 --> 00:04:13,100
is the ability to configure token lifetimes

95
00:04:13,100 --> 00:04:15,940
in the Microsoft Identity Platform.

96
00:04:15,940 --> 00:04:18,740
A lot of customers I see have been really wanting this

97
00:04:18,740 --> 00:04:19,900
for quite some time.

98
00:04:19,900 --> 00:04:24,900
So now you have complete control over when tokens are issued

99
00:04:25,420 --> 00:04:27,220
and when they need to be refreshed.

100
00:04:27,220 --> 00:04:29,740
And that's all I have for this week.

101
00:04:29,740 --> 00:04:31,540
So I've got a couple of things.

102
00:04:31,540 --> 00:04:34,260
Oh my goodness, and nothing about Azure Sentinel,

103
00:04:34,260 --> 00:04:37,180
though I could probably find something if we wanted.

104
00:04:37,180 --> 00:04:40,420
No, today I'm gonna talk about the next generation

105
00:04:40,420 --> 00:04:43,860
firewall capabilities which are in the firewall premium.

106
00:04:43,860 --> 00:04:47,860
It has been in preview for a while, but it's now gone GA.

107
00:04:47,860 --> 00:04:51,540
So if you haven't looked at the Azure firewall premium,

108
00:04:51,540 --> 00:04:54,900
what it has in it above normal Azure firewall

109
00:04:54,900 --> 00:04:57,020
is TLS inspection.

110
00:04:57,020 --> 00:04:59,860
It does signature based intrusion detection

111
00:04:59,860 --> 00:05:02,180
and prevention or IDPS,

112
00:05:02,180 --> 00:05:06,620
which I know is a requirement of quite a few

113
00:05:06,620 --> 00:05:09,300
regulatory regimes.

114
00:05:09,300 --> 00:05:10,980
You need to have that.

115
00:05:10,980 --> 00:05:15,380
It also lets you filter web things based on categories.

116
00:05:15,380 --> 00:05:18,340
So things like social networking, gambling,

117
00:05:18,340 --> 00:05:20,460
other dodgy things,

118
00:05:20,460 --> 00:05:22,380
that you might want people to go on

119
00:05:22,380 --> 00:05:25,740
through your enterprise internet connection.

120
00:05:25,740 --> 00:05:28,660
And we've also got URL filtering.

121
00:05:28,660 --> 00:05:31,620
So you can actually filter outbound access

122
00:05:31,620 --> 00:05:35,740
to specific URLs, not just fully qualified domain names.

123
00:05:35,740 --> 00:05:39,140
So that's really, really quite cool.

124
00:05:39,140 --> 00:05:40,900
So it is very cool.

125
00:05:40,900 --> 00:05:42,220
Go and have a look at it.

126
00:05:42,220 --> 00:05:44,340
I know if you're one of those customers that needs to wait

127
00:05:44,340 --> 00:05:47,180
for something to be GA before you're gonna use it,

128
00:05:47,180 --> 00:05:48,340
now is the time.

129
00:05:48,340 --> 00:05:49,740
So go and have a look,

130
00:05:49,740 --> 00:05:52,620
because Azure firewall is probably not as loved

131
00:05:52,620 --> 00:05:54,820
as it should be because it's just a firewall,

132
00:05:54,820 --> 00:05:55,660
but it's very cool.

133
00:05:55,660 --> 00:05:57,740
You can deploy it as code.

134
00:05:57,740 --> 00:06:01,820
So it can fit very nicely in with your cloud deployments.

135
00:06:01,820 --> 00:06:04,100
Next for AKS.

136
00:06:04,100 --> 00:06:08,260
AKS will now allow Active Directory integrated clusters

137
00:06:08,260 --> 00:06:11,940
to be created without a local admin user account,

138
00:06:11,940 --> 00:06:14,540
which is cool because of course,

139
00:06:14,540 --> 00:06:17,060
a local admin account is not the best thing

140
00:06:17,060 --> 00:06:18,540
from a security perspective

141
00:06:18,540 --> 00:06:21,060
because anyone can use local accounts,

142
00:06:21,060 --> 00:06:24,140
whereas now you can actually create clusters

143
00:06:24,140 --> 00:06:28,660
just disabling those local accounts

144
00:06:28,660 --> 00:06:32,180
when you've set up the AAD authentication.

145
00:06:32,180 --> 00:06:34,580
So again, very nice.

146
00:06:34,580 --> 00:06:36,380
Nothing sort of groundbreaking,

147
00:06:36,380 --> 00:06:39,420
but again, really good for your security hygiene.

148
00:06:39,420 --> 00:06:42,220
And then a couple of things in ASC,

149
00:06:42,220 --> 00:06:44,420
as Azure Security Center,

150
00:06:44,420 --> 00:06:47,820
we've got some new alerts in Azure Defender for Key Vault.

151
00:06:47,820 --> 00:06:50,420
So if you're using Key Vault and you need to keep an eye on it,

152
00:06:50,420 --> 00:06:52,940
Azure Defender is checking out some new alerts.

153
00:06:52,940 --> 00:06:55,900
We've also got recommendations.

154
00:06:55,900 --> 00:06:58,340
The recommendation to encrypt with customer-managed keys

155
00:06:58,340 --> 00:07:00,380
is now disabled by default.

156
00:07:00,380 --> 00:07:02,100
So if you're using ASC

157
00:07:02,100 --> 00:07:04,860
and you use those security hygiene recommendations,

158
00:07:04,860 --> 00:07:06,780
which are very cool,

159
00:07:06,780 --> 00:07:09,900
of course, if you're not using customer managed keys,

160
00:07:09,900 --> 00:07:11,780
I'd say probably the vast majority of our customers

161
00:07:11,780 --> 00:07:13,500
do not manage their own keys,

162
00:07:13,500 --> 00:07:15,700
but there are some parts of the world

163
00:07:15,700 --> 00:07:18,020
and some industries that require it.

164
00:07:18,020 --> 00:07:20,220
You don't want your secure score to go down

165
00:07:20,220 --> 00:07:22,300
just because there's a recommendation,

166
00:07:22,300 --> 00:07:24,540
a hygiene recommendation that isn't relevant to you.

167
00:07:24,540 --> 00:07:26,940
So that's now disabled by default.

168
00:07:26,940 --> 00:07:29,900
Another just FYI,

169
00:07:29,900 --> 00:07:32,980
the prefix for Kubernetes alerts in ASC

170
00:07:32,980 --> 00:07:36,060
has changed from AKS to K8S.

171
00:07:36,060 --> 00:07:39,140
So AKS is Azure Kubernetes Service.

172
00:07:39,140 --> 00:07:42,060
K8S is actually the more standardized way

173
00:07:42,060 --> 00:07:44,660
of abbreviating Kubernetes.

174
00:07:44,660 --> 00:07:49,660
And that's all of my updates for this week.

175
00:07:49,780 --> 00:07:53,300
As we all know, Microsoft keeps looking for better ways

176
00:07:53,300 --> 00:07:57,380
to help provide users with a way to own

177
00:07:57,380 --> 00:07:59,940
and control their own identity.

178
00:07:59,940 --> 00:08:01,500
So there are many capabilities

179
00:08:01,500 --> 00:08:03,700
that are being developed around this.

180
00:08:03,700 --> 00:08:06,460
One of them is Azure Active Directory

181
00:08:06,460 --> 00:08:08,460
verifiable credentials,

182
00:08:08,460 --> 00:08:11,020
which is currently in public preview.

183
00:08:11,020 --> 00:08:13,220
We talked a little bit about it

184
00:08:13,220 --> 00:08:15,980
when it was in private preview.

185
00:08:15,980 --> 00:08:18,900
But if you haven't heard about it before,

186
00:08:18,900 --> 00:08:21,260
it is a way to centrally manage

187
00:08:21,260 --> 00:08:24,460
decentralized identity or DIDs.

188
00:08:24,460 --> 00:08:26,340
For example, when you're first logging

189
00:08:26,340 --> 00:08:28,220
into a company environment,

190
00:08:28,220 --> 00:08:30,140
you're given an account password

191
00:08:30,140 --> 00:08:33,300
or some other method to log in.

192
00:08:33,300 --> 00:08:34,860
When you first log in,

193
00:08:34,860 --> 00:08:36,940
the service sends you to a site

194
00:08:36,940 --> 00:08:40,420
for you to scan a QR code

195
00:08:40,420 --> 00:08:43,580
with your phone camera,

196
00:08:43,580 --> 00:08:46,740
in order to enable the verifiable credential

197
00:08:46,740 --> 00:08:49,420
in your authenticator app or to start it.

198
00:08:50,380 --> 00:08:53,060
This is really cool because we are expanding

199
00:08:53,060 --> 00:08:56,020
the factors of authentication.

200
00:08:56,020 --> 00:08:58,900
For example, something you know, account and password,

201
00:08:58,900 --> 00:09:00,580
something you have, in this case,

202
00:09:00,580 --> 00:09:02,740
the verifiable credential.

203
00:09:02,740 --> 00:09:04,740
If you use conditional access,

204
00:09:04,740 --> 00:09:08,060
then you expand to use a factor

205
00:09:08,060 --> 00:09:10,820
that verifies where you're logging from

206
00:09:10,820 --> 00:09:15,820
or somewhere you are, such as IP address.

207
00:09:15,980 --> 00:09:18,660
And if you enable the Windows protection,

208
00:09:18,660 --> 00:09:20,940
you could have something you are,

209
00:09:20,940 --> 00:09:24,060
like biometrics provided through Windows Hello,

210
00:09:24,060 --> 00:09:28,020
or even something you do, like a picture password.

211
00:09:28,020 --> 00:09:30,700
I think this is huge because we're starting to look

212
00:09:30,700 --> 00:09:35,700
at identity as bigger than the platform itself.

213
00:09:35,860 --> 00:09:38,260
This concept of decentralization

214
00:09:38,260 --> 00:09:40,260
is really important as well.

215
00:09:40,260 --> 00:09:43,740
In Microsoft, we are anchoring the verifiable credential

216
00:09:43,740 --> 00:09:46,920
with a decentralized identifier,

217
00:09:47,940 --> 00:09:51,420
which points to a public blockchain.

218
00:09:51,420 --> 00:09:55,140
This makes the credential durable over time

219
00:09:55,140 --> 00:09:56,500
and across domains.

220
00:09:56,500 --> 00:10:00,580
So in theory, let's say that Microsoft

221
00:10:00,580 --> 00:10:02,180
were to go out of business,

222
00:10:02,180 --> 00:10:04,780
you still will have the credential,

223
00:10:04,780 --> 00:10:07,900
it will be yours as an individual,

224
00:10:07,900 --> 00:10:10,420
and available for you to control.

225
00:10:10,420 --> 00:10:14,740
This also means that multiple autonomous systems

226
00:10:14,740 --> 00:10:16,380
can use it as well.

227
00:10:16,380 --> 00:10:20,500
Anyway, identity management is going through a lot of changes.

228
00:10:20,500 --> 00:10:24,660
So it will be fun to watch all the identity capabilities

229
00:10:24,660 --> 00:10:28,460
that will be released in the next few years.

230
00:10:28,460 --> 00:10:30,540
The other thing that I wanted to mention

231
00:10:30,540 --> 00:10:32,940
since we're talking about identity

232
00:10:32,940 --> 00:10:36,460
is that everyone should look at aka.ms,

233
00:10:36,460 --> 00:10:41,260
sensitive operations report, and run the assessment.

234
00:10:41,260 --> 00:10:44,500
This assessment got created earlier this year,

235
00:10:44,500 --> 00:10:46,420
but it's still very relevant.

236
00:10:46,420 --> 00:10:50,900
One of the most common ways for attackers to get persistent

237
00:10:50,900 --> 00:10:54,340
in the environment is by adding new credentials

238
00:10:54,340 --> 00:10:58,580
to existing applications and service principals.

239
00:10:58,580 --> 00:11:00,820
This allows the attackers to authenticate

240
00:11:00,820 --> 00:11:05,100
as the target application or service principal itself,

241
00:11:05,100 --> 00:11:08,340
granting them access to all resources

242
00:11:08,340 --> 00:11:12,300
to which the application has permissions for.

243
00:11:12,300 --> 00:11:16,260
The assessment will help you detect such actions,

244
00:11:16,260 --> 00:11:21,260
modified applications and principal creation

245
00:11:21,260 --> 00:11:25,540
and authentication methods, modified federation settings,

246
00:11:25,540 --> 00:11:28,700
new permissions granted to service principals,

247
00:11:28,700 --> 00:11:30,540
and many others.

248
00:11:30,540 --> 00:11:33,860
Now let's jump into another area of Azure.

249
00:11:33,860 --> 00:11:38,300
Azure Bastion is now in public preview.

250
00:11:38,300 --> 00:11:39,780
As mentioned before,

251
00:11:39,780 --> 00:11:45,260
Azure Bastion is a service you deploy to let you connect

252
00:11:45,260 --> 00:11:50,460
to virtual machine using your browser and Azure portal.

253
00:11:50,460 --> 00:11:54,180
It is a PaaS service that you provision inside your virtual

254
00:11:54,180 --> 00:11:59,700
network and provides secure and seamless RDP and SSH

255
00:11:59,700 --> 00:12:03,980
for the virtual machines directly from the Azure portal

256
00:12:03,980 --> 00:12:05,820
over TLS.

257
00:12:05,820 --> 00:12:08,100
When you connect to Azure Bastion,

258
00:12:08,100 --> 00:12:12,340
your virtual machines do not need an IP address, agent,

259
00:12:12,340 --> 00:12:14,340
or a special client.

260
00:12:14,340 --> 00:12:16,620
There's another way that you could do this

261
00:12:16,620 --> 00:12:17,900
without Azure Bastion.

262
00:12:17,900 --> 00:12:21,500
Basically, you could give an external IP,

263
00:12:21,500 --> 00:12:26,500
but that means that your VM will be available externally

264
00:12:27,940 --> 00:12:32,540
all the time, unless you use a service such as

265
00:12:32,540 --> 00:12:37,540
Just-In-Time VM, which allows you to lower the risk

266
00:12:38,220 --> 00:12:43,220
by providing a time-based access to that RDP connection.

267
00:12:43,220 --> 00:12:45,220
The other thing that I wanted to mention is that

268
00:12:45,220 --> 00:12:49,220
Windows 365 will be available in August 2nd.

269
00:12:49,220 --> 00:12:52,220
I'm really excited about this and playing with it

270
00:12:52,220 --> 00:12:56,220
because it allows you to securely stream your

271
00:12:56,220 --> 00:12:59,220
Windows experience, including your personalized apps,

272
00:12:59,220 --> 00:13:03,220
content, and settings from the Microsoft Cloud

273
00:13:03,220 --> 00:13:08,220
to any device with Windows 365 Cloud PC.

274
00:13:08,220 --> 00:13:12,220
It allows you to use it on

275
00:13:12,220 --> 00:13:17,220
Mac, iOS, Android, and I think soon

276
00:13:17,380 --> 00:13:19,540
Linux is coming up.

277
00:13:19,540 --> 00:13:22,020
Your applications, your settings, your content

278
00:13:22,020 --> 00:13:27,020
are streamed from the Microsoft Cloud to any of the devices.

279
00:13:27,020 --> 00:13:30,500
There's persistent integration between the Cloud

280
00:13:30,500 --> 00:13:31,340
and the device.

281
00:13:31,340 --> 00:13:34,780
So if you disconnect, you come back to whatever

282
00:13:34,780 --> 00:13:36,500
you were doing before.

283
00:13:36,500 --> 00:13:39,340
The information is stored in the Cloud,

284
00:13:39,340 --> 00:13:41,340
not in the device itself.

285
00:13:41,340 --> 00:13:46,340
The system is always up to date and built on the strength

286
00:13:46,700 --> 00:13:50,220
of Microsoft security capabilities and baseline.

287
00:13:50,220 --> 00:13:53,980
It uses network speed provided by the Cloud service

288
00:13:53,980 --> 00:13:58,500
instead of the device itself where the user

289
00:13:58,500 --> 00:14:00,060
is connecting from.

290
00:14:00,060 --> 00:14:04,300
So it's not about that physical network speed,

291
00:14:04,300 --> 00:14:08,620
but the Cloud network, which in turn allows you

292
00:14:08,620 --> 00:14:12,380
to collaborate with large files much easier,

293
00:14:12,380 --> 00:14:16,340
no matter where you are and which device you connect from.

294
00:14:16,340 --> 00:14:19,540
I'm looking forward to playing with this,

295
00:14:19,540 --> 00:14:24,540
and I know that once this is released with the 5G

296
00:14:24,660 --> 00:14:26,900
Azure space and other capabilities

297
00:14:26,900 --> 00:14:30,860
that Microsoft is working on, and it's releasing,

298
00:14:30,860 --> 00:14:33,940
this will open up a lot of opportunities

299
00:14:33,940 --> 00:14:38,940
for more mobility and at the same time availability.

300
00:14:39,740 --> 00:14:42,740
And in my world, a couple different things.

301
00:14:42,740 --> 00:14:45,940
First is, as most folks probably know,

302
00:14:45,940 --> 00:14:50,140
I'm a Zero Trust architecture forum co-chair

303
00:14:50,140 --> 00:14:51,580
over at the Open Group.

304
00:14:51,580 --> 00:14:53,620
We recently had an Open Group event

305
00:14:53,620 --> 00:14:55,540
where we announced the Zero Trust commandments

306
00:14:55,540 --> 00:14:57,900
that we're working on, essentially taking the core

307
00:14:57,900 --> 00:15:00,500
principles that are already published and out there

308
00:15:00,500 --> 00:15:03,940
and translating those into commandments,

309
00:15:03,940 --> 00:15:06,940
very much in the vein of the Jericho commandments

310
00:15:06,940 --> 00:15:10,780
that really kicked off Zero Trust some decade or two ago.

311
00:15:10,780 --> 00:15:12,420
We're exploring an interesting idea there

312
00:15:12,420 --> 00:15:14,540
where we're taking that assume-breach,

313
00:15:14,540 --> 00:15:18,140
assume-compromise idea as a core assumption

314
00:15:18,140 --> 00:15:20,900
and looking at it more as an assume failure

315
00:15:20,900 --> 00:15:25,300
and also having the yin-yang assume success

316
00:15:25,300 --> 00:15:27,660
because business does continue

317
00:15:27,660 --> 00:15:29,580
and organizations do continue after a breach.

318
00:15:29,580 --> 00:15:32,820
And so trying to have that blend of the positive and negative

319
00:15:32,820 --> 00:15:35,460
instead of completely focusing on the negative.

320
00:15:35,460 --> 00:15:37,340
So it's sort of an interesting set of things,

321
00:15:37,340 --> 00:15:40,340
but then developing those guiding commandments

322
00:15:40,340 --> 00:15:42,620
that real clear guidance to follow up on it.

323
00:15:42,620 --> 00:15:43,780
So it's work in progress.

324
00:15:43,780 --> 00:15:47,740
I put a link in the show notes there for the LinkedIn group

325
00:15:47,740 --> 00:15:50,540
where y'all can join and kind of share your opinions

326
00:15:50,540 --> 00:15:51,820
and discussions there.

327
00:15:51,820 --> 00:15:53,740
And then for those that are Open Group members

328
00:15:53,740 --> 00:15:55,980
that are organizations that work,

329
00:15:55,980 --> 00:15:58,580
if you work for an organization that's in the Open Group,

330
00:15:58,580 --> 00:16:01,860
you can also participate directly in that process as well.

331
00:16:01,860 --> 00:16:05,500
And some recent acquisitions recently hit the news.

332
00:16:05,500 --> 00:16:07,620
Microsoft purchased a company named RiskIQ,

333
00:16:07,620 --> 00:16:10,100
which provides intelligence information

334
00:16:10,100 --> 00:16:12,260
for your company, for other companies, et cetera.

335
00:16:12,260 --> 00:16:14,140
So really, really exciting news

336
00:16:14,140 --> 00:16:16,540
and really interested in digging in with that team

337
00:16:16,540 --> 00:16:19,380
to kind of really deeply understand what they're doing

338
00:16:19,380 --> 00:16:21,260
and how to connect it with all the other good stuff

339
00:16:21,260 --> 00:16:22,700
that we're doing.

340
00:16:22,700 --> 00:16:25,580
We also bought CloudKnox.

341
00:16:25,580 --> 00:16:29,380
So this is a cloud infrastructure entitlement management

342
00:16:29,380 --> 00:16:34,060
company that helps kind of discover and help you kind of

343
00:16:34,060 --> 00:16:37,540
secure and tighten up permissions within Azure, AWS

344
00:16:37,540 --> 00:16:39,060
and the like.

345
00:16:39,060 --> 00:16:41,060
So really, really excited about that

346
00:16:41,060 --> 00:16:43,620
to help organizations get some clarity there

347
00:16:43,620 --> 00:16:47,380
and clean up any permissions or any issues there

348
00:16:47,380 --> 00:16:49,900
from kind of the rough and tumble of DevOps

349
00:16:49,900 --> 00:16:52,060
and learning the cloud and figuring it out,

350
00:16:52,060 --> 00:16:53,820
that might be there.

351
00:16:53,820 --> 00:16:56,340
And then on the firmware side,

352
00:16:56,340 --> 00:16:58,500
specifically the IoT firmware side,

353
00:16:58,500 --> 00:17:01,500
we bought a company called ReFirm recently.

354
00:17:01,500 --> 00:17:05,660
And so they're really into kind of scanning

355
00:17:05,660 --> 00:17:09,020
and looking at the firmware of your IoT devices

356
00:17:09,020 --> 00:17:12,020
and is that secure, are there vulnerabilities in there, et cetera.

357
00:17:12,020 --> 00:17:15,740
So really excited to have that capability as well.

358
00:17:15,740 --> 00:17:17,860
So really can't wait to connect

359
00:17:17,860 --> 00:17:20,100
all these different pieces together.

360
00:17:20,100 --> 00:17:23,220
Next thing, this is very important for those

361
00:17:23,220 --> 00:17:25,100
who are in the security operations space,

362
00:17:25,100 --> 00:17:30,700
SecOps analysts, SOC analysts, managers, directors, et cetera.

363
00:17:30,700 --> 00:17:34,900
One of the biggest things there is a lot of folks

364
00:17:34,900 --> 00:17:38,220
are very network familiar and really been trained on

365
00:17:38,220 --> 00:17:41,460
and really get like IP addresses and subnets

366
00:17:41,460 --> 00:17:45,660
and CIDR addresses and you name it, really good at that.

367
00:17:45,660 --> 00:17:48,340
But identity was never something that a lot of security

368
00:17:48,340 --> 00:17:50,140
operations analysts were trained on.

369
00:17:50,140 --> 00:17:52,860
And it's becoming more and more central to investigating

370
00:17:52,860 --> 00:17:54,700
and it's understanding what happened

371
00:17:54,700 --> 00:17:57,220
because the network traffic, you don't always have that

372
00:17:57,220 --> 00:17:59,340
and it's not always clear and easy to figure out

373
00:17:59,340 --> 00:18:01,540
who was trying to do what at the time.

374
00:18:01,540 --> 00:18:04,700
And so we released this Azure AD SecOps guide

375
00:18:04,700 --> 00:18:09,700
set on the docs site that helps with all those kind of things

376
00:18:09,700 --> 00:18:12,660
related to investigations and remediations,

377
00:18:12,660 --> 00:18:13,660
detections, et cetera.

378
00:18:13,660 --> 00:18:15,660
So really, really powerful stuff.

379
00:18:15,660 --> 00:18:18,540
Highly recommend folks out there check that out.

380
00:18:18,540 --> 00:18:22,340
And then just a few reminders,

381
00:18:22,340 --> 00:18:24,500
the ransomware guidance is out there.

382
00:18:24,500 --> 00:18:26,340
We actually kind of merged together

383
00:18:26,340 --> 00:18:28,980
the human operator and the ransomware aka.ms URL.

384
00:18:28,980 --> 00:18:31,260
So both of them lead to the same place.

385
00:18:31,260 --> 00:18:34,740
We translated the slide deck, that downloadable plan

386
00:18:34,740 --> 00:18:37,380
into kind of one, two, three guidance in the documentation

387
00:18:37,380 --> 00:18:42,220
to make it easier to follow and follow along with as guidance.

388
00:18:42,220 --> 00:18:44,460
Of course, recently published in the last couple of months

389
00:18:44,460 --> 00:18:48,100
the cyber reference architecture already had like 9,000 hits.

390
00:18:48,100 --> 00:18:49,820
I think on the landing page recently,

391
00:18:49,820 --> 00:18:51,740
so that one's getting some attention,

392
00:18:51,740 --> 00:18:53,540
but make sure you don't miss that one.

393
00:18:53,540 --> 00:18:57,020
And then the more of the security program guidance

394
00:18:57,020 --> 00:18:59,820
in our cloud adoption framework or CAF,

395
00:18:59,820 --> 00:19:01,540
secure methodology is also out there.

396
00:19:01,540 --> 00:19:04,140
So we put those links in the show notes as well.

397
00:19:04,140 --> 00:19:05,340
And that's all I got.

398
00:19:06,260 --> 00:19:08,100
Okay, let's change tack now

399
00:19:08,100 --> 00:19:10,260
and let's introduce our guest this week.

400
00:19:10,260 --> 00:19:12,100
This week we have Carmichael Patton,

401
00:19:12,100 --> 00:19:14,420
who's here to talk to us about Zero Trust.

402
00:19:14,420 --> 00:19:15,980
Carmichael, welcome to the podcast.

403
00:19:15,980 --> 00:19:17,460
Would you care to take a moment

404
00:19:17,460 --> 00:19:19,580
and introduce yourself to our listeners?

405
00:19:19,580 --> 00:19:20,980
Yeah, sure.

406
00:19:20,980 --> 00:19:22,660
So as mentioned, I'm Carmichael Patton.

407
00:19:22,660 --> 00:19:26,020
I'm a senior security architect here inside of Microsoft

408
00:19:26,020 --> 00:19:29,580
in our digital security and resiliency organization.

409
00:19:29,580 --> 00:19:33,580
We're like the internal security IT org here at Microsoft.

410
00:19:33,580 --> 00:19:35,860
So our billet is to ensure

411
00:19:35,860 --> 00:19:38,740
that we as a company are secured.

412
00:19:38,740 --> 00:19:41,460
For the most part, for the last six years

413
00:19:41,460 --> 00:19:42,820
or so that I've been here,

414
00:19:42,820 --> 00:19:46,140
it's been around a lot of what is not Microsoft.

415
00:19:46,140 --> 00:19:49,300
My area of focus is around all of the non-Windows systems.

416
00:19:49,300 --> 00:19:52,340
How do we protect, you know, iOS, Android, Mac, Linux,

417
00:19:52,340 --> 00:19:54,260
as well as in the cloud,

418
00:19:54,260 --> 00:19:57,220
how do we do open source containerization,

419
00:19:58,340 --> 00:20:00,020
you know, orchestration, things like that.

420
00:20:00,020 --> 00:20:03,100
The relevancy here is for the last three years,

421
00:20:03,100 --> 00:20:07,420
I've been on our team leading our internal Zero Trust efforts

422
00:20:07,420 --> 00:20:11,540
to how do we get Zero Trust deployed inside of Microsoft.

423
00:20:12,700 --> 00:20:14,100
So what is Zero Trust?

424
00:20:14,100 --> 00:20:17,100
What are we trying to address with it?

425
00:20:17,100 --> 00:20:18,180
That's a great question, Gladys.

426
00:20:18,180 --> 00:20:21,180
I think, you know, for us or for me,

427
00:20:21,180 --> 00:20:22,980
it really comes down to three things, right?

428
00:20:22,980 --> 00:20:26,300
It's healthy devices, healthy identity and telemetry

429
00:20:26,300 --> 00:20:29,340
to understand the states of both of those, right?

430
00:20:29,340 --> 00:20:33,460
And I think that's maybe a little bit of an oversimplification

431
00:20:33,460 --> 00:20:35,460
of what Zero Trust is.

432
00:20:35,460 --> 00:20:37,380
And I think it's been around in the industry

433
00:20:37,380 --> 00:20:38,220
for quite a while.

434
00:20:38,220 --> 00:20:40,420
It started out as a network strategy, you know,

435
00:20:40,420 --> 00:20:42,740
how do you micro segment your networks?

436
00:20:42,740 --> 00:20:45,420
But I think as we have moved through,

437
00:20:45,420 --> 00:20:48,300
especially this last year,

438
00:20:48,300 --> 00:20:50,500
we've had to really pivot and think about it

439
00:20:50,500 --> 00:20:51,580
in a different way, you know,

440
00:20:51,580 --> 00:20:54,180
we're not on those traditional networks anymore.

441
00:20:54,180 --> 00:20:57,380
We're actually accessing a lot of cloud resources now.

442
00:20:57,380 --> 00:21:00,260
And so how do we ensure that we're protecting ourselves

443
00:21:00,260 --> 00:21:02,380
without having the corporate environment

444
00:21:02,380 --> 00:21:04,220
to actually do a lot of those protections

445
00:21:04,220 --> 00:21:05,900
that we had before.

446
00:21:05,900 --> 00:21:08,700
So let me take a little bit of a sort of a skeptic's hat

447
00:21:08,700 --> 00:21:11,380
for a moment, like, so what's the big deal

448
00:21:11,380 --> 00:21:12,780
about Zero Trust?

449
00:21:12,780 --> 00:21:14,660
Why would I even bother doing this?

450
00:21:14,660 --> 00:21:16,300
You know, I'm doing my job just fine.

451
00:21:16,300 --> 00:21:19,180
You know, like, how would you respond to that?

452
00:21:19,180 --> 00:21:20,540
Well, I think it's, first off,

453
00:21:20,540 --> 00:21:22,300
I would say keep a skeptical approach, right?

454
00:21:22,300 --> 00:21:23,380
I think there's a lot of,

455
00:21:23,380 --> 00:21:25,540
even our own architecture that we put out there.

456
00:21:25,540 --> 00:21:28,340
And I think for every company, Zero Trust is a little different.

457
00:21:28,340 --> 00:21:30,100
So I think keeping that skeptic's hat on

458
00:21:30,100 --> 00:21:32,500
when you're looking at it is a good approach.

459
00:21:32,500 --> 00:21:34,900
I think, you know, come in with the understandings

460
00:21:34,900 --> 00:21:35,740
of what you need.

461
00:21:35,740 --> 00:21:39,100
And I think one of the things we say is have a good set

462
00:21:39,100 --> 00:21:40,620
of telemetry to understand your risks

463
00:21:40,620 --> 00:21:41,820
and really, really, you're falling.

464
00:21:41,820 --> 00:21:44,300
But I think to answer your question,

465
00:21:44,300 --> 00:21:46,180
you know, again, sort of just simplify it, right?

466
00:21:46,180 --> 00:21:50,260
Is you could go to the complete knee jerk

467
00:21:50,260 --> 00:21:53,180
and overreact and put in so much security

468
00:21:53,180 --> 00:21:56,100
and compliance on top of getting access,

469
00:21:56,100 --> 00:21:57,660
but you become nonproductive.

470
00:21:57,660 --> 00:22:00,580
And I think the, where I would say to the skeptics,

471
00:22:00,580 --> 00:22:02,780
it's really more about productivity,

472
00:22:02,780 --> 00:22:04,940
but staying secure, right?

473
00:22:04,940 --> 00:22:07,100
Like, what are the benefits that you're gonna get out of it?

474
00:22:07,100 --> 00:22:07,940
Right?

475
00:22:07,940 --> 00:22:10,420
If you're, you know, you have your endpoints managed

476
00:22:10,420 --> 00:22:14,220
and your identity is providing health to access those.

477
00:22:14,220 --> 00:22:16,540
Your security teams are getting improved visibility

478
00:22:16,540 --> 00:22:18,660
because you're putting, you know, anti-malware

479
00:22:18,660 --> 00:22:20,700
and vulnerability management on those devices.

480
00:22:20,700 --> 00:22:23,740
You're getting logs and telemetry from them directly.

481
00:22:23,740 --> 00:22:25,620
You're not having to rely on other devices

482
00:22:25,620 --> 00:22:27,100
or other things to try to guess

483
00:22:27,100 --> 00:22:29,300
and speculate what those devices are doing.

484
00:22:29,300 --> 00:22:30,140
But at the end of the day,

485
00:22:30,140 --> 00:22:32,420
the users are able to get to what they're trying to get to,

486
00:22:32,420 --> 00:22:33,260
right?

487
00:22:33,260 --> 00:22:35,380
Is, you know, especially when everybody's working from home,

488
00:22:35,380 --> 00:22:37,740
I have access to all of the systems I need to access to

489
00:22:37,740 --> 00:22:39,780
without having to worry about that.

490
00:22:39,780 --> 00:22:43,580
But I am coming from that, that managed and healthy device.

491
00:22:43,580 --> 00:22:45,500
Yeah, I mean, it's something, it's hard.

492
00:22:47,500 --> 00:22:50,900
I went through the, some of the things where we saw

493
00:22:50,900 --> 00:22:53,380
a whole bunch of different vendors presentations

494
00:22:53,380 --> 00:22:57,020
on Zero Trust and it was just fascinating to see

495
00:22:57,020 --> 00:22:58,740
like all the different views of it.

496
00:22:58,740 --> 00:23:01,420
And I mean, I just felt such sympathy for the people

497
00:23:01,420 --> 00:23:04,500
that have to deal with that crazy amount of confusion.

498
00:23:04,500 --> 00:23:05,820
And oh, Zero Trust is this,

499
00:23:05,820 --> 00:23:08,260
which happens to find the products that I'm selling you.

500
00:23:08,260 --> 00:23:10,540
I think that's the number one thing is like navigating that

501
00:23:10,540 --> 00:23:11,820
to get to that core truth.

502
00:23:11,820 --> 00:23:15,260
And so I'm actually really excited about the NIST work

503
00:23:15,260 --> 00:23:17,700
in the National Cybersecurity Center of Excellence,

504
00:23:17,700 --> 00:23:22,340
the NCCoE lab to sort of, you know, drive that consistency

505
00:23:22,340 --> 00:23:24,940
and drive that kind of clarity on it.

506
00:23:24,940 --> 00:23:26,580
So people know what it is, what it isn't.

507
00:23:26,580 --> 00:23:30,620
And oh, by the way, even though it does some amazing stuff,

508
00:23:30,620 --> 00:23:31,780
it's not like a magic wand

509
00:23:31,780 --> 00:23:33,500
and you just don't have to bother operating it.

510
00:23:33,500 --> 00:23:35,380
You just put it in product and go.

511
00:23:35,380 --> 00:23:37,580
Love that point you made.

512
00:23:37,580 --> 00:23:40,540
It does have to be operated and practiced every day.

513
00:23:40,540 --> 00:23:41,460
Yeah, it's funny.

514
00:23:41,460 --> 00:23:44,860
I remember you were running me to an event we did

515
00:23:44,860 --> 00:23:46,020
a little over a year ago.

516
00:23:46,020 --> 00:23:47,740
We went to a customer's onsite.

517
00:23:47,740 --> 00:23:49,260
They had a bunch of different vendors there

518
00:23:49,260 --> 00:23:51,460
to sort of do similar to what you were talking about.

519
00:23:51,460 --> 00:23:54,300
But for them explicitly,

520
00:23:54,300 --> 00:23:57,300
and they questioned one of the vendors asked was back

521
00:23:57,300 --> 00:24:00,660
to the customer, you know,

522
00:24:00,660 --> 00:24:03,780
hey, what is it that you could do for us?

523
00:24:03,780 --> 00:24:04,700
And then we were looking at him

524
00:24:04,700 --> 00:24:06,100
and this person is pretty well known

525
00:24:06,100 --> 00:24:07,140
in the Zero Trust circles,

526
00:24:07,140 --> 00:24:08,660
but I remember looking at him going,

527
00:24:08,660 --> 00:24:11,540
shouldn't we be collaborating and doing things for them

528
00:24:11,540 --> 00:24:14,060
to make it easier for them to deploy all of our technology?

529
00:24:14,060 --> 00:24:15,060
It doesn't matter what it is, right?

530
00:24:15,060 --> 00:24:16,540
Or who is deploying it?

531
00:24:16,540 --> 00:24:17,740
I mean, that's the thing about Zero Trust

532
00:24:17,740 --> 00:24:20,260
that makes it so great is it's not a product.

533
00:24:20,260 --> 00:24:21,100
It's not a suite.

534
00:24:21,100 --> 00:24:22,300
It's not an application.

535
00:24:22,300 --> 00:24:24,540
It's not a thing you lay down in your environment

536
00:24:24,540 --> 00:24:26,180
and know now you have Zero Trust.

537
00:24:26,180 --> 00:24:27,580
It's an architecture.

538
00:24:27,580 --> 00:24:29,660
It's a thing that you deploy in your environment

539
00:24:29,660 --> 00:24:33,700
based on the needs that you have to satisfy the risks

540
00:24:33,700 --> 00:24:35,220
that you have in your environment, right?

541
00:24:35,220 --> 00:24:38,460
And I think that's, even for us,

542
00:24:38,460 --> 00:24:40,100
again, I'm not the marketing guy.

543
00:24:40,100 --> 00:24:41,860
We look at third-party products

544
00:24:41,860 --> 00:24:43,420
and we have third-party products

545
00:24:43,420 --> 00:24:45,220
inside of Microsoft that we use.

546
00:24:45,220 --> 00:24:50,060
So how do I get to ensure that those are also in my model

547
00:24:50,060 --> 00:24:51,900
to ensure that I have healthy devices

548
00:24:51,900 --> 00:24:53,020
and healthy identities, right?

549
00:24:53,020 --> 00:24:54,420
And if I go to my VPN,

550
00:24:54,420 --> 00:24:56,780
which is not a Microsoft VPN, right?

551
00:24:56,780 --> 00:25:00,300
You know, am I conditionally access enforced

552
00:25:00,300 --> 00:25:03,660
and for health on that VPN tunnel to get in, right?

553
00:25:03,660 --> 00:25:05,700
I have to be able to ensure that those things work.

554
00:25:05,700 --> 00:25:06,900
So I think, you know, again,

555
00:25:06,900 --> 00:25:08,060
sort of to your point, Mark,

556
00:25:08,060 --> 00:25:10,500
which is it's not just a thing.

557
00:25:10,500 --> 00:25:11,660
It's an idea.

558
00:25:11,660 --> 00:25:14,540
It's an architecture and how do we make it work together?

559
00:25:14,540 --> 00:25:17,140
And I think that NIST approach was interesting the other day,

560
00:25:17,140 --> 00:25:18,660
listening to all the groups collaborate.

561
00:25:18,660 --> 00:25:20,260
And I'm hoping that as an industry,

562
00:25:20,260 --> 00:25:21,700
we start collaborating more on this

563
00:25:21,700 --> 00:25:23,180
to make it easier for folks.

564
00:25:23,180 --> 00:25:25,140
Yeah, I fully realize hope is a four-letter word,

565
00:25:25,140 --> 00:25:27,820
but I'm right there with you in that.

566
00:25:27,820 --> 00:25:29,620
And the word that I'm starting to use,

567
00:25:29,620 --> 00:25:31,660
like to cover all of the things,

568
00:25:31,660 --> 00:25:33,140
because it's so different depending on whether you're

569
00:25:33,140 --> 00:25:35,260
like a CISO or like a SOC analyst

570
00:25:35,260 --> 00:25:38,580
or a director of identity security or something.

571
00:25:38,580 --> 00:25:40,340
It's so different.

572
00:25:40,340 --> 00:25:41,900
I mean, I think of it as a transformation.

573
00:25:41,900 --> 00:25:43,220
It's like a digital transformation.

574
00:25:43,220 --> 00:25:45,100
Like it's gonna change the retail dude

575
00:25:45,100 --> 00:25:46,740
or lady on the ground.

576
00:25:46,740 --> 00:25:47,900
That's like checking people out.

577
00:25:47,900 --> 00:25:49,500
It's gonna change the business strategy.

578
00:25:49,500 --> 00:25:51,220
It's gonna change everything, right?

579
00:25:51,220 --> 00:25:53,580
So I feel like that it's basically a transformation

580
00:25:53,580 --> 00:25:55,460
that touches everyone.

581
00:25:55,460 --> 00:25:57,780
You just described our last year of working from home

582
00:25:57,780 --> 00:26:00,060
for all of our storm employees.

583
00:26:00,060 --> 00:26:02,180
So one thing I'm a huge proponent of

584
00:26:02,180 --> 00:26:04,220
in the world of security is pragmatism.

585
00:26:04,220 --> 00:26:08,140
And to me, pragmatism is absolutely foremost.

586
00:26:08,140 --> 00:26:12,260
Is it still, is it possible to achieve Zero Trust goals

587
00:26:12,260 --> 00:26:14,220
and stay within the spirit of Zero Trust

588
00:26:14,220 --> 00:26:16,900
without like adhering to the letter of the law?

589
00:26:16,900 --> 00:26:17,980
Yeah, absolutely.

590
00:26:17,980 --> 00:26:18,820
I think so, right?

591
00:26:18,820 --> 00:26:20,860
And kind of going back to the three things

592
00:26:20,860 --> 00:26:21,940
that I mentioned before,

593
00:26:21,940 --> 00:26:24,660
which is focus on identity or that the identity,

594
00:26:24,660 --> 00:26:26,180
the health of the identity,

595
00:26:26,180 --> 00:26:28,380
the health of the devices and the telemetry, right?

596
00:26:28,380 --> 00:26:31,580
So focus on ensuring that your users

597
00:26:31,580 --> 00:26:34,100
are doing things like multi-factor authentication

598
00:26:34,100 --> 00:26:36,180
to validate who they are.

599
00:26:36,180 --> 00:26:38,140
If you can go passwordless, I mean,

600
00:26:38,140 --> 00:26:41,420
those are just spirits of identity and healthy identity, right?

601
00:26:41,420 --> 00:26:45,020
Is if I can make sure that Michael is who Michael is

602
00:26:45,020 --> 00:26:47,300
and it's not Mark spoofing his account

603
00:26:47,300 --> 00:26:50,740
to try to get into, change the podcast recording

604
00:26:50,740 --> 00:26:52,300
or something, right?

605
00:26:52,300 --> 00:26:55,380
And then the other piece of that is the devices,

606
00:26:55,380 --> 00:26:57,180
it doesn't matter what you're doing,

607
00:26:57,180 --> 00:26:59,580
getting those devices into management.

608
00:26:59,580 --> 00:27:01,500
I think a lot of companies in UW,

609
00:27:01,500 --> 00:27:05,100
we'd probably call ourselves a unicorn to some extent

610
00:27:05,100 --> 00:27:08,460
because I think we fully embrace the BYOD strategy.

611
00:27:08,460 --> 00:27:11,300
It's not just mobile devices, iOS and Android,

612
00:27:11,300 --> 00:27:14,580
with which we have about a hundred thousand of each or more.

613
00:27:14,580 --> 00:27:17,420
It's the Windows devices, the Macs,

614
00:27:17,420 --> 00:27:20,180
even, to some extent, Linux devices, right?

615
00:27:20,180 --> 00:27:23,140
That users bring in because their job requires it,

616
00:27:23,140 --> 00:27:25,220
but it's their own device that they wanna connect

617
00:27:25,220 --> 00:27:28,780
to our resources for having an idea

618
00:27:28,780 --> 00:27:33,780
or strategy around that and just don't make it difficult,

619
00:27:34,340 --> 00:27:38,980
make it simple and you can actually come close to that letter

620
00:27:38,980 --> 00:27:40,980
of the law to some extent or at least a spirit of the law,

621
00:27:40,980 --> 00:27:42,380
like you said, right?

622
00:27:42,380 --> 00:27:45,460
Michael, it's just having that management there.

623
00:27:45,460 --> 00:27:49,980
And then telemetry, I think I'll probably just say this

624
00:27:49,980 --> 00:27:51,860
openly, if you don't have telemetry,

625
00:27:51,860 --> 00:27:54,180
if you don't understand what's going on in your environment

626
00:27:54,180 --> 00:27:55,780
then how do you understand the risks

627
00:27:55,780 --> 00:27:57,940
that are happening in your environment, right?

628
00:27:57,940 --> 00:27:59,940
And I think that's ultimately what we're trying to solve

629
00:27:59,940 --> 00:28:03,380
for is to minimize the risk where possible

630
00:28:03,380 --> 00:28:06,140
and just getting that understanding,

631
00:28:06,140 --> 00:28:07,900
where are my users coming from?

632
00:28:07,900 --> 00:28:10,100
How are they accessing things, even if it's Office

633
00:28:10,100 --> 00:28:12,580
or even if it's Exchange or your line of business application,

634
00:28:12,580 --> 00:28:14,100
whatever that is, your HR app,

635
00:28:14,100 --> 00:28:15,940
your time and away reporting app,

636
00:28:16,900 --> 00:28:18,060
how are they accessing it?

637
00:28:18,060 --> 00:28:20,620
What devices are they accessing it from?

638
00:28:20,620 --> 00:28:22,420
When are they accessing it?

639
00:28:22,420 --> 00:28:24,980
Just getting an idea of what's happening in your environment

640
00:28:24,980 --> 00:28:26,900
and then making decisions based on that.

641
00:28:26,900 --> 00:28:29,220
It doesn't have to be the full letter of the law,

642
00:28:29,220 --> 00:28:30,820
like you said, of Zero Trust.

643
00:28:30,820 --> 00:28:34,060
It could be small steps of just applying MFA

644
00:28:34,060 --> 00:28:35,660
just to ensure that it's the users

645
00:28:35,660 --> 00:28:37,660
and then going from there, right?

646
00:28:37,660 --> 00:28:41,060
So is there a role here for AI and ML?

647
00:28:41,060 --> 00:28:42,940
I know we're using a ton of buzzwords,

648
00:28:42,940 --> 00:28:44,900
but gotta ask the question.

649
00:28:44,900 --> 00:28:46,340
Yeah, no, that's it.

650
00:28:46,340 --> 00:28:49,260
Wow, is there a role for AI and ML?

651
00:28:49,260 --> 00:28:52,060
The answer is wholeheartedly yes.

652
00:28:52,060 --> 00:28:54,820
And I think we rely on it very heavily, right?

653
00:28:54,820 --> 00:28:57,140
In the decision-making that we do.

654
00:28:57,140 --> 00:28:59,700
When we use Microsoft Defender for Endpoint,

655
00:28:59,700 --> 00:29:01,780
MDE, on all of our endpoints,

656
00:29:01,780 --> 00:29:06,500
and we're getting the telemetry from those devices,

657
00:29:06,500 --> 00:29:09,820
you're not gonna ask your first line SOC analysts

658
00:29:09,820 --> 00:29:11,980
to sit there and look through all of that telemetry.

659
00:29:11,980 --> 00:29:13,900
You're gonna use that machine learning

660
00:29:13,900 --> 00:29:15,940
and some of those AI tools that we have

661
00:29:15,940 --> 00:29:20,820
to try to at least understand where things may be occurring

662
00:29:20,820 --> 00:29:23,420
to try to give you that notification

663
00:29:23,420 --> 00:29:27,220
and then have them go from there on their exploration, right?

664
00:29:27,220 --> 00:29:31,100
Without having that sort of detailed modeling

665
00:29:31,100 --> 00:29:33,300
that can actually depict what's happening

666
00:29:33,300 --> 00:29:34,820
and then making those alerts,

667
00:29:34,820 --> 00:29:37,740
then that becomes almost impossible for a SOC.

668
00:29:37,740 --> 00:29:39,540
When you have, I forget what the numbers are,

669
00:29:39,540 --> 00:29:41,500
what two trillion bytes of data,

670
00:29:41,500 --> 00:29:46,500
a day, two billion events a day in AAD or whatnot,

671
00:29:46,740 --> 00:29:47,980
I forget what all the numbers are,

672
00:29:47,980 --> 00:29:50,580
but in the sheer number of

673
00:29:50,580 --> 00:29:53,620
telemetry of learning and reporting

674
00:29:53,620 --> 00:29:55,460
and all that stuff that we get is just ridiculous

675
00:29:55,460 --> 00:29:57,300
without having the AI and machine learning.

676
00:29:57,300 --> 00:30:00,500
And we didn't even talk about Azure Defender for Identity.

677
00:30:00,500 --> 00:30:01,940
I mean, all of the stuff that happens there

678
00:30:01,940 --> 00:30:04,580
to understand what's happening with your identity

679
00:30:04,580 --> 00:30:06,540
to ensure that you are who you are

680
00:30:06,540 --> 00:30:11,540
and that your account hasn't been compromised, right?

681
00:30:11,660 --> 00:30:13,820
It's just, there's so much there for that.

682
00:30:14,860 --> 00:30:16,500
In everything that you're talking,

683
00:30:16,500 --> 00:30:18,220
you're mentioning a lot of identity.

684
00:30:18,220 --> 00:30:21,460
Why do we focus so much on identity?

685
00:30:21,460 --> 00:30:25,740
Yeah, early on we looked to say identity is a new boundary,

686
00:30:25,740 --> 00:30:28,300
and I think it's almost true at this point, right?

687
00:30:28,300 --> 00:30:33,300
In that we've moved away from network being that boundary

688
00:30:33,300 --> 00:30:35,620
and especially over the last 18 months,

689
00:30:36,620 --> 00:30:38,260
the users are no longer in the office.

690
00:30:38,260 --> 00:30:40,820
They're sitting in their home offices connecting to us

691
00:30:40,820 --> 00:30:43,060
and we use split tunnel VPN

692
00:30:43,060 --> 00:30:44,620
so they're not necessarily even coming in

693
00:30:44,620 --> 00:30:46,540
to our data centers.

694
00:30:46,540 --> 00:30:51,540
So we have to rely on the identity now

695
00:30:51,500 --> 00:30:54,860
being that access point for how they're connecting

696
00:30:54,860 --> 00:30:55,900
to our resources.

697
00:30:55,900 --> 00:30:59,100
When I go to Office or when I go to Teams

698
00:30:59,100 --> 00:31:02,020
or when I go to PowerPoint, Power BI,

699
00:31:02,020 --> 00:31:05,420
name an application or even a third party app

700
00:31:05,420 --> 00:31:08,220
that is tied to my identity.

701
00:31:08,220 --> 00:31:10,220
If I go to the login there,

702
00:31:10,220 --> 00:31:13,620
it's logging in with my @microsoft.com credentials

703
00:31:13,620 --> 00:31:16,060
and then it's going out and it's checking

704
00:31:16,060 --> 00:31:17,780
to make sure that my identity is healthy

705
00:31:17,780 --> 00:31:19,700
and then it's pulling in all of the other stuff.

706
00:31:19,700 --> 00:31:20,980
Azure Active Directory now has

707
00:31:20,980 --> 00:31:23,100
conditional access enforcement on top of that too.

708
00:31:23,100 --> 00:31:26,940
So that identity suite really becomes

709
00:31:26,940 --> 00:31:29,140
the new gating function,

710
00:31:29,140 --> 00:31:31,780
whether you call it the policy enforcement

711
00:31:31,780 --> 00:31:35,020
or whatever terminology you wanna use for that,

712
00:31:35,020 --> 00:31:36,300
that's where it's all happening.

713
00:31:36,300 --> 00:31:39,340
Those decisions are being made on top of that identity

714
00:31:39,340 --> 00:31:40,940
when you're accessing that.

715
00:31:40,940 --> 00:31:41,780
And then beyond that,

716
00:31:41,780 --> 00:31:44,780
it's continually assessing that same thing, right?

717
00:31:44,780 --> 00:31:47,940
It's not just making that one time look and saying,

718
00:31:47,940 --> 00:31:50,740
hey, okay, yeah, Carmichael can go in,

719
00:31:50,740 --> 00:31:52,620
he can access Office, he can access Teams,

720
00:31:52,620 --> 00:31:55,460
he can join a meeting and meet with the folks here

721
00:31:55,460 --> 00:31:57,940
and chat about Zero Trust.

722
00:31:57,940 --> 00:32:01,980
But every period of time, whatever you've tuned it to,

723
00:32:01,980 --> 00:32:04,140
I'm also getting reattested to that

724
00:32:04,140 --> 00:32:06,620
and making sure that throughout that lifecycle,

725
00:32:06,620 --> 00:32:09,980
I'm continuously being validated through my identity,

726
00:32:11,180 --> 00:32:12,100
whether that's the,

727
00:32:12,100 --> 00:32:14,660
I think we're doing hourly token refresh,

728
00:32:14,660 --> 00:32:17,980
with MFA every 24 hours,

729
00:32:17,980 --> 00:32:19,220
I believe something to that effect,

730
00:32:19,220 --> 00:32:22,380
but it really has sort of shifted away

731
00:32:22,380 --> 00:32:25,540
from that legacy network being the traditional network

732
00:32:25,540 --> 00:32:28,180
to the identity now being the boundary.

733
00:32:28,180 --> 00:32:33,180
So we've got, we talk about Zero Trust having six pillars.

734
00:32:33,220 --> 00:32:35,020
Can you talk about the challenges

735
00:32:35,020 --> 00:32:37,420
that Microsoft has gone through for each pillar?

736
00:32:39,780 --> 00:32:41,500
Probably too many to talk about

737
00:32:41,500 --> 00:32:43,260
in the period of time we have,

738
00:32:43,260 --> 00:32:47,580
but yeah, I mean, we talked a lot about identity already,

739
00:32:47,580 --> 00:32:49,380
we talked about devices already,

740
00:32:49,380 --> 00:32:52,260
which make up two core pillars there.

741
00:32:53,540 --> 00:32:56,980
Infrastructure, we always have a challenge

742
00:32:56,980 --> 00:33:01,060
of ensuring that the infrastructure itself is healthy,

743
00:33:01,060 --> 00:33:05,700
that the applications are being built safely

744
00:33:05,700 --> 00:33:07,340
that they're using the right,

745
00:33:09,300 --> 00:33:10,220
what's the word I'm looking for,

746
00:33:10,220 --> 00:33:15,020
the right libraries from the identity, the new MSAL libraries

747
00:33:15,020 --> 00:33:16,580
for folks that weren't aware,

748
00:33:16,580 --> 00:33:19,780
ADAL is slowly being retired as of June,

749
00:33:19,780 --> 00:33:22,580
I think some of the support for it has gone away,

750
00:33:22,580 --> 00:33:24,460
limited, I think it's now down to limited support.

751
00:33:24,460 --> 00:33:26,140
So making sure that the new libraries

752
00:33:26,140 --> 00:33:28,940
are being integrated into there

753
00:33:28,940 --> 00:33:31,860
so that the conditional access flow works.

754
00:33:31,860 --> 00:33:35,020
And I think we'd actually be surprised

755
00:33:35,020 --> 00:33:36,660
that that doesn't happen even on some

756
00:33:36,660 --> 00:33:38,300
of our first party applications

757
00:33:38,300 --> 00:33:40,180
that we sell to customers, right?

758
00:33:40,180 --> 00:33:42,380
It's going back to those teams and saying,

759
00:33:42,380 --> 00:33:44,580
hey, I gotta make conditional access work,

760
00:33:44,580 --> 00:33:48,220
not just for Microsoft, but for insert customer here, right?

761
00:33:50,260 --> 00:33:53,460
I think networking is a good one,

762
00:33:53,460 --> 00:33:55,700
especially as we get through

763
00:33:55,700 --> 00:33:58,180
trying to figure out how to segment our environment,

764
00:33:58,180 --> 00:34:00,780
traditionally we've been pretty flat,

765
00:34:00,780 --> 00:34:02,900
but with the new models,

766
00:34:02,900 --> 00:34:04,460
and I talked a lot about getting away

767
00:34:04,460 --> 00:34:07,540
from sort of that traditional on-prem model,

768
00:34:07,540 --> 00:34:09,700
moving more to the cloud model,

769
00:34:09,700 --> 00:34:11,860
we've been fortunate about 93% of our traffic

770
00:34:11,860 --> 00:34:13,860
actually goes directly out to the clouds,

771
00:34:13,860 --> 00:34:17,620
whether that's our first party SaaS or PaaS solutions,

772
00:34:17,620 --> 00:34:21,220
or if it's third party solutions that we have.

773
00:34:21,220 --> 00:34:24,180
But for what's left in the environment,

774
00:34:24,180 --> 00:34:27,660
how do we ensure that we're segmenting it in the right way?

775
00:34:27,660 --> 00:34:29,140
And I think the challenge for us lately

776
00:34:29,140 --> 00:34:31,820
has been trying to get into these IoT segments.

777
00:34:31,820 --> 00:34:34,420
We've got high-risk IoT and a low-risk IoT,

778
00:34:34,420 --> 00:34:36,740
so high-risk would be your things like building management

779
00:34:36,740 --> 00:34:41,300
and life safety systems,

780
00:34:41,300 --> 00:34:45,460
and then low-risk would be printers and other IoT,

781
00:34:45,460 --> 00:34:47,420
like the conference room phones and things like that.

782
00:34:47,420 --> 00:34:49,820
And I think we've seen some compromises in the industry

783
00:34:49,820 --> 00:34:50,980
on those types of devices,

784
00:34:50,980 --> 00:34:53,660
so how do we ensure that we can segment those away

785
00:34:53,660 --> 00:34:55,060
in a good and effective way?

786
00:34:55,060 --> 00:34:56,940
And what we found is it's actually

787
00:34:56,940 --> 00:34:58,700
probably a little bit more difficult than we thought it was,

788
00:34:58,700 --> 00:35:00,900
but we're working through that.

789
00:35:00,900 --> 00:35:03,380
And I could probably talk about challenges for a while.

790
00:35:03,380 --> 00:35:04,980
Maybe we'll leave it there then,

791
00:35:04,980 --> 00:35:09,860
but we'll just... Otherwise, the podcast will just get too long.

792
00:35:09,860 --> 00:35:11,700
So over the last few years or so,

793
00:35:11,700 --> 00:35:12,900
especially certainly the last few months,

794
00:35:12,900 --> 00:35:15,540
there's been some very high-profile attacks.

795
00:35:15,540 --> 00:35:16,940
Without naming any names,

796
00:35:16,940 --> 00:35:19,180
I mean, how could Zero Trust have helped mitigate

797
00:35:19,180 --> 00:35:23,700
or reduced the severity of some of these pretty public attacks?

798
00:35:23,700 --> 00:35:24,980
That's actually a great question,

799
00:35:24,980 --> 00:35:27,780
and something we were challenged by Bret Arsenault, our CISO,

800
00:35:27,780 --> 00:35:29,740
was exactly that,

801
00:35:29,740 --> 00:35:32,180
and some of the ones that happened earlier this year

802
00:35:32,180 --> 00:35:35,460
or last year at the end of the calendar year, right?

803
00:35:35,460 --> 00:35:39,500
We wanted to kind of prove like Zero Trust worked.

804
00:35:39,500 --> 00:35:45,540
What we actually proved was Zero Trust itself

805
00:35:45,540 --> 00:35:49,780
didn't really necessarily do anything specific to protect us,

806
00:35:49,780 --> 00:35:53,540
but what it did do is reduce the blast radius.

807
00:35:53,540 --> 00:35:54,900
And a lot of the reasons for that

808
00:35:54,900 --> 00:35:56,900
is because of the telemetry that we were getting,

809
00:35:56,900 --> 00:35:59,540
because of having all these devices being enrolled now,

810
00:35:59,540 --> 00:36:01,700
Microsoft Defender on all of these devices

811
00:36:01,700 --> 00:36:03,020
and getting all of that telemetry,

812
00:36:03,020 --> 00:36:06,300
and like I said, the machine learning that was happening,

813
00:36:06,300 --> 00:36:09,420
you start to see things occurring in your environment,

814
00:36:09,420 --> 00:36:10,820
and all of a sudden you recognize

815
00:36:10,820 --> 00:36:11,940
that you have an attacker there,

816
00:36:11,940 --> 00:36:14,620
and that attacker is now getting to a particular system

817
00:36:14,620 --> 00:36:17,820
and going from there to someplace else.

818
00:36:17,820 --> 00:36:20,580
And you can then start using the rest of the telemetry

819
00:36:20,580 --> 00:36:22,460
that you have to really sort of isolate

820
00:36:22,460 --> 00:36:23,860
and figure out what's going on

821
00:36:23,860 --> 00:36:30,340
and getting down to ensuring that you're able to,

822
00:36:30,340 --> 00:36:32,780
like I said, sort of reduce that blast radius.

823
00:36:32,780 --> 00:36:35,180
And what we found again was for everywhere

824
00:36:35,180 --> 00:36:38,260
where we had a managed device and we had MDE enabled

825
00:36:38,260 --> 00:36:42,660
and we were MFA enabled, there was no risk

826
00:36:42,660 --> 00:36:45,700
that we were protected, but where we weren't,

827
00:36:45,700 --> 00:36:48,020
we had a system that wasn't managed

828
00:36:48,020 --> 00:36:50,300
that happened to have access into the network

829
00:36:50,300 --> 00:36:53,020
that was unknown to the security team

830
00:36:53,020 --> 00:36:54,780
and the attacker got in,

831
00:36:54,780 --> 00:36:58,700
but because the user had limited access to the environment,

832
00:36:58,700 --> 00:37:00,620
they actually didn't get very far.

833
00:37:00,620 --> 00:37:03,140
So some of that stuff is publicly known,

834
00:37:03,140 --> 00:37:05,460
so I'm not saying anything that's breaking me into jail.

835
00:37:05,460 --> 00:37:07,700
I won't mention names of the attacks or anything like that,

836
00:37:07,700 --> 00:37:11,180
but that's where I think Zero Trust comes in

837
00:37:11,180 --> 00:37:12,300
as an effective thing, right?

838
00:37:12,300 --> 00:37:16,500
Is I think one of the things that our marketing team says

839
00:37:16,500 --> 00:37:18,660
is assume breach, and I think most of the industry

840
00:37:18,660 --> 00:37:21,540
has used that for defense in depth as well.

841
00:37:21,540 --> 00:37:24,620
And honestly, you have to assume breach, right?

842
00:37:24,620 --> 00:37:26,220
They're there, we just don't know they're there

843
00:37:26,220 --> 00:37:27,140
until we find them.

844
00:37:27,140 --> 00:37:28,780
And I think that's exactly what we found

845
00:37:28,780 --> 00:37:30,300
with what we did with Zero Trust

846
00:37:30,300 --> 00:37:33,300
is the more we have the Zero Trust model deployed,

847
00:37:33,300 --> 00:37:34,860
the better we are with the visibility

848
00:37:34,860 --> 00:37:36,340
to understand where they could be

849
00:37:36,340 --> 00:37:38,980
and how to mitigate it from there.

850
00:37:38,980 --> 00:37:41,260
So let's switch gears for a moment.

851
00:37:41,260 --> 00:37:42,980
Like how do you think about,

852
00:37:42,980 --> 00:37:44,300
because security's always had a,

853
00:37:44,300 --> 00:37:47,220
shall we say contentious relationship with productivity.

854
00:37:49,100 --> 00:37:50,860
Some people see it as the opposite.

855
00:37:50,860 --> 00:37:53,620
So how do y'all think about that

856
00:37:53,620 --> 00:37:55,460
as you're going through and kind of building

857
00:37:55,460 --> 00:37:59,300
a strategy architecture, et cetera, for Microsoft's IT?

858
00:37:59,300 --> 00:38:03,460
Yeah, for us, I think it's not one of the core pillars

859
00:38:03,460 --> 00:38:06,180
in the Zero Trust architecture that we have,

860
00:38:06,180 --> 00:38:09,220
but employee experience for us internally

861
00:38:09,220 --> 00:38:12,060
is part of our core set of pillars.

862
00:38:12,060 --> 00:38:16,060
And I think it's something we take very responsibly.

863
00:38:16,060 --> 00:38:18,100
And I think there's a couple of ways to look at it.

864
00:38:18,100 --> 00:38:21,260
One is at the end of the day, you've got to get users

865
00:38:21,260 --> 00:38:22,860
to buy into what you're trying to do

866
00:38:22,860 --> 00:38:24,820
from a security perspective.

867
00:38:24,820 --> 00:38:26,780
You can make all the decisions in the world

868
00:38:26,780 --> 00:38:28,180
and you can lock down your environment

869
00:38:28,180 --> 00:38:29,460
as tight as you wanna get,

870
00:38:29,460 --> 00:38:31,380
but if there's a lack of understanding,

871
00:38:31,380 --> 00:38:33,660
if there's a lack of knowledge,

872
00:38:33,660 --> 00:38:37,060
then I think that you're potentially

873
00:38:37,060 --> 00:38:38,340
breaking yourself into,

874
00:38:38,340 --> 00:38:39,660
or locking yourself into a way

875
00:38:39,660 --> 00:38:41,300
that you're making users unproductive

876
00:38:41,300 --> 00:38:43,100
because they don't understand why you're doing it

877
00:38:43,100 --> 00:38:46,060
or how they can get to the things that they need to get to

878
00:38:46,060 --> 00:38:47,900
because you've locked it down so much.

879
00:38:47,900 --> 00:38:49,420
And there's that balance, right?

880
00:38:49,420 --> 00:38:52,220
So again, keeping yourself secure,

881
00:38:52,220 --> 00:38:53,580
but then making yourself productive.

882
00:38:53,580 --> 00:38:56,300
And by doing that, you're doing things like

883
00:38:56,300 --> 00:38:59,820
giving easy access, allowing them to connect to places

884
00:38:59,820 --> 00:39:01,860
that they need to connect to from wherever they are,

885
00:39:01,860 --> 00:39:02,820
it doesn't have to be in office,

886
00:39:02,820 --> 00:39:05,460
it doesn't have to be their home,

887
00:39:05,460 --> 00:39:07,900
it could be a coffee shop, it could be their folks' house,

888
00:39:07,900 --> 00:39:09,740
wherever they're at, if they need to get access

889
00:39:09,740 --> 00:39:10,580
to that resource,

890
00:39:10,580 --> 00:39:12,700
ensure that you have a way for them to get access to that,

891
00:39:12,700 --> 00:39:14,620
securely, single sign on,

892
00:39:14,620 --> 00:39:19,380
making the experiences of them logging in easy and simple

893
00:39:19,380 --> 00:39:21,940
that pulls in the passwordless story as well, right?

894
00:39:21,940 --> 00:39:25,420
And I mean, we are Microsoft, we are a Windows shop

895
00:39:25,420 --> 00:39:26,740
and we do have Windows Hello.

896
00:39:27,860 --> 00:39:29,540
Think about the times you walk up to your computer,

897
00:39:29,540 --> 00:39:32,740
you smile at it, you frown at it, you get mad at it

898
00:39:32,740 --> 00:39:34,860
and it still unlocks your computer

899
00:39:34,860 --> 00:39:36,780
and lets you start working,

900
00:39:36,780 --> 00:39:39,060
grumpy on a Monday morning without a lot of cup of coffee

901
00:39:39,060 --> 00:39:40,700
and it still knows who you are.

902
00:39:40,700 --> 00:39:43,020
I think we could point to some events in the past

903
00:39:43,020 --> 00:39:47,540
where we hadn't necessarily been as focused on productivity,

904
00:39:47,540 --> 00:39:51,220
but we've had events where folks have had to go home

905
00:39:51,220 --> 00:39:52,460
and they weren't as productive,

906
00:39:52,460 --> 00:39:55,580
but lately, last year was almost too easy for us

907
00:39:55,580 --> 00:39:58,780
because folks went home and realized just how productive

908
00:39:58,780 --> 00:40:00,580
they could be without having to be in an office

909
00:40:00,580 --> 00:40:03,580
because of what we did to get us there, right?

910
00:40:03,580 --> 00:40:05,900
We had the ease of the VPN,

911
00:40:05,900 --> 00:40:09,700
we had the simple Windows Hello getting in,

912
00:40:09,700 --> 00:40:11,300
you had access because you were on a managed

913
00:40:11,300 --> 00:40:13,900
and healthy device, your identities,

914
00:40:13,900 --> 00:40:17,140
you didn't know, were being looked at and protected.

915
00:40:17,140 --> 00:40:20,540
We removed the requirements for resetting passwords,

916
00:40:20,540 --> 00:40:22,540
it's almost been two years now.

917
00:40:22,540 --> 00:40:25,700
You guys remember, we have to reset our passwords

918
00:40:25,700 --> 00:40:28,300
every 70 days, I think at one point,

919
00:40:28,300 --> 00:40:30,260
that now you don't have to reset your password

920
00:40:30,260 --> 00:40:33,220
and you probably, unless you're like me

921
00:40:33,220 --> 00:40:35,300
and you're using a non-Windows system from time to time,

922
00:40:35,300 --> 00:40:38,940
you probably don't even know what your password is anymore.

923
00:40:38,940 --> 00:40:40,780
So also making it simple for them to reset it

924
00:40:40,780 --> 00:40:41,820
if they had to.

925
00:40:41,820 --> 00:40:44,980
I think there's a lot there to ensure that.

926
00:40:44,980 --> 00:40:46,500
And I think the flip side of that too

927
00:40:46,500 --> 00:40:49,420
is have the listening systems in place, right?

928
00:40:49,420 --> 00:40:51,980
Make sure that you're listening to what the users are saying

929
00:40:51,980 --> 00:40:55,060
when they're complaining or not.

930
00:40:55,060 --> 00:40:57,060
Have those things in place to hear them

931
00:40:57,060 --> 00:40:59,300
and listen to them to say, okay,

932
00:40:59,300 --> 00:41:00,980
we're getting a lot of folks that are complaining

933
00:41:00,980 --> 00:41:03,500
about this new policy, what is it that we did

934
00:41:03,500 --> 00:41:04,740
that is making them complain?

935
00:41:04,740 --> 00:41:06,260
Okay, getting that understanding,

936
00:41:06,260 --> 00:41:08,180
okay, we pushed malware, anti-malware tools

937
00:41:08,180 --> 00:41:10,900
to a mobile device, okay, why are they upset?

938
00:41:10,900 --> 00:41:13,460
Okay, let's figure out how we fix that

939
00:41:13,460 --> 00:41:16,700
and then make it more clear why we're doing it.

940
00:41:16,700 --> 00:41:18,740
What are the reasons why we're putting this

941
00:41:18,740 --> 00:41:20,020
on your personal device?

942
00:41:20,020 --> 00:41:22,820
What is it that you're accepting by us doing it?

943
00:41:22,820 --> 00:41:25,700
Being very clear on what you can and can't do.

944
00:41:25,700 --> 00:41:28,860
Our terms of service we renew about every three to six months

945
00:41:28,860 --> 00:41:31,340
because we just want to ensure that every agreement

946
00:41:31,340 --> 00:41:34,300
we're making with our employees is accurate.

947
00:41:34,300 --> 00:41:35,980
Here are the things we're absolutely gonna do

948
00:41:35,980 --> 00:41:37,740
on your machine, here's the things we're absolutely not

949
00:41:37,740 --> 00:41:39,820
gonna do on your machine, here's the telemetry

950
00:41:39,820 --> 00:41:42,860
that we have access to, here's how we use it.

951
00:41:42,860 --> 00:41:44,500
Being very clear about those things too

952
00:41:44,500 --> 00:41:46,860
becomes part of that promise.

953
00:41:46,860 --> 00:41:49,300
And I think zero trust can always be taken the wrong way

954
00:41:49,300 --> 00:41:51,780
because folks think you don't trust me,

955
00:41:51,780 --> 00:41:53,700
but what we're trying to do is build that trust

956
00:41:53,700 --> 00:41:56,940
and know that they help them understand that in order

957
00:41:56,940 --> 00:41:58,700
to trust we have to verify, right?

958
00:41:58,700 --> 00:42:01,980
And I think that's where you have to get that balanced

959
00:42:01,980 --> 00:42:04,660
in order to make them understand both the productivity

960
00:42:04,660 --> 00:42:06,020
and the security side.

961
00:42:06,020 --> 00:42:11,020
So let's say a listener is new to zero trust.

962
00:42:11,580 --> 00:42:15,620
What now, how would you recommend that they get started

963
00:42:15,620 --> 00:42:17,580
because it's a big thing, right?

964
00:42:17,580 --> 00:42:20,660
So have you got any tips for where someone should start

965
00:42:20,660 --> 00:42:23,020
if it's new to them?

966
00:42:23,020 --> 00:42:24,340
Yeah, great question.

967
00:42:24,340 --> 00:42:26,460
And I think first off, one thing I'll say is

968
00:42:26,460 --> 00:42:28,620
it's not a short journey, it's a long journey.

969
00:42:28,620 --> 00:42:31,100
We've been on this road since before we called it zero trust

970
00:42:31,100 --> 00:42:32,540
for the six years I've been here

971
00:42:32,540 --> 00:42:33,360
and I think they started,

972
00:42:33,360 --> 00:42:34,540
they may have started the year before that.

973
00:42:34,540 --> 00:42:36,900
So, and not to scare people,

974
00:42:36,900 --> 00:42:38,620
I mean, we're a fairly large organization,

975
00:42:38,620 --> 00:42:42,540
but it takes time to get to where we are even in our state.

976
00:42:42,540 --> 00:42:46,020
So the first thing I would say is really just

977
00:42:46,020 --> 00:42:47,540
what is it that you're looking,

978
00:42:47,540 --> 00:42:48,900
what is it you're trying to do, right?

979
00:42:48,900 --> 00:42:51,100
And for us, what we always tell customers

980
00:42:51,100 --> 00:42:53,100
when we talk about it is collect telemetry

981
00:42:53,100 --> 00:42:55,080
and evaluate your risks and then set your goals.

982
00:42:55,080 --> 00:42:58,020
What is it the goal that you're trying to do?

983
00:42:58,020 --> 00:43:00,140
I think the easy button for starting this

984
00:43:00,140 --> 00:43:02,900
is really moving your identities to the cloud identities.

985
00:43:02,900 --> 00:43:05,340
So getting into Azure Active Directory

986
00:43:05,340 --> 00:43:09,540
and you could do that by migrating to Office 365.

987
00:43:09,540 --> 00:43:11,300
That's a great way, that's what we did.

988
00:43:11,300 --> 00:43:13,500
We started our migrations several years back

989
00:43:13,500 --> 00:43:15,500
and then got onto Azure Active Directory

990
00:43:15,500 --> 00:43:17,020
and then started from there.

991
00:43:17,020 --> 00:43:19,540
That and then just enabling MFA.

992
00:43:19,540 --> 00:43:21,100
I mean, if you wanted the simple button,

993
00:43:21,100 --> 00:43:23,540
that's your simple button as far as I'm concerned, right?

994
00:43:23,540 --> 00:43:25,740
That gets you into the zero trust story

995
00:43:25,740 --> 00:43:27,700
and then you can start making some additional decisions

996
00:43:27,700 --> 00:43:29,020
from there.

997
00:43:29,020 --> 00:43:31,820
Pick a hero app for us, it was Office 365.

998
00:43:31,820 --> 00:43:34,180
It could be a line of business application.

999
00:43:34,180 --> 00:43:36,380
It could be something just simple

1000
00:43:36,380 --> 00:43:39,500
that a lot of your users are using.

1001
00:43:39,500 --> 00:43:41,500
Or if you have a particular risk profile,

1002
00:43:41,500 --> 00:43:44,540
that an application that those users are using,

1003
00:43:44,540 --> 00:43:47,620
start with those and then set simple policies.

1004
00:43:47,620 --> 00:43:49,220
Don't overwhelm them.

1005
00:43:49,220 --> 00:43:52,620
For us, it's basically six things.

1006
00:43:52,620 --> 00:43:56,300
Are the devices up to date with their operating system patches?

1007
00:43:56,300 --> 00:43:58,260
Are they threat- and risk-free?

1008
00:43:58,260 --> 00:43:59,660
Are they encrypted?

1009
00:43:59,660 --> 00:44:02,060
Evaluating the integrity of the device?

1010
00:44:02,060 --> 00:44:05,020
If it's jailbroken, do they have secure boot enabled?

1011
00:44:05,020 --> 00:44:06,820
And then we do some app control things

1012
00:44:06,820 --> 00:44:08,780
where we may push an application to a device

1013
00:44:08,780 --> 00:44:11,260
or we may restrict an application from a device.

1014
00:44:11,260 --> 00:44:13,540
I think that's actually five things, not six.

1015
00:44:13,540 --> 00:44:15,100
But like I said, start simple.

1016
00:44:15,100 --> 00:44:19,940
Don't take the 8,000 group policies that we used to have

1017
00:44:19,940 --> 00:44:21,980
and try to force those onto a device and say,

1018
00:44:21,980 --> 00:44:23,980
you're healthy if you meet all 8,000 of these.

1019
00:44:23,980 --> 00:44:25,620
Because honestly, we probably don't even remember what

1020
00:44:25,620 --> 00:44:26,500
those 8,000 were.

1021
00:44:26,500 --> 00:44:29,420
And they're probably an overlap of about another 4,000.

1022
00:44:29,420 --> 00:44:32,420
I think that's how I would suggest.

1023
00:44:32,420 --> 00:44:33,460
Don't overthink it.

1024
00:44:33,460 --> 00:44:34,420
Start simple.

1025
00:44:34,420 --> 00:44:35,340
Start with telemetry.

1026
00:44:35,340 --> 00:44:36,620
Start understanding your risk.

1027
00:44:36,620 --> 00:44:39,380
Pick a hero app, onboard to AAD.

1028
00:44:39,380 --> 00:44:42,100
Start applying MFA where you can.

1029
00:44:42,100 --> 00:44:43,020
And once you do that,

1030
00:44:43,020 --> 00:44:45,820
you're actually a long way down the road.

1031
00:44:46,660 --> 00:44:49,940
We always ask our guests for their final thought.

1032
00:44:49,940 --> 00:44:52,020
If there's something that you want to leave our listeners

1033
00:44:52,020 --> 00:44:56,940
with a one piece of advice or a thought, what would it be?

1034
00:44:56,940 --> 00:44:58,780
Yeah, I think, again, I'll just reiterate it.

1035
00:44:58,780 --> 00:45:00,460
It's not a quick fix.

1036
00:45:00,460 --> 00:45:02,140
It's not an application you deploy.

1037
00:45:02,140 --> 00:45:05,020
It's not a button that you push for zero trust.

1038
00:45:05,020 --> 00:45:08,380
It's a journey and really everybody's journey is different.

1039
00:45:08,380 --> 00:45:09,940
Our journey is where we are

1040
00:45:09,940 --> 00:45:12,300
because we've been on this for a while.

1041
00:45:12,300 --> 00:45:14,180
If you're just starting out, it's your journey.

1042
00:45:14,180 --> 00:45:17,060
But again, understanding the risk in your environment,

1043
00:45:17,060 --> 00:45:20,540
understanding what it is you're really trying to protect,

1044
00:45:20,540 --> 00:45:23,020
starting simple and going from there.

1045
00:45:23,020 --> 00:45:24,980
I think that's the key.

1046
00:45:24,980 --> 00:45:27,100
Don't think this is just something you're gonna fix

1047
00:45:27,100 --> 00:45:28,580
overnight and go.

1048
00:45:28,580 --> 00:45:31,220
It's a journey and it takes pretty much everybody

1049
00:45:31,220 --> 00:45:33,300
to really kind of lean in and do it.

1050
00:45:33,300 --> 00:45:36,060
Whether it's your security teams, your leadership teams,

1051
00:45:36,060 --> 00:45:39,380
your employees, it's a journey for everybody.

1052
00:45:40,220 --> 00:45:43,420
Well, thanks ever so much for joining us, Carmichael.

1053
00:45:43,420 --> 00:45:45,300
He had to drop off at the end of this recording.

1054
00:45:45,300 --> 00:45:47,260
So I'm gonna wrap it up and say,

1055
00:45:47,260 --> 00:45:49,780
thanks everyone for listening, stay safe,

1056
00:45:49,780 --> 00:45:50,860
and we'll see you next time.

1057
00:45:50,860 --> 00:45:53,580
Thanks for listening to the Azure Security Podcast.

1058
00:45:53,580 --> 00:45:57,300
You can find show notes and other resources at our website,

1059
00:45:57,300 --> 00:45:59,460
azsecuritypodcast.net.

1060
00:46:00,380 --> 00:46:01,940
If you have any questions,

1061
00:46:01,940 --> 00:46:04,180
please find us on Twitter at @AzureSecPod.

1062
00:46:05,100 --> 00:46:08,060
Background music is from ccmixter.com

1063
00:46:08,060 --> 00:46:33,060
and licensed under the Creative Commons license.

