1 00:00:00,000 --> 00:00:06,200 Welcome to the Azure Security Podcast, 2 00:00:06,200 --> 00:00:09,360 where we discuss topics relating to security, privacy, 3 00:00:09,360 --> 00:00:13,680 reliability, and compliance on the Microsoft Cloud Platform. 4 00:00:14,160 --> 00:00:17,400 Hey everybody, welcome to Episode 43. 5 00:00:17,400 --> 00:00:18,900 This week we have everybody here. 6 00:00:18,900 --> 00:00:21,980 We have Sarah Gladys, Mark, and myself, Michael. 7 00:00:21,980 --> 00:00:23,600 We have a guest here this week, 8 00:00:23,600 --> 00:00:26,480 Liz Kim, who's here to talk to us about Azure Policy. 9 00:00:26,480 --> 00:00:28,600 But before we get to Liz, 10 00:00:28,600 --> 00:00:30,200 let's take a quick lap around the news. 11 00:00:30,200 --> 00:00:31,000 I'll kick things off. 12 00:00:31,000 --> 00:00:33,360 A couple of things caught my eye over the last couple of weeks. 13 00:00:33,360 --> 00:00:35,440 First one, it's interesting, 14 00:00:35,440 --> 00:00:37,400 it's in App Service and Azure Functions. 15 00:00:37,400 --> 00:00:39,960 They now have the ability to configure 16 00:00:39,960 --> 00:00:42,560 basically an arbitrary OpenID connector. 17 00:00:42,560 --> 00:00:45,000 Historically, you could only authenticate to say, 18 00:00:45,000 --> 00:00:46,720 Azure AD, Facebook, Google, or Twitter. 19 00:00:46,720 --> 00:00:48,560 Actually, I see now they've got Apple in there as well. 20 00:00:48,560 --> 00:00:49,720 It's interesting. 21 00:00:49,720 --> 00:00:51,840 But now you can essentially set up 22 00:00:51,840 --> 00:00:53,560 any OpenID connector you wish, 23 00:00:53,560 --> 00:00:55,200 which is really cool to see. 24 00:00:55,200 --> 00:00:57,160 It gives a lot of flexibility there. 25 00:00:57,160 --> 00:00:58,720 I've been doing a lot of work over the last few weeks, 26 00:00:58,720 --> 00:01:01,880 actually, in Azure Functions and OpenID Connect, 27 00:01:01,880 --> 00:01:03,320 and OAuth 2.0, 28 00:01:03,320 --> 00:01:05,120 getting right into the bowels of 29 00:01:05,120 --> 00:01:08,480 sort of spelunking OAuth 2.0 tokens. 30 00:01:08,480 --> 00:01:09,960 Definitely wouldn't recommend it. 31 00:01:09,960 --> 00:01:11,680 But anyway, it's great to see that we can now 32 00:01:11,680 --> 00:01:15,080 essentially configure any kind of OpenID connector. 33 00:01:15,080 --> 00:01:17,720 The other thing that I noticed is, 34 00:01:17,720 --> 00:01:19,960 I think I actually touched on this a few weeks ago, 35 00:01:19,960 --> 00:01:22,600 but we now have some new virtual machines 36 00:01:22,600 --> 00:01:25,400 that support confidential compute. 37 00:01:25,400 --> 00:01:27,520 These are called the Azure, you know, wait for it. 38 00:01:27,520 --> 00:01:32,560 They have the DCAS version 5 and the ECAS version 5. 39 00:01:32,560 --> 00:01:36,520 These support things like always encrypted memory. 40 00:01:36,520 --> 00:01:39,520 They support things like virtual TPMs, 41 00:01:39,520 --> 00:01:41,000 trusted platform module. 42 00:01:41,000 --> 00:01:44,440 They also support things like secure encrypted virtualization, 43 00:01:44,440 --> 00:01:46,320 secure nested paging. 44 00:01:46,320 --> 00:01:48,600 Try saying that one quickly a few times. 45 00:01:48,600 --> 00:01:49,960 But this is great to see. 46 00:01:49,960 --> 00:01:52,960 They're both AMD and Intel CPUs. 47 00:01:52,960 --> 00:01:53,960 So this is really great to see. 48 00:01:53,960 --> 00:01:56,680 Again, this is all about encryption of data in use, 49 00:01:56,680 --> 00:01:58,240 not just encryption of data at rest 50 00:01:58,240 --> 00:01:59,240 or encryption of data on the wire. 51 00:01:59,240 --> 00:02:02,960 So I'm a huge fan of the whole confidential compute initiative, 52 00:02:02,960 --> 00:02:06,200 and it's good to see that we have these new VMs. 53 00:02:06,200 --> 00:02:08,520 The last item I wanted to bring up in public preview, 54 00:02:08,520 --> 00:02:11,520 there is now an Azure Bastion native client. 55 00:02:11,520 --> 00:02:12,360 This is actually really cool. 56 00:02:12,360 --> 00:02:14,480 I've been sort of experimenting with it just recently, 57 00:02:14,480 --> 00:02:17,520 but you can basically connect to your target 58 00:02:17,520 --> 00:02:22,040 Azure virtual machines via Bastion from the Azure CLI, 59 00:02:22,040 --> 00:02:23,520 like from the command line. 60 00:02:23,520 --> 00:02:25,040 Like on a native client. 61 00:02:25,040 --> 00:02:27,200 So I'll just open up Windows Terminal, 62 00:02:27,200 --> 00:02:28,640 because I know everyone's using Windows Terminal. 63 00:02:28,640 --> 00:02:31,680 You've ditched command prompts and using Windows Terminal now. 64 00:02:31,680 --> 00:02:34,080 I can open up Terminal, connect to Azure 65 00:02:34,080 --> 00:02:35,200 with a safe connection, 66 00:02:35,200 --> 00:02:37,440 and I can go straight through Azure Bastion. 67 00:02:37,440 --> 00:02:38,560 This is really nice. 68 00:02:38,560 --> 00:02:40,560 You can also log into Azure Active Directory, 69 00:02:40,560 --> 00:02:44,720 join virtual machines using your AAD credentials. 70 00:02:44,720 --> 00:02:46,640 Okay, so let's see. 71 00:02:46,640 --> 00:02:49,040 What has caught my eye this time? 72 00:02:49,040 --> 00:02:50,400 Defender for Cloud, 73 00:02:50,400 --> 00:02:54,560 what the product previously formerly known as 74 00:02:54,560 --> 00:02:57,040 Azure Defender and Azure Security Center, 75 00:02:57,040 --> 00:03:00,400 there's a ton of GA updates, the name change. 76 00:03:00,400 --> 00:03:02,160 It's always nice to remind people of that. 77 00:03:02,160 --> 00:03:05,600 But really cool is the native CSPM, 78 00:03:05,600 --> 00:03:07,600 which is Cloud Security Posture Management, 79 00:03:07,600 --> 00:03:09,440 if you're not familiar with that acronym, 80 00:03:09,440 --> 00:03:13,120 for AWS and Threat Protection for Amazon EKS, 81 00:03:13,120 --> 00:03:15,040 which is their Kubernetes service, 82 00:03:15,040 --> 00:03:18,000 and EC2, which is their virtual machines. 83 00:03:18,000 --> 00:03:21,200 So now if you're using some AWS, 84 00:03:21,200 --> 00:03:23,040 but you've also got Defender for Cloud, 85 00:03:23,040 --> 00:03:25,920 then you can actually look at their posture management 86 00:03:25,920 --> 00:03:28,560 for those products, which is very cool. 87 00:03:28,560 --> 00:03:31,760 So you can do it across Azure and other clouds. 88 00:03:31,760 --> 00:03:34,480 We've also expanded the security control assessments 89 00:03:34,480 --> 00:03:37,600 with the Azure Security Benchmark version three. 90 00:03:38,320 --> 00:03:41,360 So if you're using Hygiene in Defender for Cloud, 91 00:03:41,360 --> 00:03:44,480 there's an update to the security benchmark. 92 00:03:44,480 --> 00:03:48,880 Also the Sentinel connector bi-directional alert synchronization. 93 00:03:49,440 --> 00:03:52,560 So basically if there's an alert raised in Defender for Cloud, 94 00:03:52,560 --> 00:03:54,560 it will also raise it in Sentinel for you 95 00:03:54,560 --> 00:03:56,080 and sync between the two. 96 00:03:56,080 --> 00:03:57,680 That's now GA. 97 00:03:57,680 --> 00:03:59,920 So for those of you who are waiting for it to go GA, 98 00:03:59,920 --> 00:04:00,560 it is there. 99 00:04:02,080 --> 00:04:04,880 We've also got new recommendations around AKS, 100 00:04:04,880 --> 00:04:06,400 the Azure Kubernetes service. 101 00:04:07,280 --> 00:04:09,760 Our recommendations have now been, 102 00:04:09,760 --> 00:04:12,720 the security recommendations are mapped to Mitre Attack Framework, 103 00:04:12,720 --> 00:04:13,680 that's gone GA. 104 00:04:13,680 --> 00:04:16,000 So a lot of GA things here as well. 105 00:04:16,000 --> 00:04:18,720 I'll link in the show notes because I'll just go on forever. 106 00:04:18,720 --> 00:04:20,400 There's a lot of things that have gone GA. 107 00:04:20,400 --> 00:04:23,680 So if you're one of those businesses that doesn't use things 108 00:04:23,680 --> 00:04:24,800 until they've gone GA, 109 00:04:24,800 --> 00:04:26,960 there's a lot of new things in Defender for Cloud. 110 00:04:27,680 --> 00:04:30,800 Next, I definitely mentioned this when it went public preview, 111 00:04:30,800 --> 00:04:32,480 but now it's GA again. 112 00:04:32,480 --> 00:04:35,120 So for those of you who are waiting for things to go GA, 113 00:04:35,120 --> 00:04:40,240 AKS, you can now create AKS clusters without local user accounts. 114 00:04:40,240 --> 00:04:44,480 So of course, local user accounts are generally not a good thing 115 00:04:44,480 --> 00:04:45,280 on anything. 116 00:04:45,840 --> 00:04:50,160 We want them to be synced up to a centralized identity provider. 117 00:04:50,880 --> 00:04:54,160 So now that is available in AKS. 118 00:04:54,160 --> 00:04:55,840 Going on to our public preview though, 119 00:04:56,400 --> 00:04:58,160 ExpressRoute Private Peering, 120 00:04:58,160 --> 00:05:00,960 which I am definitely going to struggle to say for the rest of this, 121 00:05:00,960 --> 00:05:05,120 is now supporting the use of BGP communities with virtual networks. 122 00:05:05,120 --> 00:05:08,720 So if you're using BGP communities, 123 00:05:08,720 --> 00:05:11,920 you can now actually get the ExpressRoute Private Peering 124 00:05:11,920 --> 00:05:16,000 to use that as well, which is very nice, 125 00:05:16,000 --> 00:05:18,000 particularly if you have a large environment. 126 00:05:18,000 --> 00:05:21,920 There's also GA for the centralized management of keys 127 00:05:21,920 --> 00:05:23,440 for encrypting Azure disks. 128 00:05:23,440 --> 00:05:27,200 So you can now manage Azure Key Vault centrally 129 00:05:27,200 --> 00:05:30,720 in a single subscription and the key stored in Key Vault 130 00:05:30,720 --> 00:05:33,360 to encrypt managed disks and snapshots 131 00:05:33,360 --> 00:05:36,080 and use those keys to encrypt managed disks and snapshots 132 00:05:36,080 --> 00:05:38,800 and other subscriptions in your organization, 133 00:05:38,800 --> 00:05:40,720 which is really nice because it means that, of course, 134 00:05:40,720 --> 00:05:43,600 you can centrally manage your security policy. 135 00:05:44,080 --> 00:05:45,120 Azure App Service, 136 00:05:45,120 --> 00:05:48,720 they've got now a diagnostic settings feature that's gone GA. 137 00:05:48,720 --> 00:05:51,120 So what that means is if you're using Azure App Service, 138 00:05:51,120 --> 00:05:54,960 the Azure diagnostic settings is now generally available. 139 00:05:54,960 --> 00:05:58,160 Diagnostic settings can be sent to log analytics, 140 00:05:58,160 --> 00:06:00,880 they can be sent to a storage account, 141 00:06:00,880 --> 00:06:04,400 and of course, it can be sent to Sentinel as well. 142 00:06:04,400 --> 00:06:07,440 So the kind of logs that are coming out of the Azure App Service 143 00:06:07,440 --> 00:06:11,600 are the App Service Console logs, App Service HTTP logs, 144 00:06:11,600 --> 00:06:14,000 App Service Environment Platform logs, 145 00:06:14,000 --> 00:06:17,600 Audit logs, File Audit logs, Service App logs, 146 00:06:17,600 --> 00:06:21,120 Service App IPsec audit logs, and Service Platform logs. 147 00:06:21,120 --> 00:06:23,920 So definitely get logging those somewhere 148 00:06:23,920 --> 00:06:27,360 because you should probably be logging them 149 00:06:27,360 --> 00:06:30,560 for operational and or security operations 150 00:06:30,560 --> 00:06:32,560 if you're using Azure App Service. 151 00:06:32,560 --> 00:06:35,280 And then Logic Apps, love a bit of Logic Apps. 152 00:06:35,280 --> 00:06:38,800 Of course, we've got the Fall or Autumn, 153 00:06:38,800 --> 00:06:43,200 I'm going to say Autumn 2021 release of Azure Logic Apps. 154 00:06:43,200 --> 00:06:45,280 So we're always building on the cool things 155 00:06:45,280 --> 00:06:46,320 you can do with Logic Apps. 156 00:06:46,320 --> 00:06:48,400 Of course, you can use it throughout, 157 00:06:48,400 --> 00:06:51,920 there's various different products that use Logic Apps, 158 00:06:51,920 --> 00:06:53,760 including my baby Sentinel. 159 00:06:53,760 --> 00:06:57,120 Some of the cool things we're doing is that you can now use 160 00:06:57,120 --> 00:07:00,800 SQL as a storage provider rather than just a storage account. 161 00:07:00,800 --> 00:07:02,800 We're also having more things within Logic Apps 162 00:07:02,800 --> 00:07:05,600 support managed identity rather than having to use 163 00:07:05,600 --> 00:07:07,600 a specific user account. 164 00:07:07,600 --> 00:07:12,240 And we're also making the Logic Apps designer better. 165 00:07:12,240 --> 00:07:14,640 It's getting a major refresh. 166 00:07:14,640 --> 00:07:17,040 And we're also having some more plans. 167 00:07:17,040 --> 00:07:19,760 So there is a consumption plan and a standard plan, 168 00:07:19,760 --> 00:07:21,760 and you're going to be able to export between the two, 169 00:07:21,760 --> 00:07:24,640 which is something you couldn't previously do. 170 00:07:24,640 --> 00:07:28,400 So definitely go and check out the new things in Logic Apps 171 00:07:28,400 --> 00:07:30,880 if it's something you use. 172 00:07:30,880 --> 00:07:33,520 And then finally, of course, we will move on to my baby, 173 00:07:33,520 --> 00:07:35,040 which is Sentinel. 174 00:07:35,040 --> 00:07:36,640 A couple of things that's worth highlighting, 175 00:07:36,640 --> 00:07:39,920 of course, lots of things were announced at Ignite last month. 176 00:07:39,920 --> 00:07:42,480 But a couple of things I wanted to highlight is you can now 177 00:07:42,480 --> 00:07:45,680 ingest GitHub logs into your Sentinel workspace. 178 00:07:45,680 --> 00:07:51,040 So if you're using GitHub and you want to do threat monitoring 179 00:07:51,040 --> 00:07:53,520 on it, as you should, if you are using it, 180 00:07:53,520 --> 00:07:56,480 we've now got a native solution to be able to do that. 181 00:07:56,480 --> 00:07:59,200 And the other thing that's gone public preview is that is 182 00:07:59,200 --> 00:08:02,400 definitely worth mentioning because it's very, very popular, 183 00:08:02,400 --> 00:08:06,400 is the Amazon Web Services S3 connector. 184 00:08:06,400 --> 00:08:10,560 So if you've got logs going into S3, into your AWS S3 bucket, 185 00:08:10,560 --> 00:08:13,440 we now have a connector that can pick them up off there. 186 00:08:13,440 --> 00:08:18,240 So we can bring in VPC flow logs, guard duty, and cloud trail. 187 00:08:18,240 --> 00:08:20,960 Now, we do have, and we have had for some time, 188 00:08:20,960 --> 00:08:25,120 a different AWS cloud trail connector that just uses the 189 00:08:25,120 --> 00:08:27,120 API coming from AWS. 190 00:08:27,120 --> 00:08:30,720 But I know I've worked with customers who that connector 191 00:08:30,720 --> 00:08:31,920 doesn't work for them. 192 00:08:31,920 --> 00:08:35,520 Sometimes there are limits on the AWS cloud trail API 193 00:08:35,520 --> 00:08:38,240 that is a limitation on the AWS side. 194 00:08:38,240 --> 00:08:41,680 And sometimes we've had customers that can't get all the logs 195 00:08:41,680 --> 00:08:45,120 out properly because they just generate too many cloud trail 196 00:08:45,120 --> 00:08:45,600 logs. 197 00:08:45,600 --> 00:08:48,800 So it's really great now because we completely bypass that API 198 00:08:48,800 --> 00:08:50,320 with this new connector. 199 00:08:50,320 --> 00:08:52,640 I know a lot of customers have been waiting for it. 200 00:08:52,640 --> 00:08:55,200 So go and have a look. 201 00:08:55,200 --> 00:08:57,600 And then the last thing, which is there's actually 202 00:08:57,600 --> 00:09:00,000 some more sensual things, but this is what I know that a lot 203 00:09:00,000 --> 00:09:01,600 of people were asking for. 204 00:09:01,600 --> 00:09:05,760 We now have our Windows forwarded events connector. 205 00:09:05,760 --> 00:09:09,120 Now, it did have a different iteration a while back, 206 00:09:09,120 --> 00:09:11,600 but now our Windows event collection and Windows event 207 00:09:11,600 --> 00:09:14,640 forwarding is all supported through this new data connector. 208 00:09:14,640 --> 00:09:18,000 You also have to use the Azure Monitor agent, the AMA, 209 00:09:18,000 --> 00:09:19,200 in order to do this. 210 00:09:19,200 --> 00:09:21,600 But I know a lot of customers who are not familiar with 211 00:09:21,600 --> 00:09:24,480 Windows, a lot of customers wanted us to be able to support 212 00:09:24,480 --> 00:09:26,720 Windows event forwarding because they'd already got that 213 00:09:26,720 --> 00:09:30,000 solution set up and then it was better than having to 214 00:09:30,000 --> 00:09:31,760 install an agent everywhere. 215 00:09:31,760 --> 00:09:33,280 So it is now here. 216 00:09:33,280 --> 00:09:34,400 So go check that out. 217 00:09:34,400 --> 00:09:37,120 It is still public preview, but I know a lot of folks are 218 00:09:37,120 --> 00:09:40,160 waiting for it because a lot of you already have Windows 219 00:09:40,160 --> 00:09:42,800 web stuff and web infrastructure. 220 00:09:42,800 --> 00:09:45,360 So now you can go and do that. 221 00:09:45,360 --> 00:09:48,560 And that was a very big news chunk from me. 222 00:09:48,560 --> 00:09:49,520 That's the best that look. 223 00:09:49,520 --> 00:09:51,040 That's the longest news you've ever had. 224 00:09:51,040 --> 00:09:53,200 I think it's the longest news anyone's ever had. 225 00:09:53,200 --> 00:09:53,760 I know. 226 00:09:53,760 --> 00:09:57,600 I just wanted so much news before Christmas. 227 00:09:57,600 --> 00:09:59,120 Yeah, so I'll go quick. 228 00:09:59,120 --> 00:10:01,440 So yeah, the one thing I just want to highlight sort of as a 229 00:10:01,440 --> 00:10:05,360 meta point within a lot of Sarah's news, like I love that 230 00:10:05,360 --> 00:10:08,960 we're GA-ing features that are, you know, have both, you know, 231 00:10:08,960 --> 00:10:12,960 Azure and AWS support like the Defender for Kubernetes stuff 232 00:10:12,960 --> 00:10:13,840 right out the gate. 233 00:10:13,840 --> 00:10:15,200 I think that's awesome. 234 00:10:15,200 --> 00:10:18,320 And it really reflects, you know, how Microsoft is really 235 00:10:18,320 --> 00:10:21,040 supporting what customers are running, which is multi-cloud. 236 00:10:21,040 --> 00:10:23,920 The big thing on my side is something that I'm working on. 237 00:10:23,920 --> 00:10:26,960 It's, it may be released by the time you hear this podcast, 238 00:10:26,960 --> 00:10:30,000 really trying to get it out in the next few days within 239 00:10:30,000 --> 00:10:33,200 recording this, the new cyber reference architecture with 240 00:10:33,200 --> 00:10:37,040 the updated product names and a few fun little surprises on 241 00:10:37,040 --> 00:10:39,200 some sequences that we added there. 242 00:10:39,200 --> 00:10:40,880 We'll be coming out very shortly. 243 00:10:40,880 --> 00:10:44,880 And so definitely check that out, the AKMS slash MCRA. 244 00:10:44,880 --> 00:10:47,920 Let's try saying that 12 times fast. 245 00:10:47,920 --> 00:10:51,920 And so that is coming very soon and possibly out by the time 246 00:10:51,920 --> 00:10:52,640 you hear me. 247 00:10:52,640 --> 00:10:58,000 I'm so glad that Sarah and Michael and even Mark provided 248 00:10:58,000 --> 00:11:01,200 so much information because I just came back from vacation 249 00:11:01,200 --> 00:11:03,760 and I forgot everything that I knew before. 250 00:11:03,760 --> 00:11:07,440 But this week I've been working heavily with Defender for 251 00:11:07,440 --> 00:11:08,240 Identity. 252 00:11:08,240 --> 00:11:12,400 I found out that soon we will have automation for incident 253 00:11:12,400 --> 00:11:15,440 response going in public preview. 254 00:11:15,440 --> 00:11:20,080 Although the changes will not take effect immediately, 255 00:11:20,080 --> 00:11:25,200 there's research going on for changes that this automation 256 00:11:25,200 --> 00:11:27,440 will provide to speed up. 257 00:11:27,440 --> 00:11:31,520 For example, if the automation wants to disable a user or 258 00:11:31,520 --> 00:11:35,520 reset a password or perform some other type of task. 259 00:11:35,520 --> 00:11:41,200 An option if the analysts do not want to wait for the changes 260 00:11:41,200 --> 00:11:46,480 to take effect is to use Azure AD Identity Protection, 261 00:11:46,480 --> 00:11:51,840 which opens seeing certain risks such as anonymous IP 262 00:11:51,840 --> 00:11:55,920 address that use a typical travel on familiar signing 263 00:11:55,920 --> 00:11:59,920 like credentials or credentials being found to be 264 00:11:59,920 --> 00:12:01,760 sold on the dark web. 265 00:12:01,760 --> 00:12:06,800 Password spray or others, then certain actions will take 266 00:12:06,800 --> 00:12:12,080 place such as prompting for Azure AD MFA or resetting the 267 00:12:12,080 --> 00:12:13,280 password itself. 268 00:12:13,280 --> 00:12:17,360 The one thing for this is that you need Azure AD Identity 269 00:12:17,360 --> 00:12:22,000 Protection, which is part of Azure ADP2 license. 270 00:12:22,000 --> 00:12:25,600 In addition, you could consider using a conditional access 271 00:12:25,600 --> 00:12:27,440 continuum access evaluation. 272 00:12:27,440 --> 00:12:31,440 So, open seeing certain risks, you could trigger 273 00:12:31,440 --> 00:12:36,080 re-verification of the session and this will happen whether 274 00:12:36,080 --> 00:12:42,080 the user just signed in like 10 minutes ago or it ended 275 00:12:42,080 --> 00:12:46,240 during those 10 minutes, the health of that session has 276 00:12:46,240 --> 00:12:46,640 changed. 277 00:12:46,640 --> 00:12:50,960 So, please take a look about those automation that 278 00:12:50,960 --> 00:12:54,960 Defender for Identity will be providing soon. 279 00:12:54,960 --> 00:12:58,720 I think I heard that they're turning them on by the end 280 00:12:58,720 --> 00:12:59,600 of the year. 281 00:12:59,600 --> 00:13:03,360 In talking about signing risks, we're adding new 282 00:13:03,360 --> 00:13:07,920 proactive detections to stay ahead of both common and 283 00:13:07,920 --> 00:13:09,520 emerging attacks vectors. 284 00:13:10,400 --> 00:13:13,440 As mentioned earlier, we checked on anonymous IP, 285 00:13:13,440 --> 00:13:17,520 others are typical travel and so on, but now we are adding 286 00:13:17,520 --> 00:13:20,960 detection for anomalous talking, talking issues 287 00:13:20,960 --> 00:13:25,440 anomaly on familiar signing properties for session 288 00:13:25,440 --> 00:13:26,880 cookies and others. 289 00:13:26,880 --> 00:13:30,800 Basically, we are trying to address talking related 290 00:13:30,800 --> 00:13:35,520 attacks like the ones observed with solar winds. 291 00:13:36,320 --> 00:13:40,480 And finally, I wanted to briefly talk about OT and IoT. 292 00:13:41,280 --> 00:13:44,960 Microsoft recently announced a partnership with CoreLight, 293 00:13:45,680 --> 00:13:50,560 which is one of the industry open network detections and 294 00:13:50,560 --> 00:13:55,200 response platform for IoT to integrate with Defender for 295 00:13:55,200 --> 00:13:55,760 IoT. 296 00:13:56,960 --> 00:13:59,440 The reason that I wanted to focus on that is that 297 00:13:59,440 --> 00:14:05,360 one of the problems with IoT industry or many vendors is 298 00:14:05,360 --> 00:14:07,840 that they have close network solution. 299 00:14:08,880 --> 00:14:13,360 So, in order to have and to incorporate for OT and IoT 300 00:14:13,360 --> 00:14:19,120 devices, sometimes you must buy just the full platform of 301 00:14:19,120 --> 00:14:20,320 those vendors. 302 00:14:20,320 --> 00:14:23,600 Well, Microsoft with the partnerships that are 303 00:14:23,600 --> 00:14:28,640 is doing with CoreLight, now not only can provide 304 00:14:28,640 --> 00:14:33,520 detection of IoT devices through the network 305 00:14:33,520 --> 00:14:38,080 sensor, but also now it can get information from 306 00:14:38,080 --> 00:14:39,920 partners like CoreLight. 307 00:14:39,920 --> 00:14:43,520 In addition, for those of you that are not aware, 308 00:14:43,520 --> 00:14:48,240 Defender for Endpoint also monitors and reports on any 309 00:14:48,240 --> 00:14:49,840 OT IoT devices. 310 00:14:49,840 --> 00:14:55,200 So, we're trying to provide a full coverage that not only 311 00:14:55,200 --> 00:15:00,160 enables OT IoT, but also then there could be correlation 312 00:15:00,160 --> 00:15:05,200 between IT and reduced blind spot that attacker may 313 00:15:05,200 --> 00:15:07,760 take advantage when trying to jump from one 314 00:15:07,760 --> 00:15:08,960 environment to another. 315 00:15:09,840 --> 00:15:11,600 Yeah, this is the longest news section I think we've 316 00:15:11,600 --> 00:15:11,920 ever had. 317 00:15:12,400 --> 00:15:15,040 We're running at almost 20 minutes as long as we've 318 00:15:15,040 --> 00:15:15,520 ever had. 319 00:15:16,160 --> 00:15:17,760 So, now they got that out of the way. 320 00:15:17,760 --> 00:15:18,800 Let's introduce our guest. 321 00:15:18,800 --> 00:15:21,840 This week we have Liz Kim, who is here to talk to us 322 00:15:21,840 --> 00:15:23,040 about Azure Policy. 323 00:15:23,040 --> 00:15:24,640 So, Liz, thank you so much for joining us on the 324 00:15:24,640 --> 00:15:25,440 podcast. 325 00:15:25,440 --> 00:15:27,680 We'd like to spend a moment to introduce yourself to 326 00:15:27,680 --> 00:15:28,160 our listeners. 327 00:15:28,640 --> 00:15:30,320 Thank you for including me here. 328 00:15:30,320 --> 00:15:31,520 I'm so excited to be here. 329 00:15:32,160 --> 00:15:33,120 I'm Liz. 330 00:15:33,120 --> 00:15:35,760 I'm a program manager on the Azure Control Plane 331 00:15:35,760 --> 00:15:36,560 team. 332 00:15:36,560 --> 00:15:39,440 The Control Plane team essentially has ARM and 333 00:15:39,440 --> 00:15:42,000 all the governance services like Azure Policy, 334 00:15:42,000 --> 00:15:44,720 Azure Resource Graph, Management, GRIPS, Change 335 00:15:44,720 --> 00:15:47,440 History, Tags, those number of things. 336 00:15:48,240 --> 00:15:51,600 I'm responsible for the Azure Policy product. 337 00:15:51,600 --> 00:15:54,880 I've been driving it since the very beginning of the 338 00:15:55,440 --> 00:15:56,320 launch. 339 00:15:56,320 --> 00:15:59,760 We launched it as a public preview about four years of 340 00:15:59,760 --> 00:16:02,640 I think we're right on the four year mark since our 341 00:16:02,640 --> 00:16:02,960 launch. 342 00:16:03,680 --> 00:16:07,120 And I've been with Microsoft for eight and a half 343 00:16:07,120 --> 00:16:07,520 years. 344 00:16:07,520 --> 00:16:11,200 So, before Azure Policy, I worked on Azure Log Analytics 345 00:16:11,200 --> 00:16:13,360 and before then I was on a system center. 346 00:16:14,080 --> 00:16:14,800 Very nice. 347 00:16:14,800 --> 00:16:16,960 So, I'm going to be brutally honest before we get 348 00:16:16,960 --> 00:16:18,160 stuck into this. 349 00:16:18,160 --> 00:16:20,400 I'm a huge Azure Policy nerd. 350 00:16:20,400 --> 00:16:24,960 And this podcast may actually devolve into just a 351 00:16:24,960 --> 00:16:27,120 Liz and Michael discussion. 352 00:16:27,120 --> 00:16:29,440 So, unless someone else pipes up with questions, 353 00:16:29,440 --> 00:16:30,560 I'm just going to keep on going. 354 00:16:30,560 --> 00:16:32,960 I'm a huge Azure Policy fan. 355 00:16:32,960 --> 00:16:35,280 I just adore the... 356 00:16:35,280 --> 00:16:36,560 I just think it's fantastic. 357 00:16:36,560 --> 00:16:38,320 I mean, from a governance perspective, the fact that 358 00:16:38,320 --> 00:16:40,160 I can put really strict rules in place. 359 00:16:40,160 --> 00:16:42,160 I mean, one of my favorite rules by far is 360 00:16:43,040 --> 00:16:46,800 preventing, say for example, people spinning up 361 00:16:46,800 --> 00:16:50,000 resources in regions that they don't want to 362 00:16:50,000 --> 00:16:51,200 spin resources up. 363 00:16:51,200 --> 00:16:53,680 So, if you're in East US 2 and West US and you 364 00:16:53,680 --> 00:16:55,120 don't want someone accidentally spinning up a 365 00:16:55,120 --> 00:16:59,040 resource in say Germany, then you can put policy 366 00:16:59,040 --> 00:17:00,080 in place to restrict that. 367 00:17:00,080 --> 00:17:01,760 But while... 368 00:17:01,760 --> 00:17:04,800 So, anyway, the point is, I'm just a huge nerd 369 00:17:04,800 --> 00:17:05,760 when it comes to policy. 370 00:17:05,760 --> 00:17:07,360 I'm just a huge, huge fan. 371 00:17:07,920 --> 00:17:09,600 So, let's just start things off with the most 372 00:17:09,600 --> 00:17:11,600 simple thing because I think people need to 373 00:17:11,600 --> 00:17:12,720 understand exactly what policy is. 374 00:17:12,720 --> 00:17:13,840 And it's actually interesting when I speak to a 375 00:17:13,840 --> 00:17:14,560 lot of customers. 376 00:17:14,560 --> 00:17:16,000 It's interesting how many customers don't even 377 00:17:16,000 --> 00:17:16,960 know policy exists. 378 00:17:17,760 --> 00:17:19,840 That being said, I've also come across some 379 00:17:19,840 --> 00:17:21,840 customers who actually have had... 380 00:17:21,840 --> 00:17:22,640 I'll be honest with you. 381 00:17:23,520 --> 00:17:25,280 Let's just say an interesting experience with 382 00:17:25,280 --> 00:17:25,600 policy. 383 00:17:25,600 --> 00:17:28,560 And 99 times out of 100 is because they're 384 00:17:28,560 --> 00:17:29,360 doing it wrong. 385 00:17:29,360 --> 00:17:31,040 So, I'd like to sort of address some of those 386 00:17:31,040 --> 00:17:32,960 issues if we can as we move through the podcast. 387 00:17:33,600 --> 00:17:35,600 So, let's just start off with the absolute most 388 00:17:35,600 --> 00:17:36,560 basic of questions. 389 00:17:36,560 --> 00:17:39,120 And what on earth is Azure policy? 390 00:17:39,120 --> 00:17:40,560 And when would you use it? 391 00:17:41,120 --> 00:17:44,960 So, Azure policy is essentially about 392 00:17:44,960 --> 00:17:47,840 controlling your resource configurations 393 00:17:47,840 --> 00:17:51,040 and assessing the compliance results at scale. 394 00:17:51,920 --> 00:17:55,680 You would be able to block resources that are 395 00:17:55,680 --> 00:17:58,800 non-compliant or auto-remediate these resources 396 00:17:58,800 --> 00:18:01,200 and then also get a compliance assessment 397 00:18:01,840 --> 00:18:04,720 of all your existing resources on whether 398 00:18:04,720 --> 00:18:07,280 they're compliant or non-compliant against 399 00:18:07,280 --> 00:18:11,840 each of the policy that you have applied 400 00:18:11,840 --> 00:18:13,280 on your Azure environment. 401 00:18:13,840 --> 00:18:15,680 I said resource configurations earlier, 402 00:18:15,680 --> 00:18:18,240 but we are also expanding on controlling the 403 00:18:18,800 --> 00:18:20,480 resource operations as well. 404 00:18:20,480 --> 00:18:23,040 And so, in the future, we would be able to 405 00:18:23,040 --> 00:18:26,240 control the operations that you do such as 406 00:18:26,240 --> 00:18:29,680 delete or move operations at scale as well. 407 00:18:30,320 --> 00:18:33,360 Liz, can you explain some of the common use cases? 408 00:18:34,080 --> 00:18:34,960 Yeah, absolutely. 409 00:18:34,960 --> 00:18:37,920 So, for any customers who are exploring with 410 00:18:37,920 --> 00:18:41,360 Azure policy, generally I recommend on them 411 00:18:41,360 --> 00:18:44,320 exploring the built-in initiatives that we 412 00:18:44,320 --> 00:18:45,280 have today. 413 00:18:45,280 --> 00:18:47,520 And by built-in initiative, what we mean is that 414 00:18:48,400 --> 00:18:51,200 on day zero, when you go to Azure policy experience, 415 00:18:51,200 --> 00:18:54,560 we actually have a lot of policies already in there 416 00:18:54,560 --> 00:18:56,400 for you to easily get started with. 417 00:18:57,120 --> 00:18:59,120 And so, examples of the things that we have in 418 00:18:59,120 --> 00:19:02,240 there, for example, would be we have one for you to 419 00:19:03,520 --> 00:19:07,040 enable all of the monitoring agent across your 420 00:19:07,040 --> 00:19:08,880 VM and VMSS. 421 00:19:09,760 --> 00:19:14,640 Or we also have one for NIST 800 regulatory 422 00:19:14,640 --> 00:19:18,960 compliance requirements to evaluate not all, 423 00:19:18,960 --> 00:19:22,320 but a subset of the controls that are required 424 00:19:22,320 --> 00:19:25,600 for NIST, as well as for things like, 425 00:19:26,320 --> 00:19:30,560 you might want to control your VM skews for your 426 00:19:30,560 --> 00:19:32,560 non-production environment. 427 00:19:32,560 --> 00:19:33,280 That's our deal. 428 00:19:33,280 --> 00:19:36,240 So, a best way for you to really explore the 429 00:19:37,040 --> 00:19:39,200 explore policy would be through the built-in 430 00:19:39,200 --> 00:19:39,840 initiatives. 431 00:19:40,720 --> 00:19:43,520 And lastly, I think tags is also a common 432 00:19:43,520 --> 00:19:46,560 use as well to make sure that you have the right 433 00:19:46,560 --> 00:19:47,680 tags applied. 434 00:19:47,680 --> 00:19:51,120 You can also use it to automatically inherit 435 00:19:51,120 --> 00:19:53,760 your tags from the resource group or from the 436 00:19:53,760 --> 00:19:54,960 subscription. 437 00:19:55,760 --> 00:19:59,520 And so, you could also use policy to make sure that 438 00:19:59,520 --> 00:20:00,640 those tags are in place. 439 00:20:01,440 --> 00:20:04,720 Can you just give us a quick overview of perhaps 440 00:20:04,720 --> 00:20:06,640 one of the initiatives, one of the example 441 00:20:06,640 --> 00:20:07,760 initiatives that you have? 442 00:20:07,760 --> 00:20:09,280 I'm going to be honest with you, when I've sort of 443 00:20:09,280 --> 00:20:11,520 worked with customers, most of the time we've just 444 00:20:11,520 --> 00:20:14,400 gone straight in and just start deploying policy. 445 00:20:14,400 --> 00:20:16,640 I mean, I planned it out a little bit, but I know 446 00:20:16,640 --> 00:20:19,200 some customers who have used the initiatives, 447 00:20:19,200 --> 00:20:20,640 but I actually haven't. 448 00:20:20,640 --> 00:20:22,160 So, can you give us an example of what one of 449 00:20:22,160 --> 00:20:22,960 these things might look like? 450 00:20:23,600 --> 00:20:26,000 Yeah, so initiative, actually, let me define an 451 00:20:26,000 --> 00:20:26,720 initiative first. 452 00:20:27,600 --> 00:20:30,640 Initiative is just a grouping of policies. 453 00:20:31,280 --> 00:20:35,200 A policy controls a specific configuration zone 454 00:20:35,200 --> 00:20:37,760 given a resource, and then you can group it for 455 00:20:37,760 --> 00:20:43,520 enabling it for a bigger effort going on. 456 00:20:43,520 --> 00:20:46,880 And so, an example of an initiative might be 457 00:20:47,520 --> 00:20:50,560 there's one before making sure that you have all of 458 00:20:50,560 --> 00:20:54,240 the monitoring related agents enabled. 459 00:20:54,240 --> 00:20:57,760 And so, that essentially consists of a number of 460 00:20:57,760 --> 00:21:00,880 policies to make sure that you have the MA agent 461 00:21:00,880 --> 00:21:06,400 on your VM and your VMSS dependency agent, 462 00:21:06,400 --> 00:21:08,400 making sure that you cover both Windows and 463 00:21:08,400 --> 00:21:10,400 Linux VMs, that's what I'll be able to do. 464 00:21:10,400 --> 00:21:12,400 So, that could be an example of an initiative. 465 00:21:12,400 --> 00:21:15,920 Another initiative that we have is, for example, 466 00:21:15,920 --> 00:21:18,400 the Azure Security Benchmark Initiative as well, 467 00:21:18,400 --> 00:21:21,520 that covers all the security related policies 468 00:21:21,520 --> 00:21:23,120 in that initiative as well. 469 00:21:23,120 --> 00:21:24,560 That's nice, didn't know about that. 470 00:21:24,560 --> 00:21:25,680 Hey, Mike, did you know about that? 471 00:21:25,680 --> 00:21:27,120 Do you know that there's an initiative for the 472 00:21:27,120 --> 00:21:29,120 Azure Security Benchmark? 473 00:21:29,120 --> 00:21:32,400 Is that the one that's associated with almost an 474 00:21:32,400 --> 00:21:34,720 Azure Security Center with Defender for Cloud? 475 00:21:34,720 --> 00:21:36,720 Yeah, exactly. 476 00:21:36,720 --> 00:21:38,720 So, if customers are on Azure Defender, 477 00:21:38,720 --> 00:21:40,720 it's actually already assigned on the 478 00:21:40,720 --> 00:21:42,720 customer's environment. 479 00:21:42,720 --> 00:21:44,720 We went through a migration from the Security 480 00:21:44,720 --> 00:21:46,720 Center Initiative to the Security Benchmark 481 00:21:46,720 --> 00:21:48,720 Initiative. 482 00:21:48,720 --> 00:21:50,720 So, it's already assigned to most of the 483 00:21:50,720 --> 00:21:52,720 customer environments. 484 00:21:52,720 --> 00:21:54,720 Yeah, it's good to know. 485 00:21:54,720 --> 00:21:56,720 I did not know that, but it's actually really good 486 00:21:56,720 --> 00:21:58,720 All right, let's get into some real nitty-gritty 487 00:21:58,720 --> 00:22:00,720 So, I mentioned before that there are a bunch 488 00:22:00,720 --> 00:22:02,720 of customers on policy and look, I'm going to be, 489 00:22:02,720 --> 00:22:04,720 I'm going to be upfront. 490 00:22:04,720 --> 00:22:06,720 I mean, it's been a bit of a mixed bag. 491 00:22:06,720 --> 00:22:08,720 And the reason is 99 times over 100, if it's a mixed 492 00:22:08,720 --> 00:22:10,720 bag is because some things are not being planned 493 00:22:10,720 --> 00:22:12,720 very well or people don't necessarily understand 494 00:22:12,720 --> 00:22:14,720 the implications of what they're doing and then 495 00:22:14,720 --> 00:22:16,720 things start to break. 496 00:22:16,720 --> 00:22:18,720 And a lot of it boils down to two, from my 497 00:22:18,720 --> 00:22:20,720 perspective anyway, if there's more to this, 498 00:22:20,720 --> 00:22:22,720 please let me know. 499 00:22:22,720 --> 00:22:24,720 There's two aspects to this. 500 00:22:24,720 --> 00:22:26,720 One is at what level in the hierarchy is an 501 00:22:26,720 --> 00:22:28,720 appropriate place to deploy policy? 502 00:22:28,720 --> 00:22:30,720 That's number one. 503 00:22:30,720 --> 00:22:32,720 The way I look at it, there's two aspects, right? 504 00:22:32,720 --> 00:22:34,720 You can deploy it really, really high up, say, 505 00:22:34,720 --> 00:22:36,720 you know, a subscription or management group 506 00:22:36,720 --> 00:22:38,720 or something. 507 00:22:38,720 --> 00:22:40,720 And that gives you like a single point of management 508 00:22:40,720 --> 00:22:42,720 or fewer points of management. 509 00:22:42,720 --> 00:22:44,720 The downside is you're going to push policy down 510 00:22:44,720 --> 00:22:46,720 to things where policy might not be applicable. 511 00:22:46,720 --> 00:22:48,720 I've always said to customers, there's really, 512 00:22:48,720 --> 00:22:50,720 in my opinion, there's like two sets of lower 513 00:22:50,720 --> 00:22:52,720 case P policies, some that are good ideas 514 00:22:52,720 --> 00:22:54,720 and some that you're willing to die on the 515 00:22:54,720 --> 00:22:56,720 hill for. 516 00:22:56,720 --> 00:22:58,720 In other words, some things that you're really 517 00:22:58,720 --> 00:23:00,720 willing to do, for example, restricting 518 00:23:00,720 --> 00:23:02,720 to specific regions, right? 519 00:23:02,720 --> 00:23:04,720 We're going to deploy this thing in, 520 00:23:04,720 --> 00:23:06,720 I don't know, let's just say, you know, 521 00:23:06,720 --> 00:23:08,720 ECUS 2 and US West 2. 522 00:23:08,720 --> 00:23:10,720 And that's it. 523 00:23:10,720 --> 00:23:12,720 We don't want to push it anywhere else in 524 00:23:12,720 --> 00:23:14,720 case of sovereignty issues. 525 00:23:14,720 --> 00:23:16,720 That is one I'm willing to die on the hill 526 00:23:16,720 --> 00:23:18,720 for. 527 00:23:18,720 --> 00:23:20,720 But some may not be so overly 528 00:23:20,720 --> 00:23:22,720 energetic about and they may affect 529 00:23:22,720 --> 00:23:24,720 some particular applications. 530 00:23:24,720 --> 00:23:26,720 So again, you can have it really, really high, 531 00:23:26,720 --> 00:23:28,720 you have to do absolutely everything underneath it 532 00:23:28,720 --> 00:23:30,720 and run the risk of potentially breaking things. 533 00:23:30,720 --> 00:23:32,720 Let's be honest, depending on what you're doing. 534 00:23:32,720 --> 00:23:34,720 The other option is to push it far down, 535 00:23:34,720 --> 00:23:36,720 like to resource groups or even individual 536 00:23:36,720 --> 00:23:38,720 resources. 537 00:23:38,720 --> 00:23:40,720 But now you've got a management's explosion, right? 538 00:23:40,720 --> 00:23:42,720 Because now you've got all these things to manage 539 00:23:42,720 --> 00:23:44,720 and who can manage them and what sort of roles 540 00:23:44,720 --> 00:23:46,720 do those people have? 541 00:23:46,720 --> 00:23:48,720 So it's this trade-off you've got to make. 542 00:23:48,720 --> 00:23:50,720 And a lot of it also boils down to the other sort 543 00:23:50,720 --> 00:23:52,720 of axis, which is the action, right? 544 00:23:52,720 --> 00:23:54,720 So there's different actions that you can perform 545 00:23:54,720 --> 00:23:56,720 and probably the two that most people think about 546 00:23:56,720 --> 00:23:58,720 are the audit action, which is basically 547 00:23:58,720 --> 00:24:00,720 don't block it, but just say, hey, 548 00:24:00,720 --> 00:24:02,720 this event happened and it would, you know, 549 00:24:02,720 --> 00:24:04,720 it violates policy. And then the other one is deny. 550 00:24:04,720 --> 00:24:06,720 And at that point, you're blocking 551 00:24:06,720 --> 00:24:08,720 something and that's what can cause, 552 00:24:08,720 --> 00:24:10,720 you know, from my perspective anyway, 553 00:24:10,720 --> 00:24:12,720 the combination of pushing a policy really high 554 00:24:12,720 --> 00:24:14,720 and then pushing deny all the way 555 00:24:14,720 --> 00:24:16,720 down through all the subscriptions. 556 00:24:16,720 --> 00:24:18,720 So for example, you decide to deny 557 00:24:18,720 --> 00:24:20,720 a public IP address to a 558 00:24:20,720 --> 00:24:22,720 storage account. Well, what happens 559 00:24:22,720 --> 00:24:24,720 if you actually do have a valid reason 560 00:24:24,720 --> 00:24:26,720 to have a public IP address 561 00:24:26,720 --> 00:24:28,720 on a storage account, which can happen. 562 00:24:28,720 --> 00:24:30,720 So I realize kind of a, 563 00:24:30,720 --> 00:24:32,720 I'm not sure if there's a question in there, 564 00:24:32,720 --> 00:24:34,720 but it's like, so what's 565 00:24:34,720 --> 00:24:36,720 your experience there? I mean, am I, 566 00:24:36,720 --> 00:24:38,720 you know, doing it wrong? 567 00:24:38,720 --> 00:24:40,720 Are customers doing it wrong? 568 00:24:40,720 --> 00:24:42,720 Is there some more nuance to this 569 00:24:42,720 --> 00:24:44,720 that I'm not familiar with? 570 00:24:44,720 --> 00:24:46,720 So you touched on a lot of different topics. 571 00:24:46,720 --> 00:24:48,720 Let me try to respond on 572 00:24:48,720 --> 00:24:50,720 one topic at a time. So I think 573 00:24:50,720 --> 00:24:52,720 first of all, you touched on the kind of the scope 574 00:24:52,720 --> 00:24:54,720 at which the policy gets applied. 575 00:24:54,720 --> 00:24:56,720 Our general recommendation 576 00:24:56,720 --> 00:24:58,720 is that you apply it at as a high 577 00:24:58,720 --> 00:25:00,720 of a scope as is applicable 578 00:25:00,720 --> 00:25:02,720 and then use 579 00:25:02,720 --> 00:25:04,720 exemptions to, exemptions 580 00:25:04,720 --> 00:25:06,720 or exclusion to 581 00:25:06,720 --> 00:25:08,720 exclude the sub one, 582 00:25:08,720 --> 00:25:10,720 sub resources or sub scope that are 583 00:25:10,720 --> 00:25:12,720 not applicable. 584 00:25:12,720 --> 00:25:14,720 And so if you're trying to 585 00:25:14,720 --> 00:25:16,720 block all outbound 586 00:25:16,720 --> 00:25:18,720 port, for example, on your non-production 587 00:25:18,720 --> 00:25:20,720 environment, then apply that policy on your 588 00:25:20,720 --> 00:25:22,720 non-production management group. 589 00:25:22,720 --> 00:25:24,720 And then if some resources or 590 00:25:24,720 --> 00:25:26,720 subscriptions need 591 00:25:26,720 --> 00:25:28,720 exemption, you can create an exemption at that 592 00:25:28,720 --> 00:25:30,720 scope. That essentially 593 00:25:30,720 --> 00:25:32,720 essentially allows you to be able 594 00:25:32,720 --> 00:25:34,720 to have the control over those 595 00:25:34,720 --> 00:25:36,720 environments and, you know, 596 00:25:36,720 --> 00:25:38,720 still have the flexibility 597 00:25:38,720 --> 00:25:40,720 for those special snowflakes. 598 00:25:40,720 --> 00:25:42,720 And Michael, another thing 599 00:25:42,720 --> 00:25:44,720 that I, you touched on that I would also 600 00:25:44,720 --> 00:25:46,720 love to dive into is kind of the 601 00:25:46,720 --> 00:25:48,720 different effects or different 602 00:25:48,720 --> 00:25:50,720 enforcement types that we have, right? 603 00:25:50,720 --> 00:25:52,720 So you touched on kind of the audit 604 00:25:52,720 --> 00:25:54,720 thing, audit policy effect, which allows 605 00:25:54,720 --> 00:25:56,720 you to create the resources 606 00:25:56,720 --> 00:25:58,720 but we'll just flag it as non-compliant 607 00:25:58,720 --> 00:26:00,720 and give back the compliance 608 00:26:00,720 --> 00:26:02,720 result that is non-compliant 609 00:26:02,720 --> 00:26:04,720 or we will deny it. 610 00:26:04,720 --> 00:26:06,720 So you won't even be able to create 611 00:26:06,720 --> 00:26:08,720 that resource. First of all, 612 00:26:08,720 --> 00:26:10,720 before you apply any deny policies, 613 00:26:10,720 --> 00:26:12,720 our recommendation is 614 00:26:12,720 --> 00:26:14,720 first to always use this on audit first 615 00:26:14,720 --> 00:26:16,720 and then switch over to a deny 616 00:26:16,720 --> 00:26:18,720 so that you at least have an idea of 617 00:26:18,720 --> 00:26:20,720 kind of what are the things that you're going to be 618 00:26:20,720 --> 00:26:22,720 blocking. We also, 619 00:26:22,720 --> 00:26:24,720 you know, recommend customers to use 620 00:26:24,720 --> 00:26:26,720 our non-compliance reasons message 621 00:26:26,720 --> 00:26:28,720 so that, you know, when someone gets 622 00:26:28,720 --> 00:26:30,720 blocked, they have a friendly message to 623 00:26:30,720 --> 00:26:32,720 read as to, you know, like 624 00:26:32,720 --> 00:26:34,720 where they can get more info or where they 625 00:26:34,720 --> 00:26:36,720 can get exemptions, what the policy 626 00:26:36,720 --> 00:26:38,720 is for, that sort of deal. 627 00:26:38,720 --> 00:26:40,720 We also have 628 00:26:40,720 --> 00:26:42,720 auto remediation effects 629 00:26:42,720 --> 00:26:44,720 as well for customers 630 00:26:44,720 --> 00:26:46,720 who really want to make sure that, 631 00:26:46,720 --> 00:26:48,720 for example, I'm just going to use 632 00:26:48,720 --> 00:26:50,720 the earlier example on the update 633 00:26:50,720 --> 00:26:52,720 that Sarah gave on the AKS 634 00:26:52,720 --> 00:26:54,720 disabled local auth, right? 635 00:26:54,720 --> 00:26:56,720 Let's say that you always 636 00:26:56,720 --> 00:26:58,720 want to make sure that 637 00:26:58,720 --> 00:27:00,720 the local auth is disabled by default 638 00:27:00,720 --> 00:27:02,720 but you don't necessarily want 639 00:27:02,720 --> 00:27:04,720 the engineers to be bothered 640 00:27:04,720 --> 00:27:06,720 by it or to be, you know, 641 00:27:06,720 --> 00:27:08,720 you want these things to just happen by default 642 00:27:08,720 --> 00:27:10,720 without engineers having to be blocked 643 00:27:10,720 --> 00:27:12,720 and manually change it. 644 00:27:12,720 --> 00:27:14,720 We also have an auto remediation capability 645 00:27:14,720 --> 00:27:16,720 as well. And the cool 646 00:27:16,720 --> 00:27:18,720 thing that we do with modify effects 647 00:27:18,720 --> 00:27:20,720 specifically is that 648 00:27:20,720 --> 00:27:22,720 we actually intercept the request 649 00:27:22,720 --> 00:27:24,720 appended so that 650 00:27:24,720 --> 00:27:26,720 it has the right property value 651 00:27:26,720 --> 00:27:28,720 and then we let the request 652 00:27:28,720 --> 00:27:30,720 go through so that it's 653 00:27:30,720 --> 00:27:32,720 actually created. So by the time 654 00:27:32,720 --> 00:27:34,720 it's created, it has the right 655 00:27:34,720 --> 00:27:36,720 property value already in place. 656 00:27:36,720 --> 00:27:38,720 So, you know, there's no security 657 00:27:38,720 --> 00:27:40,720 vulnerability that you expose 658 00:27:40,720 --> 00:27:42,720 by using a auto remediation capability. 659 00:27:42,720 --> 00:27:44,720 All right. So that gave me 660 00:27:44,720 --> 00:27:46,720 a bunch of questions. 661 00:27:46,720 --> 00:27:48,720 So first of all, if I switch everything to 662 00:27:48,720 --> 00:27:50,720 audit, so action equals audit, 663 00:27:50,720 --> 00:27:52,720 where is that order report? 664 00:27:52,720 --> 00:27:54,720 Is it in Defender for Cloud? 665 00:27:54,720 --> 00:27:56,720 Was it formerly Azure Security Sensor or is it somewhere else? 666 00:27:56,720 --> 00:27:58,720 It needs to be in like a central place, right? 667 00:27:58,720 --> 00:28:00,720 So I can easily get to it. 668 00:28:00,720 --> 00:28:02,720 So there's two types of data that we produce for audit. 669 00:28:02,720 --> 00:28:04,720 There's events 670 00:28:04,720 --> 00:28:06,720 information. So, you know, like when some 671 00:28:06,720 --> 00:28:08,720 resource gets created and if it's 672 00:28:08,720 --> 00:28:10,720 audited, we'll drop an event 673 00:28:10,720 --> 00:28:12,720 and that goes into Azure 674 00:28:12,720 --> 00:28:14,720 Activity Log. 675 00:28:14,720 --> 00:28:16,720 And then there's also the compliance 676 00:28:16,720 --> 00:28:18,720 state that we produce as well, right? 677 00:28:18,720 --> 00:28:20,720 So we'll say, oh, this resource is 678 00:28:20,720 --> 00:28:22,720 non-compliant and 679 00:28:22,720 --> 00:28:24,720 that non-compliance data is available 680 00:28:24,720 --> 00:28:26,720 through the, first of all, 681 00:28:26,720 --> 00:28:28,720 we have our API, 682 00:28:28,720 --> 00:28:30,720 Policy Insights API that you can get the 683 00:28:30,720 --> 00:28:32,720 data from. We also route 684 00:28:32,720 --> 00:28:34,720 all that data over to Azure Resource 685 00:28:34,720 --> 00:28:36,720 Graph as well. And so 686 00:28:36,720 --> 00:28:38,720 you can query Azure Resource Graph for all 687 00:28:38,720 --> 00:28:40,720 of this data. Oh, that's cool. 688 00:28:40,720 --> 00:28:42,720 Yeah, the resource graph angle, that's really 689 00:28:42,720 --> 00:28:44,720 cool. Okay, the other question I have that's 690 00:28:44,720 --> 00:28:46,720 following from that, I've got, by the way, I'll have one more after 691 00:28:46,720 --> 00:28:48,720 this, is what happens if I 692 00:28:48,720 --> 00:28:50,720 let's say I have some storage accounts that have 693 00:28:50,720 --> 00:28:52,720 a public IP address 694 00:28:52,720 --> 00:28:54,720 and I decide at 695 00:28:54,720 --> 00:28:56,720 say the subscription level to deny 696 00:28:56,720 --> 00:28:58,720 public IP addresses for storage accounts. 697 00:28:58,720 --> 00:29:00,720 What happens to the existing storage 698 00:29:00,720 --> 00:29:02,720 accounts? A great question. 699 00:29:02,720 --> 00:29:04,720 So we don't actually 700 00:29:06,720 --> 00:29:08,720 it's not like we delete the existing 701 00:29:08,720 --> 00:29:10,720 resources by default, right? 702 00:29:10,720 --> 00:29:12,720 So what we'll do is we will go 703 00:29:12,720 --> 00:29:14,720 and first scan all your existing 704 00:29:14,720 --> 00:29:16,720 resources. 705 00:29:16,720 --> 00:29:18,720 And for every resource that you have, we'll 706 00:29:18,720 --> 00:29:20,720 give a compliance data, compliant or non-compliant 707 00:29:20,720 --> 00:29:22,720 and we produce that as a report. 708 00:29:22,720 --> 00:29:24,720 On the existing resources 709 00:29:24,720 --> 00:29:26,720 they will, 710 00:29:26,720 --> 00:29:28,720 we will not take any enforcement until 711 00:29:28,720 --> 00:29:30,720 that resource goes through an 712 00:29:30,720 --> 00:29:32,720 update. So you know the next time that resource 713 00:29:32,720 --> 00:29:34,720 goes through a put or patch request 714 00:29:34,720 --> 00:29:36,720 we will do the enforcement of deny 715 00:29:36,720 --> 00:29:38,720 but otherwise we will let that resource 716 00:29:38,720 --> 00:29:40,720 be. If you rolled out 717 00:29:40,720 --> 00:29:42,720 a remediation policy like a modify 718 00:29:42,720 --> 00:29:44,720 or deploy if not exist effects 719 00:29:44,720 --> 00:29:46,720 then you will also have an option 720 00:29:46,720 --> 00:29:48,720 of rolling out remediation 721 00:29:48,720 --> 00:29:50,720 on existing resources 722 00:29:50,720 --> 00:29:52,720 and that, again 723 00:29:52,720 --> 00:29:54,720 I recommend that you do a gradual rollout 724 00:29:54,720 --> 00:29:56,720 on these 725 00:29:56,720 --> 00:29:58,720 remediations and so 726 00:29:58,720 --> 00:30:00,720 we have multiple knobs available in 727 00:30:00,720 --> 00:30:02,720 there so that you can just start 728 00:30:02,720 --> 00:30:04,720 remediating for resources in a particular 729 00:30:04,720 --> 00:30:06,720 region first, sub scope 730 00:30:06,720 --> 00:30:08,720 first, we just released 731 00:30:10,720 --> 00:30:12,720 maybe two weeks ago or so 732 00:30:12,720 --> 00:30:14,720 on being able to do a per millilay rollout 733 00:30:14,720 --> 00:30:16,720 as well so you can do a percentage based 734 00:30:16,720 --> 00:30:18,720 rollout as well. And so you can 735 00:30:18,720 --> 00:30:20,720 also do a remediation on existing resources 736 00:30:20,720 --> 00:30:22,720 but that again is 737 00:30:22,720 --> 00:30:24,720 a user action based. 738 00:30:24,720 --> 00:30:26,720 We don't touch the existing resources 739 00:30:26,720 --> 00:30:28,720 when you roll out deny policies 740 00:30:28,720 --> 00:30:30,720 unless it goes through an update. 741 00:30:30,720 --> 00:30:32,720 When you say an update 742 00:30:32,720 --> 00:30:34,720 so if I have a storage account 743 00:30:34,720 --> 00:30:36,720 that has a public IP address and there's a policy 744 00:30:36,720 --> 00:30:38,720 that says no public IP address is on storage 745 00:30:38,720 --> 00:30:40,720 accounts, when you say it goes through 746 00:30:40,720 --> 00:30:42,720 an update, do you mean like if I modify 747 00:30:42,720 --> 00:30:44,720 like a setting on that storage account? 748 00:30:44,720 --> 00:30:46,720 Yeah, exactly. Perfect. 749 00:30:46,720 --> 00:30:48,720 That's actually really cool so that leads to my 750 00:30:48,720 --> 00:30:50,720 last question. Well my last question 751 00:30:50,720 --> 00:30:52,720 is all the other questions. So 752 00:30:52,720 --> 00:30:54,720 you said that you can have like an 753 00:30:54,720 --> 00:30:56,720 exemption or an exception like below 754 00:30:56,720 --> 00:30:58,720 like say for example the subscription. So for example 755 00:30:58,720 --> 00:31:00,720 let's say I have a resource group. 756 00:31:00,720 --> 00:31:02,720 What are the machinations of that? 757 00:31:02,720 --> 00:31:04,720 How do I set that up? 758 00:31:04,720 --> 00:31:06,720 So let's say I've got 759 00:31:06,720 --> 00:31:08,720 company A 760 00:31:08,720 --> 00:31:10,720 and they've got a subscription 761 00:31:10,720 --> 00:31:12,720 and then there's a resource group 762 00:31:12,720 --> 00:31:14,720 that handles something really funky and really specific 763 00:31:14,720 --> 00:31:16,720 and the development team says we want to be able 764 00:31:16,720 --> 00:31:18,720 to set our own policies. 765 00:31:18,720 --> 00:31:20,720 Obviously we'll use some of the policies 766 00:31:20,720 --> 00:31:22,720 from the subscription where it makes sense 767 00:31:22,720 --> 00:31:24,720 but there's like a couple of policies in there that do not make 768 00:31:24,720 --> 00:31:26,720 sense and will actually stop us from doing our business 769 00:31:26,720 --> 00:31:28,720 requirements. So we want to be able to 770 00:31:28,720 --> 00:31:30,720 override those. So what are the 771 00:31:30,720 --> 00:31:32,720 two parts. One is what does that process 772 00:31:32,720 --> 00:31:34,720 look like and second, who can do that? 773 00:31:34,720 --> 00:31:36,720 So let me answer the letter per first 774 00:31:36,720 --> 00:31:38,720 and then we'll get to the first part. 775 00:31:38,720 --> 00:31:40,720 So let's say in your example that the policies 776 00:31:40,720 --> 00:31:42,720 on the management group level. 777 00:31:42,720 --> 00:31:44,720 Someone who has an access 778 00:31:44,720 --> 00:31:46,720 to the resource group like a you know as 779 00:31:46,720 --> 00:31:48,720 an owner on the resource group or owner on the 780 00:31:48,720 --> 00:31:50,720 subscription will not be 781 00:31:50,720 --> 00:31:52,720 able to create exemptions on that resource group. 782 00:31:52,720 --> 00:31:54,720 We 783 00:31:54,720 --> 00:31:56,720 do a link access check to make sure that 784 00:31:56,720 --> 00:31:58,720 whoever is creating exemption 785 00:31:58,720 --> 00:32:00,720 also has permission 786 00:32:00,720 --> 00:32:02,720 on the assignment as well which in this 787 00:32:02,720 --> 00:32:04,720 example would be management group scope. 788 00:32:04,720 --> 00:32:06,720 So the application team 789 00:32:06,720 --> 00:32:08,720 will essentially need to go request 790 00:32:08,720 --> 00:32:10,720 the exemptions to the 791 00:32:10,720 --> 00:32:12,720 Cloud Center of Excellence team or 792 00:32:12,720 --> 00:32:14,720 Cloud Architect team, Security Architect team 793 00:32:14,720 --> 00:32:16,720 whoever has access at that management group 794 00:32:16,720 --> 00:32:18,720 scope. In terms of 795 00:32:18,720 --> 00:32:20,720 how you go about doing that 796 00:32:20,720 --> 00:32:22,720 we generally 797 00:32:22,720 --> 00:32:24,720 from what we've observed customers 798 00:32:24,720 --> 00:32:26,720 generally have a 799 00:32:26,720 --> 00:32:28,720 some kind of a ticketing processes 800 00:32:28,720 --> 00:32:30,720 or tools 801 00:32:30,720 --> 00:32:32,720 they have in place that 802 00:32:32,720 --> 00:32:34,720 they integrate the exemption 803 00:32:34,720 --> 00:32:36,720 creations into. 804 00:32:36,720 --> 00:32:38,720 And so that's actually the reason why 805 00:32:38,720 --> 00:32:40,720 we introduce exemption as a separate 806 00:32:40,720 --> 00:32:42,720 resource type. Aside from 807 00:32:42,720 --> 00:32:44,720 the not 808 00:32:44,720 --> 00:32:46,720 scopes or the exclusions we already had 809 00:32:46,720 --> 00:32:48,720 which was a property on the assignment. 810 00:32:48,720 --> 00:32:50,720 So we introduce exemption as a separate resource type 811 00:32:50,720 --> 00:32:52,720 precisely so that it's easy 812 00:32:52,720 --> 00:32:54,720 to plug into the existing tools 813 00:32:54,720 --> 00:32:56,720 that customers have 814 00:32:56,720 --> 00:32:58,720 and all that tool will do is essentially 815 00:32:58,720 --> 00:33:00,720 once that exemption cost has been approved 816 00:33:00,720 --> 00:33:02,720 create the exemption 817 00:33:02,720 --> 00:33:04,720 resource at that scope 818 00:33:04,720 --> 00:33:06,720 at that resource group scope. 819 00:33:06,720 --> 00:33:08,720 And so the process 820 00:33:08,720 --> 00:33:10,720 side of the story is generally 821 00:33:10,720 --> 00:33:12,720 customers already have a tool that they 822 00:33:12,720 --> 00:33:14,720 leverage today and then 823 00:33:14,720 --> 00:33:16,720 they create the exemptions once approved. 824 00:33:16,720 --> 00:33:18,720 Can you talk to us a little bit 825 00:33:18,720 --> 00:33:20,720 Liz about 826 00:33:20,720 --> 00:33:22,720 some of the new things coming up 827 00:33:22,720 --> 00:33:24,720 or stuff we've recently released 828 00:33:24,720 --> 00:33:26,720 because well you know with every single 829 00:33:26,720 --> 00:33:28,720 Microsoft product we have 830 00:33:28,720 --> 00:33:30,720 we've always got tons of new things 831 00:33:30,720 --> 00:33:32,720 happening so 832 00:33:32,720 --> 00:33:34,720 what's exciting and new in the policy world? 833 00:33:34,720 --> 00:33:36,720 Yeah so we have a lot 834 00:33:36,720 --> 00:33:38,720 going on on the 835 00:33:38,720 --> 00:33:40,720 Azure Policy space I think 836 00:33:40,720 --> 00:33:42,720 first of all I touched on 837 00:33:42,720 --> 00:33:44,720 the ARG integration 838 00:33:44,720 --> 00:33:46,720 a little bit earlier but 839 00:33:46,720 --> 00:33:48,720 we are putting more and more of the 840 00:33:48,720 --> 00:33:50,720 Azure Policy resource types into 841 00:33:50,720 --> 00:33:52,720 Azure Resource Graph so 842 00:33:52,720 --> 00:33:54,720 we just finished on putting 843 00:33:54,720 --> 00:33:56,720 in the policy assignment definitions 844 00:33:56,720 --> 00:33:58,720 and 845 00:33:58,720 --> 00:34:00,720 definition sets into 846 00:34:00,720 --> 00:34:02,720 Resource Graph so you can join that data 847 00:34:02,720 --> 00:34:04,720 with compliance data and produce you know full 848 00:34:04,720 --> 00:34:06,720 report. That work is going on 849 00:34:06,720 --> 00:34:08,720 and then up next on our ARG integration 850 00:34:08,720 --> 00:34:10,720 is putting in exemptions resource. 851 00:34:10,720 --> 00:34:12,720 Customers have an interest in 852 00:34:12,720 --> 00:34:14,720 putting together a view to figure out 853 00:34:14,720 --> 00:34:16,720 whether the exemptions that are 854 00:34:16,720 --> 00:34:18,720 approaching expiration for example 855 00:34:18,720 --> 00:34:20,720 and so you would be able 856 00:34:20,720 --> 00:34:22,720 to produce that report through 857 00:34:22,720 --> 00:34:24,720 Azure Resource Graph. 858 00:34:24,720 --> 00:34:26,720 We also have some 859 00:34:26,720 --> 00:34:28,720 investments going in on being 860 00:34:28,720 --> 00:34:30,720 able to do more with 861 00:34:30,720 --> 00:34:32,720 the policy expression 862 00:34:32,720 --> 00:34:34,720 on the policy language 863 00:34:34,720 --> 00:34:36,720 I mentioned earlier 864 00:34:36,720 --> 00:34:38,720 but we are about to release a denied 865 00:34:38,720 --> 00:34:40,720 delete policy. 866 00:34:40,720 --> 00:34:42,720 That essentially is kind of our 867 00:34:42,720 --> 00:34:44,720 first step in introducing 868 00:34:44,720 --> 00:34:46,720 a policy that's able to manage 869 00:34:46,720 --> 00:34:48,720 the operations on the resource 870 00:34:48,720 --> 00:34:50,720 with denied delete you can 871 00:34:50,720 --> 00:34:52,720 essentially protect your critical resources 872 00:34:52,720 --> 00:34:54,720 to avoid accidental deletion on those. 873 00:34:54,720 --> 00:34:56,720 So the denied delete 874 00:34:56,720 --> 00:34:58,720 sounds a lot like 875 00:34:58,720 --> 00:35:00,720 resource locks. Is it similar 876 00:35:00,720 --> 00:35:02,720 to that? Is it new functionality? Does it provide 877 00:35:02,720 --> 00:35:04,720 extra functionality that resource locks don't normally 878 00:35:04,720 --> 00:35:06,720 provide? Yeah so 879 00:35:06,720 --> 00:35:08,720 it's essentially just like resource 880 00:35:08,720 --> 00:35:10,720 lock but at scale 881 00:35:10,720 --> 00:35:12,720 so you would be 882 00:35:12,720 --> 00:35:14,720 able to apply it across all of your 883 00:35:14,720 --> 00:35:16,720 management group to protect 884 00:35:16,720 --> 00:35:18,720 your resources 885 00:35:18,720 --> 00:35:20,720 and also another benefit that it provides 886 00:35:20,720 --> 00:35:22,720 is that the resource owner 887 00:35:22,720 --> 00:35:24,720 or subscription owner would not be able 888 00:35:24,720 --> 00:35:26,720 to override it. 889 00:35:26,720 --> 00:35:28,720 Resource lock is something that 890 00:35:28,720 --> 00:35:30,720 the owner could just delete that lock and do 891 00:35:30,720 --> 00:35:32,720 the operation that they wanted 892 00:35:32,720 --> 00:35:34,720 but policy would essentially make it so that 893 00:35:34,720 --> 00:35:36,720 they have to go request the exemption 894 00:35:36,720 --> 00:35:38,720 for them to override it. 895 00:35:38,720 --> 00:35:40,720 Yeah I've always seen resource locks 896 00:35:40,720 --> 00:35:42,720 as a bit of a... 897 00:35:42,720 --> 00:35:44,720 they've served their purpose but they're hardly as 898 00:35:44,720 --> 00:35:46,720 robust as something that's 899 00:35:46,720 --> 00:35:48,720 more complete like this which is good to see. 900 00:35:48,720 --> 00:35:50,720 You know, denied delete is 901 00:35:50,720 --> 00:35:52,720 the first thing that we're starting off with 902 00:35:52,720 --> 00:35:54,720 and then you'll also see us 903 00:35:54,720 --> 00:35:56,720 expanding to other operations like blocking 904 00:35:56,720 --> 00:35:58,720 move operation 905 00:35:58,720 --> 00:36:00,720 or controlling things that can be done 906 00:36:00,720 --> 00:36:02,720 through post API. 907 00:36:02,720 --> 00:36:04,720 So that's sort of a deal as well. 908 00:36:04,720 --> 00:36:06,720 The other sets of 909 00:36:06,720 --> 00:36:08,720 the investments that are coming on board 910 00:36:08,720 --> 00:36:10,720 is 911 00:36:10,720 --> 00:36:12,720 I'm going to touch on two things that I'm most 912 00:36:12,720 --> 00:36:14,720 excited about. 913 00:36:14,720 --> 00:36:16,720 One is we've had 914 00:36:16,720 --> 00:36:18,720 customer asks on wanting to 915 00:36:18,720 --> 00:36:20,720 extend policy valuations 916 00:36:20,720 --> 00:36:22,720 to also reference their own 917 00:36:22,720 --> 00:36:24,720 data sets. Right, so for example 918 00:36:24,720 --> 00:36:26,720 you know a lot of customers have policy that 919 00:36:26,720 --> 00:36:28,720 controls the 920 00:36:28,720 --> 00:36:30,720 tax to make sure that you have call center ID 921 00:36:30,720 --> 00:36:32,720 but that cost center ID may not 922 00:36:32,720 --> 00:36:34,720 be a valid ID that you put 923 00:36:34,720 --> 00:36:36,720 in. Right, and so 924 00:36:36,720 --> 00:36:38,720 essentially what we are supporting through 925 00:36:38,720 --> 00:36:40,720 custom data policy is that you can 926 00:36:40,720 --> 00:36:42,720 upload that data over to Azure 927 00:36:42,720 --> 00:36:44,720 and reference that data 928 00:36:44,720 --> 00:36:46,720 so that we can look 929 00:36:46,720 --> 00:36:48,720 that up at runtime 930 00:36:48,720 --> 00:36:50,720 and do an enforcement accordingly. 931 00:36:50,720 --> 00:36:52,720 That is another investment 932 00:36:52,720 --> 00:36:54,720 that is going on 933 00:36:54,720 --> 00:36:56,720 and then we also have additional 934 00:36:56,720 --> 00:36:58,720 investments for 935 00:36:58,720 --> 00:37:00,720 being able to declare policy 936 00:37:00,720 --> 00:37:02,720 enforcements to be done on the 937 00:37:02,720 --> 00:37:04,720 dependent resource types as well. 938 00:37:04,720 --> 00:37:06,720 So you know we have some behaviors in Azure 939 00:37:06,720 --> 00:37:08,720 where 940 00:37:08,720 --> 00:37:10,720 storage accounts, sorry functions make dependency 941 00:37:10,720 --> 00:37:12,720 on storage accounts and so 942 00:37:12,720 --> 00:37:14,720 storage account gets created 943 00:37:14,720 --> 00:37:16,720 by default or you know 944 00:37:16,720 --> 00:37:18,720 Databricks creates a bunch of resources 945 00:37:18,720 --> 00:37:20,720 in the resource group. So we are also 946 00:37:20,720 --> 00:37:22,720 we're also looking into 947 00:37:22,720 --> 00:37:24,720 a mechanism for you to 948 00:37:24,720 --> 00:37:26,720 control those resource 949 00:37:26,720 --> 00:37:28,720 types and what the behavior needs to be 950 00:37:28,720 --> 00:37:30,720 for those dependent resource types 951 00:37:30,720 --> 00:37:32,720 in Azure. 952 00:37:32,720 --> 00:37:34,720 Probably the last pillar of investments we 953 00:37:34,720 --> 00:37:36,720 do is around the life cycle of 954 00:37:36,720 --> 00:37:38,720 policy. The area 955 00:37:38,720 --> 00:37:40,720 of investments that we are going to release 956 00:37:40,720 --> 00:37:42,720 next semester 957 00:37:42,720 --> 00:37:44,720 which is our upcoming six month is 958 00:37:44,720 --> 00:37:46,720 first of all we have version management going out. 959 00:37:46,720 --> 00:37:48,720 I think a lot of 960 00:37:48,720 --> 00:37:50,720 customers have been waiting on the version management. 961 00:37:50,720 --> 00:37:52,720 It's going to support 962 00:37:52,720 --> 00:37:54,720 both the custom definitions and assignments 963 00:37:54,720 --> 00:37:56,720 but it will 964 00:37:56,720 --> 00:37:58,720 also support and build things as well. 965 00:37:58,720 --> 00:38:00,720 So now you will have an option 966 00:38:00,720 --> 00:38:02,720 to 967 00:38:02,720 --> 00:38:04,720 choose when you 968 00:38:04,720 --> 00:38:06,720 migrate between the versions 969 00:38:06,720 --> 00:38:08,720 on the built-ins as well. So version management 970 00:38:08,720 --> 00:38:10,720 is something that we are super excited about. 971 00:38:10,720 --> 00:38:12,720 We also have some 972 00:38:12,720 --> 00:38:14,720 additional investments to make it easier 973 00:38:14,720 --> 00:38:16,720 for customers to do a gradual 974 00:38:16,720 --> 00:38:18,720 rollout of the policies 975 00:38:18,720 --> 00:38:20,720 for you know doing 976 00:38:20,720 --> 00:38:22,720 resource location by location basis 977 00:38:22,720 --> 00:38:24,720 or 978 00:38:24,720 --> 00:38:26,720 specific tags. 979 00:38:26,720 --> 00:38:28,720 So we have what we call a selector 980 00:38:28,720 --> 00:38:30,720 on the assignments and exemptions 981 00:38:30,720 --> 00:38:32,720 that will be released in the upcoming 982 00:38:32,720 --> 00:38:34,720 semester as well. 983 00:38:34,720 --> 00:38:36,720 I worked with a customer a few years ago 984 00:38:36,720 --> 00:38:38,720 they would have killed for versioning 985 00:38:38,720 --> 00:38:40,720 of policies. 986 00:38:40,720 --> 00:38:42,720 It's not really versioning 987 00:38:42,720 --> 00:38:44,720 it's actually a version number. This is 988 00:38:44,720 --> 00:38:46,720 policy version number two. 989 00:38:46,720 --> 00:38:48,720 You may want to say something like 990 00:38:48,720 --> 00:38:50,720 for this particular environment we are not going to roll out version one 991 00:38:50,720 --> 00:38:52,720 of the policy but for this other environment 992 00:38:52,720 --> 00:38:54,720 we will roll out version two because of potential 993 00:38:54,720 --> 00:38:56,720 compatibility issues or something like that. 994 00:38:56,720 --> 00:38:58,720 So man that's great 995 00:38:58,720 --> 00:39:00,720 to hear. I didn't even know about that. 996 00:39:00,720 --> 00:39:02,720 As soon as you said I kept thinking about this customer 997 00:39:02,720 --> 00:39:04,720 so that's really great 998 00:39:04,720 --> 00:39:06,720 to hear. So one thing we always ask 999 00:39:06,720 --> 00:39:08,720 our guest is if there was one 1000 00:39:08,720 --> 00:39:10,720 single thought you'd like to leave our listeners with what would it be? 1001 00:39:10,720 --> 00:39:12,720 I think the main thing 1002 00:39:12,720 --> 00:39:14,720 is to explore with the different 1003 00:39:14,720 --> 00:39:16,720 enforcement effects that we have 1004 00:39:16,720 --> 00:39:18,720 in policy. I think the power 1005 00:39:18,720 --> 00:39:20,720 behind what policy can do 1006 00:39:20,720 --> 00:39:22,720 at the end of the day is all 1007 00:39:22,720 --> 00:39:24,720 about what policy 1008 00:39:24,720 --> 00:39:26,720 language can express. 1009 00:39:26,720 --> 00:39:28,720 I would just start 1010 00:39:28,720 --> 00:39:30,720 exploring on what are the 1011 00:39:30,720 --> 00:39:32,720 enforcement effects that we support 1012 00:39:32,720 --> 00:39:34,720 to get an idea of what are possible 1013 00:39:34,720 --> 00:39:36,720 things that you would leverage as your policy for. 1014 00:39:36,720 --> 00:39:38,720 Nice. 1015 00:39:38,720 --> 00:39:40,720 One thing I mentioned at the very beginning 1016 00:39:40,720 --> 00:39:42,720 I'm just a huge fan of it as your policy. 1017 00:39:42,720 --> 00:39:44,720 When you look at controls 1018 00:39:44,720 --> 00:39:46,720 like preventive controls and detective 1019 00:39:46,720 --> 00:39:48,720 controls and responsive controls 1020 00:39:48,720 --> 00:39:50,720 I mean as your policy can kind of fit all three 1021 00:39:50,720 --> 00:39:52,720 of those areas. But from a 1022 00:39:52,720 --> 00:39:54,720 preventive control it really is 1023 00:39:54,720 --> 00:39:56,720 a such a magnificent defense 1024 00:39:56,720 --> 00:39:58,720 when it's designed correctly and used 1025 00:39:58,720 --> 00:40:00,720 correctly. I like the idea 1026 00:40:00,720 --> 00:40:02,720 that you had of having it at the 1027 00:40:02,720 --> 00:40:04,720 highest possible level and then using 1028 00:40:04,720 --> 00:40:06,720 exceptions below that. For those 1029 00:40:06,720 --> 00:40:08,720 areas where you do need 1030 00:40:08,720 --> 00:40:10,720 to sort of deviate from the policy 1031 00:40:10,720 --> 00:40:12,720 and then with the 1032 00:40:12,720 --> 00:40:14,720 policy version coming out 1033 00:40:14,720 --> 00:40:16,720 that's really going to solve 1034 00:40:16,720 --> 00:40:18,720 so many customer headaches. 1035 00:40:18,720 --> 00:40:20,720 So yes, thank you so much for joining us 1036 00:40:20,720 --> 00:40:22,720 this week Liz. I really appreciate you taking 1037 00:40:22,720 --> 00:40:24,720 the time. I know everyone else on the podcast 1038 00:40:24,720 --> 00:40:26,720 did as well. I learned a lot. 1039 00:40:26,720 --> 00:40:28,720 Again, I've used policy for a long 1040 00:40:28,720 --> 00:40:30,720 time but I learned a lot 1041 00:40:30,720 --> 00:40:32,720 on this podcast. That's always 1042 00:40:32,720 --> 00:40:34,720 a good thing to see. 1043 00:40:34,720 --> 00:40:36,720 To all our listeners out there 1044 00:40:36,720 --> 00:40:38,720 this is our last podcast for 1045 00:40:38,720 --> 00:40:40,720 2021. Hopefully 1046 00:40:40,720 --> 00:40:42,720 2022 is going to be a little 1047 00:40:42,720 --> 00:40:44,720 bit better than 2021. I know everyone's had 1048 00:40:44,720 --> 00:40:46,720 a bit of a rough time. 1049 00:40:46,720 --> 00:40:48,720 I know everyone on the podcast that we've had 1050 00:40:48,720 --> 00:40:50,720 has been exceedingly busy. 1051 00:40:50,720 --> 00:40:52,720 I'm off diving in a couple of days 1052 00:40:52,720 --> 00:40:54,720 with my wife. 1053 00:40:54,720 --> 00:40:56,720 I've only taken actually one week vacation 1054 00:40:56,720 --> 00:40:58,720 this year so I'm going to make up for 1055 00:40:58,720 --> 00:41:00,720 a little bit over this break. 1056 00:41:00,720 --> 00:41:02,720 So anyway, to all of you out there, thank 1057 00:41:02,720 --> 00:41:04,720 you so much for listening in this year. 1058 00:41:04,720 --> 00:41:06,720 We've had a great year. The podcast has 1059 00:41:06,720 --> 00:41:08,720 really grown over the last 1060 00:41:08,720 --> 00:41:10,720 over the last 12 months. 1061 00:41:10,720 --> 00:41:12,720 It's way above anything that 1062 00:41:12,720 --> 00:41:14,720 we ever expected. The feedback 1063 00:41:14,720 --> 00:41:16,720 we've had has been nothing but positive. 1064 00:41:16,720 --> 00:41:18,720 We've had fantastic guests. 1065 00:41:18,720 --> 00:41:20,720 A lot of people have learned a lot 1066 00:41:20,720 --> 00:41:22,720 through this podcast. So for that 1067 00:41:22,720 --> 00:41:24,720 I'm very, very thankful. 1068 00:41:24,720 --> 00:41:26,720 So again, for all of you out there, 1069 00:41:26,720 --> 00:41:28,720 thank you so much for listening. Take care of yourself. 1070 00:41:28,720 --> 00:41:30,720 Take some time with your family 1071 00:41:30,720 --> 00:41:32,720 and we'll see you next year. Thanks again. 1072 00:41:32,720 --> 00:41:34,720 Thanks for listening to the Azure Security 1073 00:41:34,720 --> 00:41:36,720 Podcast. You can find 1074 00:41:36,720 --> 00:41:38,720 show notes and other resources at our 1075 00:41:38,720 --> 00:41:40,720 website azsecuritypodcast.net. 1076 00:41:42,720 --> 00:41:44,720 If you have any questions, please 1077 00:41:44,720 --> 00:41:46,720 find us on Twitter at azuresecpod. 1078 00:41:46,720 --> 00:41:48,720 Background music is from ccmixter.com 1079 00:41:48,720 --> 00:41:50,720 and licensed under the 1080 00:41:50,720 --> 00:42:10,720 Creative Commons license.