1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:17,800
Hey everybody, welcome to episode 63.

5
00:00:17,800 --> 00:00:19,080
This week it won't be a full house,

6
00:00:19,080 --> 00:00:23,600
but Mike lives in Florida and so he's dealing with Hurricane Ian.

7
00:00:23,600 --> 00:00:25,840
Actually, I spoke to him last night, he's doing fine.

8
00:00:25,840 --> 00:00:29,600
They've got a little bit of damage but nothing life-threatening.

9
00:00:29,600 --> 00:00:31,280
That's great to hear.

10
00:00:31,280 --> 00:00:33,760
So it's myself, Michael Gladys and Sarah.

11
00:00:33,760 --> 00:00:35,520
We also have a guest, Nick Wright,

12
00:00:35,520 --> 00:00:38,800
who's here to talk to us about Entra Permissions Management.

13
00:00:38,800 --> 00:00:40,120
But before we get to Nick,

14
00:00:40,120 --> 00:00:42,040
let's take a little lap around the news.

15
00:00:42,040 --> 00:00:43,560
Sarah, why don't you kick things off?

16
00:00:43,560 --> 00:00:46,400
I have just one thing to talk about today,

17
00:00:46,400 --> 00:00:49,760
which is AKS stuff.

18
00:00:49,760 --> 00:00:51,960
Apart from my baby Sentinel,

19
00:00:51,960 --> 00:00:55,520
I love a bit of AKS or Azure Kubernetes Service.

20
00:00:55,520 --> 00:00:57,360
There's a public preview now of

21
00:00:57,360 --> 00:01:02,560
API server VNet integration for private clusters in AKS.

22
00:01:02,560 --> 00:01:05,600
So what that means is it's enabling network communications

23
00:01:05,600 --> 00:01:08,240
between the API server and the cluster nodes

24
00:01:08,240 --> 00:01:10,440
without a private link or a tunnel.

25
00:01:10,440 --> 00:01:13,640
So if you're trying to keep things nice and secure

26
00:01:13,640 --> 00:01:16,720
and not exposed publicly and you're doing private clusters,

27
00:01:16,720 --> 00:01:19,760
this is definitely something for you to go look at.

28
00:01:19,760 --> 00:01:22,360
And it's just that one from me today.

29
00:01:22,360 --> 00:01:26,080
Well, I have three that I've been playing with.

30
00:01:26,080 --> 00:01:28,920
The first one is conditional access.

31
00:01:28,920 --> 00:01:30,760
In some deployments,

32
00:01:30,760 --> 00:01:35,240
organizations may need to restrict authentication sessions,

33
00:01:35,240 --> 00:01:41,280
such as a resource being accessed from a managed or shared device,

34
00:01:41,280 --> 00:01:45,520
or maybe having high impact users logging in

35
00:01:45,520 --> 00:01:50,400
or critical applications and sensitive information being accessed.

36
00:01:50,400 --> 00:01:57,120
Well, certain organizations want to change the length of that session

37
00:01:57,120 --> 00:01:59,560
when it occurs.

38
00:01:59,560 --> 00:02:04,400
So customers now may have the availability or the ability

39
00:02:04,400 --> 00:02:09,560
to force reauthentication just to those users

40
00:02:09,560 --> 00:02:14,280
so they get a request for a refresh authentication

41
00:02:14,280 --> 00:02:19,080
each time a user performs certain of these actions.

42
00:02:19,080 --> 00:02:24,480
Forced reauthentication supports requiring a user to reauthenticate

43
00:02:24,480 --> 00:02:28,200
during Intune device enrollment,

44
00:02:28,200 --> 00:02:34,400
password change for risky users and risky sign-ins.

45
00:02:34,400 --> 00:02:39,080
To configure this, you just go to Azure AD Security Conditional Access

46
00:02:39,080 --> 00:02:40,360
as normal, right?

47
00:02:40,360 --> 00:02:44,680
And under sessions, you have the sign-in frequency

48
00:02:44,680 --> 00:02:50,480
where you want to configure the periodic authentication timeframe.

49
00:02:50,480 --> 00:02:55,560
I'm providing a link named Configure Authentication Session Management

50
00:02:55,560 --> 00:02:58,520
with Conditional Access in our podcast,

51
00:02:58,520 --> 00:03:02,360
so go there for additional information.

52
00:03:02,360 --> 00:03:06,200
The other news that I am really excited about

53
00:03:06,200 --> 00:03:10,840
is regarding Azure AD Access Review.

54
00:03:10,840 --> 00:03:14,680
For those of you that are not familiar with this,

55
00:03:14,680 --> 00:03:18,920
basically, it's a way to schedule reviews of access

56
00:03:18,920 --> 00:03:23,840
to specific resources of applications or even groups.

57
00:03:23,840 --> 00:03:28,680
Well, now you could create a multi-stage access review.

58
00:03:28,680 --> 00:03:33,800
In a single-stage review, all reviewers make a decision

59
00:03:33,800 --> 00:03:37,080
within some defined period of time.

60
00:03:37,080 --> 00:03:42,280
And the last reviewer to make the decision basically wins.

61
00:03:42,280 --> 00:03:48,280
In the multi-stage, you have two or three reviewers, one after the other,

62
00:03:48,280 --> 00:03:53,640
and you can allow them to see the previous reviewer answers.

63
00:03:53,640 --> 00:04:00,120
That way, they're making a collaborative decision about the access

64
00:04:00,120 --> 00:04:04,120
that will remain in place.

65
00:04:04,120 --> 00:04:08,680
And the last news item that I wanted to talk about is investigating alerts

66
00:04:08,680 --> 00:04:11,960
in Microsoft 365 Defender.

67
00:04:11,960 --> 00:04:14,680
Alerts are the basics of all incidents,

68
00:04:14,680 --> 00:04:17,480
and often, actually, every single time

69
00:04:17,480 --> 00:04:21,640
are aggregated together to form incidents.

70
00:04:21,640 --> 00:04:25,240
They provide a broader context to the attack,

71
00:04:25,240 --> 00:04:28,840
and they show as part of the incident.

72
00:04:28,840 --> 00:04:32,840
However, there are many instances that certain alerts

73
00:04:32,840 --> 00:04:35,560
need to be investigated individually.

74
00:04:35,560 --> 00:04:40,600
So there's an alert queue and broader capabilities

75
00:04:40,600 --> 00:04:45,560
to investigate these alerts are being provided

76
00:04:45,560 --> 00:04:48,840
under the Microsoft 365 Defender.

77
00:04:48,840 --> 00:04:50,360
Back to you, Michael.

78
00:04:50,360 --> 00:04:51,800
Yeah, I got a few items.

79
00:04:51,800 --> 00:04:54,120
The first one is in public preview,

80
00:04:54,120 --> 00:04:57,320
policy analytics for Azure Firewall.

81
00:04:57,320 --> 00:04:58,920
Policy analytics for Azure Firewall

82
00:04:58,920 --> 00:05:03,320
is all about trying to get ahead of changes

83
00:05:03,320 --> 00:05:08,120
that creep in over time with Azure Firewall rules.

84
00:05:08,120 --> 00:05:10,280
It's in public preview, and the whole point of it

85
00:05:10,280 --> 00:05:12,680
is to give you insights into changes

86
00:05:12,680 --> 00:05:16,840
you might want to make based on changes in utilization

87
00:05:16,840 --> 00:05:18,520
when using the product.

88
00:05:18,520 --> 00:05:21,800
Next one in my own backyard, public preview

89
00:05:21,800 --> 00:05:24,600
for Azure AD authentication with Azure Database

90
00:05:24,600 --> 00:05:27,080
for MySQL flexible server.

91
00:05:27,080 --> 00:05:29,080
Great to see.

92
00:05:29,080 --> 00:05:33,640
Historically, MySQL has had its own authentication mechanism,

93
00:05:33,640 --> 00:05:36,280
so it's great to see that it now works with Azure AD

94
00:05:36,280 --> 00:05:38,280
authentication as well, which is, again,

95
00:05:38,280 --> 00:05:41,240
that means it's one less credential for customers

96
00:05:41,240 --> 00:05:44,360
to manage, and one less credential is one less thing

97
00:05:44,360 --> 00:05:45,880
to secure, and one less thing to secure

98
00:05:45,880 --> 00:05:46,840
means you're more secure.

99
00:05:46,840 --> 00:05:49,240
So that's a really great thing to see.

100
00:05:49,240 --> 00:05:51,840
Next one is, in general, availability.

101
00:05:51,840 --> 00:05:54,040
It's Azure policy, built-in definitions

102
00:05:54,040 --> 00:05:56,200
for Azure NetApp Files.

103
00:05:56,200 --> 00:05:58,200
I'm a huge fan of Azure policy.

104
00:05:58,200 --> 00:06:00,680
This is where you can put a policy in place that says,

105
00:06:00,680 --> 00:06:05,560
hey, if you deploy a storage account, it must use TLS.

106
00:06:05,560 --> 00:06:08,600
Or if you deploy a Cosmos DB instance,

107
00:06:08,600 --> 00:06:13,840
you can't have network access or internet access,

108
00:06:13,840 --> 00:06:14,800
those kinds of things.

109
00:06:14,800 --> 00:06:16,760
And then when you put these rules in place,

110
00:06:16,760 --> 00:06:18,960
you must deploy something that matches that policy,

111
00:06:18,960 --> 00:06:20,760
and also you can't drift away from it.

112
00:06:20,760 --> 00:06:22,400
So I'm a huge fan of Azure policy,

113
00:06:22,400 --> 00:06:25,520
and it's great to see Azure NetApp Files getting

114
00:06:25,520 --> 00:06:27,240
the same love and treatment.

115
00:06:27,240 --> 00:06:30,680
Second to last one is, public preview is encryption scopes

116
00:06:30,680 --> 00:06:33,480
on hierarchical namespace storage accounts.

117
00:06:33,480 --> 00:06:37,080
So hierarchical namespaces are supported with Azure Data Lake

118
00:06:37,080 --> 00:06:40,200
Gen2 storage accounts, so ADLS Gen2.

119
00:06:40,200 --> 00:06:44,440
So you can have folders like in most file systems.

120
00:06:44,440 --> 00:06:49,440
But now what you can do, this has been available in Blob Store,

121
00:06:49,440 --> 00:06:51,240
but now it's available in ADLS Gen2.

122
00:06:51,240 --> 00:06:53,240
So you can actually have different encryption scopes

123
00:06:53,240 --> 00:06:55,320
on different parts of the file system.

124
00:06:55,320 --> 00:06:56,960
They may think, well, OK.

125
00:06:56,960 --> 00:06:59,560
So well, the main reason for that is you

126
00:06:59,560 --> 00:07:05,400
might have, say, I don't know, HR and Legal have the same storage

127
00:07:05,400 --> 00:07:08,320
account, but you might want to give them their own encryption

128
00:07:08,320 --> 00:07:08,960
keys.

129
00:07:08,960 --> 00:07:11,800
And that way, it's sort of plausible deniability.

130
00:07:11,800 --> 00:07:14,040
The HR guys can't read the stuff that's

131
00:07:14,040 --> 00:07:16,840
held over on Legal because they don't have access to the keys.

132
00:07:16,840 --> 00:07:21,080
So again, encryption scopes has been available in Blob Store,

133
00:07:21,080 --> 00:07:25,200
but it's great to see ADLS Gen2 getting the same love.

134
00:07:25,200 --> 00:07:27,920
And while on the topic of ADLS Gen2,

135
00:07:27,920 --> 00:07:30,200
there's now immutable storage.

136
00:07:30,200 --> 00:07:32,640
So again, this has been available in Blob Store.

137
00:07:32,640 --> 00:07:35,360
And immutable storage is really important for certain kinds

138
00:07:35,360 --> 00:07:38,560
of workloads, especially from legal and compliance requirements.

139
00:07:38,560 --> 00:07:40,200
So you can actually store some data

140
00:07:40,200 --> 00:07:42,480
and, say, have a 90-day lock on it,

141
00:07:42,480 --> 00:07:45,560
which means that the data cannot be deleted.

142
00:07:45,560 --> 00:07:49,040
And for 90 days, there's all sorts of other rules

143
00:07:49,040 --> 00:07:50,560
that you can put in places as well.

144
00:07:50,560 --> 00:07:54,240
So it's nice to see Azure Data Lake Storage getting

145
00:07:54,240 --> 00:07:56,880
the same love as your Blob Store did.

146
00:07:56,880 --> 00:07:58,640
So yeah, immutable storage is now generally

147
00:07:58,640 --> 00:08:01,080
available for ADLS Gen2.

148
00:08:01,080 --> 00:08:04,080
So with that, and then getting the news out of the way,

149
00:08:04,080 --> 00:08:05,920
let's turn our attention to our guest.

150
00:08:05,920 --> 00:08:08,760
So this week, we have Nick Wright, as I mentioned.

151
00:08:08,760 --> 00:08:12,720
He is here to talk to us about Entra Permissions Management.

152
00:08:12,720 --> 00:08:14,480
Nick, thank you so much for joining us this week.

153
00:08:14,480 --> 00:08:16,400
Would you take a moment and tell us

154
00:08:16,400 --> 00:08:17,920
a little bit about yourself?

155
00:08:17,920 --> 00:08:18,760
Thank you, Michael.

156
00:08:18,760 --> 00:08:22,360
My name is Nick Wright, and I'm an experienced product manager.

157
00:08:22,360 --> 00:08:24,360
And I work with customers worldwide,

158
00:08:24,360 --> 00:08:27,280
strategizing, designing, and discussing

159
00:08:27,280 --> 00:08:29,440
their identity solutions around Microsoft

160
00:08:29,440 --> 00:08:32,200
Entra and identity as a whole.

161
00:08:32,200 --> 00:08:34,920
I have global experience serving government clients,

162
00:08:34,920 --> 00:08:40,640
as well as commercial customers, advising security services,

163
00:08:40,640 --> 00:08:42,560
consulting, and working with teams

164
00:08:42,560 --> 00:08:45,280
to bring them a business-focused approach that

165
00:08:45,280 --> 00:08:50,280
incorporates processes, control innovation technology,

166
00:08:50,280 --> 00:08:52,480
and security for a brighter future.

167
00:08:52,480 --> 00:08:55,560
I'm mainly skilled in identity and security strategy.

168
00:08:55,560 --> 00:08:57,720
And currently, my focus in Microsoft

169
00:08:57,720 --> 00:09:01,760
is in cloud infrastructure entitlement management in that space.

170
00:09:01,760 --> 00:09:04,720
And I'm part of the identity network and access product

171
00:09:04,720 --> 00:09:05,680
group.

172
00:09:05,680 --> 00:09:08,120
What is Entra Permissions Management?

173
00:09:08,120 --> 00:09:09,080
I know the name.

174
00:09:09,080 --> 00:09:10,360
I saw the announcements.

175
00:09:10,360 --> 00:09:11,800
But I'm going to be honest with you.

176
00:09:11,800 --> 00:09:16,920
I probably don't know enough of as much about it

177
00:09:16,920 --> 00:09:19,000
as I probably should.

178
00:09:19,000 --> 00:09:22,640
But I'm sure I'm not the only person listening who's

179
00:09:22,640 --> 00:09:23,760
thinking the same thing.

180
00:09:23,760 --> 00:09:30,000
So can you tell us, elevator pitch, what it is, why we should care?

181
00:09:30,000 --> 00:09:31,880
Oh, absolutely.

182
00:09:31,880 --> 00:09:34,040
So Entra Permissions Management really

183
00:09:34,040 --> 00:09:38,280
is one of the new products that is coming under the Microsoft

184
00:09:38,280 --> 00:09:40,680
Entra umbrella.

185
00:09:40,680 --> 00:09:45,600
So the Microsoft Entra is the cloud identity series

186
00:09:45,600 --> 00:09:49,320
of products that encompasses Azure Active Directory,

187
00:09:49,320 --> 00:09:51,680
Entra Permissions Management, and Verified ID.

188
00:09:51,680 --> 00:09:55,840
So what is Entra Permissions Management, as you asked?

189
00:09:55,840 --> 00:09:58,040
Permissions Management is a cloud infrastructure

190
00:09:58,040 --> 00:10:00,000
entitlement management solution that

191
00:10:00,000 --> 00:10:03,080
provides comprehensive visibility into permissions

192
00:10:03,080 --> 00:10:07,520
assigned to all identities, whether it's users and workloads,

193
00:10:07,520 --> 00:10:11,880
actions, and resources across cloud infrastructures.

194
00:10:11,880 --> 00:10:16,120
It detects, right-sizes and monitors unused and excessive

195
00:10:16,120 --> 00:10:19,120
permissions and enables zero trust security

196
00:10:19,120 --> 00:10:23,200
through least privilege access in Microsoft Azure, Amazon

197
00:10:23,200 --> 00:10:25,960
web services, and Google Cloud platforms.

198
00:10:25,960 --> 00:10:29,200
Entra Permissions Management was an acquisition.

199
00:10:29,200 --> 00:10:33,400
We acquired CloudKnox in July of 2021.

200
00:10:33,400 --> 00:10:36,000
That is, they were a security company that

201
00:10:36,000 --> 00:10:39,880
was doing this cloud infrastructure entitlement

202
00:10:39,880 --> 00:10:41,860
management solution.

203
00:10:41,860 --> 00:10:46,600
And that's how we integrate them into the Microsoft ecosystem

204
00:10:46,600 --> 00:10:49,960
by bringing them into the Microsoft Entra umbrella.

205
00:10:49,960 --> 00:10:52,200
I'm really excited about this.

206
00:10:52,200 --> 00:10:54,640
Can you explain if this is only for Azure,

207
00:10:54,640 --> 00:10:58,720
or can you use it in other environments?

208
00:10:58,720 --> 00:11:05,800
In addition, is this only for users or any other accounts?

209
00:11:05,800 --> 00:11:06,920
I'm glad you asked that.

210
00:11:06,920 --> 00:11:10,880
So Entra Permissions Management is not only for Azure.

211
00:11:10,880 --> 00:11:13,880
This is one of our multi-cloud solutions

212
00:11:13,880 --> 00:11:18,120
that basically spans across three main clouds.

213
00:11:18,120 --> 00:11:21,920
As I mentioned, Microsoft Azure, Amazon web services,

214
00:11:21,920 --> 00:11:25,280
and Google Cloud platform.

215
00:11:25,280 --> 00:11:28,600
It's not only for users because this product actually

216
00:11:28,600 --> 00:11:30,800
manages resources as well.

217
00:11:30,800 --> 00:11:34,800
And we're able to get visibility into those resources.

218
00:11:34,800 --> 00:11:37,400
So I didn't actually add this portion

219
00:11:37,400 --> 00:11:39,960
to what actually Entra Permissions Management

220
00:11:39,960 --> 00:11:44,000
is, but what is the problem that Entra Permissions Management

221
00:11:44,000 --> 00:11:45,200
really solves?

222
00:11:45,200 --> 00:11:48,280
Well, what we've noticed is that unmanaged permissions

223
00:11:48,280 --> 00:11:51,320
are expanding the attack surfaces that organizations

224
00:11:51,320 --> 00:11:55,560
have to date, such that permissions that are granted,

225
00:11:55,560 --> 00:11:57,480
most people give so many permissions

226
00:11:57,480 --> 00:12:01,520
so a lot of users, service principals, automations,

227
00:12:01,520 --> 00:12:03,800
versus the permissions that are used,

228
00:12:03,800 --> 00:12:06,080
it's a great delta that's there.

229
00:12:06,080 --> 00:12:08,360
And that's what we call the permissions gap.

230
00:12:08,360 --> 00:12:10,480
And what we know is that there's

231
00:12:10,480 --> 00:12:13,520
lack of comprehensive visibility into identities,

232
00:12:13,520 --> 00:12:16,960
permissions, and resources across many organizations.

233
00:12:16,960 --> 00:12:21,320
And we also know that the increased complexity of IAM

234
00:12:21,320 --> 00:12:23,480
and security teams to manage permissions

235
00:12:23,480 --> 00:12:26,920
across multi-cloud environments is a very, very hard thing

236
00:12:26,920 --> 00:12:28,320
to do.

237
00:12:28,320 --> 00:12:31,120
And lastly, increased risk of breach

238
00:12:31,120 --> 00:12:33,920
from accidental or malicious permission misuse

239
00:12:33,920 --> 00:12:37,080
is something that's happening in many, many organizations

240
00:12:37,080 --> 00:12:37,960
today.

241
00:12:37,960 --> 00:12:41,120
So like I said, the product is not only for users.

242
00:12:41,120 --> 00:12:44,840
It actually covers all cloud infrastructure entitlements

243
00:12:44,840 --> 00:12:47,720
across the three clouds that I mentioned earlier.

244
00:12:47,720 --> 00:12:52,760
And you can basically even look into your service principals,

245
00:12:52,760 --> 00:12:55,360
what we call workload identities,

246
00:12:55,360 --> 00:13:00,240
or any automations that you have set up within your environment.

247
00:13:00,240 --> 00:13:04,040
I'm really happy about this, especially with service principals,

248
00:13:04,040 --> 00:13:08,520
because after SolarWinds and there's other attacks that

249
00:13:08,520 --> 00:13:13,200
have been taking advantage of service principals'

250
00:13:13,200 --> 00:13:14,560
permissions, right?

251
00:13:14,560 --> 00:13:19,160
So just providing this privilege,

252
00:13:19,160 --> 00:13:24,240
I think it will help out greatly many applications

253
00:13:24,240 --> 00:13:26,400
and customers.

254
00:13:26,400 --> 00:13:27,200
So I've got to ask.

255
00:13:27,200 --> 00:13:28,920
So I mean, how does this thing, I mean, obviously,

256
00:13:28,920 --> 00:13:32,800
I expect to explain all the nuts and bolts, but at a high level.

257
00:13:32,800 --> 00:13:34,520
How does it work?

258
00:13:34,520 --> 00:13:38,200
And how do you define even an excessive permission?

259
00:13:38,200 --> 00:13:39,880
We have the CIEM service.

260
00:13:39,880 --> 00:13:42,240
So cloud infrastructure entitlement management,

261
00:13:42,240 --> 00:13:44,360
the short form, we say CIEM.

262
00:13:44,360 --> 00:13:46,600
So we have a CIEM service, which gives access

263
00:13:46,600 --> 00:13:50,840
to that customer's Azure, AWS, or GCP account.

264
00:13:50,840 --> 00:13:53,640
And that service principal facilitates a collection.

265
00:13:53,640 --> 00:13:57,760
And that collection starts by getting all the data that's

266
00:13:57,760 --> 00:14:02,640
mainly the resources within that customer or that environment

267
00:14:02,640 --> 00:14:04,520
that have environments infrastructure.

268
00:14:04,520 --> 00:14:08,360
The data goes through our AI models and gets evaluated.

269
00:14:08,360 --> 00:14:11,760
And then we manage the permissions and entitlements.

270
00:14:11,760 --> 00:14:14,120
So Entra Permissions Management defines

271
00:14:14,120 --> 00:14:17,640
those excessive permissions as an aggregated metric that

272
00:14:17,640 --> 00:14:20,720
evaluates the level of risk associated to permissions

273
00:14:20,720 --> 00:14:24,440
across identities and resources by comparing those permissions

274
00:14:24,440 --> 00:14:28,080
granted versus the permissions that are used or exercised

275
00:14:28,080 --> 00:14:32,720
for that user, the non-human identity, or a workload.

276
00:14:32,720 --> 00:14:36,240
So in the product, we call this measure or this metric

277
00:14:36,240 --> 00:14:37,600
permission creep index.

278
00:14:37,600 --> 00:14:39,440
Let's call it PCI for short.

279
00:14:39,440 --> 00:14:42,520
The permission creep index is calculated by a formula

280
00:14:42,520 --> 00:14:46,680
with two terms multiplied together for a given identity.

281
00:14:46,680 --> 00:14:51,800
A factor score between 0 to 100 based on high risk permissions,

282
00:14:51,800 --> 00:14:55,800
an identity has not used within the last 90 days.

283
00:14:55,800 --> 00:14:59,960
And a factor score between 0, 100 based on how many resources

284
00:14:59,960 --> 00:15:04,440
the identity can impact across the entire authorization system.

285
00:15:04,440 --> 00:15:08,520
So that is how we define those excessive permissions.

286
00:15:08,520 --> 00:15:09,920
So it's interesting you should bring up

287
00:15:09,920 --> 00:15:12,480
the whole notion of excessive permissions, right?

288
00:15:12,480 --> 00:15:16,080
Because permission creep is just huge.

289
00:15:16,080 --> 00:15:17,680
I've certainly seen some customers

290
00:15:17,680 --> 00:15:20,200
try to manage this themselves.

291
00:15:20,200 --> 00:15:24,760
And honestly, it's just a losing battle.

292
00:15:24,760 --> 00:15:27,760
I had a customer write some code, an Azure function,

293
00:15:27,760 --> 00:15:30,480
and they granted it

294
00:15:30,480 --> 00:15:32,200
some access to Azure.

295
00:15:32,200 --> 00:15:34,920
And there were gravel permissions on absolutely every single

296
00:15:34,920 --> 00:15:37,560
object and every user account.

297
00:15:37,560 --> 00:15:40,720
Like every 30 minutes or so, it just became un-maintainable,

298
00:15:40,720 --> 00:15:42,280
though.

299
00:15:42,280 --> 00:15:43,680
They have a report at the end of the day

300
00:15:43,680 --> 00:15:45,920
that showed added permissions, deleted permissions,

301
00:15:45,920 --> 00:15:47,120
sort of delta in the drift.

302
00:15:47,120 --> 00:15:49,680
But they didn't know how to make sense of it.

303
00:15:49,680 --> 00:15:52,600
So it's great to see a product like this come along,

304
00:15:52,600 --> 00:15:54,920
especially from a scalability perspective.

305
00:15:54,920 --> 00:15:58,000
Is there a way to tell how many users have excessive permissions?

306
00:15:58,000 --> 00:16:02,640
Can you get an overall vision of sort of the permission posture,

307
00:16:02,640 --> 00:16:04,120
so to speak, of the environment?

308
00:16:04,120 --> 00:16:06,160
And then can you actually do the minimization as well?

309
00:16:06,160 --> 00:16:07,960
Like can you actually reduce permissions while you're doing it?

310
00:16:07,960 --> 00:16:10,400
Or is it just really just the one-way thing?

311
00:16:10,400 --> 00:16:13,720
Yeah, so the product actually goes really, really deep here,

312
00:16:13,720 --> 00:16:14,200
Michael.

313
00:16:14,200 --> 00:16:17,960
So let's start with just what the console looks like.

314
00:16:17,960 --> 00:16:21,040
So immediately when you actually launch the Entra

315
00:16:21,040 --> 00:16:23,520
Permissions Management product, the first thing

316
00:16:23,520 --> 00:16:28,720
within the dashboard that you'll see is you'll get a graph.

317
00:16:28,720 --> 00:16:31,640
Basically, you get a dashboard that shows you this permission creep

318
00:16:31,640 --> 00:16:33,200
index that I mentioned.

319
00:16:33,200 --> 00:16:35,280
And within that permission creep index,

320
00:16:35,280 --> 00:16:40,560
we give you an aggregation of all your users' applications

321
00:16:40,560 --> 00:16:43,960
and managed identities in a fashion that we give you

322
00:16:43,960 --> 00:16:48,920
your total users, and we rank them from high to medium and low.

323
00:16:48,920 --> 00:16:50,080
Why are we ranking them?

324
00:16:50,080 --> 00:16:53,200
We're ranking them to give you visibility to say, hey,

325
00:16:53,200 --> 00:16:57,200
you have high risk users within your environment.

326
00:16:57,200 --> 00:17:02,200
And this all is calculated with our machine learning algorithm

327
00:17:02,200 --> 00:17:04,640
that's in the background that does this data collection

328
00:17:04,640 --> 00:17:07,560
and throws it into this nice dashboard for you

329
00:17:07,560 --> 00:17:09,720
to just get a snapshot of what's actually

330
00:17:09,720 --> 00:17:11,360
happening within your environment.

331
00:17:11,360 --> 00:17:14,880
And like I mentioned, we do this for applications, managed

332
00:17:14,880 --> 00:17:16,080
identities as well.

333
00:17:16,080 --> 00:17:20,240
And this PCI trend, we give you a graph of that,

334
00:17:20,240 --> 00:17:25,480
meaning if a user is over-permissioned

335
00:17:25,480 --> 00:17:28,800
and you are able to right-size them using one

336
00:17:28,800 --> 00:17:31,080
of our other tabs and functionalities, which

337
00:17:31,080 --> 00:17:34,720
we call remediation, we can talk about that a little later,

338
00:17:34,720 --> 00:17:37,760
you can see that trend of that PCI score actually

339
00:17:37,760 --> 00:17:40,480
decreased, meaning that your environment is actually

340
00:17:40,480 --> 00:17:41,960
getting better.

341
00:17:41,960 --> 00:17:44,000
And so basically what's happening here

342
00:17:44,000 --> 00:17:48,240
is that whenever the EPM product collects data

343
00:17:48,240 --> 00:17:50,120
for a given enterprise and provides

344
00:17:50,120 --> 00:17:53,200
that comprehensive report, within the console

345
00:17:53,200 --> 00:17:56,720
you can find what we call permissions analytics report.

346
00:17:56,720 --> 00:17:59,160
This provides you with cross-cloud visibility

347
00:17:59,160 --> 00:18:02,600
such that you get a multi-dimensional view of all

348
00:18:02,600 --> 00:18:05,600
your permissions risk within your organization.

349
00:18:05,600 --> 00:18:10,160
So can you focus on the most risky permissions?

350
00:18:10,160 --> 00:18:12,000
Yeah, for sure, for sure, Sarah.

351
00:18:12,000 --> 00:18:16,120
So as I mentioned earlier, even within our dashboard,

352
00:18:16,120 --> 00:18:19,040
another functionality that we give you right away

353
00:18:19,040 --> 00:18:20,840
after the data collection has happened,

354
00:18:20,840 --> 00:18:22,560
like I mentioned, the data collection

355
00:18:22,560 --> 00:18:26,280
happens across your multi-cloud footprint.

356
00:18:26,280 --> 00:18:28,440
And within that, we actually give you

357
00:18:28,440 --> 00:18:30,920
a quick snapshot of all the identities

358
00:18:30,920 --> 00:18:33,200
that you have and all the resources that you have

359
00:18:33,200 --> 00:18:35,120
and give you the findings.

360
00:18:35,120 --> 00:18:37,960
So for example, within the identity findings,

361
00:18:37,960 --> 00:18:41,320
we are able to give you your inactive applications

362
00:18:41,320 --> 00:18:45,000
that are identities or workload identities,

363
00:18:45,000 --> 00:18:48,800
inactive users, over-permission active users,

364
00:18:48,800 --> 00:18:51,720
super users, inactive serverless functions,

365
00:18:51,720 --> 00:18:53,320
over-permission active apps.

366
00:18:53,320 --> 00:18:54,560
You see what's going on here.

367
00:18:54,560 --> 00:18:55,680
That's what we kind of do for you.

368
00:18:55,680 --> 00:18:57,360
And then on the resource side, we also

369
00:18:57,360 --> 00:18:59,640
give you a snapshot of all your findings

370
00:18:59,640 --> 00:19:02,560
based on the different permissions that are used

371
00:19:02,560 --> 00:19:04,600
versus the permissions that are granted.

372
00:19:04,600 --> 00:19:08,640
Examples could be your blob container accessible,

373
00:19:08,640 --> 00:19:11,400
are your blob containers accessible externally,

374
00:19:11,400 --> 00:19:13,600
or your open network security groups,

375
00:19:13,600 --> 00:19:16,240
what's going on there, they're over-permissive,

376
00:19:16,240 --> 00:19:19,840
or even for your managed keys, they're over-permissive.

377
00:19:19,840 --> 00:19:22,840
We give you these findings in a very quick snapshot

378
00:19:22,840 --> 00:19:25,360
so you have a place to actually start

379
00:19:25,360 --> 00:19:29,040
to see how you can actually manage this permissions risk

380
00:19:29,040 --> 00:19:32,160
that most organizations deal with today.

381
00:19:32,160 --> 00:19:35,600
So I was playing with some demo portal.

382
00:19:35,600 --> 00:19:40,240
And if I understood correctly, basically,

383
00:19:40,240 --> 00:19:47,800
the system or the service is viewing all the permissions

384
00:19:47,800 --> 00:19:52,440
that are being used and is building a report based on that

385
00:19:52,440 --> 00:19:54,560
and then give you guidance.

386
00:19:54,560 --> 00:20:01,240
Now, say that I go and remediate those permissions.

387
00:20:01,240 --> 00:20:06,920
And if we move some permissions that now, next week,

388
00:20:06,920 --> 00:20:08,160
I may need.

389
00:20:08,160 --> 00:20:12,000
What happens and how do I deal with that?

390
00:20:12,000 --> 00:20:17,600
Because suddenly, my role change and I need more permissions.

391
00:20:17,600 --> 00:20:20,400
Yeah, so actually, let's take a step back really quick.

392
00:20:20,400 --> 00:20:24,160
Let me just give a quick snippet of some of the features

393
00:20:24,160 --> 00:20:27,120
and functionalities of the Entra Permissions Management

394
00:20:27,120 --> 00:20:27,840
product.

395
00:20:27,840 --> 00:20:30,400
So like I mentioned, we've talked about the dashboard

396
00:20:30,400 --> 00:20:33,440
and it gives you that quick view into what's

397
00:20:33,440 --> 00:20:37,720
happening within your cross-cloud environment.

398
00:20:37,720 --> 00:20:39,440
Well, we also have an analytics tab.

399
00:20:39,440 --> 00:20:41,680
That analytics tab is where, like I mentioned,

400
00:20:41,680 --> 00:20:44,080
all the machine learning algorithms

401
00:20:44,080 --> 00:20:46,560
that we've done with your data, it basically

402
00:20:46,560 --> 00:20:50,200
gives you all the different dash data

403
00:20:50,200 --> 00:20:53,000
that you have of your digital footprint

404
00:20:53,000 --> 00:20:55,520
with some of what your users are doing,

405
00:20:55,520 --> 00:20:57,040
some of the groups that you've created,

406
00:20:57,040 --> 00:20:59,720
what's happening with them, how people

407
00:20:59,720 --> 00:21:01,120
get permissions.

408
00:21:01,120 --> 00:21:05,480
And we give you even a nice chart to trace back

409
00:21:05,480 --> 00:21:09,000
to how a user actually got a specific permission.

410
00:21:09,000 --> 00:21:11,440
And we go into the details of those permissions, right?

411
00:21:11,440 --> 00:21:15,720
Whether it's read, write, delete, certain things

412
00:21:15,720 --> 00:21:19,000
that are in this specific role, we break those down for you.

413
00:21:19,000 --> 00:21:22,520
And then one of our other features, remediation,

414
00:21:22,520 --> 00:21:24,960
is what you're talking about here specifically.

415
00:21:24,960 --> 00:21:27,880
Well, within our Remediation tab or the feature

416
00:21:27,880 --> 00:21:29,800
of Entra Permissions Management, we

417
00:21:29,800 --> 00:21:32,880
have a functionality called Permissions on Demand.

418
00:21:32,880 --> 00:21:36,040
So you mentioned, OK, now that you've

419
00:21:36,040 --> 00:21:39,640
right-sized or used the principle of least privilege

420
00:21:39,640 --> 00:21:43,640
with a specific user or workload or non-human identity,

421
00:21:43,640 --> 00:21:46,280
what happens if you need those permissions back?

422
00:21:46,280 --> 00:21:48,000
Well, with permissions on demand,

423
00:21:48,000 --> 00:21:52,360
you can actually follow the flow that we got there

424
00:21:52,360 --> 00:21:54,800
and actually request those permissions.

425
00:21:54,800 --> 00:21:56,720
And the way that we do that is we actually

426
00:21:56,720 --> 00:22:00,640
give you granular control such that because of the data

427
00:22:00,640 --> 00:22:02,960
collection that has happened in your environment,

428
00:22:02,960 --> 00:22:07,240
we are able to determine that a user has been only

429
00:22:07,240 --> 00:22:09,920
using specific permissions over time.

430
00:22:09,920 --> 00:22:12,800
And so all those permissions they've been using over time

431
00:22:12,800 --> 00:22:15,760
and they're requesting for a specific permission

432
00:22:15,760 --> 00:22:17,960
that they're going to be using, they

433
00:22:17,960 --> 00:22:19,760
can go in there and request that.

434
00:22:19,760 --> 00:22:23,080
And an authorizer or an approver can go in there and approve it.

435
00:22:23,080 --> 00:22:24,520
It's a simple workflow.

436
00:22:24,520 --> 00:22:26,120
It's very easy to use.

437
00:22:26,120 --> 00:22:28,800
You can do it for almost all your users today.

438
00:22:28,800 --> 00:22:33,400
And that's how we basically right-size every user.

439
00:22:33,400 --> 00:22:36,080
And that's what we're really trying to do with this product

440
00:22:36,080 --> 00:22:38,360
is we want to give you those controls.

441
00:22:38,360 --> 00:22:42,240
So for example, within Azure, we call,

442
00:22:42,240 --> 00:22:43,720
what is a role within Azure?

443
00:22:43,720 --> 00:22:46,760
Well, a role within Azure is a set of permissions

444
00:22:46,760 --> 00:22:50,840
that are given to a specific name that Azure uses to say,

445
00:22:50,840 --> 00:22:55,720
OK, for example, if I have the contributor role,

446
00:22:55,720 --> 00:22:57,400
I have a whole bunch of permissions

447
00:22:57,400 --> 00:23:00,920
that are embedded into my specific role

448
00:23:00,920 --> 00:23:03,080
that I'm actually inheriting.

449
00:23:03,080 --> 00:23:06,760
Within AWS and GCP, they call it different things.

450
00:23:06,760 --> 00:23:10,280
AWS, the way permissioning is done within AWS

451
00:23:10,280 --> 00:23:12,240
is different from the way Azure does it.

452
00:23:12,240 --> 00:23:15,600
However, the product is very smart

453
00:23:15,600 --> 00:23:18,240
that it actually gives you that granular control

454
00:23:18,240 --> 00:23:22,920
and you're able to go in and request that specific permission

455
00:23:22,920 --> 00:23:26,040
that you need, whether it's read, write, delete,

456
00:23:26,040 --> 00:23:29,000
or a specific function that you're going to do.

457
00:23:29,000 --> 00:23:33,640
And with our workflow, you're able to get approval

458
00:23:33,640 --> 00:23:34,480
and go do your job.

459
00:23:34,480 --> 00:23:36,040
And then whenever you're done, we also

460
00:23:36,040 --> 00:23:39,640
have time-based functionality with this,

461
00:23:39,640 --> 00:23:42,320
such that whenever you're done with that permission,

462
00:23:42,320 --> 00:23:43,440
it takes it away.

463
00:23:43,440 --> 00:23:45,120
And you can go ahead and go about your business

464
00:23:45,120 --> 00:23:47,200
and know that that user is not going

465
00:23:47,200 --> 00:23:49,440
to be over-permissioned in the future.

466
00:23:49,440 --> 00:23:50,800
This whole permissions creep thing

467
00:23:50,800 --> 00:23:54,120
is just such a big, big, big deal.

468
00:23:54,120 --> 00:23:56,400
I've seen instances with customers

469
00:23:56,400 --> 00:23:58,360
where I'm not going to say that there's been a breach,

470
00:23:58,360 --> 00:23:59,240
like an internal breach.

471
00:23:59,240 --> 00:24:00,360
I'm not going to say that at all.

472
00:24:00,360 --> 00:24:03,480
But someone's had access, they really shouldn't have had access

473
00:24:03,480 --> 00:24:04,400
to.

474
00:24:04,400 --> 00:24:09,960
And it was because of permission that they no longer require.

475
00:24:09,960 --> 00:24:15,200
So that's a really, really fascinating product.

476
00:24:15,200 --> 00:24:18,360
So I do have to ask, so how does this compare and contrast?

477
00:24:18,360 --> 00:24:19,640
I think I know the answer.

478
00:24:19,640 --> 00:24:21,520
So how does this compare and contrast

479
00:24:21,520 --> 00:24:24,400
to, say, Azure Active Directory Privileged Identity Management,

480
00:24:24,400 --> 00:24:28,200
PIM, or Azure AD Access Review?

481
00:24:28,200 --> 00:24:32,000
Let's start with PIM, Privileged Identity Management.

482
00:24:32,000 --> 00:24:36,360
So the functionality of PIM was created

483
00:24:36,360 --> 00:24:40,120
to help you get just-in-time access for Azure Identities

484
00:24:40,120 --> 00:24:41,440
and resources.

485
00:24:41,440 --> 00:24:45,520
So the features of PIM include, like I said, just-in-time.

486
00:24:45,520 --> 00:24:49,520
We currently support Azure Active Directory RBAC roles,

487
00:24:49,520 --> 00:24:52,760
custom Azure Active Directory roles.

488
00:24:52,760 --> 00:24:55,560
You have an approval to activate a Privileged Role

489
00:24:55,560 --> 00:24:56,520
Assignment.

490
00:24:56,520 --> 00:24:59,840
With PIM, you can enforce multifactor authentication

491
00:24:59,840 --> 00:25:02,880
and justification for role activation,

492
00:25:02,880 --> 00:25:07,240
basically providing you a way to have eligible roles

493
00:25:07,240 --> 00:25:09,880
that you can basically get access to.

494
00:25:09,880 --> 00:25:13,720
And within PIM, you can use access reviews with PIM

495
00:25:13,720 --> 00:25:17,320
where you can take out a user whenever they're not

496
00:25:17,320 --> 00:25:20,400
using that specific Azure Active Directory role.

497
00:25:20,400 --> 00:25:23,400
And we also provide you with an audit history download

498
00:25:23,400 --> 00:25:26,080
for internal and external audit.

499
00:25:26,080 --> 00:25:29,840
But the difference here with Entra Permissions

500
00:25:29,840 --> 00:25:32,800
Management is, number one, it is a PIM solution.

501
00:25:32,800 --> 00:25:37,120
We extend these additional capabilities along with PIM.

502
00:25:37,120 --> 00:25:39,880
So Entra Permissions Management basically

503
00:25:39,880 --> 00:25:43,520
comes alongside PIM to provide a solution that

504
00:25:43,520 --> 00:25:47,080
gives you the customer a comprehensive visibility

505
00:25:47,080 --> 00:25:50,760
and control over permissions for any identity and resource

506
00:25:50,760 --> 00:25:53,840
in those three clouds that I mentioned within Azure, AWS,

507
00:25:53,840 --> 00:25:55,000
and GCP.

508
00:25:55,000 --> 00:26:00,440
It makes it so simple and so easy to basically go from AWS

509
00:26:00,440 --> 00:26:02,960
to Azure and GCP in a split second.

510
00:26:02,960 --> 00:26:04,680
And we give you that control.

511
00:26:04,680 --> 00:26:06,520
So let me give you a scenario here, right?

512
00:26:06,520 --> 00:26:09,480
Whether you have JIT from Multicloud as an example.

513
00:26:09,480 --> 00:26:14,360
Customers can use Azure AD PIM, but if they're looking

514
00:26:14,360 --> 00:26:17,840
for a way to get that granular visibility into what

515
00:26:17,840 --> 00:26:19,880
that PIM role is doing, that's what

516
00:26:19,880 --> 00:26:23,480
CIEM is there to actually show you for that JIT assignment.

517
00:26:23,480 --> 00:26:29,560
Also, one additional difference is with PIM, well,

518
00:26:29,560 --> 00:26:33,400
you have access reviews that does review some of those accesses

519
00:26:33,400 --> 00:26:34,920
and take them away.

520
00:26:34,920 --> 00:26:37,560
However, with Entra Permissions Management,

521
00:26:37,560 --> 00:26:41,520
the customer can actually assess those accesses

522
00:26:41,520 --> 00:26:45,680
or those roles specifically as they're tied to infrastructure

523
00:26:45,680 --> 00:26:53,040
entitlements and use the product to detect anomalous behavior.

524
00:26:53,040 --> 00:26:55,800
So one of the things that we like to say within the product

525
00:26:55,800 --> 00:26:59,760
group is whenever a credential is compromised,

526
00:26:59,760 --> 00:27:02,040
if that credential is right-sized,

527
00:27:02,040 --> 00:27:06,160
there's not much a bad actor can do with those credentials

528
00:27:06,160 --> 00:27:09,520
because, well, they only have access to a few things.

529
00:27:09,520 --> 00:27:14,480
And so PIM is just an elevation of a role

530
00:27:14,480 --> 00:27:17,320
that the user has access to.

531
00:27:17,320 --> 00:27:19,680
But with PIM, it's a complement to PIM

532
00:27:19,680 --> 00:27:22,760
to give you that visibility, to give you that remediation

533
00:27:22,760 --> 00:27:24,440
and right-sizing capability.

534
00:27:24,440 --> 00:27:27,000
And finally, it monitors, it gives you

535
00:27:27,000 --> 00:27:30,680
a way to get alerts, to detect anomalous behavior,

536
00:27:30,680 --> 00:27:34,440
to basically generate reports and make it easy for you

537
00:27:34,440 --> 00:27:37,560
to know what is really happening with those users,

538
00:27:37,560 --> 00:27:39,720
their permissions, and what they're doing with that

539
00:27:39,720 --> 00:27:41,240
according to the resources that you

540
00:27:41,240 --> 00:27:44,960
have for your cloud infrastructure entitlements.

541
00:27:44,960 --> 00:27:49,440
So in other words, what you're saying is basically,

542
00:27:49,440 --> 00:27:51,760
you look at the least privilege,

543
00:27:51,760 --> 00:27:55,120
you look at those excessive permissions,

544
00:27:55,120 --> 00:28:01,520
a custom role is created, which can be used in PIM

545
00:28:01,520 --> 00:28:05,440
in order to request temporary access.

546
00:28:05,440 --> 00:28:07,720
Is that the way it works?

547
00:28:07,720 --> 00:28:09,240
So not necessarily, right?

548
00:28:09,240 --> 00:28:13,640
So remember, I mentioned, the Entra Permissions Management

549
00:28:13,640 --> 00:28:17,360
solution really looks at cloud infrastructure entitlement.

550
00:28:17,360 --> 00:28:20,960
So it actually focuses more on the Azure roles

551
00:28:20,960 --> 00:28:24,560
versus the Azure Active Directory roles, where,

552
00:28:24,560 --> 00:28:27,240
for example, PIM can be used to elevate to Azure Active

553
00:28:27,240 --> 00:28:31,480
Directory and also to Azure roles for those resources.

554
00:28:31,480 --> 00:28:34,880
The difference here is that with cloud infrastructure

555
00:28:34,880 --> 00:28:37,280
entitlements, that is tied directly

556
00:28:37,280 --> 00:28:41,600
to specific resources that are within a subscription within

557
00:28:41,600 --> 00:28:45,560
Azure, within the account for AWS,

558
00:28:45,560 --> 00:28:49,120
and then within the project for Google Cloud.

559
00:28:49,120 --> 00:28:51,560
And so what that is trying to do there

560
00:28:51,560 --> 00:28:56,280
is to ensure that that user or non-human identity's access

561
00:28:56,280 --> 00:28:59,920
to a specific resource is captured

562
00:28:59,920 --> 00:29:03,400
and that we actually know to the granularity

563
00:29:03,400 --> 00:29:09,520
layer of exactly what permissions that user actually has.

564
00:29:09,520 --> 00:29:13,280
And so that is the intricate details

565
00:29:13,280 --> 00:29:15,280
that this product actually gives you

566
00:29:15,280 --> 00:29:17,600
and gives you the control and the power

567
00:29:17,600 --> 00:29:21,480
to ensure that as long as you have visibility,

568
00:29:21,480 --> 00:29:24,320
you know what a user is capable of doing

569
00:29:24,320 --> 00:29:25,800
with certain permissions.

570
00:29:25,800 --> 00:29:29,560
And it gives you a way to right-size users because over time,

571
00:29:29,560 --> 00:29:32,040
like I said, those permissions grow.

572
00:29:32,040 --> 00:29:35,600
And you can right-size users because we've done the research

573
00:29:35,600 --> 00:29:39,600
and I can tell you, it's been over 90% of users

574
00:29:39,600 --> 00:29:42,480
are over-permissioned today.

575
00:29:42,480 --> 00:29:44,360
And how we know that is because we

576
00:29:44,360 --> 00:29:46,880
do these risk assessments for lots and lots

577
00:29:46,880 --> 00:29:49,400
of different customers and lots of different people.

578
00:29:49,400 --> 00:29:52,120
And we've noticed that the permissions that are used

579
00:29:52,120 --> 00:29:54,400
versus the permissions that are granted,

580
00:29:54,400 --> 00:29:58,440
there's a huge delta there, as I called it, the permissions gap.

581
00:29:58,440 --> 00:30:01,880
And so how do you make sure that permissions gap

582
00:30:01,880 --> 00:30:05,200
is actually controlled or managed?

583
00:30:05,200 --> 00:30:07,400
Well, that's where the product comes in.

584
00:30:07,400 --> 00:30:10,640
You can actually right-size those users to start.

585
00:30:10,640 --> 00:30:12,160
And after you right-size them, you

586
00:30:12,160 --> 00:30:14,280
put them through a continuous monitoring.

587
00:30:14,280 --> 00:30:17,320
which the tool gives you the capability to do

588
00:30:17,320 --> 00:30:20,400
so that you can continuously see what's happening there

589
00:30:20,400 --> 00:30:24,200
and actually build a robust identity security platform

590
00:30:24,200 --> 00:30:25,480
for your organization.

591
00:30:25,480 --> 00:30:26,640
I have a question for you.

592
00:30:26,640 --> 00:30:28,240
Do you ever have customers run this tool

593
00:30:28,240 --> 00:30:30,560
and be absolutely terrified at the result?

594
00:30:30,560 --> 00:30:31,320
Oh, absolutely.

595
00:30:31,320 --> 00:30:34,080
I mean, I think that's one of the first things

596
00:30:34,080 --> 00:30:37,880
that we actually notice when we engage with a customer.

597
00:30:37,880 --> 00:30:40,880
And whenever they see their environment

598
00:30:40,880 --> 00:30:46,160
and notice how many over-permissive users exist,

599
00:30:46,160 --> 00:30:48,560
I mean, I think that's the first thing everyone's like, wow,

600
00:30:48,560 --> 00:30:49,960
I didn't know I had that.

601
00:30:49,960 --> 00:30:54,160
And almost every customer I have engaged with has said that

602
00:30:54,160 --> 00:30:57,360
and said, oh, I didn't realize I had all of these over

603
00:30:57,360 --> 00:30:58,080
permissions.

604
00:30:58,080 --> 00:31:00,440
And I didn't realize over 90 days,

605
00:31:00,440 --> 00:31:02,440
these are the only permissions my users

606
00:31:02,440 --> 00:31:06,440
and my managed identities, my non-human identities,

607
00:31:06,440 --> 00:31:08,680
workload identities, or whatever.

608
00:31:08,680 --> 00:31:10,960
That is why do they have all these permissions?

609
00:31:10,960 --> 00:31:12,760
And if they're not using it, they're

610
00:31:12,760 --> 00:31:15,320
only using just a fraction of it.

611
00:31:15,320 --> 00:31:19,120
So my question is, if people get

612
00:31:19,120 --> 00:31:24,920
as scared about the solution, how do you foresee

613
00:31:24,920 --> 00:31:27,920
organizations managing?

614
00:31:27,920 --> 00:31:32,920
Because many customers what I have seen with our services

615
00:31:32,920 --> 00:31:37,120
is that they use it, they implement the capabilities,

616
00:31:37,120 --> 00:31:38,840
and they leave it.

617
00:31:38,840 --> 00:31:41,920
Do you see that this is a continuous improvement

618
00:31:41,920 --> 00:31:44,400
type of service?

619
00:31:44,400 --> 00:31:49,760
What are the recommendations for how people in process

620
00:31:49,760 --> 00:31:51,600
should be involved in there?

621
00:31:51,600 --> 00:31:52,480
Oh, absolutely.

622
00:31:52,480 --> 00:31:54,480
This is something that I would recommend

623
00:31:54,480 --> 00:31:58,920
every organization do on a bi-weekly or monthly basis,

624
00:31:58,920 --> 00:32:01,360
depending on their workload and their work streams.

625
00:32:01,360 --> 00:32:04,480
Because it's very, very important to understand

626
00:32:04,480 --> 00:32:06,000
what users are doing.

627
00:32:06,000 --> 00:32:10,480
I think the focus has been for many, many organizations today

628
00:32:10,480 --> 00:32:13,080
to just look at, hey, I know I'm managing,

629
00:32:13,080 --> 00:32:17,040
I have an identity governance service or solution that

630
00:32:17,040 --> 00:32:20,480
can do access reviews, that can see, oh, this person

631
00:32:20,480 --> 00:32:23,080
has these right-sized roles.

632
00:32:23,080 --> 00:32:24,840
Well, within those right-sized roles,

633
00:32:24,840 --> 00:32:28,360
there are permissions in there that maybe that user does not

634
00:32:28,360 --> 00:32:29,200
need.

635
00:32:29,200 --> 00:32:33,240
And so what I foresee happening is,

636
00:32:33,240 --> 00:32:36,080
as Zero Trust has been growing and a lot of enterprises

637
00:32:36,080 --> 00:32:38,360
that are adopting the Zero Trust methodology

638
00:32:38,360 --> 00:32:41,360
and actually enforcing the principle of least privilege,

639
00:32:41,360 --> 00:32:43,400
what I foresee happening is you'll

640
00:32:43,400 --> 00:32:46,520
see many people actually talk about the permissions that some

641
00:32:46,520 --> 00:32:47,920
of these roles actually have.

642
00:32:47,920 --> 00:32:50,480
And that is where Entra Permissions Management can

643
00:32:50,480 --> 00:32:53,680
help you be successful and help you actually manage

644
00:32:53,680 --> 00:32:56,800
these unmanaged permissions and actually determine

645
00:32:56,800 --> 00:33:00,280
the permissions risks that most organizations and enterprises

646
00:33:00,280 --> 00:33:02,200
have today.

647
00:33:02,200 --> 00:33:04,440
All right, well, let's start to wrap this thing up.

648
00:33:04,440 --> 00:33:07,560
So one thing we always ask our guests

649
00:33:07,560 --> 00:33:11,080
is if you had just one thought to leave our listeners with,

650
00:33:11,080 --> 00:33:12,440
what would it be?

651
00:33:12,440 --> 00:33:16,120
My thought here is, I believe every enterprise

652
00:33:16,120 --> 00:33:18,720
in every organization out there today

653
00:33:18,720 --> 00:33:22,600
actually has over-permission within their environment.

654
00:33:22,600 --> 00:33:25,720
And my thought here is, we've studied and observed

655
00:33:25,720 --> 00:33:27,640
these trends that demonstrate the fact

656
00:33:27,640 --> 00:33:31,040
that these organizations have to consider permissions management

657
00:33:31,040 --> 00:33:33,880
as a central piece of their Zero Trust security.

658
00:33:33,880 --> 00:33:38,000
And so I'll just say, go get a free risk assessment done.

659
00:33:38,000 --> 00:33:42,560
With this product, we do a 90-day free trial

660
00:33:42,560 --> 00:33:45,520
that we actually give you to just see what's happening.

661
00:33:45,520 --> 00:33:47,280
And you'll get that comprehensive visibility

662
00:33:47,280 --> 00:33:48,520
that I talked about.

663
00:33:48,520 --> 00:33:53,320
And when you onboard and see what's going on in your environment,

664
00:33:53,320 --> 00:33:55,480
that should give you enough reason

665
00:33:55,480 --> 00:33:59,480
to consider how you actually manage your permissions

666
00:33:59,480 --> 00:34:00,680
within your clouds.

667
00:34:00,680 --> 00:34:02,840
And as we already know, most enterprises

668
00:34:02,840 --> 00:34:06,760
are growing into a multi-cloud strategy where they're not

669
00:34:06,760 --> 00:34:08,880
only operating on just one cloud,

670
00:34:08,880 --> 00:34:12,760
they're operating on three or more clouds.

671
00:34:12,760 --> 00:34:17,440
So go get yourself a free permissions management trial

672
00:34:17,440 --> 00:34:20,200
and see what's going on within your environment.

673
00:34:20,200 --> 00:34:22,320
And remind me again, what does CIEM stand for?

674
00:34:22,320 --> 00:34:24,520
Cloud Infrastructure Entitlement Management.

675
00:34:24,520 --> 00:34:25,200
There you go.

676
00:34:25,200 --> 00:34:27,120
Hey, so Nick, thank you so much for joining us this week.

677
00:34:27,120 --> 00:34:28,560
I know you're obviously really, really busy.

678
00:34:28,560 --> 00:34:29,840
You know, the product's relatively new,

679
00:34:29,840 --> 00:34:34,120
so I have no doubt you've got a lot of talks with customers.

680
00:34:34,120 --> 00:34:36,720
So again, I really appreciate you taking the time.

681
00:34:36,720 --> 00:34:39,200
And to all our listeners out there, thank you for listening.

682
00:34:39,200 --> 00:34:40,920
We hope you found this of interest.

683
00:34:40,920 --> 00:34:43,520
Stay safe, especially those in Florida.

684
00:34:43,520 --> 00:34:44,960
And we'll see you next time.

685
00:34:44,960 --> 00:34:47,840
Thanks for listening to the Azure Security Podcast.

686
00:34:47,840 --> 00:34:51,600
You can find show notes and other resources at our website,

687
00:34:51,600 --> 00:34:54,680
azsecuritypodcast.net.

688
00:34:54,680 --> 00:34:56,960
If you have any questions, please find us

689
00:34:56,960 --> 00:34:59,400
on Twitter at AzureSecPod.

690
00:34:59,400 --> 00:35:03,160
Background music is from ccmixter.com and licensed

691
00:35:03,160 --> 00:35:15,840
under the Creative Commons license.

