1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:17,000
Hey everybody, welcome to Episode 66.

5
00:00:17,000 --> 00:00:21,120
This week, it's myself, Michael, Sarah, and Mark.

6
00:00:21,120 --> 00:00:22,640
Gladly, they've taken a little bit of a break.

7
00:00:22,640 --> 00:00:25,300
We have a guest this week, Joey Snow,

8
00:00:25,300 --> 00:00:28,760
who's here to talk to us about some identity stuff.

9
00:00:28,760 --> 00:00:31,280
Rather than talking about identity in terms of people,

10
00:00:31,280 --> 00:00:34,080
we're talking about workload identities.

11
00:00:34,080 --> 00:00:35,580
So with that,

12
00:00:35,580 --> 00:00:37,840
let's take a little lap around the news first.

13
00:00:37,840 --> 00:00:39,440
Mark, why don't you kick things off?

14
00:00:39,440 --> 00:00:43,720
So a couple of interesting things that we released recently.

15
00:00:43,720 --> 00:00:47,040
For those of you that are ancient like Michael and myself,

16
00:00:47,040 --> 00:00:51,240
you may remember something called the Immutable Laws of Security.

17
00:00:51,240 --> 00:00:53,840
In the process of switching over from

18
00:00:53,840 --> 00:00:56,920
TechNet to the modern docs, now Learn, site,

19
00:00:56,920 --> 00:01:00,480
some of that stuff was dropped into an archive and really hard to find.

20
00:01:00,480 --> 00:01:03,160
So as we were in the process of resurrecting it,

21
00:01:03,160 --> 00:01:04,680
we brought it back.

22
00:01:04,680 --> 00:01:06,520
We also realized that there was this need for

23
00:01:06,520 --> 00:01:11,040
a new layer or a new altitude of them around cybersecurity risk,

24
00:01:11,040 --> 00:01:16,280
because we saw some really key truths that needed to be understood,

25
00:01:16,280 --> 00:01:18,600
that debunk some myths.

26
00:01:18,600 --> 00:01:21,120
So we put those up there.

27
00:01:21,120 --> 00:01:23,840
So just aka.ms/securitylaws,

28
00:01:23,840 --> 00:01:25,520
of course the links will be in the show notes.

29
00:01:25,520 --> 00:01:30,040
We cover a lot of things like not keeping up is falling behind.

30
00:01:30,040 --> 00:01:35,400
Disrupting attacker ROI is really the goal of security.

31
00:01:35,400 --> 00:01:37,600
Don't solve a technology problem,

32
00:01:37,600 --> 00:01:42,400
don't solve a people or process problem with a technology solution,

33
00:01:42,400 --> 00:01:44,720
because it won't work, things like that.

34
00:01:44,720 --> 00:01:46,640
So that's out there.

35
00:01:46,640 --> 00:01:49,800
Really love to get some feedback on that and see what you all think.

36
00:01:49,800 --> 00:01:52,720
Another thing that we're working on is the opposite.

37
00:01:52,720 --> 00:01:56,600
So the opposite of a best practice is anti-patterns.

38
00:01:56,600 --> 00:02:00,680
Because sometimes those are really illuminating.

39
00:02:00,680 --> 00:02:02,520
Like, hey, I didn't realize we were doing it wrong,

40
00:02:02,520 --> 00:02:05,480
but now that you describe it that way, that does sound dumb.

41
00:02:05,480 --> 00:02:08,200
So we've been really collecting some of those.

42
00:02:08,200 --> 00:02:10,320
I've got a little LinkedIn post going on,

43
00:02:10,320 --> 00:02:13,400
so I'll send that out for the folks that are

44
00:02:13,400 --> 00:02:15,720
interested and have some to contribute.

45
00:02:15,720 --> 00:02:18,960
Some of my favorites are collection is not detection,

46
00:02:18,960 --> 00:02:22,840
and we got a whole slew of them for patching there.

47
00:02:22,840 --> 00:02:26,120
Then compliant is not secure.

48
00:02:26,120 --> 00:02:28,400
I can't tell you how many people I've met that think that,

49
00:02:28,400 --> 00:02:30,600
hey, we're compliant, so therefore we're secure.

50
00:02:30,600 --> 00:02:33,080
Gotcha. Not really.

51
00:02:33,080 --> 00:02:34,960
But just all sorts of things.

52
00:02:34,960 --> 00:02:38,000
There's also the user world of we're using the same password,

53
00:02:38,000 --> 00:02:40,560
all throughout the SOC and identity world and all that.

54
00:02:40,560 --> 00:02:42,480
So we figured there's a lot of good ones out there,

55
00:02:42,480 --> 00:02:45,040
and we'd love to get your thoughts on ideas on that.

56
00:02:45,040 --> 00:02:47,760
Then the last one I just wanted to highlight real

57
00:02:47,760 --> 00:02:50,440
quick is around the CISO workshop.

58
00:02:50,440 --> 00:02:55,320
So that is something that we've had the videos posted for a couple months now,

59
00:02:55,320 --> 00:02:57,760
and we've been training some folks internally,

60
00:02:57,760 --> 00:02:59,440
getting them all ready to deliver.

61
00:02:59,440 --> 00:03:02,400
So this is something that we actually do deliver,

62
00:03:02,400 --> 00:03:09,200
not just as that one recorded time on the internet that you can enjoy in perpetuity.

63
00:03:09,200 --> 00:03:12,360
But also we do that delivery with customers,

64
00:03:12,360 --> 00:03:17,120
for its CISOs, CIOs, security directors, IT directors.

65
00:03:17,120 --> 00:03:19,120
Oftentimes bringing teams together,

66
00:03:19,120 --> 00:03:22,840
helping them connect and build a common strategy,

67
00:03:22,840 --> 00:03:26,760
understand the latest trends in Zero Trust and how do you actually apply that?

68
00:03:26,760 --> 00:03:28,720
What does it really mean to a program,

69
00:03:28,720 --> 00:03:31,920
to a strategy to all those elements?

70
00:03:31,920 --> 00:03:35,280
So that one as well as our end-to-end security architecture,

71
00:03:35,280 --> 00:03:38,040
the architecture design session one,

72
00:03:38,040 --> 00:03:41,680
are actually something that we're starting to do deliveries on.

73
00:03:41,680 --> 00:03:45,000
Shadowing and reverse shadowing and leading a couple of those.

74
00:03:45,000 --> 00:03:47,560
So, hey, you might get lucky and get me there,

75
00:03:47,560 --> 00:03:49,960
or unlucky as the case might be.

76
00:03:49,960 --> 00:03:52,440
But that's really all I got this week.

77
00:03:52,440 --> 00:03:54,160
So I guess it's my turn then.

78
00:03:54,160 --> 00:03:56,520
So I've just got one bit of news.

79
00:03:56,520 --> 00:04:01,080
I love AKS and Kubernetes nearly as much as I love Sentinel.

80
00:04:01,080 --> 00:04:04,400
Just a quick one, there's a public preview of being able to

81
00:04:04,400 --> 00:04:08,560
rotate your SSH keys in your existing AKS node pools.

82
00:04:08,560 --> 00:04:11,960
So of course you should be using SSH.

83
00:04:11,960 --> 00:04:14,600
It is the default in AKS now.

84
00:04:14,600 --> 00:04:17,840
You have the default for Linux VMs in Azure,

85
00:04:17,840 --> 00:04:21,800
but you can now rotate those keys on existing node pools

86
00:04:21,800 --> 00:04:24,040
and you don't have to re-image the node.

87
00:04:24,040 --> 00:04:25,920
So that's very good,

88
00:04:25,920 --> 00:04:29,920
doing your good security hygiene and best practices,

89
00:04:29,920 --> 00:04:31,200
much, much easier.

90
00:04:31,200 --> 00:04:33,760
And that's just me for this week.

91
00:04:33,760 --> 00:04:34,640
Yeah, I got a few items.

92
00:04:34,640 --> 00:04:39,720
So the first one is, Azure Front Door now supports managed identities,

93
00:04:39,720 --> 00:04:42,640
and I've probably brought this topic up on every single episode,

94
00:04:42,640 --> 00:04:46,520
it's really great to see more and more PaaS services

95
00:04:46,520 --> 00:04:49,400
support managed identity so that way you don't have to manage

96
00:04:49,400 --> 00:04:51,680
your credential and accessing other resources.

97
00:04:51,680 --> 00:04:56,360
So for example, if you had to access a storage account or a key vault

98
00:04:56,360 --> 00:04:58,760
and you can use the managed identity of the Front Door instance

99
00:04:58,760 --> 00:05:00,640
to restrict access to that resource.

100
00:05:00,640 --> 00:05:03,040
And the nice thing is that the actual credential

101
00:05:03,040 --> 00:05:07,040
is actually handled by AAD rather than your application.

102
00:05:07,040 --> 00:05:10,960
So great to see Azure Front Door now supporting managed identities,

103
00:05:10,960 --> 00:05:12,920
but that is in public preview.

104
00:05:12,920 --> 00:05:14,200
Next one in general availability,

105
00:05:14,200 --> 00:05:16,560
I did not even know this one was coming.

106
00:05:16,560 --> 00:05:18,760
And this is actually really awesome to see.

107
00:05:18,760 --> 00:05:22,440
And that is that there's now the ability to view the tables

108
00:05:22,440 --> 00:05:24,800
that make up Log Analytics.

109
00:05:24,800 --> 00:05:28,280
Historically, the tables have always been sort of hidden away from you.

110
00:05:28,280 --> 00:05:30,040
You didn't actually realize that you know,

111
00:05:30,040 --> 00:05:33,120
certain data was being collected in tables underneath,

112
00:05:33,120 --> 00:05:36,000
and then you could then use Log Analytics to query over those tables.

113
00:05:36,000 --> 00:05:38,120
Well, now you can see the tables.

114
00:05:38,120 --> 00:05:40,000
You can see what the fields are.

115
00:05:40,000 --> 00:05:42,200
You can see basically everything, you know,

116
00:05:42,200 --> 00:05:45,280
that the schema that makes up the table.

117
00:05:45,280 --> 00:05:47,560
You can even create and delete new tables if you wanted to.

118
00:05:47,560 --> 00:05:49,920
I'm not saying that's a great idea, but you can.

119
00:05:49,920 --> 00:05:51,840
So this is great to see because it's sort of,

120
00:05:51,840 --> 00:05:52,840
I don't know about you guys,

121
00:05:52,840 --> 00:05:56,080
but I like to know kind of how things work.

122
00:05:56,080 --> 00:05:58,080
And when things are sort of hidden away from me like that,

123
00:05:58,080 --> 00:06:00,960
I don't know, it just, the penny doesn't drop sometimes.

124
00:06:00,960 --> 00:06:03,560
So it's fantastic to see this now in GA.

125
00:06:03,560 --> 00:06:05,240
You can now actually look at the tables

126
00:06:05,240 --> 00:06:08,320
that make up your Log Analytics workspaces.

127
00:06:08,320 --> 00:06:11,720
The last one is also in GA,

128
00:06:11,720 --> 00:06:15,000
is we've now defaulted to a rule set 2.1

129
00:06:15,000 --> 00:06:17,600
for Azure Web Application Firewall.

130
00:06:17,600 --> 00:06:21,280
So these new rules basically are aligned

131
00:06:21,280 --> 00:06:25,520
with the OWASP core rule set 3.3.2.

132
00:06:25,520 --> 00:06:28,080
And they also include some other protections

133
00:06:28,080 --> 00:06:30,520
that have come from our own internal Microsoft

134
00:06:30,520 --> 00:06:33,040
Threat Intelligence team, the MSTIC team.

135
00:06:33,040 --> 00:06:34,960
So you should be looking at that new rule set.

136
00:06:34,960 --> 00:06:37,440
And if it makes sense for you guys,

137
00:06:37,440 --> 00:06:39,240
we'd go ahead and turn it on.

138
00:06:39,240 --> 00:06:42,600
Okay, so I get to kick this interview off

139
00:06:42,600 --> 00:06:45,040
with our guest this time.

140
00:06:45,040 --> 00:06:46,640
I'm gonna let him introduce himself,

141
00:06:46,640 --> 00:06:50,560
but funnily enough, he is in fact my boss at Microsoft.

142
00:06:50,560 --> 00:06:54,080
So that's why we're all gonna be on our best behavior.

143
00:06:54,080 --> 00:06:57,240
But this week we have Joey Snow.

144
00:06:57,240 --> 00:06:59,800
Joey, do you want to introduce yourself?

145
00:06:59,800 --> 00:07:02,680
Yeah, but I promise I'm not gonna be on my best behavior.

146
00:07:02,680 --> 00:07:05,600
I mean, that's just so abnormal to me.

147
00:07:05,600 --> 00:07:07,640
So hey, and thanks for having me.

148
00:07:07,640 --> 00:07:08,720
I'm Joey Snow.

149
00:07:08,720 --> 00:07:12,440
I am a Principal Cloud Advocate Lead.

150
00:07:12,440 --> 00:07:17,200
So basically I lead a team of security advocates,

151
00:07:17,200 --> 00:07:20,440
which is net new inside the advocacy world

152
00:07:20,440 --> 00:07:24,640
where we very similar to what a developer advocate does

153
00:07:24,640 --> 00:07:26,880
and our operations advocates do where we go out

154
00:07:26,880 --> 00:07:30,240
and advocate on behalf of Microsoft

155
00:07:30,240 --> 00:07:32,960
and then back into Microsoft,

156
00:07:32,960 --> 00:07:35,560
particularly around our security products.

157
00:07:35,560 --> 00:07:38,440
Wow, I had no idea that's what you did, Joey.

158
00:07:38,440 --> 00:07:41,320
No, none whatsoever.

159
00:07:41,320 --> 00:07:42,960
I had no idea.

160
00:07:42,960 --> 00:07:45,040
But this week you're gonna talk to us

161
00:07:45,040 --> 00:07:46,760
about workload identities.

162
00:07:46,760 --> 00:07:50,000
So, you know, let's start with a basic question.

163
00:07:50,000 --> 00:07:52,880
Like, what the heck is a workload identity?

164
00:07:52,880 --> 00:07:55,280
How's it different from a managed identity?

165
00:07:55,280 --> 00:07:57,640
Like, tell us all the things.

166
00:07:57,640 --> 00:08:00,480
First, like what is a workload identity?

167
00:08:00,480 --> 00:08:02,480
So the best way to think about this

168
00:08:02,480 --> 00:08:05,600
is to break up identities into kind of two things.

169
00:08:05,600 --> 00:08:07,640
You've got like human identities, right?

170
00:08:07,640 --> 00:08:09,240
So those are like your employees,

171
00:08:09,240 --> 00:08:12,160
your external users, those user identities.

172
00:08:12,160 --> 00:08:15,200
And then you have machine identities.

173
00:08:15,200 --> 00:08:18,400
So things that could be like, you know,

174
00:08:18,400 --> 00:08:20,800
a device identity or an IoT,

175
00:08:20,800 --> 00:08:23,200
robot process automation is an example.

176
00:08:23,200 --> 00:08:25,920
But another piece of a machine identity

177
00:08:25,920 --> 00:08:27,640
could be a workload identity.

178
00:08:27,640 --> 00:08:31,960
And we think of these things like application to application

179
00:08:31,960 --> 00:08:33,720
or service to service calls.

180
00:08:33,720 --> 00:08:36,320
Things that run in the middle of the night.

181
00:08:36,320 --> 00:08:38,560
An example of folks who've been around long enough,

182
00:08:38,560 --> 00:08:40,040
there's an Exchange service account

183
00:08:40,040 --> 00:08:41,520
that we created back in the days

184
00:08:41,520 --> 00:08:43,240
of doing on-premises Exchange

185
00:08:43,240 --> 00:08:45,080
or the old school service accounts,

186
00:08:45,080 --> 00:08:47,720
the Microsoft service accounts that we have,

187
00:08:47,720 --> 00:08:51,440
are an example of a workload identity.

188
00:08:51,440 --> 00:08:54,520
Things like your data backup services are using

189
00:08:54,520 --> 00:08:57,120
to gain access to the systems to run at night.

190
00:08:57,120 --> 00:09:00,640
Your CRM systems typically have them, security software.

191
00:09:00,640 --> 00:09:05,640
So it's just an example of, you know, applications.

192
00:09:06,160 --> 00:09:08,680
You asked about the managed identity piece.

193
00:09:08,680 --> 00:09:11,960
A managed identity can actually be part of a workload identity

194
00:09:11,960 --> 00:09:14,480
and it's actually a better way of handling it

195
00:09:14,480 --> 00:09:16,280
than we have in the past.

196
00:09:16,280 --> 00:09:17,680
Again, yeah, I wonder how I get to ask

197
00:09:17,680 --> 00:09:20,080
some of the most basic questions, but here we go.

198
00:09:20,080 --> 00:09:22,600
I mean, what, I mean, ultimately, you know,

199
00:09:22,600 --> 00:09:26,120
what is the problem statement here for workload identities

200
00:09:26,120 --> 00:09:29,280
and what sort of problem are we really trying to solve here?

201
00:09:29,280 --> 00:09:33,440
So really what it comes down to is that

202
00:09:33,440 --> 00:09:37,480
non-human identity attacks are on the rise in the world.

203
00:09:37,480 --> 00:09:41,720
When you look at things like ransomware, data exfiltration,

204
00:09:41,720 --> 00:09:46,720
when you look at leveraging applications to impersonate,

205
00:09:47,680 --> 00:09:49,200
you know, a known application

206
00:09:49,200 --> 00:09:52,280
that then can become compromised and impersonate things,

207
00:09:53,240 --> 00:09:57,040
takeover systems or be used for, you know, lateral movement.

208
00:09:57,040 --> 00:10:02,040
But really it comes down to we have spent a lot of time

209
00:10:02,480 --> 00:10:03,960
over the last couple of years

210
00:10:03,960 --> 00:10:08,480
in really focusing on human identities, right?

211
00:10:08,480 --> 00:10:12,280
We're monitoring human identities, we're enabling MFA

212
00:10:12,280 --> 00:10:15,520
and we have those principles around that.

213
00:10:15,520 --> 00:10:19,120
What we have not been doing is spending a ton of time

214
00:10:19,120 --> 00:10:22,440
on what's happening in the background, in these applications.

215
00:10:22,440 --> 00:10:24,240
So we're really only paying attention to the things

216
00:10:24,240 --> 00:10:28,320
that we see, it's kind of like this streetlight effect, right?

217
00:10:28,320 --> 00:10:30,360
So as we've hardened user identities,

218
00:10:30,360 --> 00:10:33,840
well, our attackers are basically going, well, that's hard.

219
00:10:33,840 --> 00:10:36,720
And attackers don't like things that are hard and difficult,

220
00:10:36,720 --> 00:10:38,920
at least in most cases.

221
00:10:38,920 --> 00:10:42,800
So when we make our user accounts less susceptible

222
00:10:42,800 --> 00:10:45,760
to things like phishing and password spray and other things,

223
00:10:45,760 --> 00:10:48,640
the attackers are shifting their focus to other things.

224
00:10:48,640 --> 00:10:50,080
And so now it's like, hey, look,

225
00:10:50,080 --> 00:10:51,560
we need to start paying attention to this.

226
00:10:51,560 --> 00:10:55,640
There's a lot of bad behaviors that we had done in the past,

227
00:10:55,640 --> 00:10:58,640
just go back to the early days of the service account.

228
00:11:00,280 --> 00:11:02,080
You really didn't have to worry about them too much, right?

229
00:11:02,080 --> 00:11:03,120
Cause we had our four walls

230
00:11:03,120 --> 00:11:05,120
and nothing was exposed to the internet.

231
00:11:05,120 --> 00:11:06,520
Now things have changed.

232
00:11:06,520 --> 00:11:10,720
So this whole thing about workload identity,

233
00:11:10,720 --> 00:11:14,640
so I've been around Windows security for way too long,

234
00:11:14,640 --> 00:11:16,800
Sarah keep, don't you say anything?

235
00:11:16,800 --> 00:11:20,920
But it's interesting 'cause you run Windows applications

236
00:11:20,920 --> 00:11:23,040
as an example under some kind of identity.

237
00:11:23,040 --> 00:11:23,880
You always do.

238
00:11:23,880 --> 00:11:26,280
So for example, it could be a service

239
00:11:26,280 --> 00:11:28,680
and you can run a service as like a service account,

240
00:11:28,680 --> 00:11:31,880
which is actually like network service, local service,

241
00:11:31,880 --> 00:11:34,280
heaven forbid system account.

242
00:11:34,280 --> 00:11:37,280
They can also run a specialized user account, right?

243
00:11:37,280 --> 00:11:39,960
With specific group memberships and privileges.

244
00:11:39,960 --> 00:11:43,040
And that concept has been around for a long, long, long time.

245
00:11:43,040 --> 00:11:44,600
Even in the same in Linux, right?

246
00:11:44,600 --> 00:11:47,240
You can run, say for example, the Apache daemon,

247
00:11:47,240 --> 00:11:51,120
you can run the main httpd process as root

248
00:11:51,120 --> 00:11:53,080
because you need to open up port 80.

249
00:11:53,080 --> 00:11:55,800
Then you can have other httpd daemons running

250
00:11:55,800 --> 00:11:56,880
as say nobody, right?

251
00:11:56,880 --> 00:11:58,920
And they don't need to run elevated.

252
00:11:58,920 --> 00:12:02,280
And I've seen this so many times,

253
00:12:02,280 --> 00:12:04,480
it's like your opinion on it,

254
00:12:04,480 --> 00:12:06,720
where you're reviewing like a design or something

255
00:12:06,720 --> 00:12:09,320
and you see a service running as, say as an admin

256
00:12:09,320 --> 00:12:11,920
or even a global admin, right?

257
00:12:11,920 --> 00:12:14,080
Like a domain admin as opposed to a local admin

258
00:12:14,080 --> 00:12:15,920
or perhaps even a system account,

259
00:12:15,920 --> 00:12:17,720
which are highly elevated accounts.

260
00:12:17,720 --> 00:12:19,600
And if that process is compromised,

261
00:12:19,600 --> 00:12:22,480
then the attacker is now running as system or as root

262
00:12:22,480 --> 00:12:26,000
or as global admin or local admin or something,

263
00:12:26,000 --> 00:12:28,400
which is, it can be absolutely catastrophic.

264
00:12:28,400 --> 00:12:30,720
So, I'd just like your opinion,

265
00:12:30,720 --> 00:12:32,240
and it's just something that you see

266
00:12:32,240 --> 00:12:33,960
where people just say, well, we run this account

267
00:12:33,960 --> 00:12:36,920
because we run it as domain admin

268
00:12:36,920 --> 00:12:38,800
because it's always run as domain admin

269
00:12:38,800 --> 00:12:40,480
and everything kind of works.

270
00:12:40,480 --> 00:12:41,560
Well, of course everything works

271
00:12:41,560 --> 00:12:43,600
because you run as domain admin or a system.

272
00:12:43,600 --> 00:12:45,800
The problem is, so does the attacker's code, right?

273
00:12:45,800 --> 00:12:48,120
The attacker's code runs as system or as domain admin,

274
00:12:48,120 --> 00:12:51,240
and it just works because the process

275
00:12:51,240 --> 00:12:54,400
that they've compromised is running elevated.

276
00:12:54,400 --> 00:12:56,440
Is that something that you see a lot as well?

277
00:12:56,440 --> 00:13:01,200
I mean, is that part and parcel of attacks that go on?

278
00:13:01,200 --> 00:13:03,200
Yeah, it very much is.

279
00:13:03,200 --> 00:13:06,880
It's very much a common area of concern, right?

280
00:13:06,880 --> 00:13:10,120
Where things have been no shock to anyone.

281
00:13:10,120 --> 00:13:11,960
Things are over-permissioned.

282
00:13:11,960 --> 00:13:15,640
That's because the nature of how we've been kind of

283
00:13:15,640 --> 00:13:17,120
dealing with security, right?

284
00:13:17,120 --> 00:13:20,560
Security tends to be bolted on and added on at the end

285
00:13:20,560 --> 00:13:24,840
instead of becoming part of building an application

286
00:13:24,840 --> 00:13:29,840
or building out a service or part of just that natural process

287
00:13:31,400 --> 00:13:34,160
where it's born with security in mind

288
00:13:34,160 --> 00:13:36,000
and designed in that way a lot of times,

289
00:13:36,000 --> 00:13:37,880
things just kind of get tossed over the fence

290
00:13:37,880 --> 00:13:40,240
and it's like up to the security folks

291
00:13:40,240 --> 00:13:42,880
or the operations folks to then secure it afterwards.

292
00:13:42,880 --> 00:13:46,880
And you go back to applications that were designed

293
00:13:46,880 --> 00:13:50,440
in the 90s and the early 2000s that still exist today

294
00:13:50,440 --> 00:13:53,280
where things, it's like a user.

295
00:13:53,280 --> 00:13:55,040
A user insists that they have to be running

296
00:13:55,040 --> 00:13:55,880
as domain admin.

297
00:13:55,880 --> 00:14:00,200
That's not the way it should be done anymore.

298
00:14:00,200 --> 00:14:03,560
And so yeah, over-resourced, or sorry, over-permissioned

299
00:14:05,200 --> 00:14:08,480
identities or workload service accounts

300
00:14:08,480 --> 00:14:11,280
are absolutely a big problem.

301
00:14:11,280 --> 00:14:14,120
A lot of it has to do with managing it.

302
00:14:14,120 --> 00:14:16,840
You mentioned that service accounts could be user accounts.

303
00:14:16,840 --> 00:14:19,720
That's not a good thing.

304
00:14:19,720 --> 00:14:23,240
There's a reason why Microsoft created back

305
00:14:23,240 --> 00:14:27,160
for the on-premises piece, the managed service accounts,

306
00:14:27,160 --> 00:14:30,080
where basically there's not a username and password

307
00:14:30,080 --> 00:14:31,760
that has to be cycled.

308
00:14:31,760 --> 00:14:33,520
If that password got out in the wild,

309
00:14:33,520 --> 00:14:36,800
then I don't have my entire infrastructure at risk.

310
00:14:36,800 --> 00:14:38,760
And then you start looking at things like

311
00:14:38,760 --> 00:14:41,280
if you've got to have certificates

312
00:14:41,280 --> 00:14:43,440
or you need to have a username password combination

313
00:14:43,440 --> 00:14:46,280
using things like Azure Key Vault to store that,

314
00:14:46,280 --> 00:14:48,440
where at least it's in a single place.

315
00:14:48,440 --> 00:14:51,440
And then you can, earlier you mentioned managed identities,

316
00:14:51,440 --> 00:14:54,440
where you can leverage those managed identities on top of

317
00:14:54,440 --> 00:14:56,640
because with managed identities,

318
00:14:56,640 --> 00:14:58,080
you don't have to manage these credentials.

319
00:14:58,080 --> 00:14:59,800
In fact, the credentials aren't even available

320
00:14:59,800 --> 00:15:02,480
for you to do anything with.

321
00:15:02,480 --> 00:15:05,640
And then it allows you to use that managed identity

322
00:15:05,640 --> 00:15:09,240
to authenticate to the resources so long as those

323
00:15:09,240 --> 00:15:12,120
managed identities can leverage Azure Active Directory

324
00:15:12,120 --> 00:15:15,320
authentication and when we're talking about the Microsoft view

325
00:15:15,320 --> 00:15:17,000
of managed identity.

326
00:15:17,000 --> 00:15:20,000
So yeah, it's very much about that.

327
00:15:20,000 --> 00:15:23,160
It has a lot to do when we start looking at things

328
00:15:23,160 --> 00:15:24,520
that indicate security concerns

329
00:15:24,520 --> 00:15:26,240
from a workload identity place,

330
00:15:26,240 --> 00:15:28,120
we're looking at things like permissions,

331
00:15:28,120 --> 00:15:31,880
we're looking at things like when are changes being made

332
00:15:31,880 --> 00:15:34,760
to the application, what type of changes are being made,

333
00:15:34,760 --> 00:15:36,160
what are the credential types,

334
00:15:36,160 --> 00:15:38,840
and then configuration changes,

335
00:15:38,840 --> 00:15:43,120
things like changing URIs or log out URLs modifying

336
00:15:43,120 --> 00:15:46,840
or changes to who owns an application and environment,

337
00:15:46,840 --> 00:15:50,520
assuming that you actually know who owns the applications

338
00:15:50,520 --> 00:15:51,360
in your environment,

339
00:15:51,360 --> 00:15:55,280
which is another key thing that people want to take a look at.

340
00:15:55,280 --> 00:15:56,720
You know, it's interesting to bring up the whole thing

341
00:15:56,720 --> 00:16:00,360
about users requiring admin access and so on.

342
00:16:00,360 --> 00:16:04,280
One of my pet peeves is developers thinking they need

343
00:16:04,280 --> 00:16:07,200
admin access just to develop software.

344
00:16:07,200 --> 00:16:09,400
Most of the time you just don't, you really just don't.

345
00:16:09,400 --> 00:16:11,520
I've heard people say, well, I need to debug my application

346
00:16:11,520 --> 00:16:13,200
and Windows debug is a privilege

347
00:16:13,200 --> 00:16:15,760
and only admins have debug privilege.

348
00:16:15,760 --> 00:16:19,880
That is true, but the debug privilege in Windows

349
00:16:19,880 --> 00:16:21,840
doesn't mean you can debug code.

350
00:16:21,840 --> 00:16:24,600
What it means is debugging a process

351
00:16:24,600 --> 00:16:27,280
that's not running as you, that is totally different.

352
00:16:27,280 --> 00:16:29,360
Like if you were, like, single-stepping through some code

353
00:16:29,360 --> 00:16:31,360
that you've written, like a console app

354
00:16:31,360 --> 00:16:32,200
or something like that,

355
00:16:32,200 --> 00:16:35,040
and you don't need debug privilege whatsoever.

356
00:16:35,040 --> 00:16:38,560
Even if you say debugging a service in Windows,

357
00:16:38,560 --> 00:16:40,680
which is running at a different identity,

358
00:16:40,680 --> 00:16:43,640
you can actually grant your account as a user

359
00:16:43,640 --> 00:16:45,160
the debug privilege.

360
00:16:45,160 --> 00:16:47,600
So you're still a user, but you have a dangerous privilege.

361
00:16:47,600 --> 00:16:50,280
Debug privilege is a dangerous privilege,

362
00:16:50,280 --> 00:16:52,280
but you're at least not an admin.

363
00:16:52,280 --> 00:16:53,400
Yeah, I see this all the time.

364
00:16:53,400 --> 00:16:55,600
And honestly, I get into a few little,

365
00:16:55,600 --> 00:16:57,480
let's just call them discussions with developers

366
00:16:57,480 --> 00:16:58,680
and development managers.

367
00:16:58,680 --> 00:17:02,180
You know, when I see a lot of developers running as admin,

368
00:17:02,180 --> 00:17:05,160
I realize it's a bit of a soapbox point of view there,

369
00:17:05,160 --> 00:17:08,120
but yeah, if you're an admin, if you're a developer,

370
00:17:08,120 --> 00:17:10,480
please just don't run as admin.

371
00:17:10,480 --> 00:17:15,480
No, and listen, we've seen the likes of 25 plus million

372
00:17:17,160 --> 00:17:19,880
log-in credentials that get stolen

373
00:17:19,880 --> 00:17:22,920
through things like malicious applications.

374
00:17:22,920 --> 00:17:24,680
So your credential's taken,

375
00:17:24,680 --> 00:17:26,480
and you've got these elevated credentials

376
00:17:26,480 --> 00:17:28,960
because you insist that you need to have that.

377
00:17:28,960 --> 00:17:33,800
That's just an easier way for attackers to do things.

378
00:17:33,800 --> 00:17:37,360
And as I mentioned earlier, the easier it is for them

379
00:17:37,360 --> 00:17:40,120
to do it, the more they're going to target that environment.

380
00:17:40,120 --> 00:17:44,360
When you put things like MFA and having lower credentials,

381
00:17:44,360 --> 00:17:47,320
and when you need to elevate into those other things,

382
00:17:47,320 --> 00:17:50,160
doing things in just in time, where it's,

383
00:17:50,160 --> 00:17:52,320
you know, there may be a process where you have to,

384
00:17:52,320 --> 00:17:55,920
you know, maybe have an MFA challenge and response,

385
00:17:55,920 --> 00:17:57,360
but it's time bound.

386
00:17:57,360 --> 00:17:59,560
So at the end of that, I don't forget

387
00:17:59,560 --> 00:18:02,880
that I need to log out of that elevated process.

388
00:18:02,880 --> 00:18:04,800
It's just good security hygiene.

389
00:18:04,800 --> 00:18:06,840
Yeah, and the way I kind of think of that space

390
00:18:06,840 --> 00:18:10,280
is like that, you know, infamous Spider-Man quote

391
00:18:10,280 --> 00:18:13,800
of with great power comes great responsibility, right?

392
00:18:13,800 --> 00:18:18,200
And ultimately, you know, there's this sort of,

393
00:18:18,200 --> 00:18:20,600
I mean, I've developed this sort of allergy to permissions.

394
00:18:20,600 --> 00:18:22,960
I do not want any privileges or permissions

395
00:18:22,960 --> 00:18:24,120
that I don't need.

396
00:18:24,120 --> 00:18:25,720
I once had a customer offer, you know,

397
00:18:25,720 --> 00:18:29,040
in my couple hundred thousand user environment,

398
00:18:29,040 --> 00:18:30,600
do you want enterprise admin rights?

399
00:18:30,600 --> 00:18:32,880
You know, and I'm like, no.

400
00:18:32,880 --> 00:18:35,880
So, you know, I mean, and we just have to sort of teach that,

401
00:18:35,880 --> 00:18:37,680
I think, to a lot of those developers that,

402
00:18:37,680 --> 00:18:40,280
hey, you don't want it to be your account

403
00:18:40,280 --> 00:18:42,760
that caused the data breach, the disk, the ransomware,

404
00:18:42,760 --> 00:18:45,840
whatever the bad thing was.

405
00:18:47,000 --> 00:18:49,200
So like one of the things I wanted to ask you a little bit

406
00:18:49,200 --> 00:18:51,280
about more Joey is, you know,

407
00:18:51,280 --> 00:18:52,960
some of the non-human identity attacks.

408
00:18:52,960 --> 00:18:54,080
If you want a couple of examples,

409
00:18:54,080 --> 00:18:56,480
is there some other angles or some other kind of attacks

410
00:18:56,480 --> 00:18:57,680
that you've seen?

411
00:18:58,640 --> 00:19:01,560
Yeah, so kind of traditional threats

412
00:19:01,560 --> 00:19:04,560
that we see leveraging application identities is,

413
00:19:05,920 --> 00:19:07,080
I kind of mentioned it earlier

414
00:19:07,080 --> 00:19:09,400
where you've got a compromised application.

415
00:19:09,400 --> 00:19:10,920
There's a legitimate application

416
00:19:10,920 --> 00:19:14,280
that exists in the environment and it's been hijacked.

417
00:19:15,280 --> 00:19:17,760
Another example of application identity threats

418
00:19:17,760 --> 00:19:21,240
is where there's an application that's been placed

419
00:19:21,240 --> 00:19:23,640
into the environment that is malicious.

420
00:19:23,640 --> 00:19:27,080
So it's created by an attacker just to do bad things.

421
00:19:27,080 --> 00:19:29,160
And the reality is, is malicious apps

422
00:19:29,160 --> 00:19:31,160
don't belong in any environment, right?

423
00:19:31,160 --> 00:19:33,240
They need to be eliminated.

424
00:19:33,240 --> 00:19:34,680
And then we need to go back and understand

425
00:19:34,680 --> 00:19:37,600
what happened to allow that in here.

426
00:19:37,600 --> 00:19:40,680
And then the most popular thing

427
00:19:40,680 --> 00:19:44,440
is a misconfigured application, right?

428
00:19:44,440 --> 00:19:47,320
So that means that there is some sort of a configuration,

429
00:19:47,320 --> 00:19:50,120
whether that reside inside or outside

430
00:19:50,120 --> 00:19:53,240
of the identity service or within the application

431
00:19:53,240 --> 00:19:56,600
that has made it susceptible to compromise.

432
00:19:56,600 --> 00:19:59,920
And we've seen tons of examples of these types of things.

433
00:19:59,920 --> 00:20:04,400
If you look at things like supply chain compromises, right?

434
00:20:04,400 --> 00:20:08,040
Where something gets placed into a legitimate application

435
00:20:08,040 --> 00:20:11,960
and then it hides everything else that they're doing,

436
00:20:11,960 --> 00:20:16,960
including adding in a malicious application.

437
00:20:18,120 --> 00:20:21,520
You look at things like consent phishing,

438
00:20:21,520 --> 00:20:24,160
which is a technique that tricks a user

439
00:20:24,160 --> 00:20:26,920
into granting a third party application

440
00:20:26,920 --> 00:20:28,440
access to their account.

441
00:20:28,440 --> 00:20:31,000
And they can either impersonate the user directly

442
00:20:31,000 --> 00:20:35,040
or they can use that victim account to phish other people.

443
00:20:36,200 --> 00:20:41,200
They can use things like some directories

444
00:20:41,880 --> 00:20:46,640
and some configurations allow anyone

445
00:20:46,640 --> 00:20:49,760
to consent to an application being added

446
00:20:49,760 --> 00:20:51,040
into the directory service.

447
00:20:51,040 --> 00:20:53,800
That's bad behavior, we need to not do that.

448
00:20:53,800 --> 00:20:57,400
We really need to manage who can actually add applications

449
00:20:57,400 --> 00:20:59,760
into things like Azure Active Directory.

450
00:20:59,760 --> 00:21:04,760
And then there's kind of the, it still baffles my mind

451
00:21:04,760 --> 00:21:07,720
but you have a look at developers

452
00:21:07,720 --> 00:21:11,800
are still putting credentials into code.

453
00:21:11,800 --> 00:21:13,240
And then they're taking that code

454
00:21:13,240 --> 00:21:16,600
and they're checking it into public code repositories.

455
00:21:16,600 --> 00:21:17,680
Yeah, but the good news is, I mean,

456
00:21:17,680 --> 00:21:19,560
there is tooling around, right?

457
00:21:19,560 --> 00:21:20,960
That can actually find some of these things.

458
00:21:20,960 --> 00:21:23,360
I mean, it's great to see tools like GitHub

459
00:21:23,360 --> 00:21:24,840
automatically scanning repos,

460
00:21:24,840 --> 00:21:26,280
looking for that kind of problem,

461
00:21:26,280 --> 00:21:28,960
but people shouldn't be doing it in the first place.

462
00:21:28,960 --> 00:21:30,800
So Joey, do we see a delineation

463
00:21:30,800 --> 00:21:33,720
between how people manage their user accounts

464
00:21:33,720 --> 00:21:35,960
and how they manage workload accounts?

465
00:21:35,960 --> 00:21:38,200
And then I suppose ultimately,

466
00:21:38,200 --> 00:21:41,440
do we have some kind of tooling to help with this?

467
00:21:41,440 --> 00:21:46,200
And so first and foremost, you don't need to,

468
00:21:46,200 --> 00:21:47,040
so do we have tooling?

469
00:21:47,040 --> 00:21:47,880
Yes, absolutely.

470
00:21:47,880 --> 00:21:50,240
When you talk about some of the stuff that has,

471
00:21:50,240 --> 00:21:52,400
we talked about it at Ignite around,

472
00:21:53,520 --> 00:21:56,400
workload identities and workload identity protection,

473
00:21:56,400 --> 00:21:59,880
but the reality is, is regardless of the tooling

474
00:21:59,880 --> 00:22:01,480
that you have, there's some simple things

475
00:22:01,480 --> 00:22:03,280
that people can do.

476
00:22:03,280 --> 00:22:07,080
So the first thing is understand one,

477
00:22:07,080 --> 00:22:10,040
what are the application identities in your environment

478
00:22:10,040 --> 00:22:12,120
and two, who owns that?

479
00:22:12,120 --> 00:22:13,760
So when things go south,

480
00:22:13,760 --> 00:22:16,600
you know who you can call in and partner with.

481
00:22:16,600 --> 00:22:19,040
I was doing a presentation down in Houston

482
00:22:19,040 --> 00:22:21,120
and chatting with a user group

483
00:22:21,120 --> 00:22:23,720
and doing this talk on workload identities.

484
00:22:23,720 --> 00:22:25,880
And I asked who understood, you know,

485
00:22:25,880 --> 00:22:26,960
the apps in their environment.

486
00:22:26,960 --> 00:22:28,800
I think I saw three people in the back of the room

487
00:22:28,800 --> 00:22:29,960
raise their hands.

488
00:22:29,960 --> 00:22:32,160
And afterward, people were coming up to me going,

489
00:22:32,160 --> 00:22:34,160
this is one of the first things I'm going to be doing

490
00:22:34,160 --> 00:22:35,400
when I get back to the office.

491
00:22:35,400 --> 00:22:38,160
Because again, all of that attention

492
00:22:38,160 --> 00:22:39,800
has been paid on user identities

493
00:22:39,800 --> 00:22:42,600
and nobody's been looking at what exists in this space.

494
00:22:42,600 --> 00:22:46,320
Is this, because this is a, you know, a ripe attack surface

495
00:22:46,320 --> 00:22:51,320
if you're running say a service from, you know, 2001

496
00:22:51,480 --> 00:22:53,720
that's running as a domain admin, nobody knew.

497
00:22:53,720 --> 00:22:55,440
It's got elevated credentials.

498
00:22:55,440 --> 00:22:58,720
The password probably exists inside of some document

499
00:22:58,720 --> 00:23:00,280
that's sitting on a server.

500
00:23:00,280 --> 00:23:03,320
So if, you know, somebody gains access to that,

501
00:23:03,320 --> 00:23:05,360
there's the data and there's another way

502
00:23:05,360 --> 00:23:08,200
that you can continue to elevate up

503
00:23:08,200 --> 00:23:10,640
and move across things.

504
00:23:10,640 --> 00:23:12,840
So, you know, it's understanding what exists there.

505
00:23:12,840 --> 00:23:15,080
And then really applications,

506
00:23:15,080 --> 00:23:18,720
they're pretty easy to kind of track.

507
00:23:18,720 --> 00:23:20,920
Their activities, you know,

508
00:23:20,920 --> 00:23:23,720
they typically exist in a specific location,

509
00:23:23,720 --> 00:23:26,200
whether it be an IP address or a particular country

510
00:23:26,200 --> 00:23:27,560
or particular region.

511
00:23:27,560 --> 00:23:30,520
And they typically have very predictable patterns.

512
00:23:30,520 --> 00:23:32,040
They run at certain times.

513
00:23:32,040 --> 00:23:34,080
So they're very easy to keep tabs on.

514
00:23:34,080 --> 00:23:36,880
So it's not one of these, once you identify them,

515
00:23:36,880 --> 00:23:41,600
it's a matter of, okay, hey, these application identities,

516
00:23:41,600 --> 00:23:43,560
we can move to more of a managed identity

517
00:23:43,560 --> 00:23:44,760
where we're not thinking about it

518
00:23:44,760 --> 00:23:47,040
where, you know, secrets are being rolled

519
00:23:47,040 --> 00:23:48,920
and we don't have to pay attention to it.

520
00:23:48,920 --> 00:23:50,240
But maybe there's some older apps

521
00:23:50,240 --> 00:23:51,880
that exist in the environment.

522
00:23:51,880 --> 00:23:54,640
So instead of trying to solve for everything,

523
00:23:54,640 --> 00:23:57,120
move what you can to managed identities

524
00:23:57,120 --> 00:23:59,080
or, you know, using things like Key Vault

525
00:23:59,080 --> 00:24:02,240
or, you know, those type of services.

526
00:24:02,240 --> 00:24:05,000
And then if you've got some of these other things,

527
00:24:05,000 --> 00:24:06,760
take a look at what you can gain

528
00:24:06,760 --> 00:24:10,080
from things like sign-in logs and audit logs,

529
00:24:10,080 --> 00:24:11,640
where you're only looking at, say,

530
00:24:11,640 --> 00:24:12,800
yeah, we've got these three apps.

531
00:24:12,800 --> 00:24:14,000
We've got to keep tabs on them.

532
00:24:14,000 --> 00:24:14,840
All right, great.

533
00:24:14,840 --> 00:24:17,000
Well, we know that it runs on this server

534
00:24:17,000 --> 00:24:18,960
and this data center in this region

535
00:24:18,960 --> 00:24:22,200
and that it runs between these hours.

536
00:24:22,200 --> 00:24:24,400
Like a backup service that runs, you know,

537
00:24:24,400 --> 00:24:26,600
typically predictable hours.

538
00:24:26,600 --> 00:24:27,960
And then just keep your eye out

539
00:24:27,960 --> 00:24:30,560
for anything that's unexpected, right?

540
00:24:30,560 --> 00:24:32,120
The credential type has changed.

541
00:24:32,120 --> 00:24:34,440
Wait, wait, we used to use this, you know,

542
00:24:34,440 --> 00:24:37,400
certificate-based auth and now it's moved to a user password.

543
00:24:37,400 --> 00:24:39,640
That's like a hello red alert.

544
00:24:39,640 --> 00:24:43,800
What is that resource accessing

545
00:24:43,800 --> 00:24:46,080
and should it be accessing that resource?

546
00:24:46,080 --> 00:24:47,840
They're really predictable.

547
00:24:47,840 --> 00:24:51,160
So you can see anomalies very, very easily.

548
00:24:51,160 --> 00:24:53,720
And, you know, look at, oh, hey, look,

549
00:24:53,720 --> 00:24:55,600
this application is all of a sudden

550
00:24:55,600 --> 00:24:58,080
trying to grant itself higher permissions

551
00:24:58,080 --> 00:25:01,440
or higher privileges or an end user

552
00:25:01,440 --> 00:25:04,080
is granting an application consent to do something.

553
00:25:05,480 --> 00:25:08,600
These are all things we can kind of take a look at.

554
00:25:08,600 --> 00:25:12,280
And when changes are made to application credentials,

555
00:25:12,280 --> 00:25:15,520
are they made outside of business hours

556
00:25:15,520 --> 00:25:17,480
or outside of the normal process?

557
00:25:17,480 --> 00:25:18,680
Who made the change?

558
00:25:18,680 --> 00:25:20,600
Who was the owner of that?

559
00:25:20,600 --> 00:25:23,440
Again, it comes back to knowing these things.

560
00:25:23,440 --> 00:25:26,840
And then finally, when we start looking at bad behavior

561
00:25:26,840 --> 00:25:29,120
like credentials and code and so on and so forth,

562
00:25:29,120 --> 00:25:31,720
you mentioned there's tons of scanning tools in it.

563
00:25:31,720 --> 00:25:33,720
Some of it is built in.

564
00:25:33,720 --> 00:25:36,440
There's open source available ones.

565
00:25:36,440 --> 00:25:37,920
There's on-prem versions.

566
00:25:37,920 --> 00:25:39,040
There's cloud ones.

567
00:25:39,040 --> 00:25:40,480
They're customizable.

568
00:25:40,480 --> 00:25:42,400
You can build your own or you can use some

569
00:25:42,400 --> 00:25:44,720
of the more scalable vendor-owned tools

570
00:25:44,720 --> 00:25:46,560
to kind of do some of that work.

571
00:25:46,560 --> 00:25:49,760
Yeah, you know, I really want to stress something.

572
00:25:49,760 --> 00:25:51,480
You know, you mentioned Key Vault, managed identities,

573
00:25:51,480 --> 00:25:52,520
and I really want to stress this

574
00:25:52,520 --> 00:25:55,000
because I think it's just so important.

575
00:25:55,000 --> 00:25:57,240
So managed identities for client authentication

576
00:25:57,240 --> 00:25:58,600
are absolutely the way to go

577
00:25:58,600 --> 00:26:01,000
because AAD handles credentials.

578
00:26:01,000 --> 00:26:01,840
You don't have to.

579
00:26:01,840 --> 00:26:04,160
There's nothing you need to store somewhere.

580
00:26:04,160 --> 00:26:07,320
And honestly, even if you're storing it in Key Vault,

581
00:26:07,320 --> 00:26:08,960
Key Vault just turns a crypto problem

582
00:26:08,960 --> 00:26:10,400
into an authorization problem.

583
00:26:10,400 --> 00:26:11,640
That's all it does.

584
00:26:11,640 --> 00:26:13,760
So how do you access the secret in Key Vault?

585
00:26:13,760 --> 00:26:15,440
Right, you got to authenticate it to Key Vault

586
00:26:15,440 --> 00:26:16,520
to be able to access the secret.

587
00:26:16,520 --> 00:26:19,200
So then, you know, Key Vault can apply its RBAC policy

588
00:26:19,200 --> 00:26:21,520
to determine whether you have access or not.

589
00:26:21,520 --> 00:26:25,360
So if you're running a process that needs to access Key Vault,

590
00:26:25,360 --> 00:26:27,880
then you need to run that process

591
00:26:27,880 --> 00:26:29,240
if you can as a managed identity.

592
00:26:29,240 --> 00:26:32,920
The good news is, you know, more and more PaaS services

593
00:26:32,920 --> 00:26:33,840
are even IaaS.

594
00:26:33,840 --> 00:26:36,200
I mean, VMs can run as a managed identity,

595
00:26:36,200 --> 00:26:38,600
but you really, you know, if you're architecting something

596
00:26:38,600 --> 00:26:43,000
on Azure, there are my two rules of thumb.

597
00:26:43,000 --> 00:26:45,000
Server authentication is always TLS.

598
00:26:45,000 --> 00:26:48,800
Anything but TLS is varying degrees of wrongness from TLS.

599
00:26:48,800 --> 00:26:51,920
I mean, I'll give you SSH as long as it's done correctly.

600
00:26:51,920 --> 00:26:53,480
And then for client authentication,

601
00:26:53,480 --> 00:26:55,120
it's managed identities.

602
00:26:55,120 --> 00:26:57,360
I'm not really too concerned about whether it's a system

603
00:26:57,360 --> 00:26:59,440
managed identity or a user managed identity,

604
00:26:59,440 --> 00:27:02,000
but the correct answer is managed identities

605
00:27:02,000 --> 00:27:03,640
because if an attacker gets in the environment,

606
00:27:03,640 --> 00:27:04,840
there is no credential.

607
00:27:04,840 --> 00:27:06,520
The credential is not there.

608
00:27:06,520 --> 00:27:08,280
It is completely managed by AAD,

609
00:27:08,280 --> 00:27:10,880
which is over there somewhere,

610
00:27:10,880 --> 00:27:12,920
that the attacker has no line of sight on.

611
00:27:12,920 --> 00:27:14,480
So I really want to stress that.

612
00:27:14,480 --> 00:27:17,040
It's just critically important.

613
00:27:17,040 --> 00:27:19,720
It really comes down to treating your workload identities

614
00:27:19,720 --> 00:27:21,800
like you do a user account.

615
00:27:21,800 --> 00:27:23,720
Use really good security principles.

616
00:27:23,720 --> 00:27:26,360
Try to use those strong credentials, as you were mentioning.

617
00:27:26,360 --> 00:27:29,680
If you've got to use certificates, use X.509 certs,

618
00:27:29,680 --> 00:27:33,240
and make sure that these credentials have short lifespans,

619
00:27:33,240 --> 00:27:36,160
and that they're not committed into code repositories,

620
00:27:36,160 --> 00:27:37,880
and they're stored securely,

621
00:27:37,880 --> 00:27:39,880
you have to do credential rotation.

622
00:27:39,880 --> 00:27:41,560
It's good health.

623
00:27:41,560 --> 00:27:43,080
Use least privilege.

624
00:27:43,080 --> 00:27:45,640
Don't be running as admins if you don't need to run it.

625
00:27:45,640 --> 00:27:49,640
Don't give a service write access

626
00:27:49,640 --> 00:27:51,680
if it just needs to read something.

627
00:27:52,760 --> 00:27:55,240
And then have that, as I mentioned,

628
00:27:55,240 --> 00:27:57,320
this life cycle management.

629
00:27:57,320 --> 00:28:01,160
Use just in time elevation, type techniques,

630
00:28:01,160 --> 00:28:03,040
and then monitor.

631
00:28:03,040 --> 00:28:04,680
Look at these applications.

632
00:28:04,680 --> 00:28:08,360
If you've got apps that have poor hygiene,

633
00:28:08,360 --> 00:28:11,560
and they need to run with highly privileged permissions,

634
00:28:11,560 --> 00:28:13,360
keep tabs on those.

635
00:28:13,360 --> 00:28:16,840
Have a look at what is actually happening,

636
00:28:16,840 --> 00:28:21,200
and then go back, figure out what you have.

637
00:28:21,200 --> 00:28:22,880
Take a look at what exists out there.

638
00:28:22,880 --> 00:28:26,160
There's probably some stale apps and credentials that are old,

639
00:28:26,160 --> 00:28:27,800
that have just been existing.

640
00:28:27,800 --> 00:28:29,360
Get those cleaned up.

641
00:28:29,360 --> 00:28:33,520
Make sure that the access that these accounts are using

642
00:28:34,880 --> 00:28:37,480
is the access that they need, so recertify them.

643
00:28:37,480 --> 00:28:39,480
And then, like I said before,

644
00:28:39,480 --> 00:28:41,840
if you can't lower those application permissions,

645
00:28:41,840 --> 00:28:44,760
like from ReadWriteAll to ReadAll,

646
00:28:44,760 --> 00:28:47,560
then monitor those things.

647
00:28:47,560 --> 00:28:48,800
Okay, I want to add something

648
00:28:48,800 --> 00:28:51,280
because you said something which I totally agree with,

649
00:28:51,280 --> 00:28:53,280
but I want to add some more.

650
00:28:53,280 --> 00:28:55,320
If you're communicating with a process

651
00:28:55,320 --> 00:28:57,320
that requires an X.509 certificate,

652
00:28:57,320 --> 00:28:58,720
and obviously the private key,

653
00:28:58,720 --> 00:29:00,440
and that's all it does,

654
00:29:00,440 --> 00:29:03,240
then you better make sure that that private key

655
00:29:03,240 --> 00:29:06,560
is locked down in some thing

656
00:29:06,560 --> 00:29:08,400
that uses a managed identity

657
00:29:08,400 --> 00:29:11,120
to access that particular credential.

658
00:29:11,120 --> 00:29:12,520
I really can't stress that enough

659
00:29:12,520 --> 00:29:14,440
because if you're using an X.509 certificate

660
00:29:14,440 --> 00:29:16,840
with private key, with obviously with a private key,

661
00:29:16,840 --> 00:29:19,160
you've got to store that private key somewhere,

662
00:29:19,160 --> 00:29:21,920
and you need to make sure that the account

663
00:29:21,920 --> 00:29:26,280
that needs that is using the correct authentication,

664
00:29:26,280 --> 00:29:29,200
and then obviously Azure RBAC on top of that,

665
00:29:29,200 --> 00:29:32,320
that authentication mechanism better be AAD,

666
00:29:32,320 --> 00:29:34,720
which is using a managed identity.

667
00:29:34,720 --> 00:29:36,600
I'll get off my soapbox,

668
00:29:36,600 --> 00:29:38,360
but I really wanted to add that

669
00:29:38,360 --> 00:29:40,880
because I think that's just such an important point.

670
00:29:40,880 --> 00:29:42,920
Again, I get back to my two golden rules,

671
00:29:42,920 --> 00:29:44,760
server authentication TLS.

672
00:29:44,760 --> 00:29:45,680
This is on Azure.

673
00:29:45,680 --> 00:29:47,320
Server authentication is TLS.

674
00:29:47,320 --> 00:29:49,480
Client authentication is managed identities.

675
00:29:49,480 --> 00:29:51,000
And even if you're using a process

676
00:29:51,000 --> 00:29:53,360
that requires some other kind of credential,

677
00:29:53,360 --> 00:29:55,160
then govern access to that credential

678
00:29:55,160 --> 00:29:56,160
using managed identities.

679
00:29:56,160 --> 00:29:57,840
I'll get on my soapbox now.

680
00:29:57,840 --> 00:29:59,680
100%.

681
00:29:59,680 --> 00:30:00,640
Do it the safe way.

682
00:30:02,400 --> 00:30:05,920
So I've stayed pretty quiet for this episode,

683
00:30:05,920 --> 00:30:08,480
but which is unusual for me,

684
00:30:08,480 --> 00:30:10,480
but I think you struck,

685
00:30:12,440 --> 00:30:13,360
how do I put this?

686
00:30:13,360 --> 00:30:15,600
Struck a nerve with Michael and Mark there,

687
00:30:15,600 --> 00:30:19,480
so I wanted to let them say their things, Joey.

688
00:30:19,480 --> 00:30:21,840
But at the end of our episode,

689
00:30:21,840 --> 00:30:24,520
we always ask all of our guests

690
00:30:24,520 --> 00:30:26,280
for their final thought.

691
00:30:26,280 --> 00:30:28,920
Like if you're gonna leave our listeners with one thing,

692
00:30:28,920 --> 00:30:30,080
what would it be?

693
00:30:30,960 --> 00:30:32,120
Turn on MFA.

694
00:30:33,320 --> 00:30:34,160
Is that it?

695
00:30:35,640 --> 00:30:37,000
Is that it?

696
00:30:37,000 --> 00:30:39,840
Well, you'd think it would be that simple, wouldn't ya?

697
00:30:39,840 --> 00:30:42,160
And then you see attack after attack,

698
00:30:42,160 --> 00:30:44,800
after attack, after attack.

699
00:30:44,800 --> 00:30:48,120
And try to use phishing-resistant MFA

700
00:30:48,120 --> 00:30:49,280
or other techniques, right?

701
00:30:49,280 --> 00:30:50,720
Stay away from SMS.

702
00:30:52,160 --> 00:30:54,000
Use number matching.

703
00:30:54,000 --> 00:30:58,560
We talked a little bit about how there was a bit of news

704
00:30:58,560 --> 00:31:01,000
out where Microsoft's going to be turning that on

705
00:31:01,000 --> 00:31:03,120
by default for folks in the near future,

706
00:31:03,120 --> 00:31:04,720
where we use number matching.

707
00:31:04,720 --> 00:31:07,760
MFA is not the end all, be all for everything

708
00:31:07,760 --> 00:31:09,320
if it's not configured correctly.

709
00:31:09,320 --> 00:31:11,680
But when it's configured correctly and it's used,

710
00:31:11,680 --> 00:31:14,120
it can protect a whole hell of a lot.

711
00:31:14,120 --> 00:31:17,400
Well, that was a short and simple final thought,

712
00:31:17,400 --> 00:31:19,320
which I always appreciate,

713
00:31:19,320 --> 00:31:20,680
short and simple final thoughts,

714
00:31:20,680 --> 00:31:22,640
because the whole point is that they're easy to remember,

715
00:31:22,640 --> 00:31:24,480
so thank you very much for that.

716
00:31:24,480 --> 00:31:26,520
So with that, let's bring this episode to an end.

717
00:31:26,520 --> 00:31:28,120
Joey, thank you so much for joining us this week

718
00:31:28,120 --> 00:31:29,440
and to all our listeners out there.

719
00:31:29,440 --> 00:31:31,160
We hope you found this useful as well.

720
00:31:31,160 --> 00:31:33,240
Stay safe and we'll see you next time.

721
00:31:33,240 --> 00:31:36,120
Thanks for listening to the Azure Security Podcast.

722
00:31:36,120 --> 00:31:39,880
You can find show notes and other resources at our website,

723
00:31:39,880 --> 00:31:42,040
azsecuritypodcast.net.

724
00:31:42,920 --> 00:31:44,480
If you have any questions,

725
00:31:44,480 --> 00:31:46,760
please find us on Twitter at azuresecpod.

726
00:31:47,680 --> 00:31:50,640
Background music is from ccmixter.com

727
00:31:50,640 --> 00:31:53,440
and licensed under the Creative Commons license.

