1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,280
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,280 --> 00:00:16,800
Hey everybody, welcome to Episode 74.

4
00:00:16,800 --> 00:00:20,280
This week we have myself, Michael and Mark.

5
00:00:20,280 --> 00:00:23,480
Sarah and Gladys are off right now doing some pretty busy stuff.

6
00:00:23,480 --> 00:00:26,960
And we also have a guest, Kemley, who is here to talk to us about some of the latest and

7
00:00:26,960 --> 00:00:29,920
greatest features in Azure policy.

8
00:00:29,920 --> 00:00:32,520
But before we get to Kemley, let's take a little lap around the news.

9
00:00:32,520 --> 00:00:33,760
Mike, why don't you kick things off?

10
00:00:33,760 --> 00:00:38,800
A couple of things I'll share from my own observations, and then some big news from a Microsoft perspective.

11
00:00:38,800 --> 00:00:44,360
One of the things that came up recently was an interesting discussion around what are

12
00:00:44,360 --> 00:00:48,560
the top attacks and the top things that we see and essentially how the attackers start

13
00:00:48,560 --> 00:00:49,560
getting in.

14
00:00:49,560 --> 00:00:55,360
Most of the attacks that we see fall into what I would call the front door, the new

15
00:00:55,360 --> 00:01:00,960
triad that we have to deal with, which is email, phishing attacks, identity theft, either

16
00:01:00,960 --> 00:01:05,720
as a first step or after they get the endpoint, and then of course, endpoint.

17
00:01:05,720 --> 00:01:10,600
So ultimately, the attackers, usually the way they get in your environment is by taking

18
00:01:10,600 --> 00:01:14,760
over the endpoint, taking over an identity or sending an email to do one of those two

19
00:01:14,760 --> 00:01:17,520
things, in one of those three orders.

20
00:01:17,520 --> 00:01:23,000
There still are direct attacks on applications and services that are exposed to the internet,

21
00:01:23,000 --> 00:01:29,080
your data center backend stuff, but the sheer volume of them given the accessibility nowadays

22
00:01:29,080 --> 00:01:32,720
of all the different ways that people can work remotely, etc.

23
00:01:32,720 --> 00:01:37,040
It's really, really important to have good monitoring and security operations on those

24
00:01:37,040 --> 00:01:38,040
areas.

25
00:01:38,040 --> 00:01:40,760
So that was one of the things that I thought would be good to share.

26
00:01:40,760 --> 00:01:46,520
And then the other thing that we've seen that's almost always interesting to folks is one

27
00:01:46,520 --> 00:01:51,760
of the things we see in security a lot is a bottom-up or technology-centric type of

28
00:01:51,760 --> 00:01:53,120
approach.

29
00:01:53,120 --> 00:01:58,440
I trace a lot of this back to the roots of when security was heavily based on, hey, we

30
00:01:58,440 --> 00:02:03,440
bought this 19-inch rack appliance with a nice plastic color bezel and it does this

31
00:02:03,440 --> 00:02:05,640
X job and we need someone to run it.

32
00:02:05,640 --> 00:02:10,520
That's how people view the jobs, view the outcomes of security is based on the, hey,

33
00:02:10,520 --> 00:02:14,800
we have a technical security capability, let's drive this outcome.

34
00:02:14,800 --> 00:02:18,680
The thing that we're seeing more and more is that, especially as we get into zero trust

35
00:02:18,680 --> 00:02:24,360
and all these other ways of moving fast on the business and cloud and tech front, you

36
00:02:24,360 --> 00:02:30,240
got to rethink security and think about it from a top-down, outcome-driven first.

37
00:02:30,240 --> 00:02:32,800
What is the outcome we're trying to achieve?

38
00:02:32,800 --> 00:02:35,060
It's not about looking at logs.

39
00:02:35,060 --> 00:02:37,520
It's about detecting attackers.

40
00:02:37,520 --> 00:02:39,620
It's about getting rid of them quickly.

41
00:02:39,620 --> 00:02:44,240
It's not about necessarily finding them on the network, with the network being the operative

42
00:02:44,240 --> 00:02:45,240
word.

43
00:02:45,240 --> 00:02:51,280
It's really important, I found, and really helpful to look at things through that frame.

44
00:02:51,280 --> 00:02:54,760
Obviously, we do still have to work with the technology and the logs and the data that

45
00:02:54,760 --> 00:02:59,840
we have, but with that North Star in mind, with that what are we trying to achieve from

46
00:02:59,840 --> 00:03:02,200
a security and risk perspective?

47
00:03:02,200 --> 00:03:05,360
Enough of Mark's meanderings.

48
00:03:05,360 --> 00:03:09,520
The news, the big one that we saw was Security Copilot.

49
00:03:09,520 --> 00:03:10,520
Microsoft announced this.

50
00:03:10,520 --> 00:03:13,800
It's in private preview, not public preview.

51
00:03:13,800 --> 00:03:18,000
A limited set of customers, design partners at this point in time.

52
00:03:18,000 --> 00:03:24,760
It is essentially taking that ChatGPT type of technology, generative AI, I believe is

53
00:03:24,760 --> 00:03:31,040
the correct term for it, that allows essentially a human to have a conversation with the AI

54
00:03:31,040 --> 00:03:34,880
and then queries the data and make sense of it in a human way.

55
00:03:34,880 --> 00:03:40,600
Obviously, not perfect for every answer, but pretty darn good, pretty impressive.

56
00:03:40,600 --> 00:03:45,800
Basically applying that with a combination of some of the open, if I recall correctly,

57
00:03:45,800 --> 00:03:50,720
some of the OpenAI algorithms as well as some Microsoft-specific, security-specific

58
00:03:50,720 --> 00:03:54,040
ones, blended together.

59
00:03:54,040 --> 00:03:55,480
It's a really fascinating technology.

60
00:03:55,480 --> 00:04:00,120
Has a lot of potential as you chat with this copilot and ask it questions.

61
00:04:00,120 --> 00:04:03,800
It can do, hey, can you go reverse engineer this malware?

62
00:04:03,800 --> 00:04:04,800
Can you do this?

63
00:04:04,800 --> 00:04:06,080
Can you look for things like this?

64
00:04:06,080 --> 00:04:08,320
Really, really compelling, interesting technology.

65
00:04:08,320 --> 00:04:11,600
I think it actually will be transformative.

66
00:04:11,600 --> 00:04:18,120
I think of this as the way that mainframe gave way to desktop, gave way to enterprise,

67
00:04:18,120 --> 00:04:19,880
gave way to cloud.

68
00:04:19,880 --> 00:04:21,160
We never got rid of the old stuff.

69
00:04:21,160 --> 00:04:27,800
We just created a hybrid with this new generation of technology that did amazing things.

70
00:04:27,800 --> 00:04:28,800
I'm pretty excited about it.

71
00:04:28,800 --> 00:04:32,320
I think it has a lot of potential, clearly in early days because it's just private preview.

72
00:04:32,320 --> 00:04:36,320
But I think there's a lot of potential for it to really help.

73
00:04:36,320 --> 00:04:41,680
A lot of the work I've seen so far on it seems to be essentially helping people get value

74
00:04:41,680 --> 00:04:44,680
out of the tools and technology that is already there.

75
00:04:44,680 --> 00:04:49,400
There's all these great code, great capabilities that people have written.

76
00:04:49,400 --> 00:04:53,800
It seems to be just making it a lot easier for humans to find it, access it, and use

77
00:04:53,800 --> 00:05:00,320
it without having to memorize a user interface or where it is or write a script, etc.

78
00:05:00,320 --> 00:05:05,040
I really see it as unlocking the potential of humans to use the technology is the big

79
00:05:05,040 --> 00:05:09,720
theme I'm seeing with this generation of technology.

80
00:05:09,720 --> 00:05:14,960
For those that haven't seen it, I highly recommend checking out the Microsoft Secure video announcing

81
00:05:14,960 --> 00:05:17,760
this and demoing it, etc.

82
00:05:17,760 --> 00:05:19,240
It's pretty cool, impressive stuff.

83
00:05:19,240 --> 00:05:20,240
Over to you, Mike.

84
00:05:12,040 --> 00:05:25,880
I should bring up about the way ChatGPT and generative AI is going to change things.

85
00:05:25,880 --> 00:05:29,800
One of my in-laws asked me a question.

86
00:05:29,800 --> 00:05:32,920
Is my job or his job going to be replaced by AI?

87
00:05:32,920 --> 00:05:37,560
I said, I don't think your job is going to be replaced by AI, but it may be replaced

88
00:05:37,560 --> 00:05:41,960
by someone using AI because it gives you that sort of little competitive edge.

89
00:05:41,960 --> 00:05:45,920
I'm very excited for all the generative AI work that's going on.

90
00:05:45,920 --> 00:05:47,920
I really, really am excited for it.

91
00:05:47,920 --> 00:05:52,760
I understand that there are some concerns, but for the most part, I think it's a net

92
00:05:52,760 --> 00:05:55,520
positive, but that's just a personal opinion.

93
00:05:55,520 --> 00:06:00,800
I would add one thing because we did a Q&A live during the announcement day.

94
00:06:00,800 --> 00:06:03,960
I was actually not in on the announcement prior to it.

95
00:06:03,960 --> 00:06:08,840
That was one of the first questions that we wanted to focus on right away was, listen,

96
00:06:08,840 --> 00:06:10,400
this is going to change jobs.

97
00:06:10,400 --> 00:06:14,200
This is going to make people more effective, but it's not just going to snap your fingers

98
00:06:14,200 --> 00:06:15,400
and replace a human with it.

99
00:06:15,400 --> 00:06:20,120
You just have to learn it just like you would any new technology, especially important transformative

100
00:06:20,120 --> 00:06:21,120
ones.

101
00:06:21,120 --> 00:06:22,120
Mike

102
00:06:22,120 --> 00:06:23,120
Accountants became better with spreadsheets.

103
00:06:23,120 --> 00:06:24,120
Mike

104
00:06:24,120 --> 00:06:25,120
Exactly.

105
00:06:25,120 --> 00:06:26,120
Mike

106
00:06:26,120 --> 00:06:28,320
Mathematicians became better with calculators and so did nerds.

107
00:06:28,320 --> 00:06:31,240
I don't think you've got to embrace it.

108
00:06:31,240 --> 00:06:32,240
You can't just ignore it.

109
00:06:32,240 --> 00:06:34,640
You either embrace it because if you don't embrace it, somebody else is going to embrace

110
00:06:34,640 --> 00:06:35,640
it.

111
00:06:35,640 --> 00:06:36,640
You just want to embrace it.

112
00:06:36,640 --> 00:06:37,640
Mike

113
00:06:37,640 --> 00:06:38,640
All right.

114
00:06:38,640 --> 00:06:39,640
Well, we've got a guest.

115
00:06:39,640 --> 00:06:40,640
Let's make sure we get past the news.

116
00:06:40,640 --> 00:06:41,640
Mike

117
00:06:41,640 --> 00:06:42,640
Yeah, let's do that.

118
00:06:42,640 --> 00:06:43,640
All right.

119
00:06:43,640 --> 00:06:44,640
Let's get back to a couple of items I have.

120
00:06:44,640 --> 00:06:45,640
The first one is not going to be, I'll be pretty quick.

121
00:06:45,640 --> 00:06:49,840
You can now configure disk encryption for Azure Cache for Redis using customer managed

122
00:06:49,840 --> 00:06:50,840
keys.

123
00:06:50,840 --> 00:06:54,320
To me, this is one of the triad of things that we're seeing is customer managed keys

124
00:06:54,320 --> 00:06:55,320
everywhere.

125
00:06:55,320 --> 00:06:58,840
We're seeing use of managed identities everywhere and we're seeing the use of Private Link and

126
00:06:58,840 --> 00:07:00,200
private endpoints everywhere.

127
00:07:00,200 --> 00:07:02,960
This is just one of those examples.

128
00:07:02,960 --> 00:07:07,000
Next one is for Azure SQL Database auditing.

129
00:07:07,000 --> 00:07:09,720
We now support user managed identities.

130
00:07:09,720 --> 00:07:13,400
This allows you to restrict access or the destination.

131
00:07:13,400 --> 00:07:18,000
It's just that you put an RBAC policy on, say, a storage account and use a managed identity

132
00:07:18,000 --> 00:07:22,240
of the actual SQL instance to restrict the fact that this SQL instance can write to that

133
00:07:22,240 --> 00:07:23,960
particular storage account, for example.

134
00:07:23,960 --> 00:07:28,880
Again, another example of the triad, in this case, user managed identities.

135
00:07:28,880 --> 00:07:32,960
Next one is there are now some built-in policies for Azure Monitor.

136
00:07:32,960 --> 00:07:36,840
For example, you could deploy an environment and you can say, hey, if you've got Key Vault,

137
00:07:36,840 --> 00:07:41,520
then auditing must be turned on and you must audit this particular storage account, for

138
00:07:41,520 --> 00:07:42,800
example.

139
00:07:42,800 --> 00:07:45,600
This is really nice to see and it's fantastic that we have Kemley here to talk to us about

140
00:07:45,600 --> 00:07:48,520
some of the new aspects of Azure Policy.

141
00:07:48,520 --> 00:07:52,000
Also, in general availability is Azure Private Link.

142
00:07:52,000 --> 00:07:53,640
Again, there's another one of my triad.

143
00:07:53,640 --> 00:07:58,320
Azure Private Link support for inbound traffic in Azure API Management.

144
00:07:58,320 --> 00:08:03,280
Again, nice to see because now you can put a nice strong isolation boundary around your

145
00:08:03,280 --> 00:08:05,160
Azure API Management instances.

146
00:08:05,160 --> 00:08:10,640
Staying on the topic of Private Link, Azure Private Link for Azure SQL Managed Instance is

147
00:08:10,640 --> 00:08:11,640
now in preview.

148
00:08:11,640 --> 00:08:12,640
This is in my backyard.

149
00:08:12,640 --> 00:08:14,000
This is great to see this.

150
00:08:14,000 --> 00:08:17,560
We actually had a bunch of customers asking about this just recently.

151
00:08:17,560 --> 00:08:22,320
Just because of the way MI works, just because of the way managed instance works, people

152
00:08:22,320 --> 00:08:25,600
are wondering if they could put even tighter control around network traffic.

153
00:08:25,600 --> 00:08:31,080
Now you can with Private Link for Azure SQL Managed Instance.

154
00:08:31,080 --> 00:08:33,080
Next one is Azure Maps.

155
00:08:33,080 --> 00:08:37,480
I didn't even know it existed, to be absolutely honest with you, but here you go.

156
00:08:37,480 --> 00:08:39,540
Azure Maps is now HIPAA compliant.

157
00:08:39,540 --> 00:08:43,240
This is fantastic to see actually because if you've got some applications, some healthcare

158
00:08:43,240 --> 00:08:48,000
application and you want to do things like geocoding for customers or you want to calculate,

159
00:08:48,000 --> 00:08:50,720
say travel times and so on.

160
00:08:50,720 --> 00:08:54,360
You want to do all that geospatial kind of stuff.

161
00:08:54,360 --> 00:08:56,120
Now Azure Maps is HIPAA compliant.

162
00:08:56,120 --> 00:09:00,120
Now you can go ahead and actually use it in your healthcare applications.

163
00:09:00,120 --> 00:09:04,280
Encryption scopes in hierarchical namespaces are now available.

164
00:09:04,280 --> 00:09:08,840
Encryption scopes has actually been available for a while, but not in hierarchical namespaces,

165
00:09:08,840 --> 00:09:10,680
but now it is.

166
00:09:10,680 --> 00:09:15,040
What this allows you to do is say, okay, that part of my namespace uses this particular

167
00:09:15,040 --> 00:09:19,760
key encryption key and that particular part of my namespace uses that particular key encryption

168
00:09:19,760 --> 00:09:20,760
key.

169
00:09:20,760 --> 00:09:24,080
You can actually store separate keys or key encryption keys in Key Vault and you can provide

170
00:09:24,080 --> 00:09:25,840
strong access policies around them and so on.

171
00:09:25,840 --> 00:09:30,280
Now you can actually start segregating your storage accounts by encryption scope.

172
00:09:30,280 --> 00:09:35,120
It's good to see that it's now available in hierarchical namespaces.

173
00:09:35,120 --> 00:09:36,920
Durable Functions, back to managed identities.

174
00:09:36,920 --> 00:09:39,720
Durable Functions now support managed identities for Azure Storage.

175
00:09:39,720 --> 00:09:41,240
Now you can have a durable function.

176
00:09:41,240 --> 00:09:45,720
I think I said that my function has read, write, delete access to that particular storage

177
00:09:45,720 --> 00:09:47,920
account and nothing else, for example.

178
00:09:47,920 --> 00:09:54,120
So again, this is a really good way of putting strong RBAC policies around solutions that

179
00:09:54,120 --> 00:09:57,280
are using durable functions and storage accounts.

180
00:09:57,280 --> 00:09:58,480
This is a new one as well.

181
00:09:58,480 --> 00:10:00,640
I was really kind of amazed to see this.

182
00:10:00,640 --> 00:10:04,200
I'm surprised it didn't exist.

183
00:10:04,200 --> 00:10:06,240
Immutable vaults for Azure Backup.

184
00:10:06,240 --> 00:10:09,120
So this allows you to have a backup that is immutable.

185
00:10:09,120 --> 00:10:11,600
In other words, it cannot be changed.

186
00:10:11,600 --> 00:10:15,940
It's not that there's an Azure policy around it or there's an RBAC control that prevents

187
00:10:15,940 --> 00:10:18,000
people from changing it.

188
00:10:18,000 --> 00:10:19,240
It actually cannot be changed.

189
00:10:19,240 --> 00:10:24,200
The APIs for actually manipulating, like writing and deleting, are not there.

190
00:10:24,200 --> 00:10:26,760
So it is truly immutable.

191
00:10:26,760 --> 00:10:28,600
So this is really fantastic to see.

192
00:10:28,600 --> 00:10:33,160
I think if anyone's using backup, I imagine that a certain set of point in time backups

193
00:10:33,160 --> 00:10:35,440
will certainly be immutable.

194
00:10:35,440 --> 00:10:41,440
And then the last one in the news department is ephemeral operating system disks now support

195
00:10:41,440 --> 00:10:45,000
encryption at host using customer managed keys.

196
00:10:45,000 --> 00:10:51,320
So if you have a VM, virtual machine, say an Ubuntu VM with ephemeral operating system

197
00:10:51,320 --> 00:10:53,600
disks, you can now encrypt those.

198
00:10:53,600 --> 00:10:56,840
So there's a whole bunch of different technologies that we have for encrypting data at rest in

199
00:10:56,840 --> 00:11:01,600
virtualized environments and VMs, one of which is encryption at host.

200
00:11:01,600 --> 00:11:05,920
And so now you can actually use customer managed keys where prior to this point in time, it

201
00:11:05,920 --> 00:11:07,480
was only platform managed keys.

202
00:11:07,480 --> 00:11:08,640
So that's great to see.

203
00:11:08,640 --> 00:11:11,800
And again, it's another example of my triad.

204
00:11:11,800 --> 00:11:15,680
Customer managed keys everywhere, Private Link and private endpoints everywhere, and managed identities for

205
00:11:15,680 --> 00:11:17,120
client authentication.

206
00:11:17,120 --> 00:11:19,520
So fantastic to see so much progress being made.

207
00:11:19,520 --> 00:11:20,520
All right.

208
00:11:20,520 --> 00:11:22,200
So with that, that is the news out of the way.

209
00:11:22,200 --> 00:11:23,960
So let's turn our attention to our guest.

210
00:11:23,960 --> 00:11:28,440
This week we have Kemley, who's here to talk to us about some of the latest and greatest

211
00:11:28,440 --> 00:11:30,280
news in Azure Policy.

212
00:11:30,280 --> 00:11:32,760
Kemley, welcome to the podcast.

213
00:11:32,760 --> 00:11:35,480
We'd like you to take a moment and just introduce yourself to our listeners.

214
00:11:35,480 --> 00:11:36,920
Yeah, thank you.

215
00:11:36,920 --> 00:11:38,360
My name is Kemley.

216
00:11:38,360 --> 00:11:43,360
I am a PM, a product manager for Azure Policy.

217
00:11:43,360 --> 00:11:48,200
Azure Policy sits within Azure control plane and governance, meaning my greater team does

218
00:11:48,200 --> 00:11:55,120
everything from Azure Resource Manager core to Azure Resource Graph to tags and management

219
00:11:55,120 --> 00:11:56,120
groups.

220
00:11:56,120 --> 00:12:01,200
So a lot of the fun stuff when it comes to core ARM functionality as well as governance.

221
00:12:01,200 --> 00:12:06,640
I've been at Microsoft for three years now, started out as an intern, came back full time

222
00:12:06,640 --> 00:12:10,280
and I've been working on Azure Policy ever since.

223
00:12:10,280 --> 00:12:17,680
So within Azure Policy, I specifically focus on what we call life cycle, meaning how are

224
00:12:17,680 --> 00:12:23,000
our Azure Policy resources being created and assigned to customers' environments.

225
00:12:23,000 --> 00:12:28,520
But I can talk about anything policy related or tags or governance related as well.

226
00:12:28,520 --> 00:12:29,920
Thank you for bringing me on.

227
00:12:29,920 --> 00:12:30,920
Yeah, you bet.

228
00:12:30,920 --> 00:12:33,400
I'm going to be honest, I'm a huge fan of Azure Policy.

229
00:12:33,400 --> 00:12:36,540
I've always been a fan of Azure Policy.

230
00:12:36,540 --> 00:12:40,320
But before we get stuck into some of the minutia and some of the new stuff, why don't you spend

231
00:12:40,320 --> 00:12:44,640
a couple of minutes and just explain to our listeners some of the basics of Azure Policy

232
00:12:44,640 --> 00:12:46,400
and what it actually is.

233
00:12:46,400 --> 00:12:54,140
So Azure Policy allows you to control and govern your resources at scale.

234
00:12:54,140 --> 00:12:57,380
So there's three main pillars of policy.

235
00:12:57,380 --> 00:13:00,100
The first one is enforcement and compliance, right?

236
00:13:00,100 --> 00:13:05,040
Making sure that you're enforcing the standards that you want on your environment.

237
00:13:05,040 --> 00:13:08,880
So what these standards look like is kind of through policy definitions, right?

238
00:13:08,880 --> 00:13:13,120
We have built-in definitions for customers to use right out of the box.

239
00:13:13,120 --> 00:13:19,040
And we also have the ability to create custom definitions, which are JSON objects to instill

240
00:13:19,040 --> 00:13:23,320
your own standards that are particular for your environment.

241
00:13:23,320 --> 00:13:29,660
So we allow for real time evaluation and enforcement so we can do things like deny resources from

242
00:13:29,660 --> 00:13:30,660
being created.

243
00:13:30,660 --> 00:13:36,800
We could modify the resource request at the time it comes in to make sure that these resource

244
00:13:36,800 --> 00:13:39,680
creations stay in compliance.

245
00:13:39,680 --> 00:13:42,320
On top of enforcement, we also have compliance reporting.

246
00:13:42,320 --> 00:13:49,760
Meaning we do a periodic and on-demand compliance evaluations of all the resources in your environment

247
00:13:49,760 --> 00:13:54,000
and then report out whether those are compliant or non-compliant to the standards that you've

248
00:13:54,000 --> 00:13:55,480
assigned.

249
00:13:55,480 --> 00:14:00,080
All of this is available at scale, meaning you could apply this at a management group

250
00:14:00,080 --> 00:14:02,920
level, subscription level, however you may like.

251
00:14:02,920 --> 00:14:09,320
And you're able to have multiple policy definitions and aggregate those states through initiatives.

252
00:14:09,320 --> 00:14:13,520
And then kind of the last pillar, so the first pillar is enforcement and compliance, second

253
00:14:13,520 --> 00:14:14,720
at scale.

254
00:14:14,720 --> 00:14:18,080
And the third pillar is really remediation and automation.

255
00:14:18,080 --> 00:14:24,140
We have auto remediation for new resources coming in for particular effects within Azure

256
00:14:24,140 --> 00:14:30,120
Policy definitions, but we also allow for remediation of existing resources at scale.

257
00:14:30,120 --> 00:14:35,040
And you could do a lot of automation with our integrations with Event Grid to trigger

258
00:14:35,040 --> 00:14:40,220
alerts or our integrations with Azure Resource Graph for querying of compliance states across

259
00:14:40,220 --> 00:14:41,800
your environment.

260
00:14:41,800 --> 00:14:48,200
So overall policy is a very important engine for your governance and control within your

261
00:14:48,200 --> 00:14:49,200
own environment.

262
00:14:49,200 --> 00:14:52,200
So one thing back in the day when I was in services, one thing I would actually mention

263
00:14:52,200 --> 00:14:56,480
to customers is if they're not using Azure Policy, they're doing Azure wrong.

264
00:14:56,480 --> 00:14:58,560
I actually kind of stand by that today.

265
00:14:58,560 --> 00:15:02,260
I think it's such a critically important part of, like you say, compliance and governance

266
00:15:02,260 --> 00:15:04,440
for sure in Azure.

267
00:15:04,440 --> 00:15:05,440
So yeah.

268
00:15:05,440 --> 00:15:09,920
So why don't you give an example of how someone might use policies?

269
00:15:09,920 --> 00:15:13,240
Just pick a canonical example and let's just sort of throw it out there.

270
00:15:13,240 --> 00:15:15,760
So policies covers a lot of things.

271
00:15:15,760 --> 00:15:17,640
It just really depends on what you look at.

272
00:15:17,640 --> 00:15:23,040
A very basic or starter policy, I should say, is around tagging, right?

273
00:15:23,040 --> 00:15:25,760
Or let's do allowed locations, right?

274
00:15:25,760 --> 00:15:30,360
You only want your resources to be applied in certain locations.

275
00:15:30,360 --> 00:15:32,640
We have that definition available right off the bat.

276
00:15:32,640 --> 00:15:36,800
You go to your portal today or go through API, you'll see that built-in definition available.

277
00:15:36,800 --> 00:15:38,940
It's called allowed locations.

278
00:15:38,940 --> 00:15:41,800
You get that definition, you assign it.

279
00:15:41,800 --> 00:15:45,880
When you assign it, you're specifying that what scope do you want this to be assessed

280
00:15:45,880 --> 00:15:46,880
at?

281
00:15:46,880 --> 00:15:51,520
So management group level, subscription, resource, resource group, those are the four scopes

282
00:15:51,520 --> 00:15:52,520
available.

283
00:15:52,520 --> 00:15:55,880
We usually recommend to kind of adhere to the at-scale stories.

284
00:15:55,880 --> 00:15:57,340
You do it as high as possible.

285
00:15:57,340 --> 00:15:59,960
So we could do, let's say, management group level.

286
00:15:59,960 --> 00:16:02,720
And then you just specify what locations do you want to allow, right?

287
00:16:02,720 --> 00:16:08,640
So you could say, I only want the US, so West US, East US, those handful locations, or I

288
00:16:08,640 --> 00:16:10,200
only want the Asia locations, right?

289
00:16:10,200 --> 00:16:15,720
So you select a list of locations, you apply that assignment, and then policy sits within

290
00:16:15,720 --> 00:16:20,760
the front door of Azure Resource Manager, meaning any request that goes through ARM,

291
00:16:20,760 --> 00:16:22,360
it comes through policy first.

292
00:16:22,360 --> 00:16:26,420
And policy will assess that request and say, OK, where is this resource trying to be created?

293
00:16:26,420 --> 00:16:29,000
If it's in Asia, OK, cool, let it go forward.

294
00:16:29,000 --> 00:16:32,220
If it's, for example, in Europe, we'll say no, deny the request.

295
00:16:32,220 --> 00:16:35,640
The resource can't be created, and it's blocked.

296
00:16:35,640 --> 00:16:40,760
As you continue into the journey of policy, things can get really quite complex, and you

297
00:16:40,760 --> 00:16:45,640
can create a lot of different conditions and clauses as to what's allowed, what's not allowed.

298
00:16:45,640 --> 00:16:48,480
But the built-ins really allow for that easy flow in.

299
00:16:48,480 --> 00:16:54,680
Another set of examples that are really popular is allowed SKU types for storage accounts,

300
00:16:54,680 --> 00:17:00,240
disabling public network access, having certain IP ranges.

301
00:17:00,240 --> 00:17:05,240
Really the world is endless, because anything that goes through ARM is able to have a policy

302
00:17:05,240 --> 00:17:06,440
enforcement on top of it.

303
00:17:06,440 --> 00:17:10,320
It's interesting you should bring up the allowed locations one, because I work in the Azure

304
00:17:10,320 --> 00:17:12,520
Data Platform, and one of those products is Cosmos DB.

305
00:17:12,520 --> 00:17:17,360
We actually make it really easy to scale out or move your data all around the world.

306
00:17:17,360 --> 00:17:18,360
Very, very easy.

307
00:17:18,360 --> 00:17:21,680
In fact, to the point where if you had enough rights, you could just literally click on

308
00:17:21,680 --> 00:17:25,120
a button and move all your data to different parts of the world.

309
00:17:25,120 --> 00:17:27,680
So that way, the data is closest to your customers.

310
00:17:27,680 --> 00:17:29,480
But sometimes you might not want that, right?

311
00:17:29,480 --> 00:17:32,880
Because you don't want stuff to be pushed to Germany, where all of a sudden you may

312
00:17:32,880 --> 00:17:35,960
have potentially GDPR implications for doing that.

313
00:17:35,960 --> 00:17:39,480
By the way, I'm not an expert in compliance when it comes to all this, and you're not

314
00:17:39,480 --> 00:17:40,480
GDPR.

315
00:17:40,480 --> 00:17:42,080
But I think you've got to be very careful with things like that.

316
00:17:42,080 --> 00:17:46,160
So it's nice to have Azure Policy in place that just says, hey, we're going to work in

317
00:17:46,160 --> 00:17:51,760
North and South America, for example, and only allow certain regions and nowhere else.

318
00:17:51,760 --> 00:17:53,520
So I'm a huge fan of that one.

319
00:17:53,520 --> 00:17:57,320
Another one I'm a huge fan of is to do with Key Vault.

320
00:17:57,320 --> 00:18:02,720
So I can actually say only allow the HSM-backed Key Vaults.

321
00:18:02,720 --> 00:18:04,920
So that way, the keys are stored in hardware.

322
00:18:04,920 --> 00:18:06,280
They're not stored in software.

323
00:18:06,280 --> 00:18:09,880
Now, what was interesting about that one, though, is that back in the day, you could

324
00:18:09,880 --> 00:18:10,880
do that.

325
00:18:10,880 --> 00:18:13,480
You could only allow a hardware-backed HSM.

326
00:18:13,480 --> 00:18:16,760
The problem with it, though, is that even though you have a hardware HSM, you can still

327
00:18:16,760 --> 00:18:19,360
produce a soft key.

328
00:18:19,360 --> 00:18:26,000
So now there's another policy that says only allow what I call premium SKU Azure Key Vaults

329
00:18:26,000 --> 00:18:28,460
and only allow hardware-backed keys.

330
00:18:28,460 --> 00:18:34,280
So that way, no one can create software-backed keys at all or software Key Vaults.

331
00:18:34,280 --> 00:18:35,280
Yeah.

332
00:18:35,280 --> 00:18:41,080
To bring up an interesting point, you said you want, from a manageability and scalability

333
00:18:41,080 --> 00:18:43,520
perspective, to have policy as high as possible.

334
00:18:43,520 --> 00:18:51,600
So for example, a management group or a subscription, could I put a policy at a management group

335
00:18:51,600 --> 00:18:57,840
but allow a specific resource group in a subscription to not be dependent on that particular policy?

336
00:18:57,840 --> 00:19:02,160
I can apply a policy absolutely everywhere, but not in this little resource group over

337
00:19:02,160 --> 00:19:04,120
there because it's some special kind of special.

338
00:19:04,120 --> 00:19:05,800
Yes, you actually can.

339
00:19:05,800 --> 00:19:08,240
So policy has two mechanisms to go about it.

340
00:19:08,240 --> 00:19:14,600
We have both policy exclusions, which lives within the assignment, or policy exemptions,

341
00:19:14,600 --> 00:19:17,040
which is its own individual resource.

342
00:19:17,040 --> 00:19:24,360
So my question, if you're saying I want to exempt or exclude this resource group from

343
00:19:24,360 --> 00:19:27,880
this overarching policy, it would really depend on this scenario.

344
00:19:27,880 --> 00:19:33,560
So we see exclusions being used a lot, exclusions which lives within the assignments being used

345
00:19:33,560 --> 00:19:37,920
a lot for scopes that we're saying we never want to touch this.

346
00:19:37,920 --> 00:19:41,600
So let's say you're applying something at the root management group level, so across

347
00:19:41,600 --> 00:19:47,680
your whole tenant, and you say I want to kind of permanently exclude my non-prod environment.

348
00:19:47,680 --> 00:19:50,160
It doesn't matter, I don't need to govern it.

349
00:19:50,160 --> 00:19:52,000
I'm just going to let that be.

350
00:19:52,000 --> 00:19:55,600
So then in that case, you can use an exclusion to manage that.

351
00:19:55,600 --> 00:19:56,920
You can also use exemptions.

352
00:19:56,920 --> 00:20:01,760
The benefit of exemptions is that exemptions, because it's its own resource, can have its

353
00:20:01,760 --> 00:20:02,760
own life cycle.

354
00:20:02,760 --> 00:20:06,760
So you can create and delete exemptions as needed.

355
00:20:06,760 --> 00:20:12,120
You could also add an expiration time, meaning that

356
00:20:12,120 --> 00:20:17,840
exemption resource will expire, meaning whatever was exempted will then come back into enforcement.

357
00:20:17,840 --> 00:20:23,240
The cool thing of exemptions as well is that it comes up in the compliance state, so it

358
00:20:23,240 --> 00:20:28,020
will show you like that resource group is exempted, versus exclusions will not come

359
00:20:28,020 --> 00:20:29,280
up in compliance.

360
00:20:29,280 --> 00:20:31,960
It's just ignored by the assignment completely.

361
00:20:31,960 --> 00:20:34,000
But yeah, we do have the mechanism.

362
00:20:34,000 --> 00:20:41,000
It just depends on what kind of nooks and knobs you would need for that resource group.

363
00:20:41,000 --> 00:20:44,860
So one thing you mentioned before, which may have been missed by some people listening,

364
00:20:44,860 --> 00:20:49,120
you said that policy injects itself at the resource manager, Azure Resource Manager

365
00:20:49,120 --> 00:20:50,120
or ARM level.

366
00:20:50,120 --> 00:20:52,480
There's some really important implications about that, right?

367
00:20:52,480 --> 00:20:57,320
I mean, if you're deploying something or even changing something after the fact, I mean,

368
00:20:57,320 --> 00:21:00,080
the ARM middle layer there gets in the way, right?

369
00:21:00,080 --> 00:21:03,920
I mean, policy gets in the way regardless of, as long as you're going through ARM, policy

370
00:21:03,920 --> 00:21:09,760
gets in the way regardless, or more accurately, that sounds a bit cynical, Azure policy is enforced

371
00:21:09,760 --> 00:21:11,560
regardless as long as you're using ARM.

372
00:21:11,560 --> 00:21:12,560
Yes.

373
00:21:12,560 --> 00:21:17,600
So yeah, I like to say that policy sits at the, it does sit at the front door of Azure

374
00:21:17,600 --> 00:21:22,200
Resource Manager and it just monitors all the requests that come through ARM.

375
00:21:22,200 --> 00:21:27,240
So it doesn't matter what format that the customer is using to create resources.

376
00:21:27,240 --> 00:21:31,880
So it could be an ARM template, it could be through PowerShell or through the portal specifically,

377
00:21:31,880 --> 00:21:36,320
policy will sit there and make sure that everything that comes in is in compliance to whatever

378
00:21:36,320 --> 00:21:41,720
is standardized or whatever is assigned in the environment.

379
00:21:41,720 --> 00:21:48,840
It has some cool facts, such as when you use the policy effect called modify, we're empowered

380
00:21:48,840 --> 00:21:54,440
to look at these requests that come in and modify the request so it stays within compliance

381
00:21:54,440 --> 00:22:00,040
and engineers or the resource creators don't have to think about, hey, is this setting

382
00:22:00,040 --> 00:22:04,200
a set or did I put the correct tags that I do all this work?

383
00:22:04,200 --> 00:22:08,440
The modify effects that you can assign within your environment will automatically do that

384
00:22:08,440 --> 00:22:11,840
and modify those requests as they come into ARM.

385
00:22:11,840 --> 00:22:16,760
On top of that, we also have a great integration with the portal team and other product teams

386
00:22:16,760 --> 00:22:21,920
who are creating their own portal experiences and allowing for what we call the policy aware

387
00:22:21,920 --> 00:22:22,920
portal experience.

388
00:22:22,920 --> 00:22:28,960
You might have seen it as you create resources through policy, but you'll see these validation

389
00:22:28,960 --> 00:22:35,080
fail or these red boxes come up or you might even see some gray boxes and things that you

390
00:22:35,080 --> 00:22:39,760
can't unclick and that's all powered through policy and ensuring that whatever business

391
00:22:39,760 --> 00:22:44,360
standards are assigned in your environment continue through your flow and make it easier

392
00:22:44,360 --> 00:22:48,280
to create these resources so you don't select things that you're not supposed to or that

393
00:22:48,280 --> 00:22:50,600
are non-compliant or not allowed.

394
00:22:50,600 --> 00:22:56,840
So policy really injects itself at the beginning of the process to make sure we keep our environments

395
00:22:56,840 --> 00:22:58,640
as secure as possible.

396
00:22:58,640 --> 00:22:59,640
That's an interesting point.

397
00:22:59,640 --> 00:23:00,640
Yeah.

398
00:23:00,640 --> 00:23:04,360
I've seen some of the instances where the UI is grayed out because of policy, but again,

399
00:23:04,360 --> 00:23:08,920
if you were to write like a PowerShell script or an ARM template, you could basically set

400
00:23:08,920 --> 00:23:13,480
whatever you wanted in there, but the deployment or the update may get rejected, right?

401
00:23:13,480 --> 00:23:14,480
Because of policy.

402
00:23:14,480 --> 00:23:15,480
Yeah.

403
00:23:15,480 --> 00:23:16,480
Okay.

404
00:23:16,480 --> 00:23:17,480
Correct.

405
00:23:17,480 --> 00:23:19,920
There's an interesting verb you mentioned before, which is deny, but Azure policy

406
00:23:19,920 --> 00:23:21,400
is not just all about denying things, right?

407
00:23:21,400 --> 00:23:25,120
There's lots of other actions that policy can actually do.

408
00:23:25,120 --> 00:23:26,120
Yeah.

409
00:23:26,120 --> 00:23:30,760
So we have a lot of effects and we've actually added new ones that I'd be happy to talk about.

410
00:23:30,760 --> 00:23:37,520
So the ones that have existed for a while, we have append, audit, audit if not exist,

411
00:23:37,520 --> 00:23:40,760
deny, deploy if not exist, disabled and modify.

412
00:23:40,760 --> 00:23:43,200
I already talked a bit about modify.

413
00:23:43,200 --> 00:23:45,120
Deny is pretty self-explanatory.

414
00:23:45,120 --> 00:23:48,960
We will deny any requests that comes in if it's non-compliant.

415
00:23:48,960 --> 00:23:56,440
Audit and audit if not exist work hand in hand in that we don't actually do any enforcement

416
00:23:56,440 --> 00:24:01,640
on the request, but we audit, meaning we report out all the compliance so you can continue

417
00:24:01,640 --> 00:24:05,480
to monitor that and see the compliance states of your resource.

418
00:24:05,480 --> 00:24:11,480
The two new effects that we have just introduced is deny action and manual.

419
00:24:11,480 --> 00:24:18,240
So deny action as the word entails denies any actions that happen on the environment.

420
00:24:18,240 --> 00:24:23,000
So historically policy has only looked at resource configuration.

421
00:24:23,000 --> 00:24:25,440
So is this resource configured correctly?

422
00:24:25,440 --> 00:24:30,000
Deny action is kind of the first step in policy looking at, well, what is the action that

423
00:24:30,000 --> 00:24:35,520
I want to do on these resources and how do I prevent those actions from succeeding?

424
00:24:35,520 --> 00:24:38,160
So the first action that we're looking at is delete.

425
00:24:38,160 --> 00:24:43,780
So you might have heard of it, or sometimes it's referred to as the deny delete effect, because

426
00:24:43,780 --> 00:24:47,320
basically what we're doing is since we sit at that front door, we're looking, are there

427
00:24:47,320 --> 00:24:51,880
any delete calls that are going to this resource or scoped at this resource?

428
00:24:51,880 --> 00:24:57,200
And if we see that we will reject the delete call from coming in and block it, meaning

429
00:24:57,200 --> 00:25:00,000
the resource won't be able to be deleted.

430
00:25:00,000 --> 00:25:05,840
The cool thing about this is deny action works as any other effect in policy, meaning the

431
00:25:05,840 --> 00:25:09,120
JSON if condition is completely open.

432
00:25:09,120 --> 00:25:15,240
So you're able to add the functionality of deny deletion of anything that has this tag

433
00:25:15,240 --> 00:25:23,240
or deny the deletion of any virtual machines within my production environment and just

434
00:25:23,240 --> 00:25:24,720
that if flexibility.

435
00:25:24,720 --> 00:25:28,040
And it works exactly the same as any of the policy you create for definition, you assign

436
00:25:28,040 --> 00:25:32,720
it and you'd be able to see which resources are applicable.

437
00:25:32,720 --> 00:25:35,120
Currently deny action is in public preview.

438
00:25:35,120 --> 00:25:40,000
So you're able to go ahead and create those definitions and work on that.

439
00:25:40,000 --> 00:25:45,800
The missing piece for a general availability which is soon to come is the matching compliance

440
00:25:45,800 --> 00:25:47,320
state of protected.

441
00:25:47,320 --> 00:25:53,400
So any resource that is applicable to deny action will come up as protected.

442
00:25:53,400 --> 00:25:57,960
For right now for public preview, they come up as compliant, but you should see that compliance

443
00:25:57,960 --> 00:26:00,080
state change when we go GA.

444
00:26:00,080 --> 00:26:03,080
That deny delete, is that like a super duper management lock?

445
00:26:03,080 --> 00:26:09,720
It is similar in the goal, but it just comes with the at scale story of policy.

446
00:26:09,720 --> 00:26:13,960
And you know, locks also allow you to deny update and deletion.

447
00:26:13,960 --> 00:26:19,560
Right now we're just, policy is only focused on the deletion, not on the update scenario.

448
00:26:19,560 --> 00:26:20,560
Very cool.

449
00:26:20,560 --> 00:26:21,560
Okay.

450
00:26:21,560 --> 00:26:22,560
Yeah.

451
00:26:22,560 --> 00:26:25,080
When I first saw them, man, that looks a lot like, you know, putting locks on resources,

452
00:26:25,080 --> 00:26:26,680
but I'm glad you explained the differences.

453
00:26:26,680 --> 00:26:27,920
I think that's very important.

454
00:26:27,920 --> 00:26:31,640
And certainly the scalability aspect is critically important as well.

455
00:26:31,640 --> 00:26:36,000
You know, resource locks, if someone has the permission to that resource, they can remove

456
00:26:36,000 --> 00:26:37,240
a resource lock.

457
00:26:37,240 --> 00:26:43,440
Versus a policy, you have to have policy permissions to remove or exempt yourself from that policy.

458
00:26:43,440 --> 00:26:44,440
Yeah.

459
00:26:44,440 --> 00:26:45,960
You could be a contributor at the resource group level, right?

460
00:26:45,960 --> 00:26:47,800
So now you can start removing locks.

461
00:26:47,800 --> 00:26:50,720
Being a contributor, say for example, at the resource group does not mean you have the

462
00:26:50,720 --> 00:26:53,360
ability to start, you know, tinkering around with policy.

463
00:26:53,360 --> 00:26:54,360
Yeah.

464
00:26:54,360 --> 00:26:56,640
Especially if these policies are assigned at like management.

465
00:26:56,640 --> 00:26:57,640
Exactly.

466
00:26:57,640 --> 00:26:58,640
Exactly.

467
00:26:58,640 --> 00:27:00,640
The subscription owners and those people can't change that stuff.

468
00:27:00,640 --> 00:27:01,640
They don't have the permissions to.

469
00:27:01,640 --> 00:27:02,640
All right.

470
00:27:02,640 --> 00:27:05,940
So that's sort of some of the new functionality in terms of some of the actions.

471
00:27:05,940 --> 00:27:10,600
So what else is kind of either on the cusp, is available now, or is in GA, and you know,

472
00:27:10,600 --> 00:27:13,000
what are the things you're looking at sort of further down the track?

473
00:27:13,000 --> 00:27:14,000
Yeah.

474
00:27:14,000 --> 00:27:18,840
So actually something that's quite top of mind for all of the Azure policy team is safe

475
00:27:18,840 --> 00:27:19,840
deployment.

476
00:27:19,840 --> 00:27:25,400
How do we safely deploy these policy definitions and assignments in customers environments

477
00:27:25,400 --> 00:27:30,840
so we don't do breaking changes or changes that might be negatively impactful?

478
00:27:30,840 --> 00:27:34,640
As we know, as we talked about effects, policies have quite a bit of enforcement and we want

479
00:27:34,640 --> 00:27:41,400
to make sure we do that carefully and by hand selected rollouts, right?

480
00:27:41,400 --> 00:27:47,000
Whether that be location based or resource based or eventually tag based, we need to

481
00:27:47,000 --> 00:27:50,160
make sure that we're doing it in a controlled mechanism.

482
00:27:50,160 --> 00:27:52,280
So safe deployment has been really important.

483
00:27:52,280 --> 00:27:56,440
We've actually released some stuff already for safe deployment.

484
00:27:56,440 --> 00:27:59,400
We have some other stuff coming up.

485
00:27:59,400 --> 00:28:02,400
Particularly we did updates through to policy assignments.

486
00:28:02,400 --> 00:28:08,280
So policy assignments now have a new property called resource selectors in which you could

487
00:28:08,280 --> 00:28:15,120
specify what resource locations and resource types you want that assignment to apply to.

488
00:28:15,120 --> 00:28:19,900
So in conjunction with the applicability that comes in with the definition, right?

489
00:28:19,900 --> 00:28:24,280
All those conditions that you have and with a scope, all that information, we will also

490
00:28:24,280 --> 00:28:29,740
accept any resource locations and resource types that you want us to narrow or focus

491
00:28:29,740 --> 00:28:31,620
on within selectors.

492
00:28:31,620 --> 00:28:35,880
So for example, we talked about allowed location definition, right?

493
00:28:35,880 --> 00:28:39,560
Let's say you're rolling out this allowed location, which is a deny, right?

494
00:28:39,560 --> 00:28:44,560
On your environment and you want to say, okay, I want to slowly roll this out, but I only

495
00:28:44,560 --> 00:28:48,360
want this to be on a handful of resource types first, right?

496
00:28:48,360 --> 00:28:51,320
I only want to, let's start with my storage accounts.

497
00:28:51,320 --> 00:28:53,640
So you would specify a resource selector.

498
00:28:53,640 --> 00:28:58,880
You'd say kind, resource type, and it's an array, so you can keep on adding values.

499
00:28:58,880 --> 00:29:01,320
So you'll say, let's start with storage account.

500
00:29:01,320 --> 00:29:08,560
So we'll only enforce that allowed location assignment on those storage account resources.

501
00:29:08,560 --> 00:29:12,520
And then you can go in and then add virtual machines and then add Cosmos DB and then add

502
00:29:12,520 --> 00:29:17,060
you know, et cetera, et cetera amount of resource types.

503
00:29:17,060 --> 00:29:21,640
You can do the same with locations, slowly add in more locations to roll out that policy

504
00:29:21,640 --> 00:29:22,640
definition.

505
00:29:22,640 --> 00:29:25,440
Eventually, we're also looking to support tags.

506
00:29:25,440 --> 00:29:29,800
So it's something that the team's currently working on and how can we support a tag based

507
00:29:29,800 --> 00:29:34,560
rollout, meaning, you know, if you have all your resources tagged as ring one, ring two,

508
00:29:34,560 --> 00:29:41,320
ring three, you just tell us what tags to include and you can slowly roll that out.

509
00:29:41,320 --> 00:29:42,660
So that's selectors.

510
00:29:42,660 --> 00:29:48,000
Also within assignments, we've also added a new property called overrides.

511
00:29:48,000 --> 00:29:54,440
Overrides allows you to override values that are specified within the policy definition.

512
00:29:54,440 --> 00:29:59,080
So a common use case for this is, you know, hey, I see this built-in definition.

513
00:29:59,080 --> 00:30:00,080
I really like it.

514
00:30:00,080 --> 00:30:04,480
I want to use it, but it's only in the deny mode and I need it in audit, right?

515
00:30:04,480 --> 00:30:09,720
Or it's only in modify, I need it in audit or, you know, whichever way around that you

516
00:30:09,720 --> 00:30:11,820
need the effects to go.

517
00:30:11,820 --> 00:30:15,820
So with overrides, you're able to assign that built-in definition and just override the

518
00:30:15,820 --> 00:30:17,920
effect value.

519
00:30:17,920 --> 00:30:19,480
So you could roll it out that way.

520
00:30:19,480 --> 00:30:25,320
So if you want to go back to allowed locations, it's by default in deny effect.

521
00:30:25,320 --> 00:30:28,640
You could say I'm going to override that effect and I'm going to start out with audit.

522
00:30:28,640 --> 00:30:32,360
I can audit all my requests that are coming in, audit all my resources that currently

523
00:30:32,360 --> 00:30:37,560
exist, roll that out to my environment first, and then flip the switch and switch it to

524
00:30:37,560 --> 00:30:38,760
deny.

525
00:30:38,760 --> 00:30:44,280
The cool thing about overrides is that you could use selectors within overrides, meaning

526
00:30:44,280 --> 00:30:49,880
you can override the value for deny to only certain regions or to only certain resource

527
00:30:49,880 --> 00:30:50,880
types.

528
00:30:50,880 --> 00:30:55,760
Meaning as you roll out this new enforcement, you have a more controlled mechanism to where

529
00:30:55,760 --> 00:31:01,560
to apply the deny instead of applying it all, you know, straight up on the whole environment.

530
00:31:01,560 --> 00:31:03,280
And this is all within one assignment.

531
00:31:03,280 --> 00:31:07,240
You don't have to create any new assignments, same assignment ID, you're just updating that

532
00:31:07,240 --> 00:31:11,560
with whatever knobs that you need to have it in.

533
00:31:11,560 --> 00:31:14,120
So that's our first phase of safe deployment.

534
00:31:14,120 --> 00:31:19,360
As we continue to go into this process and work on it through all of our semesters, the

535
00:31:19,360 --> 00:31:24,480
next thing that we're looking at is how can we support versioning of policy definitions,

536
00:31:24,480 --> 00:31:26,160
specifically our built-in definitions.

537
00:31:26,160 --> 00:31:31,720
We've heard from our customers kind of the pain points in keeping track of updates to

538
00:31:31,720 --> 00:31:38,320
our definitions and what's new and what's going on within this built-in definition world.

539
00:31:38,320 --> 00:31:42,320
So we are looking to introduce versioning for these definitions and it's something that

540
00:31:42,320 --> 00:31:47,360
we're currently working on to be included kind of in that safe deployment process and

541
00:31:47,360 --> 00:31:53,480
the upgrade experience, as well as delving into how do we support things like deprecating

542
00:31:53,480 --> 00:31:57,800
policy parameters and rollbacks for changes within policy.

543
00:31:57,800 --> 00:32:04,080
So overall, safe deployment is really top of mind for us and how can we empower the

544
00:32:04,080 --> 00:32:07,320
enforcement of these organizational standards.

545
00:32:07,320 --> 00:32:13,480
So as we continue to empower, we also have to improve a lot of latency in the work around

546
00:32:13,480 --> 00:32:14,480
that.

547
00:32:14,480 --> 00:32:19,760
So we actually just rolled out a whole bunch of efforts that we had to reduce the latency

548
00:32:19,760 --> 00:32:22,120
and compliance view.

549
00:32:22,120 --> 00:32:27,800
So usually, typically we say 30 minutes for your compliance states to populate.

550
00:32:27,800 --> 00:32:30,600
I think now our average is down to 10 minutes.

551
00:32:30,600 --> 00:32:35,800
So you should be seeing those compliance states populate a lot quicker and having that latency

552
00:32:35,800 --> 00:32:36,800
reduced.

553
00:32:36,800 --> 00:32:41,480
We're also looking to reduce latency on policy enforcement and on global replication and working

554
00:32:41,480 --> 00:32:45,120
with the Azure Resource Manager team to ensure that.

555
00:32:45,120 --> 00:32:48,760
Other things that we're thinking of down the line, things like what if support, I talked

556
00:32:48,760 --> 00:32:55,720
a bit about versioning, having more UX around building these policies and also having like

557
00:32:55,720 --> 00:33:02,080
what's new page to keep up to date as to what policies are coming out and what policies

558
00:33:02,080 --> 00:33:03,640
have been changing.

559
00:33:03,640 --> 00:33:10,360
But overall, policy is always focused on increasing our language and expressions while trying

560
00:33:10,360 --> 00:33:12,400
to simplify the experience overall.

561
00:33:12,400 --> 00:33:16,800
I'm quite excited for what we're working on now and to see the future of policy.

562
00:33:16,800 --> 00:33:20,000
Yeah, I think for a lot of people, Azure policy is actually quite a bit bigger than they may

563
00:33:20,000 --> 00:33:21,000
have thought.

564
00:33:21,000 --> 00:33:24,840
There's a lot more moving parts to it than a lot of people may have thought.

565
00:33:24,840 --> 00:33:26,800
So this is great to see.

566
00:33:26,800 --> 00:33:28,600
It's definitely like peeling an onion.

567
00:33:28,600 --> 00:33:30,000
This has been awesome.

568
00:33:30,000 --> 00:33:31,000
I learned a lot.

569
00:33:31,000 --> 00:33:33,220
Again, I'm a huge fan of Azure policy.

570
00:33:33,220 --> 00:33:36,960
So it's great to see these improvements being made.

571
00:33:36,960 --> 00:33:41,680
But one thing we always ask our guests is if they had one final thought to leave our

572
00:33:41,680 --> 00:33:43,320
listeners with, what would it be?

573
00:33:43,320 --> 00:33:46,960
I think my final thought is governance should not be an afterthought.

574
00:33:46,960 --> 00:33:50,240
It should be one of the first thoughts in creating your environment.

575
00:33:50,240 --> 00:33:55,240
It's important to have that active control and policy is a great mechanism to have that

576
00:33:55,240 --> 00:34:00,920
and just govern at scale for all your Azure resources today, tomorrow and for the future.

577
00:34:00,920 --> 00:34:03,160
Kamli, thank you so much for joining us this week.

578
00:34:03,160 --> 00:34:07,560
Again, I always learn something on every episode, but I certainly learned a lot about some of

579
00:34:07,560 --> 00:34:08,560
the new stuff that's coming out.

580
00:34:08,560 --> 00:34:13,840
Again, I'm a huge fan of policy and I'll stick to what I said at the very beginning.

581
00:34:13,840 --> 00:34:16,200
If you're not using Azure policy, you're doing Azure wrong.

582
00:34:16,200 --> 00:34:17,400
That's just my personal opinion.

583
00:34:17,400 --> 00:34:20,600
So again, thank you so much for joining us.

584
00:34:20,600 --> 00:34:23,280
To all our listeners out there, I hope you found this podcast useful.

585
00:34:23,280 --> 00:34:27,080
Oh, by the way, if you're wondering where Mark went, it looks like someone put an axe

586
00:34:27,080 --> 00:34:29,640
through his fiber optic cable.

587
00:34:29,640 --> 00:34:32,000
That's why I had to sort of one man this towards the end.

588
00:34:32,000 --> 00:34:34,100
So anyway, thank you so much for listening.

589
00:34:34,100 --> 00:34:35,600
Take care and we'll see you next time.

590
00:34:35,600 --> 00:34:38,120
Thanks for listening to the Azure Security Podcast.

591
00:34:38,120 --> 00:34:45,400
You can find show notes and other resources at our website, azsecuritypodcast.net.

592
00:34:45,400 --> 00:34:50,240
If you have any questions, please find us on Twitter at @AzureSecPod.

593
00:34:50,240 --> 00:35:08,640
Background music is from ccmixter.com and licensed under the Creative Commons license.

