1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,360
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,360 --> 00:00:17,520
Hey everyone, welcome to episode 77.

4
00:00:17,520 --> 00:00:21,880
This week it's myself, Michael, with Gladys and Mark, and we have a guest, Anthony Shaw,

5
00:00:21,880 --> 00:00:27,600
who's here to talk to us about security implications of infrastructure as code.

6
00:00:27,600 --> 00:00:31,080
But before we get to our guest, why don't we take a little lap around the news.

7
00:00:31,080 --> 00:00:33,120
Mark, why don't you kick things off?

8
00:00:33,120 --> 00:00:36,880
One of the things that I've been thinking about a lot lately, and it's actually in our,

9
00:00:36,880 --> 00:00:41,080
we captured it in the security architecture design session, module three that released

10
00:00:41,080 --> 00:00:46,760
a month or two ago, the link between zero trust and security operations, or SOC as some

11
00:00:46,760 --> 00:00:48,460
people like to call it.

12
00:00:48,460 --> 00:00:52,080
So one of the things that we found that's really interesting is, you know, a lot of

13
00:00:52,080 --> 00:00:55,040
folks are familiar with, hey, why would we think about zero trust?

14
00:00:55,040 --> 00:01:00,240
Because hey, the firewall ain't going to protect your cloud apps, it's not going to protect

15
00:01:00,240 --> 00:01:04,400
the data and the systems that are outside of your traditional network perimeter, right?

16
00:01:04,400 --> 00:01:09,320
And so that dynamic and sort of the urge to work on access control, which is extremely

17
00:01:09,320 --> 00:01:14,240
rational and correct, is absolutely correct.

18
00:01:14,240 --> 00:01:18,640
The thing that is interesting is that a lot of folks aren't necessarily seeing that the

19
00:01:18,640 --> 00:01:23,760
same exact dynamic of, hey, we need to protect stuff wherever it happens to be, you know,

20
00:01:23,760 --> 00:01:28,440
working from home out in the cloud, et cetera, also is happening to the detect and respond

21
00:01:28,440 --> 00:01:34,320
part of the NIST cybersecurity framework lifecycle, you know, identify, protect, detect, respond,

22
00:01:34,320 --> 00:01:35,320
recover.

23
00:01:35,320 --> 00:01:41,800
Ultimately, you do need to also do threat detection and response and recovery of assets,

24
00:01:41,800 --> 00:01:45,200
even if it is a person working from home, even if it is in the cloud.

25
00:01:45,200 --> 00:01:50,680
And so the exact same underlying drivers for that are also affecting and forcing a change

26
00:01:50,680 --> 00:01:55,400
in the way people think about security operations, adding new tools, getting some asset specific

27
00:01:55,400 --> 00:02:02,960
stuff, XDR tools is the easiest way to deal with that, extended detection and response.

28
00:02:02,960 --> 00:02:07,000
Because if you got Defender for Endpoint agent on it or CrowdStrike or pick your favorite

29
00:02:07,000 --> 00:02:12,840
flavor, Defender for Cloud, obviously my favorite is Defender for Endpoint, just in case anyone's

30
00:02:12,840 --> 00:02:13,840
wondering.

31
00:02:13,840 --> 00:02:17,000
But you got Defender for Cloud that's getting asset specific around the various different

32
00:02:17,000 --> 00:02:25,640
things, Azure storage, SQL, multi-cloud, VMs, et cetera, lots and lots of stuff.

33
00:02:25,640 --> 00:02:29,800
But ultimately, that same thing is driven by that, hey, we need to protect at something

34
00:02:29,800 --> 00:02:32,840
other than the firewall edge.

35
00:02:32,840 --> 00:02:37,080
And taking an IDS and then blocking an IP, that's just not how it works anymore.

36
00:02:37,080 --> 00:02:40,360
And so it's just a lot of folks kind of miss that connection.

37
00:02:40,360 --> 00:02:44,120
So that's one of the key drivers, along with modern tooling and alignment with the business

38
00:02:44,120 --> 00:02:47,400
that we talk about in that architecture design session workshop.

39
00:02:47,400 --> 00:02:49,560
So it's been top of mind for me lately.

40
00:02:49,560 --> 00:02:52,120
So that's one of the things I've been focusing on.

41
00:02:52,120 --> 00:02:54,560
Defender for Endpoint is one of my favorites.

42
00:02:54,560 --> 00:02:59,920
And actually, because of that, the first new that I'm going to be talking about is related

43
00:02:59,920 --> 00:03:02,400
to Defender for Endpoint.

44
00:03:02,400 --> 00:03:08,080
Last year we announced the addition of device inventory view as part of Defender for Endpoint.

45
00:03:08,080 --> 00:03:13,480
And we've been integrating more and more, including Defender for IoT.

46
00:03:13,480 --> 00:03:20,480
To build on top of all this work, we are expanding our device discovery capability through the

47
00:03:20,480 --> 00:03:22,840
use of risk IQ.

48
00:03:22,840 --> 00:03:30,240
So now with this integration, we could discover internet facing devices.

49
00:03:30,240 --> 00:03:33,400
And this is in public preview.

50
00:03:33,400 --> 00:03:41,280
What I love about this is that besides the internal threat intelligence that we are using

51
00:03:41,280 --> 00:03:49,760
with our products, adding this capability enables us to see the services from a different

52
00:03:49,760 --> 00:03:53,160
perspective, from an external perspective.

53
00:03:53,160 --> 00:03:59,560
We have the capability of having better analysis of threats in the environment and mitigating

54
00:03:59,560 --> 00:04:01,680
those issues.

55
00:04:01,680 --> 00:04:07,840
The next news that I wanted to talk about is DDoS attack IP protection.

56
00:04:07,840 --> 00:04:14,120
Actually this is an enterprise grade DDoS protection at a more affordable price point.

57
00:04:14,120 --> 00:04:20,320
I am happy about this because I've seen DDoS increasing actually.

58
00:04:20,320 --> 00:04:26,060
There's several articles talking about how it's been becoming more frequent for organizations

59
00:04:26,060 --> 00:04:29,000
to have to deal with it, even personally.

60
00:04:29,000 --> 00:04:35,240
Actually I've been troubleshooting all the time my family internet and I see all those

61
00:04:35,240 --> 00:04:36,620
DDoS attacks.

62
00:04:36,620 --> 00:04:44,560
So I am really happy that they have created this more affordable type of solution.

63
00:04:44,560 --> 00:04:51,480
So if you have time, just review the links that we are providing to you as part of the

64
00:04:51,480 --> 00:04:53,200
podcast website.

65
00:04:53,200 --> 00:04:54,200
And that's all for me.

66
00:04:54,200 --> 00:04:55,880
Yeah, I've got a few items.

67
00:04:55,880 --> 00:05:02,680
The first one is we now in public preview, Microsoft Defender for APIs with Azure API

68
00:05:02,680 --> 00:05:03,680
Management.

69
00:05:03,680 --> 00:05:07,560
This is really cool, it interacts, obviously as the name suggests, it interacts with API

70
00:05:07,560 --> 00:05:13,640
Management and provides a whole other layer of defense on top of your APIs.

71
00:05:13,640 --> 00:05:17,840
I was actually talking to the program manager for it the other day and we're trying to get

72
00:05:17,840 --> 00:05:23,320
her on podcast to do an episode because I actually think it's a really cool technology.

73
00:05:23,320 --> 00:05:25,820
Next one is, this is kind of an interesting one.

74
00:05:25,820 --> 00:05:30,480
We now have in general availability the ability to ping your Azure load balancer.

75
00:05:30,480 --> 00:05:33,080
Now you may think, well, okay, that's not very exciting.

76
00:05:33,080 --> 00:05:37,360
Well, it actually kind of is because historically you had to do a TCP ping.

77
00:05:37,360 --> 00:05:39,600
You couldn't do an ICMP ping.

78
00:05:39,600 --> 00:05:42,760
Well, now you can.

79
00:05:42,760 --> 00:05:46,000
Obviously you need to, well, not obviously, but perhaps it sounds obvious, but you need

80
00:05:46,000 --> 00:05:51,880
to make sure that you have a network security group configured allowing ICMP traffic inbound.

81
00:05:51,880 --> 00:05:55,280
But other than that, yeah, it's great to see because ICMP is just so much more lightweight

82
00:05:55,280 --> 00:05:58,040
than doing a full TCP connection.

83
00:05:58,040 --> 00:06:02,880
Another one is Azure Cosmos DB for Postgres SQL now supports customer managed keys for

84
00:06:02,880 --> 00:06:03,880
data encryption.

85
00:06:03,880 --> 00:06:08,040
I've said this so many times, but I'll say it again, that there's three massive areas

86
00:06:08,040 --> 00:06:09,520
that we're seeing across the whole company.

87
00:06:09,520 --> 00:06:15,760
And that is managed identities for clients, using AAD credentials, customer managed keys,

88
00:06:15,760 --> 00:06:17,360
and using private endpoints.

89
00:06:17,360 --> 00:06:21,720
So this is great to see yet another product, in this case something in my backyard, Azure

90
00:06:21,720 --> 00:06:27,720
Cosmos DB, now supporting customer managed keys for data encryption at rest for the Postgres

91
00:06:27,720 --> 00:06:28,720
SQL interface.

92
00:06:28,720 --> 00:06:33,880
And last but by no means least, many because I just discovered this over the last few days.

93
00:06:33,880 --> 00:06:39,080
So if you're writing C sharp code, for example, or any kind of managed code, you may be familiar

94
00:06:39,080 --> 00:06:43,160
with the system.data.sqlclient assembly.

95
00:06:43,160 --> 00:06:48,960
Well that has been deprecated in favor of the Microsoft.data.sqlclient assembly.

96
00:06:48,960 --> 00:06:55,320
And there's a really good reason why you should start to migrate to Microsoft.data.sqlclient.

97
00:06:55,320 --> 00:07:01,280
And that is because in SQL Server 2022, we added a new option in encrypt.

98
00:07:01,280 --> 00:07:04,920
So encrypt used to be either false or true.

99
00:07:04,920 --> 00:07:05,920
It's a terrible name.

100
00:07:05,920 --> 00:07:09,480
It should really be like, you know, protect or something, because it's actually enforcing

101
00:07:09,480 --> 00:07:10,480
TLS.

102
00:07:10,480 --> 00:07:12,800
So encrypt equals false means obviously no TLS.

103
00:07:12,800 --> 00:07:14,360
Encrypt equals true means use TLS.

104
00:07:14,360 --> 00:07:17,240
Well now we have encrypt equals strict.

105
00:07:17,240 --> 00:07:21,960
And that disables the trust server certificate directive as well.

106
00:07:21,960 --> 00:07:25,120
It does a strict certificate check.

107
00:07:25,120 --> 00:07:31,000
The thing is the system.data.sqlclient assembly is essentially on life support.

108
00:07:31,000 --> 00:07:34,880
It won't see any major changes being made to it whatsoever.

109
00:07:34,880 --> 00:07:37,160
It doesn't know about encrypt equals strict.

110
00:07:37,160 --> 00:07:40,600
And so if you actually have some code and you want to use like this strict check, it's

111
00:07:40,600 --> 00:07:42,160
not going to work.

112
00:07:42,160 --> 00:07:48,760
So start to think about migrating your code over to using Microsoft.data.sqlclient because

113
00:07:48,760 --> 00:07:50,680
we support encrypt equals strict.

114
00:07:50,680 --> 00:07:51,960
There's other reasons in there as well.

115
00:07:51,960 --> 00:07:56,440
So for example, there's a new, we're trying to move everyone over to using MSAL, which

116
00:07:56,440 --> 00:08:03,960
is the OAuth 2 library versus ADAL, which is the Azure Active Directory library or the

117
00:08:03,960 --> 00:08:05,320
Active Directory library.

118
00:08:05,320 --> 00:08:10,200
So that's not supported in, ADAL is not supported in Microsoft.data.security.

119
00:08:10,200 --> 00:08:13,160
We've moved over to the more modern MSAL.

120
00:08:13,160 --> 00:08:16,440
So there's lots of good reasons to move to Microsoft.data.sqlclient.

121
00:08:16,440 --> 00:08:18,960
All right, that's the news out of the way.

122
00:08:18,960 --> 00:08:20,740
I hope that last one made sense.

123
00:08:20,740 --> 00:08:24,840
If you weren't listening, just use Microsoft.data.sqlclient rather than system.data.sqlclient.

124
00:08:24,840 --> 00:08:27,360
All right, now we've got the news out of the way.

125
00:08:27,360 --> 00:08:29,760
Let's move our attention to our guest.

126
00:08:29,760 --> 00:08:34,720
As I mentioned before, this week we have Anthony Shaw, who's here to talk to us about infrastructure

127
00:08:34,720 --> 00:08:38,040
as code, but through a security lens.

128
00:08:38,040 --> 00:08:40,960
So Anthony, thank you so much for joining us this week.

129
00:08:40,960 --> 00:08:44,040
We'd like to take a moment and just introduce yourself to our listeners.

130
00:08:44,040 --> 00:08:45,040
Hey, Michael.

131
00:08:45,040 --> 00:08:48,760
I normally listen to the podcast whilst walking my dog.

132
00:08:48,760 --> 00:08:54,060
So this is novel to be in my office instead, but I'm the Python Developer Advocate while

133
00:08:54,060 --> 00:08:57,640
I run the Python Developer Advocacy team at Microsoft.

134
00:08:57,640 --> 00:09:03,360
I've been here for a couple of years and worked in cloud for my whole career.

135
00:09:03,360 --> 00:09:06,320
My focus over the last eight years has been on Python.

136
00:09:06,320 --> 00:09:12,280
I've published a book called CPython Internals, which is about the Python compiler, also a

137
00:09:12,280 --> 00:09:14,300
fellow of the Python Software Foundation.

138
00:09:14,300 --> 00:09:20,040
So I've kind of gone quite deep on Python as a language over the last eight years, but

139
00:09:20,040 --> 00:09:23,200
essentially worked in cloud since I was in school.

140
00:09:23,200 --> 00:09:27,800
So security pops up a lot when you stick things on the internet.

141
00:09:27,800 --> 00:09:32,880
So early on when I was in technical support, basically going and mopping up all the spills

142
00:09:32,880 --> 00:09:39,600
of people publishing applications on the internet with poor or no security and then getting

143
00:09:39,600 --> 00:09:40,600
hacked.

144
00:09:40,600 --> 00:09:45,040
So that was leakage or just defacement or things like that, kind of working with those

145
00:09:45,040 --> 00:09:46,860
customers early on.

146
00:09:46,860 --> 00:09:51,800
So yeah, that's been an interest of mine, been application security specifically.

147
00:09:51,800 --> 00:09:57,080
Yeah, here to talk about infrastructure as code and kind of how developers now need to

148
00:09:57,080 --> 00:10:01,600
think not just about the application security, but actually start thinking about infrastructure

149
00:10:01,600 --> 00:10:06,880
security as well, because often the infrastructure as code template is actually an artifact

150
00:10:06,880 --> 00:10:08,020
of the code.

151
00:10:08,020 --> 00:10:10,160
So they're kind of spilling into each other.

152
00:10:10,160 --> 00:10:14,600
Yeah, I like the fact that you brought up this notion of infrastructure and kind of

153
00:10:14,600 --> 00:10:15,600
development.

154
00:10:15,600 --> 00:10:20,320
There's a class that I used to give inside of Microsoft just for personal reasons more

155
00:10:20,320 --> 00:10:27,760
than anything else, which was basically teaching infrastructure people how to use developer

156
00:10:27,760 --> 00:10:28,760
tools.

157
00:10:28,760 --> 00:10:32,980
Because even if you're not a developer and you're an infrastructure person, you've got

158
00:10:32,980 --> 00:10:36,120
to know how to use basic developer tools.

159
00:10:36,120 --> 00:10:40,640
And in many cases that might mean sitting in front of Visual Studio code.

160
00:10:40,640 --> 00:10:46,000
That definitely involves repositories and version control, knowing Git, potentially

161
00:10:46,000 --> 00:10:50,500
GitHub, depending on where you're storing your repos.

162
00:10:50,500 --> 00:10:54,760
So yeah, the time has come now where people, even if you're not a developer, you have to

163
00:10:54,760 --> 00:10:58,680
understand basic developer tooling.

164
00:10:58,680 --> 00:11:04,640
Because that's, and CI, CD pipelines as well, because that's basically the way the world

165
00:11:04,640 --> 00:11:05,640
is going.

166
00:11:05,640 --> 00:11:07,480
And you also pointed out Python.

167
00:11:07,480 --> 00:11:11,880
I mean, people often use Python for infrastructure as well.

168
00:11:11,880 --> 00:11:14,920
So congratulations, you've got to learn development all over again.

169
00:11:14,920 --> 00:11:20,000
Is that a fair comment or am I just like, just toot my own horn here?

170
00:11:20,000 --> 00:11:21,960
Yeah, no, absolutely.

171
00:11:21,960 --> 00:11:24,800
It's kind of whose responsibility is it?

172
00:11:24,800 --> 00:11:35,040
And I think when we talk about security, security is everybody's responsibility.

173
00:11:35,040 --> 00:11:42,160
That kind of overlooks that you need to have domain expertise and security, and not everybody

174
00:11:42,160 --> 00:11:43,800
can have that.

175
00:11:43,800 --> 00:11:49,360
When developers now are saying, okay, here's my application that I've been working on.

176
00:11:49,360 --> 00:11:51,640
Here's how you would deploy it to the cloud.

177
00:11:51,640 --> 00:11:57,440
And I can describe that in code now, in templates.

178
00:11:57,440 --> 00:11:59,400
When do they work with a security team?

179
00:11:59,400 --> 00:12:01,040
Do they do their own security reviews?

180
00:12:01,040 --> 00:12:06,680
Do they need to understand the security implications of what they've put in that template?

181
00:12:06,680 --> 00:12:10,160
And both the development team needs to understand those things.

182
00:12:10,160 --> 00:12:17,040
But also, I think, no matter what you're doing, whether it's, I mean, IT admins need to understand

183
00:12:17,040 --> 00:12:18,200
code nowadays.

184
00:12:18,200 --> 00:12:24,120
You're using PowerShell or another scripting language to do pretty much everything in AD

185
00:12:24,120 --> 00:12:27,880
tenants or in Azure tenants or in Office 365 tenants.

186
00:12:27,880 --> 00:12:30,600
So that is your interface to the cloud now.

187
00:12:30,600 --> 00:12:33,040
So you need to understand those programming tools.

188
00:12:33,040 --> 00:12:37,400
And you can't just have a shared drive where you put all the scripts and then everybody

189
00:12:37,400 --> 00:12:38,400
writes to it.

190
00:12:38,400 --> 00:12:40,140
You need to have some sort of version control.

191
00:12:40,140 --> 00:12:46,440
And then once you introduce version control like Git, then you should start to think about

192
00:12:46,440 --> 00:12:52,360
how do we automatically check the scripts that we have, the templates that we have,

193
00:12:52,360 --> 00:12:53,740
the code that we have.

194
00:12:53,740 --> 00:12:55,920
Because developers are used to doing this.

195
00:12:55,920 --> 00:13:01,480
They've been doing at least the CI part, not necessarily the CD part, for a long time.

196
00:13:01,480 --> 00:13:07,840
So when we check in code, push code up, all the tests should run automatically and say,

197
00:13:07,840 --> 00:13:10,920
oh, you changed this, but it broke this other thing.

198
00:13:10,920 --> 00:13:14,620
So we want to verify that as early as possible.

199
00:13:14,620 --> 00:13:17,340
And that's not just the test from a code perspective now.

200
00:13:17,340 --> 00:13:23,040
There's a lot of other things that we verify typically in a CI process, which would include

201
00:13:23,040 --> 00:13:27,800
style, like have we used names for variables that people don't like?

202
00:13:27,800 --> 00:13:30,800
But also, have we made spelling mistakes?

203
00:13:30,800 --> 00:13:34,640
We've added more and more automated tools in that process.

204
00:13:34,640 --> 00:13:38,840
And that's kind of where I see it bleeding into infrastructure security in particular.

205
00:13:38,840 --> 00:13:39,840
Yeah.

206
00:13:39,840 --> 00:13:45,040
And if I can add sort of my two cents on it, in a way, infrastructure people, which I am

207
00:13:45,040 --> 00:13:49,600
one, and so my questions will definitely be coming from that origin story.

208
00:13:49,600 --> 00:13:54,600
I'm definitely a security person now, but started my IT career in the infrastructure side.

209
00:13:54,560 --> 00:13:59,560
It's easy to forget sometimes, if you're not Michael Howard, that helped build Windows,

210
00:13:59,440 --> 00:14:04,440
that all those things that we're used to hitting setup exe and installing or clicking out and making a VM,

211
00:14:05,640 --> 00:14:10,640
that's all code that was all developed.

212
00:14:07,320 --> 00:14:12,320
And it's just that that line is getting a little bit fuzzier, where it used to be,

213
00:14:10,520 --> 00:14:15,520
hey, we got this CD out of the box from Microsoft and then we do the thing and occasionally run an update.

214
00:14:15,520 --> 00:14:20,520
I mean, it's code at the end of the day.

215
00:14:17,160 --> 00:14:22,160
And so it's just that as you need to do custom things and there isn't a pre-packaged SaaS app

216
00:14:22,320 --> 00:14:27,320
or box software in the old days, it's code.

217
00:14:26,800 --> 00:14:31,800
And so you need to be able to have a custom app that does that custom business requirement.

218
00:14:31,560 --> 00:14:36,560
And so I sort of see it as a little bit of a back to the future or a redefining the line between

219
00:14:37,320 --> 00:14:42,320
what is packaged for you and supported and maintained by a vendor versus

220
00:14:42,320 --> 00:14:47,320
what is really custom.

221
00:14:43,760 --> 00:14:48,760
You're going to have to potentially put in some code or copy paste somebody else's code

222
00:14:48,760 --> 00:14:53,760
and then make sure that that stuff is secure in the code rules kind of way versus the infrastructure rules kind of way.

223
00:14:54,040 --> 00:14:59,040
So you've been talking about infrastructure as code and security.

224
00:14:59,160 --> 00:15:04,160
What kind of issues are you seeing that are being addressed?

225
00:15:02,960 --> 00:15:07,960
Yeah, so there's five major things that we've been seeing when looking at the security

226
00:15:07,960 --> 00:15:12,960
of the infrastructure that's being defined in the code.

227
00:15:12,640 --> 00:15:17,640
The number one is the network security.

228
00:15:14,720 --> 00:15:19,720
So now that in the cloud, everything is essentially a software defined network.

229
00:15:20,640 --> 00:15:25,640
When you create networks between applications and databases or different data layers or when you're defining

230
00:15:28,000 --> 00:15:33,000
what is public, what is not, whether you have VPNs, things like that, all of that is a kind of a network definition.

231
00:15:33,000 --> 00:15:38,000
An application template can include its own network and its own network infrastructure.

232
00:15:38,720 --> 00:15:43,720
So what is the security of that network?

233
00:15:41,040 --> 00:15:46,040
And network security is its entire, it's a whole domain in itself and people do that for a profession and it's extremely complicated.

234
00:15:49,800 --> 00:15:54,800
So it's kind of unreasonable for a developer to suddenly go,

235
00:15:54,440 --> 00:15:59,440
oh, I'm going to define the network and the security spec.

236
00:15:57,400 --> 00:16:02,400
So network security is number one.

237
00:16:02,400 --> 00:16:07,400
And then there's the secret management.

238
00:16:04,800 --> 00:16:09,800
So you can, if you wanted to, hard code the secret for the database,

239
00:16:11,400 --> 00:16:16,400
the admin username and password.

240
00:16:12,840 --> 00:16:17,840
You can hard code that in the template if you wanted to, you shouldn't, but you can.

241
00:16:18,240 --> 00:16:23,240
And then you've also got secrets to pretty much everything else.

242
00:16:22,120 --> 00:16:27,120
So your monitoring infrastructure, your database backend, your caching.

243
00:16:26,640 --> 00:16:31,640
Every time you bolt on a service that is used by the application,

244
00:16:31,640 --> 00:16:36,640
you're able to authenticate that service.

245
00:16:33,240 --> 00:16:38,240
So that links into the third one, which is when and where do you use managed identity?

246
00:16:39,520 --> 00:16:44,520
And which service is compatible with that and can you connect that in?

247
00:16:43,400 --> 00:16:48,400
So managed identity kind of links into that as well.

248
00:16:47,400 --> 00:16:52,400
And then the next one is the actual code itself and who or what can change that code.

249
00:16:55,240 --> 00:17:00,240
Because once you've got the application up and running,

250
00:17:00,240 --> 00:17:05,240
you can change the code on a frequent basis.

251
00:17:02,640 --> 00:17:07,640
So you don't want just anybody to go and change the code in the production server

252
00:17:09,360 --> 00:17:14,360
or even the test environment.

253
00:17:11,440 --> 00:17:16,440
So how do you verify the code that gets published, who it is?

254
00:17:17,120 --> 00:17:22,120
Or often if it's an automation tool, like where that's coming from?

255
00:17:20,800 --> 00:17:25,800
And then make sure that somebody hasn't injected some strange code

256
00:17:25,000 --> 00:17:30,000
or even just by mistake sometimes managed to deploy to that environment.

257
00:17:30,000 --> 00:17:35,000
So that's the four major things that we're seeing,

258
00:17:33,360 --> 00:17:38,360
but there's a few other bits and pieces that are popping up as well.

259
00:17:37,120 --> 00:17:42,120
The fifth is what application security requirements do you put in around there?

260
00:17:42,840 --> 00:17:47,840
So what types of firewalls do you have?

261
00:17:45,960 --> 00:17:50,960
What kind of auditing do you have?

262
00:17:47,920 --> 00:17:52,920
So within the Azure Security Suite, then what do you include?

263
00:17:51,560 --> 00:17:56,560
I've got to pull the newbie card here, because I understand the concept of IEC

264
00:17:56,560 --> 00:18:01,560
and the automation power of it as a general point.

265
00:17:59,800 --> 00:18:04,800
Can you give us, me included, our audience an overview of what is IEC?

266
00:18:06,600 --> 00:18:11,600
What does it do and how does it work?

267
00:18:09,240 --> 00:18:14,240
Just a couple minutes, just quick explanation,

268
00:18:12,760 --> 00:18:17,760
just to make sure that we understand this.

269
00:18:14,440 --> 00:18:19,440
Because all that stuff sounded familiar,

270
00:18:15,960 --> 00:18:20,960
but I wasn't sure what framework to hang that in.

271
00:18:19,160 --> 00:18:24,160
Yeah, sure.

272
00:18:19,760 --> 00:18:24,760
So you traditionally used to have to deploy things,

273
00:18:24,760 --> 00:18:29,760
not infrastructure, by going through a GUI,

274
00:18:28,480 --> 00:18:33,480
like the portal or the installer.

275
00:18:30,440 --> 00:18:35,440
You talked about the old style installers on the desktop.

276
00:18:34,880 --> 00:18:39,880
And then you would have a set of instructions saying,

277
00:18:37,680 --> 00:18:42,680
okay, this is how you would install this product,

278
00:18:40,160 --> 00:18:45,160
or this is how you would configure it.

279
00:18:41,600 --> 00:18:46,600
So go in the portal, pick this option, change this dropdown.

280
00:18:46,520 --> 00:18:51,520
So when you're building an application, normally you would have a sandbox,

281
00:18:51,520 --> 00:18:56,520
so you would put all the products in place,

282
00:18:55,360 --> 00:19:00,360
configure all the services, get it working.

283
00:18:58,320 --> 00:19:03,320
And then when you want to repeat that process,

284
00:19:00,880 --> 00:19:05,880
you don't want to have to describe by hand

285
00:19:04,880 --> 00:19:09,880
what you need to click on and which options you need to pick.

286
00:19:07,680 --> 00:19:12,680
So what you can do with infrastructure as code

287
00:19:10,920 --> 00:19:15,920
is you can basically take a snapshot of that

288
00:19:14,280 --> 00:19:19,280
and then describe it in code.

289
00:19:19,280 --> 00:19:24,280
It's more like a template.

290
00:19:20,600 --> 00:19:25,600
So ARM templates is one method of doing it.

291
00:19:26,480 --> 00:19:31,480
Bicep is another.

292
00:19:28,240 --> 00:19:33,240
There are also non-Microsoft specific ones,

293
00:19:30,560 --> 00:19:35,560
like Terraform is an infrastructure as code tool.

294
00:19:34,760 --> 00:19:39,760
And basically what the infrastructure as code tool will do

295
00:19:37,680 --> 00:19:42,680
is it will look at the template,

296
00:19:39,080 --> 00:19:44,080
it will see that you've defined, let's say, a VNet and an app service.

297
00:19:44,560 --> 00:19:47,560
And maybe within that you've got some service principles.

298
00:19:47,560 --> 00:19:52,560
So you would define those in code

299
00:19:50,560 --> 00:19:55,560
and say what all of the parameters should be.

300
00:19:54,120 --> 00:19:59,120
And then the tool will look at your target environment.

301
00:19:57,920 --> 00:20:02,920
Let's say that's in Azure and you've got a tenant.

302
00:20:00,720 --> 00:20:05,720
And you say, okay, deploy this template to Azure.

303
00:20:03,400 --> 00:20:08,400
It will look at Azure and say,

304
00:20:05,440 --> 00:20:10,440
does that component already exist?

305
00:20:08,680 --> 00:20:13,680
No, okay, let's deploy that.

306
00:20:11,000 --> 00:20:16,000
And then it will check that all the settings

307
00:20:16,000 --> 00:20:21,000
makes a change in the portal

308
00:20:18,600 --> 00:20:23,600
and doesn't actually capture that in the template.

309
00:20:20,920 --> 00:20:25,920
The next time you run the template, it will override that.

310
00:20:23,040 --> 00:20:28,040
So basically it makes sure that what is in the template

311
00:20:26,720 --> 00:20:31,720
actually matches what is running in the environment.

312
00:20:29,680 --> 00:20:34,680
Gotcha.

313
00:20:30,040 --> 00:20:35,040
And does it enforce that over time

314
00:20:31,800 --> 00:20:36,800
or is it just sort of that initial setup for the app?

315
00:20:35,200 --> 00:20:40,200
It's just the initial one.

316
00:20:37,200 --> 00:20:42,200
If you run it again, it will override the settings.

317
00:20:42,200 --> 00:20:47,200
So it's something called idempotent.

318
00:20:47,000 --> 00:20:52,000
This is a very strange word,

319
00:20:48,880 --> 00:20:53,880
which is kind of common in DevOps tools

320
00:20:51,280 --> 00:20:56,280
where you basically describe something as code.

321
00:20:55,040 --> 00:21:00,040
The goal should be that the outcome will be the same

322
00:20:58,280 --> 00:21:03,280
no matter how many times you run it

323
00:21:00,320 --> 00:21:05,320
and no matter what the target looks like.

324
00:21:02,200 --> 00:21:07,200
So if the target doesn't exist,

325
00:21:04,000 --> 00:21:09,000
the outcome should be the same.

326
00:21:05,560 --> 00:21:10,560
If the target does exist but it's configured weirdly,

327
00:21:10,560 --> 00:21:15,560
that's kind of one of the principles

328
00:21:11,800 --> 00:21:16,800
of the infrastructure as code tools.

329
00:21:14,280 --> 00:21:19,280
Gotcha.

330
00:21:14,920 --> 00:21:19,920
So I think I've actually been exposed to this

331
00:21:17,280 --> 00:21:22,280
as sort of the portal jockey

332
00:21:18,840 --> 00:21:23,840
where it's a little button that I never really use

333
00:21:21,200 --> 00:21:26,200
that generates the technical configuration

334
00:21:25,080 --> 00:21:30,080
of things in the Azure portal.

335
00:21:27,520 --> 00:21:32,520
Yep.

336
00:21:28,360 --> 00:21:33,360
Awesome.

337
00:21:29,120 --> 00:21:34,120
Thank you.

338
00:21:29,560 --> 00:21:34,560
That helps a lot.

339
00:21:30,440 --> 00:21:35,440
Like Mark, I'm also learning about infrastructure as code.

340
00:21:35,080 --> 00:21:40,080
Actually I've been playing with Bicep lately.

341
00:21:40,080 --> 00:21:45,080
Can you give a brief explanation

342
00:21:42,480 --> 00:21:47,480
why would you choose to use Bicep or Terraform

343
00:21:47,960 --> 00:21:52,960
versus ARM templates

344
00:21:49,440 --> 00:21:54,440
in order to do infrastructure as code?

345
00:21:53,360 --> 00:21:58,360
Yeah.

346
00:21:54,520 --> 00:21:59,520
ARM is very, very verbose.

347
00:21:57,080 --> 00:22:02,080
So if you create an environment,

348
00:22:02,680 --> 00:22:07,680
kind of in principle when you're deploying applications

349
00:22:07,680 --> 00:22:12,680
it will be housed within a resource group.

350
00:22:09,680 --> 00:22:14,680
So you kind of use the resource group

351
00:22:11,840 --> 00:22:16,840
as the soft container or the boundary of the application.

352
00:22:16,960 --> 00:22:21,960
What you can do in Azure is you can pick on a resource group

353
00:22:19,440 --> 00:22:24,440
and say, okay, create a template

354
00:22:22,080 --> 00:22:27,080
for that entire resource group.

355
00:22:24,080 --> 00:22:29,080
So it'll say, okay, if you wanted to deploy everything

356
00:22:27,120 --> 00:22:32,120
in that resource group again,

357
00:22:28,920 --> 00:22:33,920
here's what it would look like as a template.

358
00:22:31,160 --> 00:22:36,160
And it will give you that in ARM.

359
00:22:36,160 --> 00:22:41,160
And in most applications it's going to be

360
00:22:38,160 --> 00:22:43,160
thousands if not tens of thousands of lines

361
00:22:41,160 --> 00:22:46,160
because there's a lot of settings in there.

362
00:22:43,160 --> 00:22:48,160
There's a lot of properties.

363
00:22:44,160 --> 00:22:49,160
It includes even things which you didn't override.

364
00:22:47,400 --> 00:22:52,400
So things which are the defaults

365
00:22:49,760 --> 00:22:54,760
but you didn't override them,

366
00:22:51,000 --> 00:22:56,000
it will include all of that stuff in the template.

367
00:22:54,280 --> 00:22:59,280
Now that's fine if you want to just save that

368
00:22:56,760 --> 00:23:01,760
and take a snapshot and then going forward.

369
00:22:59,360 --> 00:23:04,360
But to actually work with it as either a developer

370
00:23:04,360 --> 00:23:09,360
or an infrastructure expert,

371
00:23:06,080 --> 00:23:11,080
it's quite hard to read through

372
00:23:08,520 --> 00:23:13,520
and understand what's going on.

373
00:23:10,760 --> 00:23:15,760
I find ARM is actually more a language that Azure speaks.

374
00:23:16,000 --> 00:23:21,000
So Bicep is an abstraction on top of ARM.

375
00:23:20,440 --> 00:23:25,440
So basically it's a different syntax.

376
00:23:23,200 --> 00:23:28,200
It's designed for people to actually write templates

377
00:23:27,240 --> 00:23:32,240
for Bicep.

378
00:23:29,200 --> 00:23:34,200
And then Bicep templates actually compile into ARM.

379
00:23:34,200 --> 00:23:39,200
So you can actually use the abstraction layer

380
00:23:36,200 --> 00:23:41,200
on top of ARM so that you don't have to define

381
00:23:39,200 --> 00:23:44,200
all of the defaults.

382
00:23:41,200 --> 00:23:46,200
You don't have to define so many of the dependencies.

383
00:23:44,200 --> 00:23:49,200
And also you can set variables

384
00:23:46,200 --> 00:23:51,200
because let's say you've got a resource group

385
00:23:50,200 --> 00:23:55,200
and you've named everything.

386
00:23:52,200 --> 00:23:57,200
I don't know, I've got a notebook on my desk

387
00:23:55,200 --> 00:24:00,200
with a unicorn on it.

388
00:23:57,200 --> 00:24:02,200
You've named it the unicorn application.

389
00:24:02,200 --> 00:24:07,200
You want to call it something else.

390
00:24:03,200 --> 00:24:08,200
So you would say, okay, that is a variable.

391
00:24:05,800 --> 00:24:10,800
That's a thing which can change

392
00:24:07,200 --> 00:24:12,200
each time I deploy the template.

393
00:24:09,200 --> 00:24:14,200
So in Bicep you can say, okay, that is an input.

394
00:24:13,000 --> 00:24:18,000
So when you deploy that template,

395
00:24:14,400 --> 00:24:19,400
it will ask you what's the name you want to use

396
00:24:17,200 --> 00:24:22,200
and then it will go and populate all those fields.

397
00:24:19,400 --> 00:24:24,400
What I have learned is very little,

398
00:24:21,200 --> 00:24:26,200
but I was trying to basically assign some roles

399
00:24:26,200 --> 00:24:31,200
for each of the subscriptions that I'm working on.

400
00:24:31,200 --> 00:24:36,200
Do a policy assignment, Azure policy assignment.

401
00:24:34,200 --> 00:24:39,200
And what I like the most is how short it was

402
00:24:38,200 --> 00:24:43,200
to input all this.

403
00:24:40,200 --> 00:24:45,200
So it allowed me to implement a lot of security

404
00:24:44,200 --> 00:24:49,200
type of settings really fast.

405
00:24:47,200 --> 00:24:52,200
And I like re- type of command

406
00:24:50,200 --> 00:24:55,200
because it basically puts the beginning of the template

407
00:24:55,200 --> 00:25:00,200
and you have to fill up things.

408
00:24:58,200 --> 00:25:03,200
So if the listeners want, I recommend Bicep.

409
00:25:02,200 --> 00:25:07,200
I haven't played with TeraFone,

410
00:25:04,200 --> 00:25:09,200
but it's really easy to use.

411
00:25:08,200 --> 00:25:13,200
All right, so one thing you sort of touched on before

412
00:25:11,200 --> 00:25:16,200
was the sort of things that you look for

413
00:25:14,200 --> 00:25:19,200
when you're reviewing these templates.

414
00:25:17,200 --> 00:25:22,200
I mean, how do you do that?

415
00:25:18,200 --> 00:25:23,200
I mean, do you do it by hand?

416
00:25:19,200 --> 00:25:24,200
Do you have a tool to do it?

417
00:25:24,200 --> 00:25:29,200
Like you said before, you can end up with an ARM template

418
00:25:26,200 --> 00:25:31,200
or ARM templates that are thousands of lines long.

419
00:25:29,200 --> 00:25:34,200
So what's a quick way of doing that?

420
00:25:31,200 --> 00:25:36,200
Because you need to do it at scale eventually.

421
00:25:33,200 --> 00:25:38,200
So what are the best practices around that?

422
00:25:36,200 --> 00:25:41,200
So how we were doing it before

423
00:25:38,200 --> 00:25:43,200
was we would deploy the template

424
00:25:40,200 --> 00:25:45,200
and then go into Defender

425
00:25:43,200 --> 00:25:48,200
and do a review of that resource group.

426
00:25:46,200 --> 00:25:51,200
And that would then come back with,

427
00:25:48,200 --> 00:25:53,200
oh, this setting is not really ideal.

428
00:25:53,200 --> 00:25:58,200
We haven't used managed identity

429
00:25:54,200 --> 00:25:59,200
where you could have done

430
00:25:55,200 --> 00:26:00,200
or kind of highlights any kind of security risks

431
00:25:58,200 --> 00:26:03,200
and then prioritizes those.

432
00:26:00,200 --> 00:26:05,200
And what we would do is then go back

433
00:26:02,200 --> 00:26:07,200
and look at the template, make adjustments,

434
00:26:04,200 --> 00:26:09,200
deploy it again, run the audit again,

435
00:26:08,200 --> 00:26:13,200
and then see kind of what the differences were.

436
00:26:11,200 --> 00:26:16,200
So that's kind of the old way of doing it.

437
00:26:14,200 --> 00:26:19,200
There's a couple of challenges with that approach.

438
00:26:17,200 --> 00:26:22,200
I mean, the obvious one is you've deployed the infrastructure.

439
00:26:22,200 --> 00:26:27,200
The security issue that it's picked up is significant.

440
00:26:26,200 --> 00:26:31,200
I mean, we were doing that with test environments,

441
00:26:28,200 --> 00:26:33,200
so there's no exfiltration risk.

442
00:26:31,200 --> 00:26:36,200
I mean, there's no secure data on there,

443
00:26:33,200 --> 00:26:38,200
but still, you shouldn't really be deploying infrastructure

444
00:26:37,200 --> 00:26:42,200
to a public network and then seeing if it's insecure

445
00:26:40,200 --> 00:26:45,200
because that ship's kind of sailed already.

446
00:26:43,200 --> 00:26:48,200
So what we've been doing instead recently

447
00:26:45,200 --> 00:26:50,200
is using Defender for DevOps, which is in preview.

448
00:26:50,200 --> 00:26:55,200
So there's a tool called Template Analyzer.

449
00:26:53,200 --> 00:26:58,200
We've basically integrated that into our CI-CD process.

450
00:26:57,200 --> 00:27:02,200
So what we have in the repositories,

451
00:27:01,200 --> 00:27:06,200
the code repository for each of these applications

452
00:27:04,200 --> 00:27:09,200
that we're building is we've got the code,

453
00:27:07,200 --> 00:27:12,200
so the actual app itself, and then we've got a folder

454
00:27:10,200 --> 00:27:15,200
which has got all of the bicep templates.

455
00:27:13,200 --> 00:27:18,200
And then in GitHub Actions, but it works for Azure DevOps as well,

456
00:27:18,200 --> 00:27:23,200
we've got basically a workflow that would then go

457
00:27:21,200 --> 00:27:26,200
and verify that the application works,

458
00:27:24,200 --> 00:27:29,200
like runs all the tests and stuff like that.

459
00:27:27,200 --> 00:27:32,200
And then the next thing it does is runs Template Analyzer,

460
00:27:31,200 --> 00:27:36,200
and then it checks whether there are any security issues

461
00:27:34,200 --> 00:27:39,200
in the template before it has actually been deployed.

462
00:27:37,200 --> 00:27:42,200
So what that's picked up is a lot of the stuff

463
00:27:40,200 --> 00:27:45,200
which I've mentioned already,

464
00:27:42,200 --> 00:27:47,200
which is around how you're managing secrets,

465
00:27:47,200 --> 00:27:52,200
how code can be deployed,

466
00:27:50,200 --> 00:27:55,200
and then where managed identity is being used as well.

467
00:27:53,200 --> 00:27:58,200
So it actually highlights a lot of that stuff up front.

468
00:27:56,200 --> 00:28:01,200
The good thing about that is you've always got,

469
00:27:59,200 --> 00:28:04,200
in application testing, you've got this time to fix

470
00:28:03,200 --> 00:28:08,200
versus the cost of the fix.

471
00:28:05,200 --> 00:28:10,200
And the principle is the sooner you spot the bug

472
00:28:09,200 --> 00:28:14,200
after writing it, the cheaper and quicker it is to fix it.

473
00:28:14,200 --> 00:28:19,200
Make a bug in the code and you run the tests locally

474
00:28:17,200 --> 00:28:22,200
on your machine and it tells you that's broken,

475
00:28:19,200 --> 00:28:24,200
you can fix it and that takes five minutes.

476
00:28:22,200 --> 00:28:27,200
If you only discover the bug because you've shipped it

477
00:28:25,200 --> 00:28:30,200
to a million people and you have to patch it

478
00:28:28,200 --> 00:28:33,200
and ship a hot fix, that costs you a lot more money.

479
00:28:31,200 --> 00:28:36,200
So it's the same with this.

480
00:28:33,200 --> 00:28:38,200
Shift left, always cheaper, always better.

481
00:28:37,200 --> 00:28:42,200
Yeah, cheaper and faster.

482
00:28:42,200 --> 00:28:47,200
So if you have a security issue

483
00:28:45,200 --> 00:28:50,200
based on either the initial check-in of the template

484
00:28:48,200 --> 00:28:53,200
or a change, then people can make that adjustment.

485
00:28:51,200 --> 00:28:56,200
So if we've got a repository

486
00:28:54,200 --> 00:28:59,200
that's got the infrastructure defined

487
00:28:56,200 --> 00:29:01,200
and someone on the team comes in and makes a change

488
00:28:59,200 --> 00:29:04,200
to the infrastructure template,

489
00:29:01,200 --> 00:29:06,200
then the tool would run automatically

490
00:29:04,200 --> 00:29:09,200
and in their change request, in the pull request,

491
00:29:09,200 --> 00:29:15,200
they can apply, here's a link to the documentation.

492
00:29:12,200 --> 00:29:17,200
And then when you're reviewing that code change

493
00:29:15,200 --> 00:29:20,200
before even approving it and merging it in

494
00:29:18,200 --> 00:29:23,200
or even getting it anywhere near deploying it,

495
00:29:20,200 --> 00:29:25,200
you've already had a discussion about

496
00:29:23,200 --> 00:29:28,200
whether that is creating a security risk

497
00:29:27,200 --> 00:29:32,200
or if it's a false positive, then the reasons why

498
00:29:32,200 --> 00:29:37,200
and let's document that and it all gets captured

499
00:29:37,200 --> 00:29:42,200
in GitHub or alternatively within Azure DevOps.

500
00:29:42,200 --> 00:29:47,200
You know, there's actually a really good analogy here.

501
00:29:44,200 --> 00:29:49,200
I just thought about it.

502
00:29:45,200 --> 00:29:50,200
If you're deploying some resources

503
00:29:48,200 --> 00:29:53,200
and then running Microsoft Defender for cloud

504
00:29:51,200 --> 00:29:56,200
to see if you've got vulnerabilities,

505
00:29:52,200 --> 00:29:57,200
that's a lot like a dynamic analysis scan.

506
00:29:55,200 --> 00:30:00,200
But if you're actually looking at the code

507
00:29:58,200 --> 00:30:03,200
for potential issues,

508
00:30:00,200 --> 00:30:05,200
that's very similar to a static analysis scan.

509
00:30:05,200 --> 00:30:10,200
On my lifecycle, we actually require both.

510
00:30:08,200 --> 00:30:13,200
You've got to do a static analysis scan

511
00:30:09,200 --> 00:30:14,200
and a dynamic analysis scan

512
00:30:11,200 --> 00:30:16,200
because often they find different things.

513
00:30:13,200 --> 00:30:18,200
So would you recommend that people,

514
00:30:15,200 --> 00:30:20,200
even if they're, I don't know what the answer is,

515
00:30:17,200 --> 00:30:22,200
but here we go anyway,

516
00:30:19,200 --> 00:30:24,200
even if you are using Defender for DevOps,

517
00:30:21,200 --> 00:30:26,200
even if you are doing analysis

518
00:30:23,200 --> 00:30:28,200
of your infrastructure as code files,

519
00:30:27,200 --> 00:30:32,200
obviously Microsoft Defender for cloud

520
00:30:29,200 --> 00:30:34,200
is still important because there may be some things

521
00:30:34,200 --> 00:30:39,200
that the cloud can possibly pick those up.

522
00:30:36,200 --> 00:30:41,200
Both need to be done.

523
00:30:37,200 --> 00:30:42,200
And we actually kind of touched on the reason why

524
00:30:40,200 --> 00:30:45,200
a bit earlier.

525
00:30:42,200 --> 00:30:47,200
So I was saying the way the infrastructure as code works

526
00:30:45,200 --> 00:30:50,200
is the outcome should always be the same

527
00:30:47,200 --> 00:30:52,200
no matter how many times you run it.

528
00:30:49,200 --> 00:30:54,200
What it doesn't do,

529
00:30:50,200 --> 00:30:55,200
it doesn't monitor the infrastructure

530
00:30:52,200 --> 00:30:57,200
to see if there are changes.

531
00:30:54,200 --> 00:30:59,200
It only does that when you do the deployment.

532
00:30:56,200 --> 00:31:01,200
So if somebody went into the portal

533
00:31:01,200 --> 00:31:06,200
or the APIs or the Azure CLI

534
00:31:03,200 --> 00:31:08,200
and made a change which created a security risk,

535
00:31:06,200 --> 00:31:11,200
then Defender is going to pick that up.

536
00:31:09,200 --> 00:31:14,200
Alternatively, there are some more complex scenarios

537
00:31:12,200 --> 00:31:17,200
that Defender is also going to pick up.

538
00:31:14,200 --> 00:31:19,200
So there's only so many things

539
00:31:16,200 --> 00:31:21,200
that the template analyzer can do

540
00:31:18,200 --> 00:31:23,200
because it's still just looking at the template.

541
00:31:20,200 --> 00:31:25,200
It doesn't have as much context as Defender does.

542
00:31:23,200 --> 00:31:28,200
So you kind of need to use both.

543
00:31:25,200 --> 00:31:30,200
Very similar to using static code analysis

544
00:31:30,200 --> 00:31:35,200
to do application code reviews.

545
00:31:33,200 --> 00:31:38,200
You'd want to look at something statically

546
00:31:35,200 --> 00:31:40,200
and highlight that really early on,

547
00:31:37,200 --> 00:31:42,200
but you still need to have a security testing process

548
00:31:41,200 --> 00:31:46,200
to actually verify the application whilst it's running.

549
00:31:44,200 --> 00:31:49,200
Because there's only so many things

550
00:31:45,200 --> 00:31:50,200
that you can verify statically in code.

551
00:31:48,200 --> 00:31:53,200
And it's the same with templates.

552
00:31:50,200 --> 00:31:55,200
So it sounds like there might actually be

553
00:31:52,200 --> 00:31:57,200
multiple teams involved in this.

554
00:31:54,200 --> 00:31:59,200
Not just the security team, the IAC team,

555
00:31:59,200 --> 00:32:04,200
it would have to be the ones that fixed it

556
00:32:00,200 --> 00:32:05,200
because nobody likes someone else messing with their stuff.

557
00:32:03,200 --> 00:32:08,200
Are there other sort of specialties

558
00:32:06,200 --> 00:32:11,200
like would the developers get involved

559
00:32:07,200 --> 00:32:12,200
or infrastructure folks?

560
00:32:08,200 --> 00:32:13,200
I'm just kind of curious from a role-based perspective

561
00:32:11,200 --> 00:32:16,200
like what you typically see.

562
00:32:13,200 --> 00:32:18,200
What we're seeing is that the developers

563
00:32:15,200 --> 00:32:20,200
are very heavily involved in defining

564
00:32:17,200 --> 00:32:22,200
the infrastructure requirements.

565
00:32:20,200 --> 00:32:25,200
Because within the cloud,

566
00:32:23,200 --> 00:32:28,200
where everything is kind of platform as a service,

567
00:32:28,200 --> 00:32:33,200
the infrastructure components

568
00:32:29,200 --> 00:32:34,200
are actually closer to what the developer is used to doing

569
00:32:33,200 --> 00:32:38,200
rather than what a IT admin is used to doing,

570
00:32:36,200 --> 00:32:41,200
if that makes sense.

571
00:32:38,200 --> 00:32:43,200
So when you're defining what an application needs,

572
00:32:42,200 --> 00:32:47,200
you would say, okay, I've got a caching component.

573
00:32:45,200 --> 00:32:50,200
I've got the application itself.

574
00:32:47,200 --> 00:32:52,200
Which language is it running?

575
00:32:50,200 --> 00:32:55,200
What version?

576
00:32:51,200 --> 00:32:56,200
And then within the database,

577
00:32:56,200 --> 00:33:01,200
I'm just looking at the development of the infrastructure.

578
00:32:59,200 --> 00:33:04,200
So how am I configuring it?

579
00:33:01,200 --> 00:33:06,200
What performance requirements do I have?

580
00:33:04,200 --> 00:33:09,200
So a lot of that,

581
00:33:06,200 --> 00:33:11,200
the developer would have specific expertise in that.

582
00:33:09,200 --> 00:33:14,200
Then you've got more of a solution design

583
00:33:11,200 --> 00:33:16,200
and solution architecture role,

584
00:33:14,200 --> 00:33:19,200
which is looking at, okay,

585
00:33:16,200 --> 00:33:21,200
what are the requirements of the infrastructure

586
00:33:18,200 --> 00:33:23,200
in terms of performance and scalability,

587
00:33:23,200 --> 00:33:28,200
and then you've got the security aspect as well.

588
00:33:26,200 --> 00:33:31,200
So actually looking at the infrastructure

589
00:33:28,200 --> 00:33:33,200
and saying, okay, for that design,

590
00:33:31,200 --> 00:33:36,200
what security risks could we have?

591
00:33:33,200 --> 00:33:38,200
How are we mitigating them?

592
00:33:35,200 --> 00:33:40,200
And where are we doing that?

593
00:33:36,200 --> 00:33:41,200
The thing I really like about Bicep,

594
00:33:38,200 --> 00:33:43,200
if you're working with Bicep,

595
00:33:39,200 --> 00:33:44,200
is that a Bicep template in VS Code,

596
00:33:43,200 --> 00:33:48,200
so if you're using Visual Studio Code

597
00:33:45,200 --> 00:33:50,200
with the Bicep extension,

598
00:33:47,200 --> 00:33:52,200
when you're running a template,

599
00:33:52,200 --> 00:33:57,200
it's a lot easier.

600
00:33:55,200 --> 00:34:00,200
One is it's got a visualization tool,

601
00:33:57,200 --> 00:34:02,200
so it'll actually draw a infrastructure diagram

602
00:34:00,200 --> 00:34:05,200
of everything that's in the template automatically.

603
00:34:02,200 --> 00:34:07,200
So that's a really easy way of sharing with people,

604
00:34:05,200 --> 00:34:10,200
okay, this is what the infrastructure would look like,

605
00:34:07,200 --> 00:34:12,200
and then annotating that.

606
00:34:09,200 --> 00:34:14,200
Something else that you can do is,

607
00:34:11,200 --> 00:34:16,200
if you've got a piece of infrastructure

608
00:34:13,200 --> 00:34:18,200
that you want to turn into a template,

609
00:34:15,200 --> 00:34:20,200
instead of doing the entire resource group,

610
00:34:20,200 --> 00:34:25,200
you can say, can I just give you

611
00:34:22,200 --> 00:34:27,200
a specific resource in Azure,

612
00:34:24,200 --> 00:34:29,200
and can you create the template for just that?

613
00:34:27,200 --> 00:34:32,200
So for example, you've got Redis in Azure,

614
00:34:30,200 --> 00:34:35,200
which is a caching service,

615
00:34:32,200 --> 00:34:37,200
then you'd say, okay,

616
00:34:33,200 --> 00:34:38,200
I've actually got one of those running,

617
00:34:35,200 --> 00:34:40,200
I know that it's configured properly,

618
00:34:36,200 --> 00:34:41,200
so you can go from VS Code

619
00:34:38,200 --> 00:34:43,200
and say, okay, import that into my template.

620
00:34:40,200 --> 00:34:45,200
So yeah, that's kind of how

621
00:34:42,200 --> 00:34:47,200
the teams can start to work together

622
00:34:43,200 --> 00:34:48,200
is actually to review the templates

623
00:34:48,200 --> 00:34:53,200
and then to do the process,

624
00:34:50,200 --> 00:34:55,200
but the visualization tool

625
00:34:51,200 --> 00:34:56,200
was a nice way of kind of

626
00:34:53,200 --> 00:34:58,200
starting that conversation.

627
00:34:55,200 --> 00:35:00,200
Yeah, that sounds pretty slick.

628
00:34:56,200 --> 00:35:01,200
So before you gave us four or five examples

629
00:35:00,200 --> 00:35:05,200
of the kinds of things you look for,

630
00:35:02,200 --> 00:35:07,200
from my perspective, number one is always secrets.

631
00:35:05,200 --> 00:35:10,200
I'm always looking for secrets in anything,

632
00:35:07,200 --> 00:35:12,200
whether it's code or configuration files or whatever.

633
00:35:10,200 --> 00:35:15,200
But what about networking?

634
00:35:15,200 --> 00:35:21,200
The most common one that we come across is

635
00:35:18,200 --> 00:35:23,200
how the application code talks to a backend service

636
00:35:23,200 --> 00:35:28,200
like the database.

637
00:35:24,200 --> 00:35:29,200
So if you have a software-defined database

638
00:35:27,200 --> 00:35:32,200
like Azure SQL, Azure Database with Postgres or MySQL,

639
00:35:32,200 --> 00:35:37,200
or even Cosmos and Cosmos for Postgres,

640
00:35:35,200 --> 00:35:40,200
they're all kind of similar,

641
00:35:36,200 --> 00:35:41,200
you need a way over the network

642
00:35:41,200 --> 00:35:46,200
to connect to that database.

643
00:35:43,200 --> 00:35:48,200
And Azure's got its own networking infrastructure,

644
00:35:46,200 --> 00:35:51,200
so it can connect automatically to any database,

645
00:35:50,200 --> 00:35:55,200
but you don't necessarily want the database server

646
00:35:52,200 --> 00:35:57,200
to allow connections from absolutely everybody

647
00:35:56,200 --> 00:36:01,200
on the internet.

648
00:35:57,200 --> 00:36:02,200
It does have a layer 7 firewall.

649
00:36:00,200 --> 00:36:05,200
It's also got Azure SQL

650
00:36:02,200 --> 00:36:07,200
and Azure Database with Postgres and MySQL.

651
00:36:05,200 --> 00:36:10,200
Both have throttling capabilities,

652
00:36:10,200 --> 00:36:15,200
so if it does try and attack it

653
00:36:12,200 --> 00:36:17,200
to work out credentials, for example,

654
00:36:14,200 --> 00:36:19,200
it will throttle that over time.

655
00:36:16,200 --> 00:36:21,200
However, if somebody created a credential

656
00:36:20,200 --> 00:36:25,200
with some really weak username and password,

657
00:36:24,200 --> 00:36:29,200
then you've still got that on the internet

658
00:36:26,200 --> 00:36:31,200
and potentially you've got a big exfiltration risk.

659
00:36:30,200 --> 00:36:35,200
So what you should do in practice is make sure

660
00:36:34,200 --> 00:36:39,200
that only the application can connect to the database

661
00:36:39,200 --> 00:36:44,200
and try to authenticate.

662
00:36:41,200 --> 00:36:46,200
And the way that that should be done,

663
00:36:42,200 --> 00:36:47,200
it will be using a virtual network or a VNet.

664
00:36:45,200 --> 00:36:50,200
So in the template, you should define for your database

665
00:36:50,200 --> 00:36:55,200
that it is exposed on a VNet,

666
00:36:53,200 --> 00:36:58,200
and the only other thing which is on that VNet

667
00:36:55,200 --> 00:37:00,200
is the application which needs to connect to the database.

668
00:36:58,200 --> 00:37:03,200
The complication there is that developers sometimes

669
00:37:02,200 --> 00:37:07,200
want to connect to the database via

670
00:37:07,200 --> 00:37:12,200
a video or one of the Postgres management tools

671
00:37:10,200 --> 00:37:15,200
directly from their home computer or the office computer.

672
00:37:14,200 --> 00:37:19,200
So you've got to work out whether you want to put a gateway

673
00:37:18,200 --> 00:37:23,200
in there like a VPN or add a specific firewall role

674
00:37:23,200 --> 00:37:28,200
to NAT them in.

675
00:37:25,200 --> 00:37:30,200
But what I often see is that people just put Azure SQL

676
00:37:30,200 --> 00:37:35,200
or Postgres on the public internet

677
00:37:35,200 --> 00:37:40,200
and the portal that says allow all Azure IPs.

678
00:37:37,200 --> 00:37:42,200
Now that doesn't just mean for their tenant

679
00:37:41,200 --> 00:37:46,200
or even for their subscription,

680
00:37:43,200 --> 00:37:48,200
it means everybody who is on Azure.

681
00:37:45,200 --> 00:37:50,200
So basically that's opening yourself up to additional risk.

682
00:37:49,200 --> 00:37:54,200
So that's kind of one of the big network security issues

683
00:37:52,200 --> 00:37:57,200
I kind of see in the templates.

684
00:37:54,200 --> 00:37:59,200
So, Antoni, as a summary,

685
00:37:57,200 --> 00:38:02,200
can you provide some capabilities that can be implemented

686
00:38:02,200 --> 00:38:07,200
in infrastructure as code

687
00:38:04,200 --> 00:38:09,200
in order to better the security of the infrastructure?

688
00:38:08,200 --> 00:38:13,200
Yeah, absolutely.

689
00:38:09,200 --> 00:38:14,200
So I think if an application is self-contained,

690
00:38:14,200 --> 00:38:19,200
then the infrastructure template should include

691
00:38:18,200 --> 00:38:23,200
the service principles, the identities,

692
00:38:21,200 --> 00:38:26,200
and also the role permissions that are required

693
00:38:24,200 --> 00:38:29,200
for each of the components to be able to authenticate

694
00:38:26,200 --> 00:38:31,200
and connect with each other.

695
00:38:31,200 --> 00:38:36,200
So the code is it's all isolated

696
00:38:34,200 --> 00:38:39,200
and when you're looking at that and auditing that

697
00:38:36,200 --> 00:38:41,200
in the future, it's clear all of these role assignments

698
00:38:39,200 --> 00:38:44,200
belong to this application

699
00:38:41,200 --> 00:38:46,200
and this is the boundary of that application.

700
00:38:43,200 --> 00:38:48,200
So you're not having people manually doing role assignments

701
00:38:46,200 --> 00:38:51,200
and then you've got to all of a sudden

702
00:38:49,200 --> 00:38:54,200
worry about the configuration and auditing that.

703
00:38:51,200 --> 00:38:56,200
So if you want to have policies within your organization

704
00:38:55,200 --> 00:39:00,200
that say, okay, we definitely need these auditing features enabled,

705
00:39:00,200 --> 00:39:05,200
we're going to have only these kind of minimal role assignments,

706
00:39:04,200 --> 00:39:09,200
then you can put that stuff in the template

707
00:39:06,200 --> 00:39:11,200
and then whenever that template is deployed,

708
00:39:09,200 --> 00:39:14,200
you've already got all of your best practices,

709
00:39:11,200 --> 00:39:16,200
not just the ones that we at Microsoft define,

710
00:39:14,200 --> 00:39:19,200
but also the ones that you've got within your org.

711
00:39:16,200 --> 00:39:21,200
You've automatically got that stuff deployed and running.

712
00:39:20,200 --> 00:39:25,200
So you've basically rolled out your best practices

713
00:39:23,200 --> 00:39:28,200
from the beginning

714
00:39:24,200 --> 00:39:29,200
and it makes review a lot easier down the track.

715
00:39:29,200 --> 00:39:34,200
Anthony, one thing that we always ask our guests

716
00:39:33,200 --> 00:39:38,200
at the end of the episode is if you had just one

717
00:39:35,200 --> 00:39:40,200
little final thought you would leave our listeners with,

718
00:39:38,200 --> 00:39:43,200
what would it be?

719
00:39:40,200 --> 00:39:45,200
I'd recommend you check out the template analyzer tool

720
00:39:43,200 --> 00:39:48,200
in Defender for DevOps, which is in preview.

721
00:39:46,200 --> 00:39:51,200
It's a free tool, it's open source.

722
00:39:48,200 --> 00:39:53,200
Have a go with it, run it over some of your templates

723
00:39:50,200 --> 00:39:55,200
and then have a look at the results.

724
00:39:52,200 --> 00:39:57,200
That's my recommendation.

725
00:39:57,200 --> 00:40:02,200
Thank you so much for joining us this week.

726
00:39:59,200 --> 00:40:04,200
Always learn a lot on every single episode

727
00:40:01,200 --> 00:40:06,200
and this was absolutely, learned a great deal.

728
00:40:04,200 --> 00:40:09,200
I know all of us did.

729
00:40:06,200 --> 00:40:11,200
It's actually kind of interesting also from my perspective

730
00:40:08,200 --> 00:40:13,200
being a developer, Mark and Gladys,

731
00:40:10,200 --> 00:40:15,200
mainly being infrastructure folks,

732
00:40:12,200 --> 00:40:17,200
don't mean to offend anybody,

733
00:40:13,200 --> 00:40:18,200
but it's interesting that you're sort of stuck in the middle.

734
00:40:15,200 --> 00:40:20,200
But that's good to see, right?

735
00:40:17,200 --> 00:40:22,200
I mean, we're seeing the world move to using

736
00:40:19,200 --> 00:40:24,200
these development tools for managing their infrastructure.

737
00:40:24,200 --> 00:40:29,200
Thank you so much for joining us

738
00:40:25,200 --> 00:40:30,200
and to all our listeners out there.

739
00:40:27,200 --> 00:40:32,200
Thank you so much for joining us.

740
00:40:29,200 --> 00:40:34,200
Take care and we'll see you next time.

741
00:40:31,200 --> 00:40:36,200
Thanks for listening to the Azure Security Podcast.

742
00:40:33,200 --> 00:40:38,200
You can find show notes and other resources

743
00:40:36,200 --> 00:40:41,200
at our website, azsecuritypodcast.net.

744
00:40:40,200 --> 00:40:45,200
If you have any questions, please find us on Twitter

745
00:40:43,200 --> 00:40:48,200
at Azure Setpod.

746
00:40:45,200 --> 00:40:50,200
Background music is from ccmixtor.com

747
00:40:50,200 --> 00:40:56,200
and we'll see you next time on Azure Security Podcasts.