1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,800
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,800 --> 00:00:15,680
Hey, everybody.

4
00:00:15,680 --> 00:00:18,020
Welcome to episode 78.

5
00:00:18,020 --> 00:00:21,320
This week is just myself, Michael and Gladys.

6
00:00:21,320 --> 00:00:25,360
Mark is busy this morning and Sarah is no longer in Singapore.

7
00:00:25,360 --> 00:00:29,320
She's actually in Norway this week at the NDC conference, which is a software developer

8
00:00:29,320 --> 00:00:30,320
conference.

9
00:00:30,320 --> 00:00:32,400
And with us this week, we have two guests.

10
00:00:32,400 --> 00:00:36,860
We have Marcelo and Neil, who are here to talk to us about the latest and greatest news

11
00:00:36,860 --> 00:00:39,160
in entry permissions management.

12
00:00:39,160 --> 00:00:42,400
But before we get to our guests, why don't we take a little lap around the news.

13
00:00:42,400 --> 00:00:44,200
Gladys, why don't you kick things off?

14
00:00:44,200 --> 00:00:50,680
I wanted to talk a little bit about things that we were discussing yesterday in Build.

15
00:00:50,680 --> 00:00:56,960
I don't know if a lot of people had time to watch it, but there was a lot of awesome news

16
00:00:56,960 --> 00:00:57,960
in there.

17
00:00:57,960 --> 00:01:03,800
In particular, the co-pilot type of services that we are providing.

18
00:01:03,800 --> 00:01:11,640
As we know, the volume and velocity of attacks require us to continuously create new ways

19
00:01:11,640 --> 00:01:18,200
to enable defenders to disrupt attackers' infiltration attempts.

20
00:01:18,200 --> 00:01:24,920
By bringing together a set of capabilities, whether it is Microsoft or different partners,

21
00:01:24,920 --> 00:01:31,680
this cross-service collaboration enables a lot of knowledge to be captured.

22
00:01:31,680 --> 00:01:40,360
Coupling these signals together with, we keep talking about the over 65 trillion daily signals

23
00:01:40,360 --> 00:01:48,520
that Microsoft has as part of the threat intelligence and the power of AI, Microsoft is enabling

24
00:01:48,520 --> 00:01:53,580
defense of the machine and speed and scale.

25
00:01:53,580 --> 00:01:58,240
So this technology elevates the human strengths.

26
00:01:58,240 --> 00:02:04,120
We have to understand that security co-pilot doesn't always get everything right.

27
00:02:04,120 --> 00:02:10,080
AI-generated content can always contain mistakes.

28
00:02:10,080 --> 00:02:16,600
But since security co-pilot is a closed-loop learning system, which means it is continuously

29
00:02:16,600 --> 00:02:25,000
learning from users and giving them the opportunity to give explicit feedback, it is continuously

30
00:02:25,000 --> 00:02:27,800
improving.

31
00:02:27,800 --> 00:02:33,800
With security co-pilot, basically you have a prompt bar and you could ask in natural

32
00:02:33,800 --> 00:02:40,760
language questions such as, are there incidents in my enterprise that provide me a summary

33
00:02:40,760 --> 00:02:44,320
of a particular vulnerability and so on.

34
00:02:44,320 --> 00:02:48,600
So there's a lot of information and a lot of videos that we're providing as part of

35
00:02:48,600 --> 00:02:49,600
Build.

36
00:02:49,600 --> 00:02:57,560
I'd recommend going either to our website that we have some links to the demos and the

37
00:02:57,560 --> 00:03:03,200
content or go to the Build website and watch the videos.

38
00:03:03,200 --> 00:03:10,080
The next thing that I wanted to talk about is protected actions in Azure AD.

39
00:03:10,080 --> 00:03:13,720
They're in preview, this feature.

40
00:03:13,720 --> 00:03:19,680
Something that an administrator wants to update the conditional access policies.

41
00:03:19,680 --> 00:03:26,640
You want to make sure that that administrator is not compromised or has not been hit by

42
00:03:26,640 --> 00:03:28,560
phishing attack.

43
00:03:28,560 --> 00:03:36,480
So now there's capability to first make sure that the administrator satisfied the phishing

44
00:03:36,480 --> 00:03:40,280
resistant MFA policy.

45
00:03:40,280 --> 00:03:46,000
In other words, they are using a stronger authentication methods like FIDO2 and Windows

46
00:03:46,000 --> 00:03:47,320
Hello.

47
00:03:47,320 --> 00:03:54,800
So now you have the capability to enforce that before they are able to make changes.

48
00:03:54,800 --> 00:03:59,960
And last, again, if you didn't have time to attend to the Build, go and do so.

49
00:03:59,960 --> 00:04:06,000
There's a lot of announcement, especially about Microsoft Entra capabilities, some of

50
00:04:06,000 --> 00:04:09,120
which we're going to discuss in a little bit.

51
00:04:09,120 --> 00:04:13,720
Yeah, it's funny, I was watching the broadcast yesterday from Microsoft Build and there's

52
00:04:13,720 --> 00:04:16,600
one figure that stood out to me.

53
00:04:16,600 --> 00:04:23,160
Scott Guthrie quoted that 46% of new code these days is written using AI.

54
00:04:23,160 --> 00:04:24,420
I absolutely believe that.

55
00:04:24,420 --> 00:04:29,000
Just looking at customers that I'm working with and also just people that I interact

56
00:04:29,000 --> 00:04:34,520
with on a daily basis, a lot of people are using the likes of ChatGPT and GitHub Copilot

57
00:04:34,520 --> 00:04:39,720
and Visual Studio Copilot to help them write just little bits of code or little snippets

58
00:04:39,720 --> 00:04:43,040
of code that take a lot of drudgery away.

59
00:04:43,040 --> 00:04:45,480
So that's a very interesting figure.

60
00:04:45,480 --> 00:04:51,840
Also, just if anyone's interested, I actually recorded a couple of videos for Build on SQL

61
00:04:51,840 --> 00:04:55,580
Server and Azure SQL Database, obviously around security.

62
00:04:55,580 --> 00:04:59,280
One is on basically threat modeling and how to build threat models around SQL Server and

63
00:04:59,280 --> 00:05:00,280
Azure SQL Database.

64
00:05:00,280 --> 00:05:05,200
The other one is all the cryptographic controls that are available in both Azure SQL Database

65
00:05:05,200 --> 00:05:07,720
and in SQL Server.

66
00:05:07,720 --> 00:05:14,600
But onto my news, first one is that Ledger is now in preview in Azure SQL Managed Instance.

67
00:05:14,600 --> 00:05:22,160
Ledger is the way that we can provide cryptographic guarantees around the integrity of data.

68
00:05:22,160 --> 00:05:23,960
That's why it's called Ledger.

69
00:05:23,960 --> 00:05:27,200
It's somewhat similar in the way it works with blockchain, but it's symmetric algorithms

70
00:05:27,200 --> 00:05:29,000
rather than asymmetric.

71
00:05:29,000 --> 00:05:33,440
And so the actual security guarantees actually come from using immutable storage at the backend

72
00:05:33,440 --> 00:05:36,640
for the series of hashes, which is called a Merkle tree.

73
00:05:36,640 --> 00:05:39,640
So that's available in preview today.

74
00:05:39,640 --> 00:05:47,320
Also in preview is Red Hat Enterprise Linux 9.2 is now supported on AMD confidential VMs.

75
00:05:47,320 --> 00:05:51,840
We talked about AZZI confidential VMs some weeks ago, but the nice thing is you can now

76
00:05:51,840 --> 00:05:57,240
run this instance of the operating system in one of these confidential VMs where the

77
00:05:57,240 --> 00:06:02,460
root of trust is all the way down into the actual chip, into the CPU itself, and no one

78
00:06:02,460 --> 00:06:10,160
has access within Azure or Microsoft has access to the internals of your confidential VMs.

79
00:06:10,160 --> 00:06:15,140
Everything that runs in there is isolated and encrypted while it's running.

80
00:06:15,140 --> 00:06:21,000
On the topic of confidential VMs, we now have the ability to support Azure Data Explorer.

81
00:06:21,000 --> 00:06:27,640
Very, very early on in the podcast, we actually talked to the folks who run Azure Data Explorer

82
00:06:27,640 --> 00:06:28,640
or ADX.

83
00:06:28,640 --> 00:06:35,120
And it's essentially a more cost efficient way of storing log analytics data.

84
00:06:35,120 --> 00:06:39,040
The nice thing about ADX as well is that it's your data, right?

85
00:06:39,040 --> 00:06:40,680
You can store it in your own storage accounts.

86
00:06:40,680 --> 00:06:47,560
Well, now you can use AMD confidential VMs to store that data and run the code that queries

87
00:06:47,560 --> 00:06:48,560
that data.

88
00:06:48,560 --> 00:06:53,720
So that way, if you've got confidential log data, again, the trust bound is all the way

89
00:06:53,720 --> 00:06:55,440
down into the CPU.

90
00:06:55,440 --> 00:06:58,120
So Azure operators don't have access to it at all.

91
00:06:58,120 --> 00:07:04,240
Still on the topic of confidential computing, we now have in general availability.

92
00:07:04,240 --> 00:07:09,600
We talked about this being in preview prior to this, but confidential containers in Azure

93
00:07:09,600 --> 00:07:11,780
container instances are now supported.

94
00:07:11,780 --> 00:07:15,780
So again, you can now run your containers in what's called the trusted execution environment.

95
00:07:15,780 --> 00:07:21,320
And once again, the router trust is all the way down into the CPU.

96
00:07:21,320 --> 00:07:26,880
Second to last one is Azure Key Vault access configuration has been updated.

97
00:07:26,880 --> 00:07:29,080
We're now preferring the Azure RBAC model.

98
00:07:29,080 --> 00:07:33,600
Now, if you're not familiar, Key Vault actually supports two access control models.

99
00:07:33,600 --> 00:07:37,040
The historical one, like the old one, which is called the Key Vault access model.

100
00:07:37,040 --> 00:07:41,320
The granularity was at either keys or certificates or secrets.

101
00:07:41,320 --> 00:07:42,320
And that was it.

102
00:07:42,320 --> 00:07:47,000
So you could put a policy on an individual key, for example.

103
00:07:47,000 --> 00:07:51,040
With Azure Key Vault RBAC, you can.

104
00:07:51,040 --> 00:07:52,840
And so that is now the preferred model.

105
00:07:52,840 --> 00:07:56,200
We're recommending that for multiple reasons.

106
00:07:56,200 --> 00:08:02,240
So for example, the central access management for admins, integration with privileged identity

107
00:08:02,240 --> 00:08:06,640
management, deny assignments, much more stringent access permissions.

108
00:08:06,640 --> 00:08:08,440
So it's really good to see that.

109
00:08:08,440 --> 00:08:15,080
And I would definitely prefer that over the original and frankly old Key Vault access

110
00:08:15,080 --> 00:08:16,080
model.

111
00:08:16,080 --> 00:08:19,840
And the last one, which really caught my eye from yesterday, one of the announcements

112
00:08:19,840 --> 00:08:23,320
at Build was Azure content safety.

113
00:08:23,320 --> 00:08:29,200
And so this is available as part of Azure AI as a new service.

114
00:08:29,200 --> 00:08:36,160
And it will do things like analysis of content to basically give you a reading as to how

115
00:08:36,160 --> 00:08:38,960
potentially unsafe this content is.

116
00:08:38,960 --> 00:08:46,320
So for example, racial slurs, sexual content, violence, self-harm, hate, all that sort of

117
00:08:46,320 --> 00:08:47,320
stuff.

118
00:08:47,320 --> 00:08:48,880
And so it will flag that for you.

119
00:08:48,880 --> 00:08:49,880
All right.

120
00:08:49,880 --> 00:08:51,520
So now I've got the news out of the way.

121
00:08:51,520 --> 00:08:53,960
Let's turn our attention to our guests.

122
00:08:53,960 --> 00:08:57,520
As I mentioned at the beginning, we have two guests, Neil and Marcelo, who are here to

123
00:08:57,520 --> 00:09:00,440
talk to us about entry permissions management.

124
00:09:00,440 --> 00:09:01,760
Gentlemen, welcome to the podcast.

125
00:09:01,760 --> 00:09:05,400
If you'd like to take a moment, would each of you like to introduce yourself to our listeners?

126
00:09:05,400 --> 00:09:06,400
Thanks, Michael.

127
00:09:06,400 --> 00:09:08,680
My name is Neil Walker.

128
00:09:08,680 --> 00:09:12,440
I'm on the Intra Global Black Belt team at Microsoft.

129
00:09:12,440 --> 00:09:15,320
I'm based just outside of the Boston area.

130
00:09:15,320 --> 00:09:18,760
I've been with Microsoft for just about two years now.

131
00:09:18,760 --> 00:09:23,800
And I came to Microsoft from a company called Cloud Knox Security, where I was the director

132
00:09:23,800 --> 00:09:26,360
of solutions architects there.

133
00:09:26,360 --> 00:09:29,660
And I came to Microsoft via the acquisition of Cloud Knox.

134
00:09:29,660 --> 00:09:32,200
So Michael, I appreciate you having me in this morning.

135
00:09:32,200 --> 00:09:33,200
Hello, everyone.

136
00:09:33,200 --> 00:09:35,600
Thank you for the invitation, first of all.

137
00:09:35,600 --> 00:09:37,040
Well, I'm Marcelo Di Iorio.

138
00:09:37,040 --> 00:09:39,200
I'm like Neil.

139
00:09:39,200 --> 00:09:43,160
We have the same role, different regions and countries.

140
00:09:43,160 --> 00:09:47,080
I joined Microsoft in 2008 when I was in Argentina.

141
00:09:47,080 --> 00:09:48,440
I'm now in Spain.

142
00:09:48,440 --> 00:09:50,000
I'm living in Madrid.

143
00:09:50,000 --> 00:09:52,640
I went through different roles during these years.

144
00:09:52,640 --> 00:09:56,880
But yeah, I'm now working as a GBB for entry permissions management.

145
00:09:56,880 --> 00:10:02,960
Guys, can you tell us a little bit about Microsoft entry permissions management?

146
00:10:02,960 --> 00:10:05,680
We have spoken a little bit before.

147
00:10:05,680 --> 00:10:06,680
Sure.

148
00:10:06,680 --> 00:10:12,600
So entry permissions management is, I mean, you know, to throw another acronym into the

149
00:10:12,600 --> 00:10:13,720
acronym stew, right?

150
00:10:13,720 --> 00:10:16,600
It's Cloud Infrastructure Entitlement Management.

151
00:10:16,600 --> 00:10:19,740
So CIEM is a multi-cloud offering.

152
00:10:19,740 --> 00:10:22,560
So we're not just an Azure solution, right?

153
00:10:22,560 --> 00:10:25,800
This covers Azure, AWS, Google Cloud today.

154
00:10:25,800 --> 00:10:29,160
And ultimately, what we're striving to do, what we're striving to draw out of customers'

155
00:10:29,160 --> 00:10:31,440
environments is activity, right?

156
00:10:31,440 --> 00:10:35,600
So we're looking at those AWS, Azure, Google Cloud environments.

157
00:10:35,600 --> 00:10:40,880
And we want to be able to provide a unified view and highlight every action performed

158
00:10:40,880 --> 00:10:43,840
by every identity against every resource, right?

159
00:10:43,840 --> 00:10:48,620
We want to do that by looking at some of that historical activity.

160
00:10:48,620 --> 00:10:53,480
So when we talk about the use cases, right, remember, we're doing a look back into all

161
00:10:53,480 --> 00:10:56,800
of that historical activity that these identities have utilized.

162
00:10:56,800 --> 00:11:02,160
So when we draw out some of those use cases, we're going to show use cases that really

163
00:11:02,160 --> 00:11:08,720
revolve around things like excessively permissioned identities, inactive identities, super identities,

164
00:11:08,720 --> 00:11:09,720
right?

165
00:11:09,720 --> 00:11:14,480
So we categorize all of these findings that we draw out by doing an analysis of all of

166
00:11:14,480 --> 00:11:15,480
the historical activity.

167
00:11:15,480 --> 00:11:20,440
And we make recommendations as to how you can effectively least privilege these identities

168
00:11:20,440 --> 00:11:21,940
in the environment, right?

169
00:11:21,940 --> 00:11:27,080
So at a higher level, right, you'll hear me constantly emphasize that we're modeling activity,

170
00:11:27,080 --> 00:11:28,080
right?

171
00:11:28,080 --> 00:11:32,760
That's what's different about cloud infrastructure entitlement management, that it's not just,

172
00:11:32,760 --> 00:11:34,800
you know, from a zero trust perspective, right?

173
00:11:34,800 --> 00:11:40,300
When we think about least privilege, our perspective is, well, how can you have least privilege

174
00:11:40,300 --> 00:11:43,860
if you're not actually focusing on what's been used, right?

175
00:11:43,860 --> 00:11:49,120
If Michael has a high risk permission that he's never used, why does he have it?

176
00:11:49,120 --> 00:11:51,160
How could he be least privileged, right?

177
00:11:51,160 --> 00:11:56,440
So from our standpoint, again, you'll hear Marcelo and myself talk about and emphasize

178
00:11:56,440 --> 00:12:01,600
the use of these activity-based insights to make the recommendations in EPM.

179
00:12:01,600 --> 00:12:05,920
One thing that I would like to add is that a typical question from customers when we

180
00:12:05,920 --> 00:12:12,200
explain or when we do these kind of introductions to a solution is that, are you going to replace

181
00:12:12,200 --> 00:12:16,480
PIM or is this going to replace PIM, I mean, privilege identity management?

182
00:12:16,480 --> 00:12:19,120
And the answer is no.

183
00:12:19,120 --> 00:12:21,600
These are very different solutions.

184
00:12:21,600 --> 00:12:26,840
I mean, first of all, PIM is not multi-cloud as EPM is.

185
00:12:26,840 --> 00:12:30,880
And the second is that even when you can do things like, for example, you can create custom

186
00:12:30,880 --> 00:12:37,200
roles with custom permissions, PIM is not multi-cloud and you don't have an easy way

187
00:12:37,200 --> 00:12:42,320
to have visibility on the permissions that you are using from those custom roles.

188
00:12:42,320 --> 00:12:47,040
And that's where you can benefit from EPM.

189
00:12:47,040 --> 00:12:52,320
So this, I would say this is the typical question from customers and these are the main differences

190
00:12:52,320 --> 00:12:55,760
between these two solutions.

191
00:12:55,760 --> 00:13:03,200
When I look at permissions management, I start kind of getting overwhelmed and I'm like,

192
00:13:03,200 --> 00:13:08,360
okay, in the past, this has taken a lot of effort.

193
00:13:08,360 --> 00:13:15,240
So can you tell us how would you go into reducing those permissions?

194
00:13:15,240 --> 00:13:24,200
And maybe even talk how we interface with other services that Microsoft has.

195
00:13:24,200 --> 00:13:27,200
Neil, do you want to go first?

196
00:13:27,200 --> 00:13:29,920
Yeah, no, I can take that.

197
00:13:29,920 --> 00:13:34,040
So from a least privilege perspective, when we make recommendations around how we would

198
00:13:34,040 --> 00:13:38,860
actually go about least privileging, and I know Gladys, you framed this in the context

199
00:13:38,860 --> 00:13:43,260
of if we're going to least privilege a user or a group, keep in mind this extends way

200
00:13:43,260 --> 00:13:44,520
beyond human identities.

201
00:13:44,520 --> 00:13:47,840
I just want to make sure that we emphasize that as well.

202
00:13:47,840 --> 00:13:49,560
This isn't just human identities.

203
00:13:49,560 --> 00:13:55,760
We're looking at service principles, managed identities, applications, AWS roles, Lambda

204
00:13:55,760 --> 00:13:57,440
functions, GCP service accounts.

205
00:13:57,440 --> 00:14:02,040
We look at all of the identities and we're looking at those historical usage patterns.

206
00:14:02,040 --> 00:14:06,920
So when we talk about least privilege, one of the remediation strategies, and again,

207
00:14:06,920 --> 00:14:12,240
this is just one strategy that you can take, is when you look at, let's just take a managed

208
00:14:12,240 --> 00:14:14,040
identity for example.

209
00:14:14,040 --> 00:14:19,160
In a lot of cases and a lot of use cases, those identities should have really a fixed

210
00:14:19,160 --> 00:14:22,000
set of permissions that they're using on a recurring basis.

211
00:14:22,000 --> 00:14:25,660
In certain use cases, those permissions may not change.

212
00:14:25,660 --> 00:14:31,120
So when you look at those identities and we talk about least privileging, if we look at

213
00:14:31,120 --> 00:14:36,360
the activity, we look at those usage patterns of the identity and we see that they have

214
00:14:36,360 --> 00:14:39,440
high risk permissions assigned that they've never used.

215
00:14:39,440 --> 00:14:43,960
When we talk about least privilege, what we can do, one of the steps that we can do is

216
00:14:43,960 --> 00:14:47,440
that we can look at the actual activity that they've used over time.

217
00:14:47,440 --> 00:14:52,400
So for example, we can do a 90 day look back, look at what the identity has actually been

218
00:14:52,400 --> 00:14:59,200
using, take that activity and create a role with just those permissions that they've actually

219
00:14:59,200 --> 00:15:00,200
been using.

220
00:15:00,200 --> 00:15:06,000
And we can do that with various levels of automation that we can talk a little bit further

221
00:15:06,000 --> 00:15:10,480
down the road in the conversation around what remediation looks like.

222
00:15:10,480 --> 00:15:14,240
But from a least privilege standpoint, it's whether you're looking at a user, a group,

223
00:15:14,240 --> 00:15:18,960
a service account, an AWS role, a resource, regardless of what you're looking at, one

224
00:15:18,960 --> 00:15:24,480
of the strategies and technologies that we'll provide is take the activity, basically take

225
00:15:24,480 --> 00:15:29,920
the use permissions that we've seen used over time, create a custom policy or role, depending

226
00:15:29,920 --> 00:15:34,360
on what cloud we're looking at, and be able to effectively least privilege the identity

227
00:15:34,360 --> 00:15:36,240
with that strategy.

228
00:15:36,240 --> 00:15:43,440
Just one interesting thing that I used to explain as part of what Neil was saying is

229
00:15:43,440 --> 00:15:49,280
that you can, of course, create roles, custom roles with your specific permissions or the

230
00:15:49,280 --> 00:15:50,840
permissions that you need to use.

231
00:15:50,840 --> 00:15:55,960
And of course, you can apply these to human, non-human identities, et cetera.

232
00:15:55,960 --> 00:15:59,200
But we also have something called templates.

233
00:15:59,200 --> 00:16:04,960
And I used to explain about this when we go through these permissions on demand or just

234
00:16:04,960 --> 00:16:06,560
in time capabilities.

235
00:16:06,560 --> 00:16:13,640
It's basically about doing requests for permissions that you may need.

236
00:16:13,640 --> 00:16:18,640
I mean, templates in this case, which are similar to roles, I would say.

237
00:16:18,640 --> 00:16:23,880
But the main difference, let's say, is that when you create a template, that template

238
00:16:23,880 --> 00:16:30,320
is going to be part of like a library that you have in the solution on EPM, and that

239
00:16:30,320 --> 00:16:33,880
you can use as part of your requests when you request something.

240
00:16:33,880 --> 00:16:38,720
For example, you can create a template that contains the permissions that you need for

241
00:16:38,720 --> 00:16:41,520
everything related to virtual machines deletion.

242
00:16:41,520 --> 00:16:47,120
Let's say that someone from your organization deletes virtual machines on a monthly basis,

243
00:16:47,120 --> 00:16:48,120
for instance.

244
00:16:48,120 --> 00:16:55,200
Well, this user can request these, or you can create a request for these, for example,

245
00:16:55,200 --> 00:17:00,560
to assign this template to the user on a specific day and time.

246
00:17:00,560 --> 00:17:06,120
For example, if the user is going to delete virtual machines every Friday morning, for

247
00:17:06,120 --> 00:17:11,520
instance, you can create a request that is going to be that where the result is going

248
00:17:11,520 --> 00:17:14,280
to be that we are going to provision that request.

249
00:17:14,280 --> 00:17:21,000
Sorry, we are going to provision those permissions by creating a custom role and for a specific

250
00:17:21,000 --> 00:17:24,240
amount of time, let's say, for example, for an hour.

251
00:17:24,240 --> 00:17:28,240
And after that period of time, we are going to deprovision that.

252
00:17:28,240 --> 00:17:35,480
And this is an interesting way to do things similar to PIM, let's say, again, from EPM,

253
00:17:35,480 --> 00:17:39,120
where you don't have to worry about long-standing permissions.

254
00:17:39,120 --> 00:17:42,560
So, you bring up long-standing permissions and that sort of stuff.

255
00:17:42,560 --> 00:17:48,360
But one thing that always interests me is when you look at access control, there are

256
00:17:48,360 --> 00:17:49,360
really two parts to it.

257
00:17:49,360 --> 00:17:51,760
There are the actual objects themselves that you are trying to protect, and you may use

258
00:17:51,760 --> 00:17:56,280
some access control lists or RBAC or ABAC or whatever policies or whatever technology

259
00:17:56,280 --> 00:17:58,600
you have to apply those policies.

260
00:17:58,600 --> 00:18:05,520
But then you also have principles, users, processes, and so on that have certain rights

261
00:18:05,520 --> 00:18:10,960
on the box or roles or privileges depending on what environment you are running in.

262
00:18:10,960 --> 00:18:11,960
Do we look at both?

263
00:18:11,960 --> 00:18:12,960
Does Entra look at both?

264
00:18:12,960 --> 00:18:19,720
Like you look at objects and say, these objects have a way to permissive access control, as

265
00:18:19,720 --> 00:18:25,680
well as looking at principles and saying, yes, these principles have way too many privileges.

266
00:18:25,680 --> 00:18:29,800
Does Entra Permissions Management actually look at both and give you information about

267
00:18:29,800 --> 00:18:32,200
both so you can take appropriate action?

268
00:18:32,200 --> 00:18:33,200
Yes.

269
00:18:33,200 --> 00:18:38,800
If you go to the analytics dashboard, you can see that, well, I think that Neil mentioned

270
00:18:38,800 --> 00:18:40,880
something about this at the beginning.

271
00:18:40,880 --> 00:18:43,360
We have visibility on human and non-human identities.

272
00:18:43,360 --> 00:18:49,800
That means normal users, I mean human identities, privilege and non-priorities identities, and

273
00:18:49,800 --> 00:18:52,920
also service principles or managed identities.

274
00:18:52,920 --> 00:18:59,040
So if you go to the analytics dashboard, you will see that you have visibility on the activity

275
00:18:59,040 --> 00:19:01,720
of any kind of account in reality.

276
00:19:01,720 --> 00:19:04,320
And you can right size them in the same way.

277
00:19:04,320 --> 00:19:10,360
And even before finishing my response, in terms of these requests or just in time or

278
00:19:10,360 --> 00:19:13,520
permissions on demand, you can do the same.

279
00:19:13,520 --> 00:19:18,320
I mean, you can create requests for both human and non-human identities.

280
00:19:18,320 --> 00:19:19,640
It's going to be exactly the same.

281
00:19:19,640 --> 00:19:24,400
Let's say that you are using a managed identity or a service principle that is being consumed

282
00:19:24,400 --> 00:19:29,160
by an application that is, again, going to delete virtual machines or going to do some

283
00:19:29,160 --> 00:19:30,280
kind of automation.

284
00:19:30,280 --> 00:19:33,320
You can create a request for this identity.

285
00:19:33,320 --> 00:19:37,560
And if you know when this identity is going to use those permissions, you can specify

286
00:19:37,560 --> 00:19:41,680
the date and time where you would like to assign these permissions.

287
00:19:41,680 --> 00:19:44,200
Could be a role, the template, et cetera.

288
00:19:44,200 --> 00:19:46,640
You used the term there, right sizing.

289
00:19:46,640 --> 00:19:49,280
So what does that actually mean in this context?

290
00:19:49,280 --> 00:19:55,120
So right sizing is a term we use when we talk about remediation.

291
00:19:55,120 --> 00:19:58,960
So right sizing could be, and I want to emphasize could be.

292
00:19:58,960 --> 00:20:04,120
Marcelo and I aren't suggesting that, OK, we're going to analyze every single user and

293
00:20:04,120 --> 00:20:08,240
create a custom role based on their activity for every single user.

294
00:20:08,240 --> 00:20:14,400
But right sizing is just a general term just to have a better fit set of permissions.

295
00:20:14,400 --> 00:20:18,680
One of the strategies to do that could be an activity-based role or policy.

296
00:20:18,680 --> 00:20:21,440
In certain use cases, that can make sense, right?

297
00:20:21,440 --> 00:20:26,080
Especially when we're talking about groups and service principles, AWS roles, and some

298
00:20:26,080 --> 00:20:31,200
of the other identities that lend themselves to those activity-based roles or policies.

299
00:20:31,200 --> 00:20:35,200
But right sizing just really means to find a better set of permissions, right?

300
00:20:35,200 --> 00:20:38,300
You have high-risk permissions that you're not using, right?

301
00:20:38,300 --> 00:20:41,640
Why leave those permanently assigned?

302
00:20:41,640 --> 00:20:46,880
You're just opening yourself up to unnecessary risk and not being used, take them away, right?

303
00:20:46,880 --> 00:20:51,160
Whether you use, whether you downsize that role, downsize that policy or create an activity-based

304
00:20:51,160 --> 00:20:54,520
policy or role, that's what we mean by right sizing.

305
00:20:54,520 --> 00:20:59,680
This leads perfectly to a question that I have, because you said that you're not going

306
00:20:59,680 --> 00:21:03,640
to create a role for every user, right?

307
00:21:03,640 --> 00:21:05,280
So how do you prioritize?

308
00:21:05,280 --> 00:21:07,840
How do you operationalize this?

309
00:21:07,840 --> 00:21:14,520
Again, you don't want to, in an organization that had hundreds, thousands of users, you

310
00:21:14,520 --> 00:21:18,520
don't want to create a role for each of these users.

311
00:21:18,520 --> 00:21:22,920
How do you bring it together so it's an enterprise-ready type of solution?

312
00:21:22,920 --> 00:21:25,320
Yeah, that's a great question, Gladys.

313
00:21:25,320 --> 00:21:30,800
So from an operational perspective, I'll answer that question in two different ways.

314
00:21:30,800 --> 00:21:38,520
So basically, we assess your Azure subscriptions, your AWS accounts, your Google Cloud projects.

315
00:21:38,520 --> 00:21:40,560
We assign risk.

316
00:21:40,560 --> 00:21:44,920
And this goes to your point, Gladys, when we talk to organizations, you need a way to

317
00:21:44,920 --> 00:21:49,800
prioritize these candidates for least privilege, these candidates that need attention, right?

318
00:21:49,800 --> 00:21:53,720
Because to your point, whether you're a single cloud or you're multi-cloud, you've likely

319
00:21:53,720 --> 00:21:58,560
got thousands, if not tens of thousands of these identities, human and non-human in your

320
00:21:58,560 --> 00:21:59,560
environment, right?

321
00:21:59,560 --> 00:22:01,220
How do I prioritize this?

322
00:22:01,220 --> 00:22:04,980
So from our standpoint, it all starts by modeling risk.

323
00:22:04,980 --> 00:22:11,520
So every subscription project account gets an overall risk score, right?

324
00:22:11,520 --> 00:22:15,640
Within those accounts, projects, subscriptions, right?

325
00:22:15,640 --> 00:22:18,080
Every identity has a risk score.

326
00:22:18,080 --> 00:22:23,280
And when we talk about operationalizing it, it starts with identifying the risk, right?

327
00:22:23,280 --> 00:22:24,280
Where do I start?

328
00:22:24,280 --> 00:22:25,280
Right?

329
00:22:25,280 --> 00:22:27,080
Well, the data is going to dictate that, right?

330
00:22:27,080 --> 00:22:32,120
So when we look at the data, we're going to assign risk, right?

331
00:22:32,120 --> 00:22:34,520
Let's just say you have an Azure subscription.

332
00:22:34,520 --> 00:22:36,360
It has a risk score that's in the red.

333
00:22:36,360 --> 00:22:41,560
I don't have a visual to support this, but we do gauge that risk score.

334
00:22:41,560 --> 00:22:45,360
So if you have a risk score that's in the red, you look at the subscription and you

335
00:22:45,360 --> 00:22:49,880
can see, well, what's contributing to this high risk, this risky subscription that I

336
00:22:49,880 --> 00:22:50,880
have out there?

337
00:22:50,880 --> 00:22:55,480
If I look at that, you know, we're looking at elements like inactivity, right?

338
00:22:55,480 --> 00:23:03,880
Do I have completely inactive service principles, users, groups, functions, right?

339
00:23:03,880 --> 00:23:09,200
Whatever the use case is, so we then will break this down in very prescriptive recommendations,

340
00:23:09,200 --> 00:23:12,760
identifying what those highest risk identities are.

341
00:23:12,760 --> 00:23:17,320
And then from an operational perspective, right, it really is dependent on the personas

342
00:23:17,320 --> 00:23:18,680
in the organization.

343
00:23:18,680 --> 00:23:23,160
And what I mean by that is, you know, every organization is different in the sense that

344
00:23:23,160 --> 00:23:28,800
you're, you know, you could have security teams, cloud infrastructure operations teams,

345
00:23:28,800 --> 00:23:29,800
identity teams, right?

346
00:23:29,800 --> 00:23:35,000
And so depending on the use cases and depending on who does what at the organization, we can

347
00:23:35,000 --> 00:23:40,240
make sure that we're funneling those alerts, those reports, all of that guidance to the

348
00:23:40,240 --> 00:23:44,520
appropriate personas at the organization to take action, right?

349
00:23:44,520 --> 00:23:51,000
But it starts by prioritizing the risk by using this risk score, making sure that, and

350
00:23:51,000 --> 00:23:56,520
then as you remediate, right, we'll actually show you how much progress you're making against

351
00:23:56,520 --> 00:23:57,520
the risk, right?

352
00:23:57,520 --> 00:24:02,480
You may have a subscription that, okay, well, from a risk score perspective, right, and

353
00:24:02,480 --> 00:24:08,520
the scales to 100, okay, on day one, you may have a subscription that has a score of a

354
00:24:08,520 --> 00:24:10,480
90, okay?

355
00:24:10,480 --> 00:24:13,680
That's got significant risk.

356
00:24:13,680 --> 00:24:18,840
And then as you start to remediate, as you start to operationalize this, you'll see over

357
00:24:18,840 --> 00:24:23,920
time, right, whether it's on day two, day 20, day 30, right, you're monitoring that

358
00:24:23,920 --> 00:24:28,760
risk score, right, and you're going to watch it go down as you're addressing these by making

359
00:24:28,760 --> 00:24:33,440
sure that the appropriate personas at the organization are getting the appropriate data

360
00:24:33,440 --> 00:24:37,060
and they're doing their part to least privilege these identities, right?

361
00:24:37,060 --> 00:24:42,800
Whether it's using our automated tools or they're using even a manual framework to start

362
00:24:42,800 --> 00:24:44,760
with, right, to least privilege these identities.

363
00:24:44,760 --> 00:24:51,200
So I know that was a long-winded answer, but we are very prescriptive in operationalizing

364
00:24:51,200 --> 00:24:55,920
this once you see the data, once you see the recommendation and roll-up reports, it's not

365
00:24:55,920 --> 00:24:57,800
as daunting as it sounds.

366
00:24:57,800 --> 00:25:03,560
So I mentioned that I've been seeing a lot of documentation out there of changes and

367
00:25:03,560 --> 00:25:12,340
of course, after we acquired the service, we kind of aligned it more to our type of

368
00:25:12,340 --> 00:25:14,060
capabilities.

369
00:25:14,060 --> 00:25:21,060
So what kind of new features or new capabilities have you added lately to the product?

370
00:25:21,060 --> 00:25:28,580
One of the most requested additions or features or capabilities is the Azure AD integration.

371
00:25:28,580 --> 00:25:33,720
We are dividing these releasing different phases, let's say.

372
00:25:33,720 --> 00:25:35,440
We are in phase one.

373
00:25:35,440 --> 00:25:37,640
This is in public preview now.

374
00:25:37,640 --> 00:25:44,080
And well, this first sprint is giving you some visibility into different roles and service

375
00:25:44,080 --> 00:25:47,760
principles and more things around Azure AD.

376
00:25:47,760 --> 00:25:55,040
That's the number one feature capability requested by customers, at least, let's say, in my experience

377
00:25:55,040 --> 00:26:00,360
and the experiences from colleagues.

378
00:26:00,360 --> 00:26:08,300
The other thing is that we recently announced the availability of PDF reports.

379
00:26:08,300 --> 00:26:14,600
So if you go to reports, you can export, you can create PDF reports with that.

380
00:26:14,600 --> 00:26:20,960
I would personally say with an excellent or very good executive format.

381
00:26:20,960 --> 00:26:25,880
I have many customers using these reports for internal presentations.

382
00:26:25,880 --> 00:26:30,560
Let's say, for example, if there are customers that want to promote the solution internally,

383
00:26:30,560 --> 00:26:38,600
they create these reports and use them as something that they use to present the results.

384
00:26:38,600 --> 00:26:44,680
Results first, if we are going through a POC or risk assessment, and second to catch the

385
00:26:44,680 --> 00:26:47,240
attention from the decision makers.

386
00:26:47,240 --> 00:26:49,880
I think there are a couple of additional things.

387
00:26:49,880 --> 00:26:53,080
Neil, do you remember if we have some more news?

388
00:26:53,080 --> 00:26:59,500
Yeah, I think the big thing that you're going to see over time is what Marcel alluded to

389
00:26:59,500 --> 00:27:08,200
around the Azure AD insights is just remember this was purpose-built for infrastructure.

390
00:27:08,200 --> 00:27:14,720
So we're doing an analysis on infrastructure in Azure, in Google Cloud, in AWS, and we've

391
00:27:14,720 --> 00:27:20,900
extended those capabilities by now doing a deeper inspection into Azure Active Directory.

392
00:27:20,900 --> 00:27:25,760
We have an initial phase in preview today where we're showing you the same perspectives

393
00:27:25,760 --> 00:27:27,520
that we're showing you at the infrastructure level.

394
00:27:27,520 --> 00:27:34,040
We're showing you from the Azure AD perspective as well, showing you your global administrators,

395
00:27:34,040 --> 00:27:39,720
your service principles, and giving you more insights specifically from Azure AD outside

396
00:27:39,720 --> 00:27:40,720
of the infrastructure.

397
00:27:40,720 --> 00:27:46,520
You're going to see more and more features added to that Azure Active Directory insights

398
00:27:46,520 --> 00:27:48,160
moving forward as well.

399
00:27:48,160 --> 00:27:52,320
And then lastly, what I wanted to say is you'll also see some upcoming announcements in the

400
00:27:52,320 --> 00:27:57,080
near term around some third-party integrations that we have coming up as well.

401
00:27:57,080 --> 00:28:03,080
A lot of the workflows that Marcel described, you may not necessarily want to drive some

402
00:28:03,080 --> 00:28:06,200
of those elevation workflows through the EPM console.

403
00:28:06,200 --> 00:28:10,680
We want to give you the flexibility to be able to drive some of those workflows through,

404
00:28:10,680 --> 00:28:13,000
let's just say, an ITSM platform.

405
00:28:13,000 --> 00:28:19,680
So you'll be seeing in the near term here some announcements around some upcoming APIs

406
00:28:19,680 --> 00:28:25,320
and connectors so that you can make use of the data, make use of the workflows outside

407
00:28:25,320 --> 00:28:27,320
of the EPM console.

408
00:28:27,320 --> 00:28:32,000
And like I said, some of those are going into preview in the coming weeks, and we'll share

409
00:28:32,000 --> 00:28:37,080
that data and more definitive target dates as we make those announcements.

410
00:28:37,080 --> 00:28:38,080
All right.

411
00:28:38,080 --> 00:28:39,800
Let's bring this episode to an end.

412
00:28:39,800 --> 00:28:44,120
So General, one thing we always ask our guests is if you had one final thought to leave our

413
00:28:44,120 --> 00:28:46,040
listeners with, what would it be?

414
00:28:46,040 --> 00:28:49,960
I'd like to share one final thought around Entry in general.

415
00:28:49,960 --> 00:28:54,520
So when your listeners leave this call and they go out and they start doing some homework

416
00:28:54,520 --> 00:28:57,640
around Entry Permissions Management, some of the other elements, you're going to run

417
00:28:57,640 --> 00:29:01,920
into, well, Entry isn't just Permissions Management.

418
00:29:01,920 --> 00:29:02,920
Right.

419
00:29:02,920 --> 00:29:09,680
It's a family of products that we've rebranded as part of the Microsoft Identity Portfolio.

420
00:29:09,680 --> 00:29:10,680
Right.

421
00:29:10,680 --> 00:29:14,680
So as you're doing that homework, if anyone has any, I just want to make sure that I allude

422
00:29:14,680 --> 00:29:19,720
to the fact that in addition to Permissions Management, there's other elements, identity

423
00:29:19,720 --> 00:29:24,080
related, AAD, verified ID, identity governance, workload IDs.

424
00:29:24,080 --> 00:29:25,080
Right.

425
00:29:25,080 --> 00:29:27,600
These all make up what is the Entry family.

426
00:29:27,600 --> 00:29:32,560
What we've been talking about today is specifically Entry Permissions Management.

427
00:29:32,560 --> 00:29:38,200
Just keep in mind, if as you're doing your analysis and you're doing your reading, if

428
00:29:38,200 --> 00:29:43,560
you have any questions specifically on any of the other elements in the stack, I know

429
00:29:43,560 --> 00:29:48,600
most of the listeners are probably somewhat familiar with Azure Active Directory, but

430
00:29:48,600 --> 00:29:54,360
if anyone has any questions on anything else you stumble on, verified ID, IGA, workload

431
00:29:54,360 --> 00:29:58,880
IDs, again, it's just something we can reach out and help you provide additional context

432
00:29:58,880 --> 00:29:59,880
around those as well.

433
00:29:59,880 --> 00:30:00,880
So.

434
00:30:00,880 --> 00:30:07,000
One more thing is that this is something that I used to tell to my customers, don't think

435
00:30:07,000 --> 00:30:08,960
that you are the exception.

436
00:30:08,960 --> 00:30:14,160
Unfortunately, many, many customers, when we enable, for example, when we do a POC or

437
00:30:14,160 --> 00:30:19,960
risk assessment, we see that the situations in terms of permissions gap is not good.

438
00:30:19,960 --> 00:30:25,560
We recently announced the availability of, there's a document called, well, I don't know

439
00:30:25,560 --> 00:30:32,680
if this is the exit title, but it's something like State of Cloud Permissions for this year,

440
00:30:32,680 --> 00:30:38,920
2023, where we say that 1% of the permissions assigned are being used.

441
00:30:38,920 --> 00:30:40,600
So this is a reality.

442
00:30:40,600 --> 00:30:44,900
This is something that I'm seeing in all my customers, no exceptions.

443
00:30:44,900 --> 00:30:52,640
So my advice for the people that are listening to these podcasts is that give it a try.

444
00:30:52,640 --> 00:30:59,660
Try to take this seriously because you can't imagine how many permissions you could have

445
00:30:59,660 --> 00:31:05,600
assigned or your identity would have assigned by the fact of, for example, having a single

446
00:31:05,600 --> 00:31:06,880
role assigned.

447
00:31:06,880 --> 00:31:11,480
So why not to give it a try and see what your situation is?

448
00:31:11,480 --> 00:31:15,240
You know, when I'm building threat models with customers or even internally, we always

449
00:31:15,240 --> 00:31:17,680
get back to two critical aspects.

450
00:31:17,680 --> 00:31:25,780
And one is permissions on objects and privileges slash roles slash capabilities that principles

451
00:31:25,780 --> 00:31:28,840
like users or processes have.

452
00:31:28,840 --> 00:31:33,240
I don't think anyone can really underestimate the value of tooling like Entra Permissions

453
00:31:33,240 --> 00:31:38,440
Management for understanding what your security posture is around authorization and access

454
00:31:38,440 --> 00:31:39,440
control.

455
00:31:39,440 --> 00:31:41,840
So gentlemen, thanks so much for joining us this week.

456
00:31:41,840 --> 00:31:44,560
And to all our listeners out there, we hope you found this useful.

457
00:31:44,560 --> 00:32:11,600
Stay safe and we'll see you next time.