June 19, 2026

Securing Identities at Scale: Conditional Access, Azure Security & Infrastructure as Code with Jonathan Hope [MVP]

M365 FM Podcast

Identity has become the new security perimeter. As organizations continue moving workloads to Microsoft 365, Azure, and cloud-native platforms, traditional security models are no longer enough. In this episode of the M365 FM Podcast, Mirko Peters is joined by Microsoft MVP Jonathan Hope to explore how modern organizations can secure identities at scale using Conditional Access, Azure Security, Infrastructure as Code, and Zero Trust principles. Jonathan shares lessons learned from more than a decade working with enterprise infrastructure, virtualization, Azure architecture, and identity management. From his early VMware days to designing cloud-first security architectures, he explains why identity protection is now the most critical component of any modern cybersecurity strategy.

UNDERSTANDING WHY IDENTITY IS THE NEW PERIMETER

The conversation explores how the shift to remote work, cloud applications, and hybrid environments transformed security. Traditional firewalls and network boundaries no longer provide sufficient protection when users, applications, and data are accessible from anywhere. Jonathan explains why attackers increasingly focus on identities instead of infrastructure and how compromised accounts can become the entry point for lateral movement, privilege escalation, and data breaches. Topics discussed include:

  • Identity-first security strategies
  • Modern authentication challenges
  • Cloud-native access controls
  • Reducing organizational attack surfaces

CONDITIONAL ACCESS AS THE MODERN SECURITY CONTROL PLANE

One of the central topics of the episode is Microsoft Entra Conditional Access. Jonathan explains why he considers Conditional Access one of the most powerful security capabilities available in Microsoft 365 today. The discussion covers:
  • How Conditional Access works
  • Real-time authorization decisions
  • Device compliance integration
  • Defender and risk signal integration
  • Country-based access controls
  • Blocking legacy authentication
  • Protecting privileged administrator accounts
Listeners will gain practical guidance on the foundational Conditional Access policies every organization should implement immediately.

AZURE SECURITY, ZERO TRUST AND GOVERNANCE

Security is no longer limited to identity teams. Jonathan explains why Azure infrastructure, identity management, governance, and compliance must work together as a unified security strategy. The conversation dives into:
  • Zero Trust architecture principles
  • Least privilege access models
  • Break-glass account strategies
  • Security monitoring and alerting
  • Log Analytics and Microsoft Sentinel
  • Azure Policy enforcement
  • Governance versus compliance realities
The episode highlights why security requires continuous validation rather than simply checking compliance boxes.
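
As an added illustration of the foundational controls named in the Conditional Access and governance sections above (blocking legacy authentication, MFA for privileged administrators, and excluding the break-glass account from every enforced policy), the following Python audit is example code written for these notes, not code from the podcast, the guest, or Microsoft. It reads a policy export shaped like the Microsoft Graph conditionalAccessPolicy resource; the three policies and the break-glass object id are constructed placeholders, while the Global Administrator role template id is the real, tenant-independent value.

```python
"""Audit an exported set of Entra Conditional Access policies for three
foundational controls: legacy authentication blocked, MFA enforced for
Global Administrators, and the break-glass account excluded everywhere.
Example code for these show notes; the policy export below is constructed."""
import json
from typing import Any, Dict, List

Policy = Dict[str, Any]

# Role template id of the Global Administrator directory role. Unlike user or
# group object ids, this value is the same in every tenant.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# clientAppTypes values that Conditional Access uses for legacy authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}
ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed placeholder object id for the emergency access (break-glass) account.
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"

# Constructed export in the shape of GET /identity/conditionalAccess/policies.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "CA001 Block legacy authentication", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    # Correct intent, but the break-glass account (itself a Global Admin) is not
    # excluded, so a failing MFA method could lock out the last working admin.
    {"displayName": "CA002 Require MFA for admins", "state": ENFORCED,
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    # Report-only policies log what they would do but enforce nothing.
    {"displayName": "CA003 Require MFA for all users", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]})


def _users(policy: Policy) -> Dict[str, List[str]]:
    return policy.get("conditions", {}).get("users", {})


def _controls(policy: Policy) -> List[str]:
    # grantControls is null for session-only policies, hence the `or {}`.
    return (policy.get("grantControls") or {}).get("builtInControls", [])


def _targets_all_apps(policy: Policy) -> bool:
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def blocks_legacy_auth(policy: Policy) -> bool:
    """Enforced block of legacy client app types for all users and all apps."""
    client_apps = set(policy.get("conditions", {}).get("clientAppTypes", []))
    covers_legacy = "all" in client_apps or LEGACY_CLIENT_APPS <= client_apps
    return (policy.get("state") == ENFORCED
            and "block" in _controls(policy)
            and "All" in _users(policy).get("includeUsers", [])
            and _targets_all_apps(policy)
            and covers_legacy)


def requires_admin_mfa(policy: Policy) -> bool:
    """Enforced MFA grant that reaches Global Administrators on all apps."""
    users = _users(policy)
    reaches_admins = (GLOBAL_ADMIN_ROLE in users.get("includeRoles", [])
                      or "All" in users.get("includeUsers", []))
    return (policy.get("state") == ENFORCED
            and "mfa" in _controls(policy)
            and reaches_admins
            and _targets_all_apps(policy))


def excludes_break_glass(policy: Policy, break_glass_id: str) -> bool:
    return break_glass_id in _users(policy).get("excludeUsers", [])


def audit(export_json: str, break_glass_id: str) -> Dict[str, Any]:
    """Run the checks over a policy export and return the findings."""
    policies = json.loads(export_json)["value"]
    return {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "admin_mfa_enforced": any(requires_admin_mfa(p) for p in policies),
        # Every enforced policy must carry the exclusion, or the emergency
        # account inherits whatever control happens to break.
        "missing_break_glass_exclusion": [
            p["displayName"] for p in policies
            if p.get("state") == ENFORCED and not excludes_break_glass(p, break_glass_id)],
        "report_only": [p["displayName"] for p in policies if p.get("state") == REPORT_ONLY],
    }
```

Running `audit(SAMPLE_EXPORT, BREAK_GLASS_ID)` on the constructed export reports legacy authentication blocked and admin MFA enforced, but flags CA002 for the missing break-glass exclusion and lists CA003 as report-only, which is exactly the kind of gap a continuous validation check should surface before an incident does.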

INFRASTRUCTURE AS CODE WITH BICEP

Jonathan shares his journey from manual Azure deployments to Infrastructure as Code using Bicep. He explains how automation improves consistency, security, and operational efficiency while reducing human error. Key topics include:
  • Why manual deployments create risk
  • Desired state configuration concepts
  • Repeatable Azure deployments
  • Azure Policy as Code
  • Version control and Git integration
  • Security standardization at scale
  • Building secure Azure environments through automation
For cloud architects and Azure administrators, this section provides valuable insights into modern infrastructure management practices.

AI, PASSKEYS AND THE FUTURE OF IDENTITY SECURITY

The episode also explores how artificial intelligence is changing both offensive and defensive security practices. While attackers increasingly leverage AI to create sophisticated phishing campaigns, organizations can use AI-powered security tools to detect threats and improve security operations. Jonathan shares his thoughts on:
  • Security Copilot
  • AI-assisted security operations
  • Passkeys and phishing-resistant authentication
  • FIDO2 security keys
  • Authentication method modernization
  • Microsoft’s evolving identity roadmap

WHY PASSWORDLESS AUTHENTICATION MATTERS

As the discussion concludes, Jonathan highlights one security improvement every organization should prioritize today: modernizing authentication methods. The move away from SMS-based MFA and weaker authentication methods toward passkeys and phishing-resistant authentication can dramatically improve an organization's security posture while also delivering a better user experience.

FINAL THOUGHTS

If your organization relies on Microsoft 365, Entra ID, Azure, Conditional Access, or Zero Trust security principles, this episode delivers practical guidance from real-world experience. Learn how to build stronger identity defenses, automate secure cloud deployments, and prepare your environment for the next generation of cybersecurity challenges.

CONNECT WITH M365 FM

Subscribe to M365 FM for expert conversations covering Microsoft 365, Azure, AI, Security, Governance, SharePoint, Copilot, Data Management, and the future of modern workplace technology.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.

🚀 Want to be part of m365.fm?

Then stop just listening… and start showing up.

👉 Connect with me on LinkedIn and let’s make something happen:

  • 🎙️ Be a podcast guest and share your story
  • 🎧 Host your own episode (yes, seriously)
  • 💡 Pitch topics the community actually wants to hear
  • 🌍 Build your personal brand in the Microsoft 365 space

This isn’t just a podcast — it’s a platform for people who take action.

🔥 Most people wait. The best ones don’t.

👉 Connect with me on LinkedIn and send me a message:
"I want in"

Let’s build something awesome 👊

1
00:00:00,000 --> 00:00:05,000
Welcome to another edition of the M365FM podcast.

2
00:00:05,000 --> 00:00:11,200
Today we are diving into one of the most critical topics in modern IT, identity security.

3
00:00:11,200 --> 00:00:17,440
As organizations continue moving workloads to Microsoft 365 and Azure, identities have become

4
00:00:17,440 --> 00:00:20,440
the new security perimeter.

5
00:00:20,440 --> 00:00:27,480
Joining me today is Jonathan Hope, Microsoft MVP, Microsoft 365 solution architect and specialist

6
00:00:27,480 --> 00:00:30,480
in identity and access management.

7
00:00:30,480 --> 00:00:37,520
Jonathan has spent more than a decade designing and operating large-scale infrastructure

8
00:00:37,520 --> 00:00:43,480
environments from enterprise VMware platforms to modern Azure native architectures.

9
00:00:43,480 --> 00:00:48,920
His expertise spans Conditional Access, Azure security, Infrastructure as Code using

10
00:00:48,920 --> 00:00:53,360
Bicep, governance and securing identity at scale.

11
00:00:53,360 --> 00:01:00,800
Jonathan has also written extensively about Azure's often overlooked role in identity protection

12
00:01:00,800 --> 00:01:02,200
and cloud security.

13
00:01:02,200 --> 00:01:05,360
Yeah, Jon, welcome to the M365 podcast.

14
00:01:05,360 --> 00:01:06,960
Hey, thank you, Mirko.

15
00:01:06,960 --> 00:01:07,960
Appreciate it.

16
00:01:07,960 --> 00:01:08,960
Thank you for having me on.

17
00:01:08,960 --> 00:01:13,000
Yeah, that was quite an intro.

18
00:01:13,000 --> 00:01:17,720
Yeah, so yeah, no, I mean, a little bit about me.

19
00:01:17,720 --> 00:01:25,400
I do, I come from the managed service space where I worked for an MSP provider here in Virginia

20
00:01:25,400 --> 00:01:33,440
for about 15 years, started my way up from the help desk and worked into modernizing virtual

21
00:01:33,440 --> 00:01:34,440
servers.

22
00:01:34,440 --> 00:01:39,720
I specifically was a VMware engineer who then moved into the Microsoft side because let's

23
00:01:39,720 --> 00:01:45,960
be honest, BPOS was a thing back in the day and everyone wanted to jump on board.

24
00:01:45,960 --> 00:01:51,040
That quickly started to change what I was doing from an identity perspective and understanding

25
00:01:51,040 --> 00:01:59,160
Azure Active Directory, now Entra ID. And today, I now work for an organization whose sole

26
00:01:59,160 --> 00:02:02,400
focus is basically optimizing that space.

27
00:02:02,400 --> 00:02:06,560
So I work for a company called enforcer and one of the things that I love about it is it gives

28
00:02:06,560 --> 00:02:10,960
me an opportunity to talk about things like these such as security identity at scale.

29
00:02:10,960 --> 00:02:13,440
So yeah, no, excited to be here.

30
00:02:13,440 --> 00:02:15,240
Yeah, thank you.

31
00:02:15,240 --> 00:02:22,120
Yeah, you spent many years working with VMware before moving into Azure.

32
00:02:22,120 --> 00:02:29,080
Any lessons from traditional infrastructure still apply in today's cloud first world?

33
00:02:29,080 --> 00:02:32,240
Yeah, I mean, that's a great point.

34
00:02:32,240 --> 00:02:40,440
So ironically enough, I did actually just write a blog today around groups and the idea

35
00:02:40,440 --> 00:02:45,040
that you talk about a lot, which is governance and how groups can do that.

36
00:02:45,040 --> 00:02:46,800
I think there's a lot of tithers, right?

37
00:02:46,800 --> 00:02:51,200
I mean, the idea of least privilege still pertains on premise to the cloud.

38
00:02:51,200 --> 00:02:54,320
It shifts the structure and how that works, right?

39
00:02:54,320 --> 00:02:59,040
So today, we have to understand that, like, you know, not everything on-prem has to correlate

40
00:02:59,040 --> 00:03:01,920
to exact replica in the cloud.

41
00:03:01,920 --> 00:03:07,600
So we want to start to separate that from a governance standpoint and the idea of being

42
00:03:07,600 --> 00:03:14,060
able to really create kind of a secure structure in the cloud so that lateral movement

43
00:03:14,060 --> 00:03:17,240
isn't a thing where it can replicate back to the on-prem infrastructure.

44
00:03:17,240 --> 00:03:21,920
So there's definitely some crossovers, but I will say, you know, I'm trying more and

45
00:03:21,920 --> 00:03:27,500
more to kind of write about things that help people to understand how groups can be

46
00:03:27,500 --> 00:03:32,240
that conduit to get them from on-prem into a cloud first kind of organization.

47
00:03:32,240 --> 00:03:34,240
So yeah?

48
00:03:34,240 --> 00:03:41,040
And at what point did you realize identity was becoming the new primary

49
00:03:41,040 --> 00:03:43,040
security boundary?

50
00:03:43,040 --> 00:03:47,720
Yeah, no, I mean, I guess the idea, it's funny.

51
00:03:47,720 --> 00:03:53,600
So the company I work for, we tagline, right, the idea of the tenant is the new server.

52
00:03:53,600 --> 00:04:00,540
And for me, I think the realization really hit me around the COVID era, right, 2020.

53
00:04:00,540 --> 00:04:04,440
If we look at, if we look at what happened, I know for me, right?

54
00:04:04,440 --> 00:04:08,620
I came home and one day I was just working remotely every day.

55
00:04:08,620 --> 00:04:11,140
And it was, okay, we need to start leveraging teams more.

56
00:04:11,140 --> 00:04:15,260
You need to start, you know, okay, I need to put these files that I can't get access to

57
00:04:15,260 --> 00:04:17,740
that S&TP file sharing more on-prem.

58
00:04:17,740 --> 00:04:20,020
I need to put them over in OneDrive.

59
00:04:20,020 --> 00:04:27,460
And what I noticed is that those identities that used to be protected behind a firewall, they

60
00:04:27,460 --> 00:04:28,460
were on-premise.

61
00:04:28,460 --> 00:04:32,820
You set up a new site, you put your AD server on-prem, you get a firewall in place, you're

62
00:04:32,820 --> 00:04:34,300
good to go, right?

63
00:04:34,300 --> 00:04:37,220
That was no longer relevant.

64
00:04:37,220 --> 00:04:41,700
You move to this cloud-based authentication where the identities were accessible from anywhere,

65
00:04:41,700 --> 00:04:42,700
right?

66
00:04:42,700 --> 00:04:43,700
I could go work from Starbucks.

67
00:04:43,700 --> 00:04:44,900
I could work anywhere.

68
00:04:44,900 --> 00:04:51,060
And so as easy as it is for me to log into it, the idea is if you're not securing those

69
00:04:51,060 --> 00:04:55,460
effectively, you, anyone can log into them from anywhere.

70
00:04:55,460 --> 00:05:00,660
That is the point of cloud-native APIs and the ability to get to this stuff from anywhere.

71
00:05:00,660 --> 00:05:07,180
And so that, for me, I think was the realization that if we're not locking down these identities,

72
00:05:07,180 --> 00:05:11,260
then inevitably, we're just allowing the attackers to get in.

73
00:05:11,260 --> 00:05:16,740
And the one statement I hate hearing from a customer is, we got security defaults.

74
00:05:16,740 --> 00:05:22,620
I'm like, okay, well, let me be honest, Microsoft isn't necessarily secure by default.

75
00:05:22,620 --> 00:05:23,620
They're secure.

76
00:05:23,620 --> 00:05:25,460
They want collaboration.

77
00:05:25,460 --> 00:05:26,460
They don't care.

78
00:05:26,460 --> 00:05:27,460
They do care.

79
00:05:27,460 --> 00:05:28,460
Let's not say they don't care.

80
00:05:28,460 --> 00:05:33,420
They care about security, but if it hinders collaboration, then they choose to go with

81
00:05:33,420 --> 00:05:34,820
collaboration first.

82
00:05:34,820 --> 00:05:35,820
So, yeah.

83
00:05:35,820 --> 00:05:36,820
Yeah.

84
00:05:36,820 --> 00:05:37,820
I see.

85
00:05:37,820 --> 00:05:44,700
Often, it's the, I think companies often think we pay for all these security tools.

86
00:05:44,700 --> 00:05:46,660
So Microsoft time was for us.

87
00:05:46,660 --> 00:05:50,980
Yeah, it's a little bit risky thinking, I think.

88
00:05:50,980 --> 00:05:51,980
Yeah.

89
00:05:51,980 --> 00:05:52,980
Yeah.

90
00:05:52,980 --> 00:05:53,980
No, it is.

91
00:05:53,980 --> 00:05:59,420
I mean, you wouldn't put a server in place and then rely on the Comcast modem from your internet

92
00:05:59,420 --> 00:06:00,420
service provider.

93
00:06:00,420 --> 00:06:01,420
You would get a firewall, right?

94
00:06:01,420 --> 00:06:04,220
You would be precise about the technology.

95
00:06:04,220 --> 00:06:06,620
You would be intentional about what you're doing.

96
00:06:06,620 --> 00:06:08,860
So, same concept applies in the cloud.

97
00:06:08,860 --> 00:06:10,700
You've got to be intentional about it.

98
00:06:10,700 --> 00:06:19,780
And I also see the Steve, yeah, thinking the one time setup idea.

99
00:06:19,780 --> 00:06:24,780
I think that's also a little bit critical.

100
00:06:24,780 --> 00:06:31,980
But when you look back over your career, what are the major shifts that change the way

101
00:06:31,980 --> 00:06:35,940
organizations approach security?

102
00:06:35,940 --> 00:06:37,220
What are your ways, organizations?

103
00:06:37,220 --> 00:06:42,540
I mean, I think for me, the concept of what we're talking about today is really one of the

104
00:06:42,540 --> 00:06:43,940
major shifts, right?

105
00:06:43,940 --> 00:06:49,700
I know when I started with BPOS and in getting into the Microsoft realm, conditional

106
00:06:49,700 --> 00:06:53,900
access wasn't necessarily as great as it is today, right?

107
00:06:53,900 --> 00:06:57,900
There were a lot of gaps in how it operated and things you could test, the what if wasn't

108
00:06:57,900 --> 00:06:59,140
really there.

109
00:06:59,140 --> 00:07:02,820
It just wasn't, it wasn't what it is today.

110
00:07:02,820 --> 00:07:09,500
As conditional access is expanded to me, conditional access has almost become the new modern firewall

111
00:07:09,500 --> 00:07:11,100
per se, right?

112
00:07:11,100 --> 00:07:16,780
It makes real time decisions on actual, you know, authorization and can you access the

113
00:07:16,780 --> 00:07:17,780
same, right?

114
00:07:17,780 --> 00:07:21,660
You've authenticated to the identity platform, but do you have the authorization to access

115
00:07:21,660 --> 00:07:22,660
these things?

116
00:07:22,660 --> 00:07:26,820
And if not, it's a real time engine that applies and a lot of people like to apply it like

117
00:07:26,820 --> 00:07:27,820
a firewall.

118
00:07:27,820 --> 00:07:30,100
My network guys used to be like, oh, so it's like a firewall rule.

119
00:07:30,100 --> 00:07:32,100
I'm like, not necessarily.

120
00:07:32,100 --> 00:07:34,340
Firewall rules have a priority and they go one by one.

121
00:07:34,340 --> 00:07:39,660
This is a exact, it challenges every policy all at the same time and it makes a real time

122
00:07:39,660 --> 00:07:40,660
decision on it, right?

123
00:07:40,660 --> 00:07:43,700
So there are differences, but I think very similar overlap.

124
00:07:43,700 --> 00:07:47,780
And I think that's one of the bigger things that has changed for me when it comes to securing

125
00:07:47,780 --> 00:07:52,380
the new talent as a chance today.

126
00:07:52,380 --> 00:07:56,700
We also often hear "identity is the new perimeter."

127
00:07:56,700 --> 00:08:02,020
What do you think that actually means in practice?

128
00:08:02,020 --> 00:08:05,020
What was the question again that identity?

129
00:08:05,020 --> 00:08:11,300
Yeah, we often hear this, this, I think, phrase, "identity is the new perimeter."

130
00:08:11,300 --> 00:08:14,820
What do you think that actually means in practice?

131
00:08:14,820 --> 00:08:15,820
Identity is the new perimeter.

132
00:08:15,820 --> 00:08:16,820
Yeah.

133
00:08:16,820 --> 00:08:17,820
Oh, gosh, yeah, yeah, yeah.

134
00:08:17,820 --> 00:08:19,660
So as far as it being the new perimeter, right?

135
00:08:19,660 --> 00:08:22,740
I mean, it is the entry point into everything.

136
00:08:22,740 --> 00:08:28,820
So I specifically, I think I did a post on it called identity as the new perimeter and then

137
00:08:28,820 --> 00:08:32,020
data governance is the new blast radius, right?

138
00:08:32,020 --> 00:08:38,060
So the idea is that it ties back into everything that Microsoft preaches, from defense in

139
00:08:38,060 --> 00:08:39,420
depth to zero trust.

140
00:08:39,420 --> 00:08:45,860
If an identity can be compromised and someone can get claims into the tenant, the new server,

141
00:08:45,860 --> 00:08:48,540
they can sit there, they can lie, they can wait.

142
00:08:48,540 --> 00:08:50,740
That identity can then be used laterally, right?

143
00:08:50,740 --> 00:08:56,740
So I did an article last week on guest identities because it's often so overlooked.

144
00:08:56,740 --> 00:09:00,980
And the idea is guests can act like a Trojan horse.

145
00:09:00,980 --> 00:09:06,220
It's an identity that exists that we oftentimes just overlook, but the ideas are simple.

146
00:09:06,220 --> 00:09:11,220
If you can compromise that guest identity, which you don't have full necessary control around,

147
00:09:11,220 --> 00:09:15,420
and then you can do things like if you have weak guest restrictions, you can do things

148
00:09:15,420 --> 00:09:17,180
like enumerate groups.

149
00:09:17,180 --> 00:09:18,620
You can look at all the members.

150
00:09:18,620 --> 00:09:23,220
You can then look through those members and find someone who may have privileged roles within

151
00:09:23,220 --> 00:09:24,540
the organization.

152
00:09:24,540 --> 00:09:26,980
So it really is the perimeter.

153
00:09:26,980 --> 00:09:31,260
You have to protect that because if you don't, that then leads to everything else that can

154
00:09:31,260 --> 00:09:35,700
happen inside the server, which is your data governance, getting access to your SharePoint

155
00:09:35,700 --> 00:09:36,700
sites.

156
00:09:36,700 --> 00:09:39,180
I mean, anything that you can think of inside, right?

157
00:09:39,180 --> 00:09:43,620
A lot of the conversations you have around governance are so critical because the idea is

158
00:09:43,620 --> 00:09:47,260
once they get in the house, what do they actually have access to?

159
00:09:47,260 --> 00:09:50,660
If you've got a really good data governance policy and a really good ability to lock that

160
00:09:50,660 --> 00:09:52,820
down, good to go.

161
00:09:52,820 --> 00:09:58,620
It's going to give the administrators time that they really need to be sure that, okay,

162
00:09:58,620 --> 00:10:00,100
hey, we had a breach.

163
00:10:00,100 --> 00:10:01,700
The identity has been compromised.

164
00:10:01,700 --> 00:10:03,580
Now let's act on our playbook.

165
00:10:03,580 --> 00:10:07,860
Let's disable the account, revoke all sessions.

166
00:10:07,860 --> 00:10:10,620
Authentication methods required need to be higher level.

167
00:10:10,620 --> 00:10:12,820
We want phishing-resistant, things like that.

168
00:10:12,820 --> 00:10:14,820
So, yep.

169
00:10:14,820 --> 00:10:20,700
How do identity, what do identity attacks look like?

170
00:10:20,700 --> 00:10:24,500
How do attackers work in this space?

171
00:10:24,500 --> 00:10:27,140
You're getting more and more sophisticated.

172
00:10:27,140 --> 00:10:35,460
I mean, if you take a look over the past, the two main ways that they've tackled identities,

173
00:10:35,460 --> 00:10:40,300
the biggest one, I think it was a storm 9-0-4-2 or 9-2-4-2.

174
00:10:40,300 --> 00:10:44,220
The most recent one, they leveraged SSPR attack vectors.

175
00:10:44,220 --> 00:10:51,060
So, one of the things a lot of companies don't think about is the idea of leveraging SSPR,

176
00:10:51,060 --> 00:10:55,340
something that is meant for good, being used for malicious intent.

177
00:10:55,340 --> 00:10:59,940
So, what they were able to do is, and there's also a very interesting update coming from Microsoft

178
00:10:59,940 --> 00:11:01,940
that I just posted about today on LinkedIn.

179
00:11:01,940 --> 00:11:06,820
Hopefully, everyone takes a look at that as how they're trying to lock that protocol down

180
00:11:06,820 --> 00:11:08,140
a little more.

181
00:11:08,140 --> 00:11:13,660
But the idea there was essentially just continuing to flood users with password reset

182
00:11:13,660 --> 00:11:18,140
requests and then gain access into the identity infrastructure through that.

183
00:11:18,140 --> 00:11:20,740
So, I mean, it's common all over.

184
00:11:20,740 --> 00:11:27,540
I mean, I look at probably one of the last breaches I tackled when I was with the MSP was

185
00:11:27,540 --> 00:11:29,620
specifically around this concept.

186
00:11:29,620 --> 00:11:34,500
It was a company that they were business standard because in the MSP space, we still have

187
00:11:34,500 --> 00:11:41,180
a lot of small mid-sized businesses that don't want, they don't fully understand or see

188
00:11:41,180 --> 00:11:45,740
the value and business premium and the ideas that we talked about with conditional access.

189
00:11:45,740 --> 00:11:50,020
And it was a company that was on business standard and they had, they suffered a business

190
00:11:50,020 --> 00:11:51,620
email compromise.

191
00:11:51,620 --> 00:11:55,740
What happened was, very simple, they sent an email to someone in the organization, that

192
00:11:55,740 --> 00:11:57,940
person clicked on it, they were phished, right?

193
00:11:57,940 --> 00:12:03,100
They put their credentials in, they gave this person access into the organization and

194
00:12:03,100 --> 00:12:05,100
then from there, two things happened.

195
00:12:05,100 --> 00:12:06,100
They had two things.

196
00:12:06,100 --> 00:12:09,740
They registered a malicious enterprise app to give them a foothold into the organization

197
00:12:09,740 --> 00:12:10,940
long term.

198
00:12:10,940 --> 00:12:15,420
They also, then were like, well, they may detect it and we may have to MFA.

199
00:12:15,420 --> 00:12:21,260
So they registered their own SMS authentication method and that's why it's important that

200
00:12:21,260 --> 00:12:23,660
from an authentication method, we disable these things.

201
00:12:23,660 --> 00:12:29,460
But what they did is they put a phone number in and they labeled it free food because

202
00:12:29,460 --> 00:12:31,340
it was, they were not easy to get into.

203
00:12:31,340 --> 00:12:34,140
They had actually been compromised multiple times.

204
00:12:34,140 --> 00:12:35,460
Yeah.

205
00:12:35,460 --> 00:12:37,540
So attackers have a sense of humor.

206
00:12:37,540 --> 00:12:39,780
It turns out.

207
00:12:39,780 --> 00:12:49,620
And I think, yeah, I think, so I was a security, it's, it's, yeah, it's a topic and I think

208
00:12:49,620 --> 00:12:56,500
the old, we all speak about hacking the infrastructure.

209
00:12:56,500 --> 00:13:04,980
But why do, I don't know, if it's really shift, I think for, for, for, no more than 20 years,

210
00:13:04,980 --> 00:13:10,660
we have called a university to, on say, I'm the professor working for the professor to

211
00:13:10,660 --> 00:13:12,420
get free internet access.

212
00:13:12,420 --> 00:13:13,420
Yeah.

213
00:13:13,420 --> 00:13:16,780
So, so I think that's also, can you give the password?

214
00:13:16,780 --> 00:13:24,780
I think it's not so new, but why do attack us target identities before they target the

215
00:13:24,780 --> 00:13:25,780
infrastructure?

216
00:13:25,780 --> 00:13:33,300
I mean, I think they take the, in my opinion, I mean, attackers are targeting the most

217
00:13:33,300 --> 00:13:35,900
susceptible, easiest thing, right?

218
00:13:35,900 --> 00:13:38,100
So humans are very fallible.

219
00:13:38,100 --> 00:13:41,580
They, they, they, they can be phished, right?

220
00:13:41,580 --> 00:13:46,140
They are, they want to believe that people have good intentions at mine.

221
00:13:46,140 --> 00:13:50,100
And it's not to say that everyone doesn't, but there is bad in the world, right?

222
00:13:50,100 --> 00:13:54,740
There are people who want to take advantage of people in that way.

223
00:13:54,740 --> 00:13:59,180
And that's why things like phishing resistance, passkeys, all of these things are so critical

224
00:13:59,180 --> 00:14:00,180
to me.

225
00:14:00,180 --> 00:14:04,500
But, because we are, we are faltered, right?

226
00:14:04,500 --> 00:14:08,780
Like, we, we want to assume these things, but at the end of the day, we, I've clicked on,

227
00:14:08,780 --> 00:14:11,740
I was like, poor, not, unintentionally, right?

228
00:14:11,740 --> 00:14:15,500
Like, oh yeah, that does sound extremely relevant to what I'm doing today.

229
00:14:15,500 --> 00:14:16,500
And that's the thing.

230
00:14:16,500 --> 00:14:20,500
And that's what, that's why it's so dangerous with the, you know, the introduction of AI.

231
00:14:20,500 --> 00:14:25,300
Because if you think about, you know, we all joke about the attacks back in the day, right?

232
00:14:25,300 --> 00:14:29,100
The, the crown prince in Africa reaching out to me.

233
00:14:29,100 --> 00:14:32,900
You know, it's like, oh, does he want to, he needs help from me?

234
00:14:32,900 --> 00:14:37,300
Like, what, you know, these attacks were, were almost laughable back in the day.

235
00:14:37,300 --> 00:14:42,580
But when you introduce something like AI to the mix, which can easily scrape your entire

236
00:14:42,580 --> 00:14:46,940
organization and start to build out a, a flow chart and understand, oh, your CEO is over

237
00:14:46,940 --> 00:14:48,420
at this meeting today.

238
00:14:48,420 --> 00:14:53,820
You know, they can then, in sight, you know, in a sense of urgency in you as a user, because

239
00:14:53,820 --> 00:14:54,820
that's something we have, right?

240
00:14:54,820 --> 00:14:56,940
Our emotions go from zero to 100 very quickly.

241
00:14:56,940 --> 00:15:01,140
And so what they do is they, they incite this urgency, like, hey, it's the CEO.

242
00:15:01,140 --> 00:15:05,020
I'm over at this, you know, I'm over at, you know, this conference today.

243
00:15:05,020 --> 00:15:06,020
Of course, they're at that conference.

244
00:15:06,020 --> 00:15:07,500
Say, we know they're over at that conference.

245
00:15:07,500 --> 00:15:08,500
Say, right?

246
00:15:08,500 --> 00:15:09,980
It, it, it seems legitimate.

247
00:15:09,980 --> 00:15:14,660
I mean, without, you know, and the fact of the matter is when that urgency level hits,

248
00:15:14,660 --> 00:15:19,580
your, your brain, just that fight or flight mechanism in your brain doesn't necessarily

249
00:15:19,580 --> 00:15:21,900
sometimes go hold on, stop.

250
00:15:21,900 --> 00:15:23,580
Why would they be reaching out to me directly?

251
00:15:23,580 --> 00:15:24,580
Right?

252
00:15:24,580 --> 00:15:26,820
And because of that, that false sense of urgency, you just, you know, I'm, you know,

253
00:15:26,820 --> 00:15:28,260
you just go, oh, I need to help this person.

254
00:15:28,260 --> 00:15:29,580
I need to do this, right?

255
00:15:29,580 --> 00:15:34,260
And I've literally watched financial teams get messages like that.

256
00:15:34,260 --> 00:15:39,020
And next thing I know, they're wiring $10,000 in a wire transfer because they think their

257
00:15:39,020 --> 00:15:42,060
seat, the CEO is actually at the conference.

258
00:15:42,060 --> 00:15:43,060
Everything checked out.

259
00:15:43,060 --> 00:15:46,100
They didn't have the appropriate data governance in place, right?

260
00:15:46,100 --> 00:15:50,780
To put a two gate like, hey, anything over this amount of money, don't wire it unless you

261
00:15:50,780 --> 00:15:56,340
get approval from X and Y instead of just giving them full autonomy to just send a wire

262
00:15:56,340 --> 00:15:57,340
transfer of 10k.

263
00:15:57,340 --> 00:16:01,340
Next thing you know, you're dealing with forensics teams trying to understand why $10,000 was just

264
00:16:01,340 --> 00:16:05,300
wired to someone over in, you know, in Bobway.

265
00:16:05,300 --> 00:16:09,860
So yeah, long-winded answer.

266
00:16:09,860 --> 00:16:17,980
I think we have before we jump in the clouds, we have Active Directory.

267
00:16:17,980 --> 00:16:18,980
Sure.

268
00:16:18,980 --> 00:16:19,980
Active Directory.

269
00:16:19,980 --> 00:16:30,020
So do you think for companies it's also important to look at their identity strategy at AD

270
00:16:30,020 --> 00:16:33,820
or can we handle all of this with Entra?

271
00:16:33,820 --> 00:16:34,820
Yeah.

272
00:16:34,820 --> 00:16:39,220
I mean, I guess it really depends on the business model, right?

273
00:16:39,220 --> 00:16:40,620
Like what specifically?

274
00:16:40,620 --> 00:16:47,660
So I work for an organization where we had a lot of legacy applications and a lot of need

275
00:16:47,660 --> 00:16:49,660
for legacy AD.

276
00:16:49,660 --> 00:16:53,300
Case in point, you know, I've got extreme experience with Azure.

277
00:16:53,300 --> 00:16:58,420
A part of what I did was I built AVD environments for organizations.

278
00:16:58,420 --> 00:17:02,940
When I started building out Azure environments, unlike this past year where we're now cloud

279
00:17:02,940 --> 00:17:08,660
native and everything can be done cloud native there, there was reliance on Active Directory.

280
00:17:08,660 --> 00:17:14,340
So I couldn't build an Azure Virtual Desktop environment without doing hybrid identities,

281
00:17:14,340 --> 00:17:19,620
meaning and while Interdomain Services is a thing, there's still legacy work.

282
00:17:19,620 --> 00:17:22,060
So there's a lot of different solutions that rely on things like Kerberos, right?

283
00:17:22,060 --> 00:17:23,060
SMTP.

284
00:17:23,060 --> 00:17:28,940
Like we, you know, we, in TFS file shares, there are legitimate needs within the organization.

285
00:17:28,940 --> 00:17:35,940
I do believe in this past year Microsoft has really done an amazing job at pushing the boundary,

286
00:17:35,940 --> 00:17:42,500
at what, to really cause you to have to rethink do I still need Active Directory?

287
00:17:42,500 --> 00:17:47,580
From the introduction to the new features within Intercloud Sync, one of the biggest limitations

288
00:17:47,580 --> 00:17:54,940
that it had was if you think about today, organizations that wanted to hybrid join, meaning they,

289
00:17:54,940 --> 00:17:59,740
they had all their devices, they didn't want to just immediately, you know, join them into,

290
00:17:59,740 --> 00:18:01,980
into, into, only that's a huge up lift.

291
00:18:01,980 --> 00:18:08,420
That's a huge project hour to get rid of that, that old legacy Active Directory join initiative.

292
00:18:08,420 --> 00:18:12,660
They've moved the needle on that and that you can now join directly to, you know, to

293
00:18:12,660 --> 00:18:18,500
into with Intercloud Sync. So you can, you can do that hybrid join, which is a great intermediary

294
00:18:18,500 --> 00:18:21,940
step from on-prem to cloud only.

295
00:18:21,940 --> 00:18:24,940
So I, I do think there are still legacy needs.

296
00:18:24,940 --> 00:18:29,580
I, and I think, you know, understanding Active Directory and the OU structures and, and

297
00:18:29,580 --> 00:18:33,900
really understanding what that is and how to reshape and rethink that with the cloud.

298
00:18:33,900 --> 00:18:37,100
If you look at, if you look at intradd, it's a flat landscape.

299
00:18:37,100 --> 00:18:39,660
There is no, there's no OU structure.

300
00:18:39,660 --> 00:18:42,940
Not the same LDAP kind of category and everything you have there, right?

301
00:18:42,940 --> 00:18:47,620
These are all new protocols, new, new identity structures that exist today.

302
00:18:47,620 --> 00:18:52,500
And I think that, that's why I go back to the idea of why groups are so critical.

303
00:18:52,500 --> 00:18:57,260
A lot of what we try to do with OU's can be accomplished within the group structure and

304
00:18:57,260 --> 00:19:00,900
the group conventions that exist with an intradd today.

305
00:19:00,900 --> 00:19:03,140
So yeah, I think it's extremely critical.

306
00:19:03,140 --> 00:19:08,580
But yeah, I, I do think every organization moving forward from today needs to take a hard

307
00:19:08,580 --> 00:19:13,260
look at, okay, what do we still rely on Active Directory for?

308
00:19:13,260 --> 00:19:18,340
And the post that I released today called groups, the connective tissue, right?

309
00:19:18,340 --> 00:19:24,140
The idea is start to look at how can I use this cloud first approach to start minimizing

310
00:19:24,140 --> 00:19:26,300
my reliance on Active Directory?

311
00:19:26,300 --> 00:19:32,860
Because the trap that we fall in, specifically in the MSP space is that we're like, oh, it's

312
00:19:32,860 --> 00:19:33,860
just, you know, it's easy.

313
00:19:33,860 --> 00:19:34,860
We got to do this.

314
00:19:34,860 --> 00:19:35,860
We'll get rid of this sometime later on.

315
00:19:35,860 --> 00:19:37,460
And then it just sits there.

316
00:19:37,460 --> 00:19:38,860
And no one ever gets rid of it.

317
00:19:38,860 --> 00:19:43,180
So when you start looking at new SaaS apps that you want to introduce, you know, we, we,

318
00:19:43,180 --> 00:19:47,300
the first thing we tackled as an organization was file shares and printers.

319
00:19:47,300 --> 00:19:50,660
We, we moved those, we moved those wholeistically to Azure.

320
00:19:50,660 --> 00:19:52,580
We started using Azure premium files.

321
00:19:52,580 --> 00:19:57,740
We started using, we worked, we tried universal print, but then we found a much better product

322
00:19:57,740 --> 00:20:05,020
called printx that actually was amazing for cloud printing and had a few less limitations

323
00:20:05,020 --> 00:20:07,140
than what universal print had.

324
00:20:07,140 --> 00:20:13,300
The idea was we started leveraging those and moving those needs off from from Active Directory

325
00:20:13,300 --> 00:20:14,620
into the cloud.

326
00:20:14,620 --> 00:20:18,980
And by doing that, then target it with groups, we could then connect those systems directly

327
00:20:18,980 --> 00:20:20,260
into enter ID.

328
00:20:20,260 --> 00:20:25,740
That was then groups and GPOs and other aspects of the on-prem identity that we could start

329
00:20:25,740 --> 00:20:28,340
to diminish and get rid of within the organization.

330
00:20:28,340 --> 00:20:33,780
And then it just easily kept shifting from there to a cloud first world.

331
00:20:33,780 --> 00:20:39,900
And there it's, I think, conditional access for listeners, they are new with the topic.

332
00:20:39,900 --> 00:20:42,020
What exactly is it?

333
00:20:42,020 --> 00:20:43,740
What exactly is conditional access?

334
00:20:43,740 --> 00:20:45,140
Ah, perfect question.

335
00:20:45,140 --> 00:20:51,340
So I have a, I have a GitHub repository that I'm going to give you the, I'm going to give

336
00:20:51,340 --> 00:20:52,500
you the answer from that.

337
00:20:52,500 --> 00:20:54,260
There's a real official, right?

338
00:20:54,260 --> 00:20:58,460
Like a kind of explanation of what it is.

339
00:20:58,460 --> 00:21:00,260
The John Hope explanation.

340
00:21:00,260 --> 00:21:03,660
It's the modern day cloud identity and workload firewall in the modern cloud.

341
00:21:03,660 --> 00:21:05,340
Identity is the server.

342
00:21:05,340 --> 00:21:08,780
It's a control plane that every access request goes through.

343
00:21:08,780 --> 00:21:14,460
So again, I correlate it to the idea of, of a firewall a lot of times, but essentially,

344
00:21:14,460 --> 00:21:18,940
it's a zero trust control plane that makes real-time decisions on authorization.

345
00:21:18,940 --> 00:21:20,340
And do you have access?

346
00:21:20,340 --> 00:21:24,820
So it's an authentication, authorization mechanism that says, okay, you've authenticated.

347
00:21:24,820 --> 00:21:27,100
Do you have the ability to contact this?

348
00:21:27,100 --> 00:21:31,340
Does your device that you're working for have the ability to access this?

349
00:21:31,340 --> 00:21:33,460
So in a labencer, that's, that's my.

350
00:21:33,460 --> 00:21:35,460
That's my explanation of it.

351
00:21:35,460 --> 00:21:36,460
Yeah.

352
00:21:36,460 --> 00:21:43,300
I read, I think it's more on one of your blocks that you say one or, yeah, you consider a

353
00:21:43,300 --> 00:21:51,180
condition like says one of the most powerful security controls in Microsoft 365.

354
00:21:51,180 --> 00:21:53,620
Why, why did you think this?

355
00:21:53,620 --> 00:21:54,620
Why?

356
00:21:54,620 --> 00:21:56,260
Because if you look at it, right?

357
00:21:56,260 --> 00:21:58,340
You, you actually talk about this a lot.

358
00:21:58,340 --> 00:21:59,420
Let me be very clear.

359
00:21:59,420 --> 00:22:04,260
My favorite, my favorite talk if anyone hasn't gone and listened to it is governance is an

360
00:22:04,260 --> 00:22:08,060
illusion that that podcast you did was amazing.

361
00:22:08,060 --> 00:22:14,380
And the, the idea is that if you look at conditional access, you know, you made a point in

362
00:22:14,380 --> 00:22:19,420
there that there isn't necessarily a unified control plane for everything because inside

363
00:22:19,420 --> 00:22:25,220
of him 365, there are aspects that have their own unique identities and, and connections,

364
00:22:25,220 --> 00:22:26,220
right?

365
00:22:26,220 --> 00:22:30,820
And the exchange has the exo command module purview has the IPP session modules.

366
00:22:30,820 --> 00:22:33,580
You've got share point with the SPO modules, right?

367
00:22:33,580 --> 00:22:35,700
They have their own capabilities.

368
00:22:35,700 --> 00:22:41,020
Conditional access is that thing that tries its best to unify security from across the board.

369
00:22:41,020 --> 00:22:45,940
If you think about conditional access, yes, it secures identities and it's, it's main purpose

370
00:22:45,940 --> 00:22:49,620
is to make sure that the identities do have the access it needs.

371
00:22:49,620 --> 00:22:53,180
But on top of that, it hooks into all those other modules.

372
00:22:53,180 --> 00:22:56,300
So into it can look at your device compliance statistics.

373
00:22:56,300 --> 00:22:57,780
It says, well, wait a second.

374
00:22:57,780 --> 00:22:59,420
Is this device still healthy, right?

375
00:22:59,420 --> 00:23:01,340
What does intune say it's still healthy?

376
00:23:01,340 --> 00:23:02,340
Okay.

377
00:23:02,340 --> 00:23:03,340
Cool.

378
00:23:03,340 --> 00:23:06,060
Then we, you know, we have a compliance policy inside of intune that's telling us and giving

379
00:23:06,060 --> 00:23:10,780
those signals back for the conditional access policy to make a real time decision at that

380
00:23:10,780 --> 00:23:11,940
moment.

381
00:23:11,940 --> 00:23:13,900
It hooks into defender for cloud, right?

382
00:23:13,900 --> 00:23:16,500
It hooks into defender period, right?

383
00:23:16,500 --> 00:23:18,100
So we have app and force restrictions.

384
00:23:18,100 --> 00:23:22,460
So if you build policies into defender, it's able to then pass through make a real time

385
00:23:22,460 --> 00:23:23,460
decision.

386
00:23:23,460 --> 00:23:26,180
Are you connected to a third party VPN that you shouldn't be?

387
00:23:26,180 --> 00:23:27,180
Okay.

388
00:23:27,180 --> 00:23:30,700
If you're connected to that, you don't get access into the organization, right?

389
00:23:30,700 --> 00:23:33,580
It's able to make all these decisions per view.

390
00:23:33,580 --> 00:23:37,460
You're able to do authentication contacts and then apply conditional access on top of

391
00:23:37,460 --> 00:23:42,460
it to protect that from accessing, you know, critical sharepoint sites.

392
00:23:42,460 --> 00:23:45,780
There are ways that you can do this natively within each of these tools, but conditional

393
00:23:45,780 --> 00:23:50,740
access is kind of that, in my opinion, that last stop kind of deeded process to ensure

394
00:23:50,740 --> 00:23:56,340
that at the end of the day, all of these aspects are protected.

395
00:23:56,340 --> 00:24:03,980
And when you get a new client, what's the first conditional access policy that you look

396
00:24:03,980 --> 00:24:06,300
if they have deployed it?

397
00:24:06,300 --> 00:24:07,300
Yeah.

398
00:24:07,300 --> 00:24:13,460
So, so hopefully everyone after this goes to my my GitHub repository and I'll, I'll make

399
00:24:13,460 --> 00:24:16,900
sure you have all the links, hopefully you have all the links to that.

400
00:24:16,900 --> 00:24:22,940
So there are six policies in my repository that I consider foundation policies.

401
00:24:22,940 --> 00:24:25,740
So there's not necessarily one policy.

402
00:24:25,740 --> 00:24:30,580
Obviously, if there was one policy, it would just be MFA for all users, regardless of what

403
00:24:30,580 --> 00:24:31,900
you're doing, right?

404
00:24:31,900 --> 00:24:34,540
That is, that is at a clear cut.

405
00:24:34,540 --> 00:24:39,740
That is what security defaults tries to do, but fails horribly at.

406
00:24:39,740 --> 00:24:45,900
As far as like what I recommend to anybody, it is there are six fundamental policies, you

407
00:24:45,900 --> 00:24:49,700
know, not, not looking at your in tune, do you have in tune, right?

408
00:24:49,700 --> 00:24:53,580
Because at the end of the day, one of the, one of the requirements for conditional access

409
00:24:53,580 --> 00:24:55,140
is a P1 license.

410
00:24:55,140 --> 00:25:01,820
So assuming you have 10 users and 10 P1 license in your infrastructure, this is the bare bones

411
00:25:01,820 --> 00:25:06,340
what you could still do to protect that organization, you know, just because you have P1 doesn't

412
00:25:06,340 --> 00:25:09,860
mean you have an in tune plan one license, you can do compliant devices.

413
00:25:09,860 --> 00:25:14,180
And, and I break those down into into those six policies, essentially starting with all

414
00:25:14,180 --> 00:25:21,020
MFA for all users, MFA for all admin roles, typically there, I want to use a stronger authentication

415
00:25:21,020 --> 00:25:22,020
method.

416
00:25:22,020 --> 00:25:26,900
So I want to use something that is fishing resistant if they are in admin or have a privileged

417
00:25:26,900 --> 00:25:28,620
role.

418
00:25:28,620 --> 00:25:33,020
And then there's the two fundamental policies that I believe every tenant should have,

419
00:25:33,020 --> 00:25:36,140
which is blocking device code flow and blocking legacy off.

420
00:25:36,140 --> 00:25:41,580
They are, they are known attack vectors that, you know, very sophisticated nation state,

421
00:25:41,580 --> 00:25:46,140
you know, organizations have attacked and have been, you know, instrumental in gaining access

422
00:25:46,140 --> 00:25:48,900
to the organization's time in time again.

423
00:25:48,900 --> 00:25:54,180
And then I do a two gated process for allowed countries.

424
00:25:54,180 --> 00:26:00,140
And I recommend those for every, every person because the idea is I, if you do one block country

425
00:26:00,140 --> 00:26:06,100
policy inevitably what happens is humans and humans travel.

426
00:26:06,100 --> 00:26:10,540
And then what we do is we say, cool, I'm going to put them as an exclusion because they're

427
00:26:10,540 --> 00:26:11,540
traveling.

428
00:26:11,540 --> 00:26:12,540
And it's like, cool.

429
00:26:12,540 --> 00:26:17,500
Well, now that Bob's in the Bahamas, you just allowed him in from Russia and his account

430
00:26:17,500 --> 00:26:21,660
gets compromised in the Bahamas and he's now accessing everything from Russia.

431
00:26:21,660 --> 00:26:25,900
So there's, there's a very deep dive on why I recommend the way, doing the policies, the

432
00:26:25,900 --> 00:26:31,420
way I do, but I, I highly believe in that concept of you, you have to be intentional on where

433
00:26:31,420 --> 00:26:35,500
people can access specifically on country codes, but understanding that countries aren't

434
00:26:35,500 --> 00:26:37,140
the end all be all right.

435
00:26:37,140 --> 00:26:42,260
Because those bad actors have access to a VPN and to Azure here in the US, right?

436
00:26:42,260 --> 00:26:47,420
But it is, it's kind of a fundamental thing of like, let's stop the low hanging fruit because

437
00:26:47,420 --> 00:26:49,340
it is a vector that people use.

438
00:26:49,340 --> 00:26:53,140
So those would be the six that I would say every company needs regardless of what they're

439
00:26:53,140 --> 00:26:54,140
doing.

440
00:26:54,140 --> 00:26:55,140
Awesome.

441
00:26:55,140 --> 00:26:56,140
Yeah.

442
00:26:56,140 --> 00:26:57,140
Yeah.

443
00:26:57,140 --> 00:26:58,140
Yeah.

444
00:26:58,140 --> 00:27:00,140
That's, that's so funny.

445
00:27:00,140 --> 00:27:03,140
What, what all happened?

446
00:27:03,140 --> 00:27:12,500
But the role of AI, when I look in the intro, for me, I say the co-pilot or AI, a staff looks

447
00:27:12,500 --> 00:27:18,540
more than the human than an application.

448
00:27:18,540 --> 00:27:25,220
Did you think, yeah, this is, yeah, I don't know.

449
00:27:25,220 --> 00:27:29,340
AI is a new vector for a text.

450
00:27:29,340 --> 00:27:30,340
Oh, 100%.

451
00:27:30,340 --> 00:27:32,820
Yeah, yeah, yeah, 100%.

452
00:27:32,820 --> 00:27:37,780
Well, there was actually, I wrote about this one and I'm trying to think what the session was.

453
00:27:37,780 --> 00:27:41,740
There was an amazing session at ignite this past year.

454
00:27:41,740 --> 00:27:42,740
I attended it.

455
00:27:42,740 --> 00:27:49,100
It was essentially the foundation of identity and it was two of the principal architects

456
00:27:49,100 --> 00:27:55,500
from Microsoft talking about how they fundamentally targeted identity inside the organization, right?

457
00:27:55,500 --> 00:27:59,180
One of the, one of the facts that I got from it, to actually two very interesting facts

458
00:27:59,180 --> 00:28:00,700
I got from it.

459
00:28:00,700 --> 00:28:05,500
One was that they were, you know, their entire organization is kind of all in on past keys,

460
00:28:05,500 --> 00:28:06,500
right?

461
00:28:06,500 --> 00:28:07,900
So they're, they're, they're using past keys.

462
00:28:07,900 --> 00:28:11,420
They're, they're eating their own dog food, drinking their own champagne internally.

463
00:28:11,420 --> 00:28:13,060
I think that's amazing.

464
00:28:13,060 --> 00:28:17,780
The other, the other thing was the fact that it was shown on one of the screens that according

465
00:28:17,780 --> 00:28:22,820
to their, you know, data, and I believe they, they, they make this in the digital defense

466
00:28:22,820 --> 00:28:28,580
playbook, is that they're only 80% of administrative level accounts are protected with the

467
00:28:28,580 --> 00:28:29,580
method.

468
00:28:29,580 --> 00:28:31,980
There's a 20% of organization.

469
00:28:31,980 --> 00:28:36,460
And if you look at, if you look at the landscape of what Microsoft sees, that's a lot of companies

470
00:28:36,460 --> 00:28:37,460
out there.

471
00:28:37,460 --> 00:28:41,580
20% is a lot of privileged roles that they're seen without MFA on it.

472
00:28:41,580 --> 00:28:44,220
So if you're one of those companies, please go get it.

473
00:28:44,220 --> 00:28:46,140
They enabled for those account.

474
00:28:46,140 --> 00:28:51,220
But what the, the point of that conversation, the point of that whole session is the idea

475
00:28:51,220 --> 00:28:54,700
of we have to empower AI for good, right?

476
00:28:54,700 --> 00:28:57,100
AI can be used for, for negative things.

477
00:28:57,100 --> 00:29:02,260
It can be used to, to figure out how to, you know, compromise an identity, move louder

478
00:29:02,260 --> 00:29:04,460
really within an organization.

479
00:29:04,460 --> 00:29:08,220
But the idea is that we need to leverage AI for good.

480
00:29:08,220 --> 00:29:12,380
And I believe what they're trying to do with security co-pilot.

481
00:29:12,380 --> 00:29:13,460
I tested this.

482
00:29:13,460 --> 00:29:17,220
Be careful with that, with that tool.

483
00:29:17,220 --> 00:29:19,980
But yeah, the idea is it's good, right?

484
00:29:19,980 --> 00:29:23,700
Humans make mistakes all the time.

485
00:29:23,700 --> 00:29:24,700
We, we click a button.

486
00:29:24,700 --> 00:29:26,500
We think we have it exactly the same way.

487
00:29:26,500 --> 00:29:30,660
And then we go and try to do it 10 more times and each one looks a little different.

488
00:29:30,660 --> 00:29:37,060
And that's the idea of using AI and automation is to create a standard configuration and

489
00:29:37,060 --> 00:29:40,940
then be able to do that very continuously across each environment, right?

490
00:29:40,940 --> 00:29:43,740
For, for my space, the MSP space where I came from, right?

491
00:29:43,740 --> 00:29:46,020
Remain as you know, 120 different clients.

492
00:29:46,020 --> 00:29:52,340
So you start, you take 10 to 12 conditional access policies across 120 tenants.

493
00:29:52,340 --> 00:29:57,900
There is an exponential amount of errors that can be created if you're manually doing that.

494
00:29:57,900 --> 00:30:04,540
So that's, that's the idea of how AI comes in and it really helps to make it more efficient,

495
00:30:04,540 --> 00:30:09,180
but also catch those, those hidden mistakes that we sometimes overlook as humans.

496
00:30:09,180 --> 00:30:10,180
So yeah.

497
00:30:10,180 --> 00:30:19,900
Well, when I often see that organization separate Azure security from identity security, yeah,

498
00:30:19,900 --> 00:30:23,780
there are, say, interconnected, really interconnected.

499
00:30:23,780 --> 00:30:32,300
But why, why did companies have these kind of thinking, what, what your perspective on this?

500
00:30:32,300 --> 00:30:36,700
So I, you know, it's, it's different across organizations.

501
00:30:36,700 --> 00:30:40,780
I think the mindset of what you're, what you're getting to there fundamentally is an enterprise

502
00:30:40,780 --> 00:30:45,700
mindset of, you know, separation of roles, kind of separation of duties that exists within

503
00:30:45,700 --> 00:30:47,100
an organization.

504
00:30:47,100 --> 00:30:49,980
So I think the idea of like you have your infrastructure team, right?

505
00:30:49,980 --> 00:30:51,300
That's the Azure side.

506
00:30:51,300 --> 00:30:55,820
Their, their primary responsibility is looking at Azure infrastructure in SGs, you know, the

507
00:30:55,820 --> 00:31:01,340
VNet, making sure all these rules are optimized and, and working effectively.

508
00:31:01,340 --> 00:31:06,020
But that is, and I, I will die on this hill that there is a, there is a massive need for

509
00:31:06,020 --> 00:31:10,940
these teams to come together to, to talk and be more efficient.

510
00:31:10,940 --> 00:31:17,020
The, the new introduction of this cloud connected world, these silos can't continue to exist.

511
00:31:17,020 --> 00:31:21,500
And, and there's been some really good conversations, you know, Merrill Fernando on, you know, on

512
00:31:21,500 --> 00:31:25,140
interchette, had a great conversation about this, you know, because he's had a lot of time

513
00:31:25,140 --> 00:31:27,420
and work on the Zero Trust Assessment.

514
00:31:27,420 --> 00:31:33,540
And the idea is like these teams have to come together because it can't continue to be silo.

515
00:31:33,540 --> 00:31:35,700
And, and there's a huge overlap.

516
00:31:35,700 --> 00:31:40,380
And there's a reason why I specifically talk about the, the fundamental role that Azure

517
00:31:40,380 --> 00:31:42,580
plays an identity.

518
00:31:42,580 --> 00:31:49,140
Um, it is far as how those two coexist and I mean, any identity admin who's ever tried to

519
00:31:49,140 --> 00:31:54,540
go figure out what's going on in, in a, you know, whether it's conditional access or just

520
00:31:54,540 --> 00:31:59,180
looking through logs should understand the hardship of doing that manually, right?

521
00:31:59,180 --> 00:32:04,180
And so the idea is if you have Azure infrastructure, you can set up log analytics workspace.

522
00:32:04,180 --> 00:32:06,620
You can set up Sentinel around those workspaces, right?

523
00:32:06,620 --> 00:32:08,860
There's, there's huge opportunities there.

524
00:32:08,860 --> 00:32:14,740
I specifically coming from the Azure side built tons of KQL queries and tons of, tons

525
00:32:14,740 --> 00:32:20,820
of quick ways to check for specific logs and that completely changed the way on how I did

526
00:32:20,820 --> 00:32:23,060
conditional access rollouts.

527
00:32:23,060 --> 00:32:24,820
So, and a lot of people don't, they don't know that.

528
00:32:24,820 --> 00:32:29,900
They don't know about these built in KQL workbooks that exist in Azure that help you deploy

529
00:32:29,900 --> 00:32:32,260
out conditional access for identity.

530
00:32:32,260 --> 00:32:33,260
Yeah.

531
00:32:33,260 --> 00:32:37,500
Um, I think Zero Trust plays, um, yeah.

532
00:32:37,500 --> 00:32:39,500
It's, it's so important topic.

533
00:32:39,500 --> 00:32:46,660
A lot of people hadn't lived a little bit like, yeah, I don't know, like the, uh, thin foil

534
00:32:46,660 --> 00:32:55,860
heads guys, uh, but yeah, what roles plays Zero Trust for you in an Azure architecture?

535
00:32:55,860 --> 00:32:59,340
What roles plays you're trusting in Azure architecture for me?

536
00:32:59,340 --> 00:33:03,740
Um, so me, I want to make sure I, I, I break down that question correctly, right?

537
00:33:03,740 --> 00:33:10,760
I mean, inevitably the, the idea there is just ensuring that, you know, you don't have

538
00:33:10,760 --> 00:33:12,000
master owner roles.

539
00:33:12,000 --> 00:33:18,600
So like when I was deploying out Azure infrastructure, I used by said, I was very explicit on who

540
00:33:18,600 --> 00:33:20,500
had the owner role.

541
00:33:20,500 --> 00:33:23,540
And the idea there is no one gets an owner role, right?

542
00:33:23,540 --> 00:33:28,340
Like other than, you know, me as the, to your point, you have to have someone that owns

543
00:33:28,340 --> 00:33:29,340
it, right?

544
00:33:29,340 --> 00:33:31,780
Who is the responsible party for the organization?

545
00:33:31,780 --> 00:33:35,260
Outside of that, the network, we need to start to minimize what they have and the whole idea

546
00:33:35,260 --> 00:33:38,500
of Zero Trust is, well, if you're just working on the network side of things, then this is

547
00:33:38,500 --> 00:33:39,700
what you need access to.

548
00:33:39,700 --> 00:33:43,740
These are the redeemable roles that you can leverage to then do that.

549
00:33:43,740 --> 00:33:47,380
But I don't want you messing with the Azure files over here, right?

550
00:33:47,380 --> 00:33:51,620
There's always an interconnection between the teams and the roles that are needed, but

551
00:33:51,620 --> 00:33:54,660
the idea is kind of controlling that blast radius, right?

552
00:33:54,660 --> 00:33:58,660
Like if you compromise the identity, but you don't have access to the SharePoint data

553
00:33:58,660 --> 00:34:01,060
that you want, you've contained it, right?

554
00:34:01,060 --> 00:34:07,260
Because you've given your team time back to get in and do the things necessary to remediate

555
00:34:07,260 --> 00:34:11,780
the issue and then fix it before any damage is done before this files are maybe, you know,

556
00:34:11,780 --> 00:34:17,500
corrupted or deleted maliciously before data is exultated and you got to go to a governing

557
00:34:17,500 --> 00:34:22,500
organization and, you know, tell them that there was a data breach in your organization.

558
00:34:22,500 --> 00:34:23,500
That's the whole idea.

559
00:34:23,500 --> 00:34:25,020
And the same thing exists within Azure.

560
00:34:25,020 --> 00:34:29,380
We've got to make sure that we're controlling who has access and then building automation

561
00:34:29,380 --> 00:34:31,380
to alert.

562
00:34:31,380 --> 00:34:34,820
Like I did extensive automation around break glass accounts.

563
00:34:34,820 --> 00:34:39,140
If a break glass account was used, if someone sneezed and they were even thinking of logging

564
00:34:39,140 --> 00:34:41,580
in with the break glass account, I wanted to get notified on it.

565
00:34:41,580 --> 00:34:46,380
Like I knew every time a break glass account was logged in, I had multiple alerts coming

566
00:34:46,380 --> 00:34:47,380
from anything.

567
00:34:47,380 --> 00:34:51,260
And depending on, you know, I had an alert that was like, if the break glass account is

568
00:34:51,260 --> 00:34:56,380
used outside of a country, like outside of my, you know, respected country, let me know.

569
00:34:56,380 --> 00:35:00,460
And then it immediately high critical alert started flashing bells.

570
00:35:00,460 --> 00:35:03,260
You know, I didn't have a siren in the office, but if I did it would have, I would have

571
00:35:03,260 --> 00:35:08,580
figured an automation flow to like, a sound the alarm on the siren like it would, it was,

572
00:35:08,580 --> 00:35:11,380
you know, it was obvious what was going on.

573
00:35:11,380 --> 00:35:12,380
Yeah, awesome.

574
00:35:12,380 --> 00:35:20,540
You said you said by said, so, yeah, let me have to talk about the infrastructure as code.

575
00:35:20,540 --> 00:35:23,620
Oh, yes.

576
00:35:23,620 --> 00:35:24,620
Let me tell you that.

577
00:35:24,620 --> 00:35:32,460
How does for you, for your perspective, I see you are in infrastructure, just codes, improve

578
00:35:32,460 --> 00:35:33,860
security outcomes.

579
00:35:33,860 --> 00:35:34,860
Oh, my God.

580
00:35:34,860 --> 00:35:36,620
It's, it's everything.

581
00:35:36,620 --> 00:35:42,060
So, you know, let me, let me give you a little bit of backstory on why I got to that point.

582
00:35:42,060 --> 00:35:45,500
So I was given a mandate by my previous organization.

583
00:35:45,500 --> 00:35:50,620
I worked at, I needed to move every client that we had hosted in a data center into Azure.

584
00:35:50,620 --> 00:35:52,820
I was very new into Azure architecture.

585
00:35:52,820 --> 00:35:54,900
I was, you know, an A.V.D. specialist.

586
00:35:54,900 --> 00:35:56,340
I had already gotten a cert for that.

587
00:35:56,340 --> 00:36:01,620
I was in my Azure admin days working on the 104 and what I was doing is I was building

588
00:36:01,620 --> 00:36:04,460
out the first client into Azure.

589
00:36:04,460 --> 00:36:09,580
So I am a stickler for if it's not documented, it doesn't exist.

590
00:36:09,580 --> 00:36:14,380
Like if you can't document exactly what you're doing, then the standardization doesn't

591
00:36:14,380 --> 00:36:15,380
exist, right?

592
00:36:15,380 --> 00:36:19,180
I have to be able to document every step of what I'm doing so that I can come back and

593
00:36:19,180 --> 00:36:20,940
repeat said steps.

594
00:36:20,940 --> 00:36:25,220
So if you look, there's actually a, I have a legacy document I bill that I haven't made

595
00:36:25,220 --> 00:36:27,540
public, but I have this document.

596
00:36:27,540 --> 00:36:34,300
It's about 120 some paintings and it's every step that I took in the portal to deploy out

597
00:36:34,300 --> 00:36:38,540
the Azure infrastructure from how the NSG got created to how the Azure file shares were

598
00:36:38,540 --> 00:36:40,620
created to each individual settings.

599
00:36:40,620 --> 00:36:43,740
I had screenshots of all the settings.

600
00:36:43,740 --> 00:36:48,340
I had the private endpoint connection to the Azure file share so they connect correctly

601
00:36:48,340 --> 00:36:50,260
from on print.

602
00:36:50,260 --> 00:36:56,740
I then went back to the beginning of the document and I tried to do it for the next client.

603
00:36:56,740 --> 00:36:57,740
Everything changed.

604
00:36:57,740 --> 00:37:04,980
The speed and the rate at which Microsoft is changing the interface is so fast that there

605
00:37:04,980 --> 00:37:08,140
is no amount of documentation that can keep up with it.

606
00:37:08,140 --> 00:37:12,500
And it was in that moment when I had to start that second project that I said, this is un,

607
00:37:12,500 --> 00:37:13,500
this is unitatable.

608
00:37:13,500 --> 00:37:18,740
I will not be able to maintain this document and this stay relevant long term.

609
00:37:18,740 --> 00:37:22,020
And so when that realization happened, I did two things.

610
00:37:22,020 --> 00:37:25,500
I started looking at Terraform and I started looking at Pysa.

611
00:37:25,500 --> 00:37:26,740
I looked at Terraform.

612
00:37:26,740 --> 00:37:27,820
I liked Terraform.

613
00:37:27,820 --> 00:37:33,100
I didn't love all the requirements around Terraform and some of the, some of the files that

614
00:37:33,100 --> 00:37:34,740
you had to, had to leverage.

615
00:37:34,740 --> 00:37:37,900
And I really took a hard look at, okay, what's my objective here?

616
00:37:37,900 --> 00:37:43,380
And my objective was not necessarily to interconnect with other clouds and not to

617
00:37:43,380 --> 00:37:46,380
necessarily maintain anything on premise.

618
00:37:46,380 --> 00:37:50,980
So I said, I feel like I'm kind of making it harder by looking at Terraform.

619
00:37:50,980 --> 00:37:53,100
Not that I've talked to a ton of Terraform developers.

620
00:37:53,100 --> 00:37:54,820
It's an amazing product.

621
00:37:54,820 --> 00:37:56,300
Highly recommend it.

622
00:37:56,300 --> 00:38:01,100
But then I started looking at Bicep and I go, okay, well, what the heck is this Bicep thing?

623
00:38:01,100 --> 00:38:07,180
It's a native DSL, so it's a domain specific language that integrates into Azure.

624
00:38:07,180 --> 00:38:12,860
The underlying, the underlying protocol of ARM Azure Resource Manager is JSON.

625
00:38:12,860 --> 00:38:17,340
And the idea is JSON is extremely complex to look at.

626
00:38:17,340 --> 00:38:19,420
It's extremely complex to modify.

627
00:38:19,420 --> 00:38:23,220
But then you look at something like Bicep, extremely intuitive, very friendly.

628
00:38:23,220 --> 00:38:25,580
Hey, create a resource, resource storage account.

629
00:38:25,580 --> 00:38:27,420
I want it to have these properties.

630
00:38:27,420 --> 00:38:28,420
So started digging in.

631
00:38:28,420 --> 00:38:30,340
I watched all kinds of videos.

632
00:38:30,340 --> 00:38:32,780
I started learning from other developers.

633
00:38:32,780 --> 00:38:39,580
And I was able to build a zero trust-ish architecture, right?

634
00:38:39,580 --> 00:38:42,580
Within Azure, I was able to create custom Azure policies, right?

635
00:38:42,580 --> 00:38:47,060
A lot of people overlook that, but Azure has amazing guardrails built in through the Azure

636
00:38:47,060 --> 00:38:48,460
policy mechanism.

637
00:38:48,460 --> 00:38:51,820
I was able to build all of that out with Bicep.

638
00:38:51,820 --> 00:38:55,500
And I went through it one time and I deployed an entire infrastructure.

639
00:38:55,500 --> 00:39:00,860
What would have taken me three days was dropped down to about a four to six hour time period.

640
00:39:00,860 --> 00:39:02,740
And I was like, oh, this is it.

641
00:39:02,740 --> 00:39:07,460
This is the whole point of what Azure is trying to do, right?

642
00:39:07,460 --> 00:39:10,660
They really don't want you necessarily in the interface.

643
00:39:10,660 --> 00:39:13,700
They have to provide a UI in the interface.

644
00:39:13,700 --> 00:39:17,620
But at the end of the day, those APIs stay the same.

645
00:39:17,620 --> 00:39:19,180
A lot of them are very similar.

646
00:39:19,180 --> 00:39:21,060
Now they may add functionality into it.

647
00:39:21,060 --> 00:39:24,740
And that's why you got to get up to date on what new APIs are available.

648
00:39:24,740 --> 00:39:27,820
What within the Bicep code you can actually modify.

649
00:39:27,820 --> 00:39:32,380
But I have an entire infrastructure built out in Bicep.

650
00:39:32,380 --> 00:39:37,580
As infrastructure as code, I can go deploy that today and it still works the same way.

651
00:39:37,580 --> 00:39:44,580
So that is the idea you take a standard configuration and you're able to replicate it effectively across

652
00:39:44,580 --> 00:39:45,580
every tenant.

653
00:39:45,580 --> 00:39:48,340
I did this for tenant after tenant as I moved them.

654
00:39:48,340 --> 00:39:49,340
I just took it.

655
00:39:49,340 --> 00:39:51,420
I had an entire AVD build out.

656
00:39:51,420 --> 00:39:54,060
So everything was built out in Bicep code.

657
00:39:54,060 --> 00:39:56,540
Everything custom script, it would call a custom script.

658
00:39:56,540 --> 00:39:59,820
It would join it to a domain because you're probably doing hybrid at the time.

659
00:39:59,820 --> 00:40:03,860
All of that stuff was just built in and it was the same across every deployment I did.

660
00:40:03,860 --> 00:40:09,620
The naming conventions, the regions, the policies as far as locking it down right.

661
00:40:09,620 --> 00:40:11,980
Like that's one of those vectors you have to look at.

662
00:40:11,980 --> 00:40:16,100
If you leave Azure open up to the world, people are going to come in.

663
00:40:16,100 --> 00:40:17,780
They're going to start crypto mining on your dime.

664
00:40:17,780 --> 00:40:22,260
They're going to build some N-series VMs and just say cool, let me have at it.

665
00:40:22,260 --> 00:40:28,020
The idea is, if you're not deploying N-series VMs that need this intense GPU functionality,

666
00:40:28,020 --> 00:40:29,020
don't deploy them.

667
00:40:29,020 --> 00:40:32,780
Put a gate in, put an Azure policy in place that eliminates their ability to even do

668
00:40:32,780 --> 00:40:33,780
that.

669
00:40:33,780 --> 00:40:39,860
So, yeah, that's long-winded, but there's a story there.

670
00:40:39,860 --> 00:40:51,540
So we can say PowerShell is what's actually for managing automated tasks and then Bicep

671
00:40:51,540 --> 00:40:54,260
is then for deploying Azure resources.

672
00:40:54,260 --> 00:40:57,940
Yeah, but it's a desired state configuration protocol, right?

673
00:40:57,940 --> 00:41:03,020
Meaning that, so two things that Bicep has are desired state and idempotent.

674
00:41:03,020 --> 00:41:08,340
So it can be rerun again and again and do the exact same task.

675
00:41:08,340 --> 00:41:09,860
Whereas PowerShell, right?

676
00:41:09,860 --> 00:41:11,860
PowerShell is like, you have to tell it where to go.

677
00:41:11,860 --> 00:41:14,420
And if it hits an issue, it kind of just stops.

678
00:41:14,420 --> 00:41:17,220
It's like telling someone how to get from point A to point B.

679
00:41:17,220 --> 00:41:20,980
There may be three different ways you can get from point A to point B.

680
00:41:20,980 --> 00:41:23,500
Bicep's just like, I don't care the direction you take.

681
00:41:23,500 --> 00:41:27,380
I just want the end state, the desired state to look like this.

682
00:41:27,380 --> 00:41:31,580
And that's what Bicep does really effectively is it provides what the end state should look

683
00:41:31,580 --> 00:41:35,420
like and it can be continuously run and evaluated.

684
00:41:35,420 --> 00:41:36,740
Does the end state still match this?

685
00:41:36,740 --> 00:41:39,420
If someone makes a change, nope, revert it right back.

686
00:41:39,420 --> 00:41:41,260
The end state should look like this.

687
00:41:41,260 --> 00:41:42,260
And that's the idea.

688
00:41:42,260 --> 00:41:45,660
That's how it standardizes that configuration, which inevitably if you standardize your

689
00:41:45,660 --> 00:41:51,620
configuration, security is going to improve from that methodology.

690
00:41:51,620 --> 00:42:01,100
And how does Bicep fit in, how good is Bicep when we talk about

691
00:42:01,100 --> 00:42:03,980
version control?

692
00:42:03,980 --> 00:42:06,420
Bicep, when we talk about version control.

693
00:42:06,420 --> 00:42:13,100
So as far as version control, I would say that a lot of the Bicep is going to depend

694
00:42:13,100 --> 00:42:14,100
on you.

695
00:42:14,100 --> 00:42:21,220
So as far as version control, a lot of what we handled was within our DevOps repo environment,

696
00:42:21,220 --> 00:42:23,860
Markdown was a great way to keep track of notes.

697
00:42:23,860 --> 00:42:30,700
I will say, version control, you can go in and because it's using Git as the underlying

698
00:42:30,700 --> 00:42:31,700
engine, right?

699
00:42:31,700 --> 00:42:35,460
Like, if you're probably using Git for that, I would hope it's stored in something like

700
00:42:35,460 --> 00:42:40,660
GitHub or within Azure DevOps, you can constantly see any of the versions that were created

701
00:42:40,660 --> 00:42:44,700
previously and the modifications that were made inside the actual code that you're

702
00:42:44,700 --> 00:42:45,700
leveraging.

703
00:42:45,700 --> 00:42:50,620
But just like I said, you know, if you can't document it, I still believe there is a case

704
00:42:50,620 --> 00:42:55,220
for extreme documentation.

705
00:42:55,220 --> 00:43:00,980
You should be very aware of any context that is needed outside of it.

706
00:43:00,980 --> 00:43:04,700
You know, not everyone is using Bicep with the CI/CD pipeline, right?

707
00:43:04,700 --> 00:43:09,300
Like, hopefully some of it you are automating with the CI/CD pipeline, but at the end of

708
00:43:09,300 --> 00:43:11,220
the day, Bicep can be used very manually.

709
00:43:11,220 --> 00:43:17,140
You can build a Bicep file and manually deploy it and it still does ABC just like you want.

710
00:43:17,140 --> 00:43:21,620
So the idea is using something like Markdown to help document any context that's needed

711
00:43:21,620 --> 00:43:22,620
around the Bicep.

712
00:43:22,620 --> 00:43:26,460
At the end of the day all the versioning is maintained within the Git repos that you're hopefully storing

713
00:43:26,460 --> 00:43:30,060
your Bicep files in.

714
00:43:30,060 --> 00:43:36,460
And how do you convince traditional infrastructure teams to adopt infrastructure as code?

715
00:43:36,460 --> 00:43:39,940
That's a great question, right?

716
00:43:39,940 --> 00:43:44,740
You know, I feel like the answer is always it depends on technology, right?

717
00:43:44,740 --> 00:43:48,540
Like, legacy infrastructure teams, you got the guys that just want to sit in front of

718
00:43:48,540 --> 00:43:50,460
the server and do the manual steps, right?

719
00:43:50,460 --> 00:43:51,780
So that's going to be a harder sell.

720
00:43:51,780 --> 00:43:54,220
But then you got the guys that are like, no, I don't want to do that.

721
00:43:54,220 --> 00:43:55,420
I want to save time, right?

722
00:43:55,420 --> 00:43:57,140
So they're building PowerShell scripts.

723
00:43:57,140 --> 00:44:00,980
So I think for those PowerShell gurus, it's an easy sell, right?

724
00:44:00,980 --> 00:44:04,860
What if I told you there was PowerShell, but even more verbose and you didn't have to

725
00:44:04,860 --> 00:44:06,380
be as explicit?

726
00:44:06,380 --> 00:44:08,020
I think it's an easy sell, right?

727
00:44:08,020 --> 00:44:13,340
Let's start seeing how we can use those same automation capabilities to maintain that

728
00:44:13,340 --> 00:44:15,700
adherence to the security configuration.

729
00:44:15,700 --> 00:44:23,180
Now as far as the people that aren't necessarily looking at infrastructure as code, I would say

730
00:44:23,180 --> 00:44:25,380
that it is time to start looking at that, right?

731
00:44:25,380 --> 00:44:28,580
That's going to be a harder sell because there are people who just get scared by the fact

732
00:44:28,580 --> 00:44:31,180
of automation and things of that nature.

733
00:44:31,180 --> 00:44:36,020
But I think when you look at what AI is doing in the industry and where the industry is

734
00:44:36,020 --> 00:44:40,500
going, it's going to become more and more pertinent that every organization is looking at

735
00:44:40,500 --> 00:44:42,820
infrastructure as code.

736
00:44:42,820 --> 00:44:46,340
You know, that is what AI is doing at the end of the day, right?

737
00:44:46,340 --> 00:44:51,380
And like use the tools, if you look at some of the new Microsoft models, they have M.A.I.

738
00:44:51,380 --> 00:44:52,940
1.1 code, right?

739
00:44:52,940 --> 00:44:54,620
Like it's a coding model.

740
00:44:54,620 --> 00:45:02,740
It's, we're trying to demystify how hard coding is and break it down into, hey, what is

741
00:45:02,740 --> 00:45:03,740
it that you want to do?

742
00:45:03,740 --> 00:45:04,740
Tell me what you're trying to do.

743
00:45:04,740 --> 00:45:07,220
I'll build you the script to do that, right?

744
00:45:07,220 --> 00:45:08,220
And so that is the idea.

745
00:45:08,220 --> 00:45:12,180
I think that's really where the conversation is going to lead to is like, it's not something

746
00:45:12,180 --> 00:45:13,900
to be afraid of.

747
00:45:13,900 --> 00:45:18,180
It's something that we have to embrace to become more efficient as an organization.

748
00:45:18,180 --> 00:45:26,340
That is also, I think, not a really new topic, but, yeah, a lot of people are now talking

749
00:45:26,340 --> 00:45:28,900
about policy as code.

750
00:45:28,900 --> 00:45:35,620
Can you explain a little bit what it is and how it fits into a broader governance picture?

751
00:45:35,620 --> 00:45:38,020
I can definitely take a stab at it.

752
00:45:38,020 --> 00:45:40,820
I mean, so if I look at policy as code, right?

753
00:45:40,820 --> 00:45:46,500
I mean, I have a ton of things that exist within that policy as code around the organization

754
00:45:46,500 --> 00:45:47,900
I work for in Forcer, right?

755
00:45:47,900 --> 00:45:49,500
That we are kind of policy as code.

756
00:45:49,500 --> 00:45:52,580
We are a wrapper on top of the Graph API.

757
00:45:52,580 --> 00:45:56,900
So the idea is if you look at identity specifically, right?

758
00:45:56,900 --> 00:46:00,900
Conditional access as code, you know, it's, there's Graph APIs.

759
00:46:00,900 --> 00:46:06,300
There's things that wrap around it to be able to then bring that into a consistent manner.

760
00:46:06,300 --> 00:46:07,660
And that's one of the things we try to do.

761
00:46:07,660 --> 00:46:09,740
If you look at Azure as code, right?

762
00:46:09,740 --> 00:46:11,660
I talked about Azure policy.

763
00:46:11,660 --> 00:46:15,020
It's one thing that gets overlooked completely, but it shouldn't, right?

764
00:46:15,020 --> 00:46:18,460
From a governance and a compliance standpoint, you know, one of the, one of the policies

765
00:46:18,460 --> 00:46:21,540
that I built out is I worked with a lot of medical companies.

766
00:46:21,540 --> 00:46:28,100
So we had to look at, if you look at Azure, there's a 476 HIPAA, you know, high, a, a, a

767
00:46:28,100 --> 00:46:31,700
line policy for governance of HIPAA organizations.

768
00:46:31,700 --> 00:46:33,980
So now I'm going to be honest.

769
00:46:33,980 --> 00:46:36,300
I looked through all 470 of those.

770
00:46:36,300 --> 00:46:37,620
There's a lot.

771
00:46:37,620 --> 00:46:43,100
There's some that are processes and procedures when it comes to the medical space, a lot of

772
00:46:43,100 --> 00:46:48,100
it relies on processes and procedures and how you're doing things as the human identity

773
00:46:48,100 --> 00:46:49,940
inside the organization.

774
00:46:49,940 --> 00:46:52,620
There are technical things that there's auditing capabilities.

775
00:46:52,620 --> 00:46:56,380
You know, you have to be able to go back at any point in time and pull the logs and look

776
00:46:56,380 --> 00:46:59,060
at, okay, did they have access from this, right?

777
00:46:59,060 --> 00:47:03,380
So did your NSGs or did your vNets have logging enabled on them?

778
00:47:03,380 --> 00:47:05,660
Did your storage accounts have logging enabled on them?

779
00:47:05,660 --> 00:47:07,140
All of that is critical.

780
00:47:07,140 --> 00:47:12,220
And that kind of ties into the full concept and the full picture of why Bicep as code,

781
00:47:12,220 --> 00:47:16,820
or policy as code, is such an important concept because in order to enforce those policies,

782
00:47:16,820 --> 00:47:19,780
you have to have those configurations set.

783
00:47:19,780 --> 00:47:24,460
So the policy has to ensure that there's a technical prerequisite that's being met.

784
00:47:24,460 --> 00:47:25,460
Okay, cool.

785
00:47:25,460 --> 00:47:28,100
Our policy is to ensure that we have logging for eight months.

786
00:47:28,100 --> 00:47:29,100
Cool.

787
00:47:29,100 --> 00:47:32,340
There's a technical configuration that has to be in place to ensure that logging is being

788
00:47:32,340 --> 00:47:33,340
held.

789
00:47:33,340 --> 00:47:38,260
We need a fail-safe loop that goes back and says, cool, do we have those configurations

790
00:47:38,260 --> 00:47:40,780
in place and is the policy correct?

791
00:47:40,780 --> 00:47:41,780
Awesome.

792
00:47:41,780 --> 00:47:45,060
And at the end of the day, who's the human that's accountable for all of that, right?

793
00:47:45,060 --> 00:47:48,340
And that's who the owner of said governance needs to be.

794
00:47:48,340 --> 00:47:56,460
Yeah, I think a lot of companies have these, I don't know, misconception.

795
00:47:56,460 --> 00:47:59,500
We are, yeah, we are compliant.

796
00:47:59,500 --> 00:48:00,580
We have policies.

797
00:48:00,580 --> 00:48:02,580
So we are secure.

798
00:48:02,580 --> 00:48:10,820
Yeah, but we also have to do, I think, another podcast where we talk about HIPAA and healthcare,

799
00:48:10,820 --> 00:48:13,220
I think it's also an interesting topic.

800
00:48:13,220 --> 00:48:15,460
I came from for Mittek.

801
00:48:15,460 --> 00:48:18,580
I have worked years in Mittek.

802
00:48:18,580 --> 00:48:26,740
So this is really, really, yeah, assumption yes, I don't know, remove them.

803
00:48:26,740 --> 00:48:31,860
Yeah, but yeah, let's, let's look a little bit in the future.

804
00:48:31,860 --> 00:48:32,860
Okay.

805
00:48:32,860 --> 00:48:36,940
And there it's, yeah, you are an MVP.

806
00:48:36,940 --> 00:48:42,700
So I think you were in Redmond on the MVP summit.

807
00:48:42,700 --> 00:48:46,500
So I just got my MVP status very recently.

808
00:48:46,500 --> 00:48:47,980
I missed the summit this year.

809
00:48:47,980 --> 00:48:50,900
My buddy, Louis Berry is also an MVP.

810
00:48:50,900 --> 00:48:51,900
He did go.

811
00:48:51,900 --> 00:48:55,780
So I, I heard about all the good times had and I've talked to a lot of the identity architects

812
00:48:55,780 --> 00:48:56,780
that were there.

813
00:48:56,780 --> 00:48:59,220
So I'm, I'm really excited for the next one.

814
00:48:59,220 --> 00:49:00,420
But yeah, I know, very new.

815
00:49:00,420 --> 00:49:04,500
I've been doing a lot in a space for a while, but very new to the MVP side of things.

816
00:49:04,500 --> 00:49:06,500
So I'm really excited to be here.

817
00:49:06,500 --> 00:49:08,740
Then, first of all, congratulations.

818
00:49:08,740 --> 00:49:09,740
Thank you.

819
00:49:09,740 --> 00:49:13,660
Yeah, yeah, yeah, that's really cool.

820
00:49:13,660 --> 00:49:16,300
And, but then, then it's, it's cool.

821
00:49:16,300 --> 00:49:23,700
So can you talk a little bit about what you see in the future in the Microsoft security

822
00:49:23,700 --> 00:49:27,620
roadmap and what excites you there most?

823
00:49:27,620 --> 00:49:28,620
Yeah.

824
00:49:28,620 --> 00:49:33,620
I, I'm going to be honest, the thing that excites me the most with Microsoft security these days

825
00:49:33,620 --> 00:49:40,700
is just how they're advancing conditional access and, and the idea of passkeys as a whole.

826
00:49:40,700 --> 00:49:43,260
I, I think Microsoft is doing a lot.

827
00:49:43,260 --> 00:49:47,540
I mean, if you look at the recent announcements over the past few months, right?

828
00:49:47,540 --> 00:49:52,100
You know, the, the SSPR, you know, instance that we talked about, they're, they're doing

829
00:49:52,100 --> 00:49:55,340
a lot around locking these things down.

830
00:49:55,340 --> 00:50:00,140
They're doing a lot around agents in general as far as bringing those agents and creating

831
00:50:00,140 --> 00:50:04,780
this frontier model where agents are able to connect into every aspect of what you're doing

832
00:50:04,780 --> 00:50:08,540
across the Microsoft stack and provide real time value back.

833
00:50:08,540 --> 00:50:14,260
So I look at, I look at what they're doing with the security copilot agent and then, you

834
00:50:14,260 --> 00:50:16,260
know, conditional access as a whole, right?

835
00:50:16,260 --> 00:50:17,980
Like there are issues.

836
00:50:17,980 --> 00:50:21,780
Every conditional access deployment is not pristine the way it exists, right?

837
00:50:21,780 --> 00:50:28,860
And so being able to use AI to evaluate it and then being able to use the AI to then provide

838
00:50:28,860 --> 00:50:32,060
responses back where someone can communicate easily, right?

839
00:50:32,060 --> 00:50:34,380
Do a chat agent and go, okay, we'll wait a second.

840
00:50:34,380 --> 00:50:36,740
Why is that policy not working correctly?

841
00:50:36,740 --> 00:50:39,020
And then be able to dig into the Microsoft side, right?

842
00:50:39,020 --> 00:50:42,260
If we look at some of the changes, app enforced restrictions have changed.

843
00:50:42,260 --> 00:50:46,660
If you look at recent updates, you know, there used to be, I, I did when I did conditional

844
00:50:46,660 --> 00:50:51,220
access, I would go check Fabian Bader's EntraScopes every time.

845
00:50:51,220 --> 00:50:54,660
There's some low level scopes that got removed by default.

846
00:50:54,660 --> 00:50:59,500
If you excluded any service principal, well, you know, Microsoft has made changes in that

847
00:50:59,500 --> 00:51:00,500
area.

848
00:51:00,500 --> 00:51:04,140
So now those four same low level scopes that would get excluded by default are no longer.

849
00:51:04,140 --> 00:51:06,940
That was an update as of March this past year.

850
00:51:06,940 --> 00:51:11,340
Microsoft is continuing to push the limits on what they are doing when it comes to identity

851
00:51:11,340 --> 00:51:13,100
security.

852
00:51:13,100 --> 00:51:20,020
Two of the things that, I guess, excite me the most are how much they are pushing

853
00:51:20,020 --> 00:51:24,100
the idea of passkeys and FIDO2 phishing-resistant authentication.

854
00:51:24,100 --> 00:51:29,100
If you look at over the past few months, right, the introduction of synced passkeys is an

855
00:51:29,100 --> 00:51:35,420
amazing way to start bridging the gap between technical requirements and usability from a

856
00:51:35,420 --> 00:51:36,900
human perspective, right?

857
00:51:36,900 --> 00:51:40,900
The idea of if I can go to someone, it doesn't make sense.

858
00:51:40,900 --> 00:51:44,300
If I show them how a passkey works, they're going to fall asleep, right?

859
00:51:44,300 --> 00:51:46,380
If I go, yeah, well, you just take your phone.

860
00:51:46,380 --> 00:51:52,460
You see on this QR code, there's AL3, AL3, you know, encryption authentication, PK, let

861
00:51:52,460 --> 00:51:54,460
me tell you how public and private keys work, right?

862
00:51:54,460 --> 00:51:56,340
They don't care how PKI works.

863
00:51:56,340 --> 00:51:59,060
What they care about is they like their iPhone.

864
00:51:59,060 --> 00:52:01,300
They like to scan their face and get in.

865
00:52:01,300 --> 00:52:05,900
So if I can explain to them, we can replicate that exact same behavior, whether it's a Mac

866
00:52:05,900 --> 00:52:06,900
or Windows device.

867
00:52:06,900 --> 00:52:10,540
We've got Windows Hello for Business, which is going to use that same phishing-resistant

868
00:52:10,540 --> 00:52:13,140
authentication, Macs with the platform.

869
00:52:13,140 --> 00:52:18,140
So using the secure enclave, touch ID, so you just click it and you're in your device,

870
00:52:18,140 --> 00:52:19,140
right?

871
00:52:19,140 --> 00:52:24,420
If they can get that same type of iPhone-like experience with all of their enterprise tools,

872
00:52:24,420 --> 00:52:31,380
it's a huge addition to being able to start to bring the average user into the ecosystem

873
00:52:31,380 --> 00:52:35,540
where phishing resistance becomes a tangible thing for a lot of people that otherwise wouldn't

874
00:52:35,540 --> 00:52:36,540
have adopted it.

875
00:52:36,540 --> 00:52:41,780
I think that's a huge point that I'm excited to see how it continues to advance.

876
00:52:41,780 --> 00:52:45,660
The new registration campaigns are pushing that and incentivizing that behavior, which I

877
00:52:45,660 --> 00:52:48,500
think is amazing for Microsoft's end.

878
00:52:48,500 --> 00:52:54,740
The other aspect is, while I have not gotten to play with it as much as I would have liked,

879
00:52:54,740 --> 00:52:59,620
is kind of a play on with the verified ID and then the account recovery process, right?

880
00:52:59,620 --> 00:53:07,340
That was a really cool implication or new technology that they added so that when you

881
00:53:07,340 --> 00:53:09,980
do get that new phone, you're not necessarily done.

882
00:53:09,980 --> 00:53:13,180
You don't have synced passkeys, but you have account recovery.

883
00:53:13,180 --> 00:53:16,580
So now if you get that new phone, you lose your phone, whatever the case may be, you can

884
00:53:16,580 --> 00:53:17,580
go in.

885
00:53:17,580 --> 00:53:22,820
If your organization has this setup, you can use another identity provider to go, "Okay,

886
00:53:22,820 --> 00:53:24,900
nope, yep, I see your government issued ID.

887
00:53:24,900 --> 00:53:25,900
That is you.

888
00:53:25,900 --> 00:53:26,900
Okay, cool.

889
00:53:26,900 --> 00:53:28,420
I'm going to generate a TAP for you.

890
00:53:28,420 --> 00:53:32,300
You're going to use that TAP to then bootstrap the process into getting your new phishing

891
00:53:32,300 --> 00:53:33,900
resistant credential setup.

892
00:53:33,900 --> 00:53:35,460
You never had to contact the help desk.

893
00:53:35,460 --> 00:53:37,020
You never had to get any of that done."

894
00:53:37,020 --> 00:53:40,740
That one's super exciting.

895
00:53:40,740 --> 00:53:43,140
The problem is I don't have a third party provider right now set up in my tenant because

896
00:53:43,140 --> 00:53:47,100
I'm broke and everybody, one is a real thing.

897
00:53:47,100 --> 00:53:51,660
I do need to get that going so I can do some testing there, but yeah.

898
00:53:51,660 --> 00:53:59,940
Yeah, a while, I think, two weeks, three weeks, I have started the synthetic market and it's

899
00:53:59,940 --> 00:54:09,500
around, and it's, I think, 1,300 companies between one and 1,000 users and it's run from

900
00:54:09,500 --> 00:54:18,340
the, I call it, I was the name, the gold standard, all Azure information and it's now, it's

901
00:54:18,340 --> 00:54:24,540
placed different characters or different employees and then it's learnt where security

902
00:54:24,540 --> 00:54:26,500
issues come from.

903
00:54:26,500 --> 00:54:28,580
That's what a really, really fun project.

904
00:54:28,580 --> 00:54:29,580
That's awesome.

905
00:54:29,580 --> 00:54:36,180
I got some 150,000 Azure credits for free so I can check that out.

906
00:54:36,180 --> 00:54:37,180
Oh man.

907
00:54:37,180 --> 00:54:38,180
That's awesome.

908
00:54:38,180 --> 00:54:40,340
That was really fun.

909
00:54:40,340 --> 00:54:48,180
Yeah, but that's really interesting and I think that comes a lot of new stuff and yeah.

910
00:54:48,180 --> 00:54:53,220
So yeah, let's just jump in the quick fire round.

911
00:54:53,220 --> 00:54:57,300
I say some things and you say what's come first on your mind.

912
00:54:57,300 --> 00:55:06,140
So passwords versus passkeys? Passkeys. Azure Policy or Conditional Access? Oh, Conditional

913
00:55:06,140 --> 00:55:13,020
Access all day. Security or productivity? Security.

914
00:55:13,020 --> 00:55:18,180
Most underrated Microsoft security feature?

915
00:55:18,180 --> 00:55:26,980
Most underrated Microsoft security feature? Defender. Defender.

916
00:55:26,980 --> 00:55:34,580
And when you got, when you get one day at Microsoft CEO position and you can say one thing Microsoft

917
00:55:34,580 --> 00:55:38,980
should develop tomorrow, what, what should it be?

918
00:55:38,980 --> 00:55:41,780
A true multi tenant interface.

919
00:55:41,780 --> 00:55:43,980
They, they need one.

920
00:55:43,980 --> 00:55:44,980
It's, it's hard.

921
00:55:44,980 --> 00:55:49,780
It's very, it's all very separate still and it's obvious.

922
00:55:49,780 --> 00:55:53,620
And coffee, tea or energy drink, Red Bull?

923
00:55:53,620 --> 00:55:54,620
Coffee.

924
00:55:54,620 --> 00:55:59,380
I literally have my Starbucks in hand right now.

925
00:55:59,380 --> 00:56:04,420
And the next one, your, your biggest security myth?

926
00:56:04,420 --> 00:56:10,020
Biggest security myth: security defaults are secure by default.

927
00:56:10,020 --> 00:56:12,460
It's a crazy myth that exists.

928
00:56:12,460 --> 00:56:13,460
They are not.

929
00:56:13,460 --> 00:56:14,460
Yeah.

930
00:56:14,460 --> 00:56:15,460
Okay.

931
00:56:15,460 --> 00:56:21,860
Now my closing question is, if every listener could implement just one change

932
00:56:21,860 --> 00:56:22,860
this week.

933
00:56:22,860 --> 00:56:26,300
And that would dramatically improve their security posture.

934
00:56:26,300 --> 00:56:28,260
What should it be and why?

935
00:56:28,260 --> 00:56:30,020
Interesting.

936
00:56:30,020 --> 00:56:35,260
I would say that would be authentication methods.

937
00:56:35,260 --> 00:56:38,660
I think they should look at their existing authentication methods.

938
00:56:38,660 --> 00:56:43,420
And if they have email, TOTP or SMS, they need to look at getting those cut off.

939
00:56:43,420 --> 00:56:49,380
I think using the, the higher privilege, the more secure, I've got an article on authentication

940
00:56:49,380 --> 00:56:51,300
methods on conditionalaccess.tech.

941
00:56:51,300 --> 00:56:55,780
Hope everyone will look at that article and it'll kind of give some, some context to why I'm saying

942
00:56:55,780 --> 00:56:56,780
that.

943
00:56:56,780 --> 00:56:59,780
But I think that's a critical component that's often overlooked.

944
00:56:59,780 --> 00:57:00,780
Yeah.

945
00:57:00,780 --> 00:57:05,460
So Jonathan, thank you for, for joining us today and sharing your experience on identity,

946
00:57:05,460 --> 00:57:10,060
security, conditional access, Azure governance and infrastructure as code.

947
00:57:10,060 --> 00:57:11,060
Yeah.

948
00:57:11,060 --> 00:57:16,700
And I will say, remember, in the cloud-first world, identity isn't just

949
00:57:16,700 --> 00:57:19,860
a part of security, identity is security.

950
00:57:19,860 --> 00:57:23,140
I think that's my little link for today.

951
00:57:23,140 --> 00:57:26,700
And yeah, thank you for listening to M365 FM, guys.

952
00:57:26,700 --> 00:57:28,780
And thank you, Jonathan for being here.

953
00:57:28,780 --> 00:57:32,580
And I hope we have another session and we talk about you and healthcare.

954
00:57:32,580 --> 00:57:33,580
Yeah.

955
00:57:33,580 --> 00:57:34,580
Yeah.

956
00:57:34,580 --> 00:57:35,580
I love that.

957
00:57:35,580 --> 00:57:36,580
Awesome.

958
00:57:36,580 --> 00:57:37,580
Thanks, Mirko, for having me.

959
00:57:37,580 --> 00:57:37,580
Appreciate it.

960
00:57:37,580 --> 00:57:41,880
[indistinct]