
Azure Bastion

Apr 19, 2021 · 27 min · Season 1, Ep. 26

Episode description

We speak to Tanu Balla from the Azure Hybrid Networking team about Azure Bastion. We also cover security news about Azure Sentinel, DataBricks, PowerBI, App Service, Power Fx, TypeScript, Azure Active Directory, a new Azure Security Technical Implementation Guide (STIG) and Azure App Proxy.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 26. We've not been keeping score, it's actually our one-year anniversary. Very excited to be at the one-year point. Hopefully, we'll have many more years to come. Of course, being a security geek, what's the first thing I want to go and check? What is the certificate on the Azure Security Podcast website?

This week, we have a guest. We have Tanu Balla, who's here from the Azure Hybrid Networking Team to talk to us about Azure Bastion. We also have a full house. We have myself, Mark, Gladys, and Sarah. But before we get to Tanu, let's take a look at the news. Gladys, why don't you kick things off? It was a little bit difficult to select what to talk about in the news. There are so many capabilities that were in preview during Ignite, and now they're generally available.

The first one that I want to talk about is that we're releasing in public preview some new capabilities with AD FS sign-ins. This is really good with Connect Health. We are providing integration with Azure AD Activity Reporting, providing a unified view of hybrid identity infrastructure. This is a good one to look at. In addition, we're going to general availability with header-based authentication for single sign-on in Application Proxy.

Many of you have heard me talking about Azure Application Proxy before. I'm really excited about this product because it's a way to get connections to on-prem applications. It supports SAML, password, or OIDC, but now we are providing header-based authentication. Finally, I wanted to talk about new guidance that we are releasing to help customers enable support for TLS 1.2. This is important because as of June 30th, 2021, we are deprecating from Azure AD TLS 1.0, 1.1, and the 3DES cipher suite. That's all for me.

Hey everyone. A couple of bits of news from me this week. Firstly, Azure AD B2C is now available in public preview in Australia, which is very cool. This has been available in Australia, but without having the user data stored locally. This is a big thing if you've been waiting to use B2C and you're in Australia and my part of the world, but you weren't able to send user data overseas: you can now look at using B2C. Next, I'm going to talk about my baby.

I'm going to talk about Azure Sentinel and talk about some of the things we released during the last month or so. Going through the updates, which we will link to in the show notes. You can now set workbooks to automatically refresh when you're in View Mode. Workbooks are like dashboards in Azure Sentinel and you do need to refresh them at the moment, but now you can actually set that to auto refresh because of course, it might be that you're looking at statistics that change regularly.

If you're using them as a dashboard up in your SOC or wherever, ideally you want them to refresh. You can do that. The supported refresh intervals are from five minutes to a day. Do remember that auto refresh is still turned off by default, you do need to go turn it on. When you close a workbook, it doesn't run in the background and this is just to optimize performance and not put too much load on the platform.

Another thing that we've got going this month in Sentinel is new detections for Azure Firewall. We've added quite a lot of out-of-the-box detections in the analytics area. Some of them we've got: known IRIDIUM IPs, known GALLIUM domains, known PHOSPHORUS group. Go and check those out, especially of course if you're using Azure Firewall.

Even if you're not using Azure Firewall, you could look at maybe amending those rules and the logic in them, and creating your own for your firewalls because they are written by our threat intelligence folks who are very clever. We did touch on this, but I guess I'll just do it for completeness. We also have automation rules.

Now they were announced at Ignite, but automation rules are a really nice way to do very simple little changes in Sentinel in an automated fashion, without having to go full on logic apps. So definitely go check that out. Something that sounds tiny, but a lot of customers have been asking for is that you can now print workbooks or save them as a PDF. Workbooks are a way of monitoring things and they are a way of reporting statistics.

So it's not surprising that a lot of customers have been asking to be able to save as a PDF so they can send it to their management or if they're a managed service provider they might need to send some statistics to their customers. So now that is available. Hooray. So you don't have to do, you don't have to try and do a screenshot of it which is much nicer. We also, something that's gone into public preview is the incident timeline.

So what that does is it basically means that you can have a timeline view on your incident page. We used to only have the timeline within the investigation graph. That means that you can see your notes and comments, the entities involved and the timeline of what happened all in one place, which of course is great for triaging. So moving on from Sentinel and moving on to log analytics. So the log analytics agent which previously was known as the MMA agent also known as the OMS agent.

The Windows version of that agent for winter 2021 is now generally available. So that basically means it's got some bug fixes, it changes how the agent handles certificates. As always, we do suggest that you use the latest version of the agent. So if you're using this agent in your environment, do go and look at upgrading. That leads me nicely onto another thing that we haven't talked about on the show yet.

If you're using the log analytics agent, we are actually transitioning to a new agent which is known as the Azure Monitor agent or the AMA. Now the Azure Monitor agent essentially does the same sort of things. It collects Windows events and it can collect Syslog and other telemetry from the machine it's installed on, but there's going to be a lot more features with it. Now some of those, they're not all there at the moment, it's still a new product in preview.

But certainly if you're using the log analytics agent, go and look at the Azure Monitor agent because in due course, this will be replacing it and that's a good thing because it's going to have loads of really cool features. A few things caught my interest over the last couple of weeks. The first is object level security is now generally available in Power BI Premium and Pro.

This is not a replacement for, say, row level security or even column level security or access control mechanisms that are, say, in Azure Synapse or SQL DB. But this is another layer of access control that you can put in place, down at the Power BI layer. Another thing that caught my interest was in App Service. We've now updated the authentication portal. This is now in GA, general availability.

We're just changing the way it looks and the way it handles, just to make it more streamlined and make it more obvious how you're going to use authentication when you're using modern identity and Azure App Service. Another one is we now have in general availability private link support for Azure Cache for Redis. It only seems like a few days ago we announced that it was in public preview. This is really cool.

As I've mentioned on many podcasts prior, we're seeing a general move across the platform to more use of things like private link, private endpoints, customer managed keys for data at rest, encryption of data at rest, and so on. So it's great to see that yet another Azure PaaS offering, platform as a service offering is now supporting private links. This next one isn't actually that new, but I only came across it this last week with a customer.

That's a thing called SCIM, which can be used with Azure Databricks. So SCIM is essentially a way of helping you map between Azure Active Directory users and groups and Databricks. So you've got to realize tools like Databricks were not designed upfront to work specifically with Azure AD, or Azure in general for that matter. So this provides a really nice mapping between the two. So it's great to see that there's now support for SCIM in Databricks.

The next two have actually got nothing to do with security whatsoever, but I just can't help myself. The first is that Microsoft Power Fx, which is an open source, low-code programming language that we can use with the Power Platform, for example Microsoft Power Apps, is now in public preview. It's very similar to the way Excel works. If you've done development in Excel, you'll feel pretty much at home using Power Fx.

The last one because again, I just can't help myself because I despise JavaScript so much, but TypeScript 4.3 Beta is now available. So if you've not been using TypeScript and you've been hitting your head against the wall using JavaScript, especially in large projects, then do yourself a favor and spend a little bit of time with TypeScript. That's all I have.

A couple of things caught my eye in the news, and I also had some interesting discussions and realizations that are going to show up in some of our public documentation soon that I thought I'd cover. The first kind of hearkens back to my old days of consulting with the federal government, which I did for many years: the public preview of the Azure STIG solution, to help with those Windows and Linux virtual machines and be able to get that out there and get it configured quickly.

So I want to make sure folks are aware of that because I remember how little fun it was to do STIG. Then there are a couple of updates in Azure Security Center on the public preview side and the general availability side that were interesting. One of the highlights is that the Azure Firewall Management, the integration of it into Azure Security Center, is actually generally available. Then there are a couple of other detections and rules and enhancements.

The usual DevOps-resulting-in-new-features-on-a-fairly-regular-basis stuff. So I've got the links there in the show notes. The two topics that have been interesting, that lit light bulbs up in my head as we were going through building some security guidance for the Cloud Adoption Framework. The first one, we came to this realization as we're trying to figure out what's the most important thing about DevSecOps.

There's a lot about it. There's SAST, DAST, the integrated CI/CD, making sure it's native so that the stuff you're doing shows up as a bug and security bugs aren't in a whole separate process they have to learn, and just kind of that whole integration thing. But the thing that we started to realize is that the biggest thing about DevSecOps is to do it right. And we know this is hard and it's a change, but it requires actually kind of honoring all three of them.

So the Dev, which really represents a business and the need to ship features and keep it moving forward and get those capabilities live. If you don't have that, it doesn't work. Like you've got to do that or the app isn't relevant. Then the Ops side, the performance, the reliability, all the things that IT brings to the table is also critical because if you don't have that, then it's not going to be a very pleasant app experience.

It's not going to be as compelling as you want it to be, etc. And the security side, the second part of DevSecOps is really what keeps it safe and those classic confidentiality, integrity, availability, assurances. And the thing that just really kind of came to mind that was super important is that you need them all. It's sort of like a race team. Like if you have a driver that makes a bunch of mistakes and you lose the race, you've lost the race.

If the tire blows out and you lose the race, you lose the race. If the engine blows and you lose the race, you lose the race. It doesn't really matter. So it's really important to kind of honor all of those things. You can't really let one voice dominate all the decisions. Like you can't do all Dev all the time. Yeah, they're going to win some arguments. Can't do all Ops all the time. You know, being conservative and architecting it carefully, etc. And the same thing with security.

You can't overpivot on security. You've got to figure out the MVPs for each of those and blend them together. So it's a really interesting set of realizations that, you know, kind of occupied my mind in the past couple of weeks.

And then another one was, you know, as we were kind of looking, you know, working up the security governance guidance on that we're putting together, we sort of realized that there's a real difference between security and compliance, but there's also a very strong commonality because, you know, security is really about dealing with the threats in front of you right now. And compliance is about meeting the requirements that were written sometime in the past.

Could be five, 10, 15, 20 years, depending on the regulation. And so it was really sort of, you know, that's always been sort of the difference between the two for me. But then the thing that started to realize this as we get to this real time data in the cloud, and we can actually instantly tell you, are you configured right? Are you patched? It's an all answer all these questions instantly with real time stuff that used to take, you know, months of an audit.

You know, we're starting to see those two disciplines get closer and closer together again, because you can now do the scope you need closer to comprehensive, you know, still have people process and human things. And you can do it quickly. And so you can actually meet both requirements without having to make these massive tradeoffs that led to these very different dynamics. So those were the things that really been top of my mind over the past couple of weeks.

I don't know if you know or not, Mark, but I actually worked on the Secure Software Development STIG back in the day, the original version of it. I actually enjoyed working on it. It was actually a good bunch of people I worked with. And it was like a 35, 40 page document. It was actually a lot of fun. Now that we've got the news out of the way, let's turn our attention to our guest this week. We have Tanu Balla. She's a program manager in the Azure Hybrid Networking Team.

Tanu, welcome to the podcast. Would you like to spend a moment to introduce yourself and give us an idea of what you do at Microsoft? Sure. Hi. It's great to be here. So I've been at Microsoft now for, wow, a little less than a year, I guess. My background is in computer science and business. And so for my first job, I thought that program management sounded like a great fit.

So I ended up on the Azure Hybrid Networking Team, where I've been working with Azure ExpressRoute, Azure Bastion, and a few other services since I started my time here. Fantastic. So I got to start with probably the most simple question. Sure. A lot of people are asking the same question. What is a bastion? Yeah, sure. So a bastion host is either like the computer or virtual machine that's used to separate external traffic from a customer's private network.

So it can be used to provide access to the resources that are in the network, and it can be the main point of entry. And so what that means is that any resources sitting in the private network no longer need a public IP address to be accessed, so they're not accessible directly from the internet or by external traffic. So I have to ask, then, what is Azure Bastion? So as the name suggests, Azure Bastion is Azure's Bastion host offering.

It's a fully platform managed PaaS, or platform as a service, and it provides lightweight and secure connectivity to your Azure VMs and eliminates the need to assign them public IP addresses. So from an IT Pro or from a security architect perspective, how would you compare and contrast a traditional bastion architecture, if someone has one set up, versus Azure Bastion? What are the pros, the cons, the advantages, analogies, and whatnot?

Sure. So a big part of that comes from the fact that Azure Bastion is a PaaS service.

So while an IT admin or pro could manually set up and configure their own jumpbox server or bastion host in their Azure virtual network setup, that would require constant maintenance, configuration, and management, whereas Azure Bastion works right out of the box when you deploy it, and there's no need to consider the underlying infrastructure or the security considerations that are being taken under the hood. So whoever is setting it up, or anyone else that's trying to use the Azure Bastion resource, just gets smooth RDP and SSH access via the Azure portal; they get monitoring tools, and maintenance and updates to their Bastion without having to worry about it. So it's kind of like, you know, running a SharePoint server on-prem versus Office 365 in a way. Yeah, sure, exactly.

One thing that, and perhaps this is really obvious to a lot of people, but I assume that this is used, you mentioned RDP, my guess is this is used for managing just VMs, like IaaS solutions inside of Azure. Yes, that's right. So right now, Azure Bastion does only provide RDP and SSH access to Azure IaaS VMs. However, we are constantly considering how to expand the target resource set so that customers can begin to use Azure Bastion to connect to other resources as well.

So expansion there may come over time. What are the ways that customers connect to it? Do they have to use the portal? Yes, right now we are heavily focused on the Azure portal based experience, which fits well with the lightweight aspect of Azure Bastion. It provides a way for users to connect via the browser without needing to download any additional agents or software in order to enable the Azure Bastion Connect experience.

So it really is, they click a button to deploy their Bastion, maybe configure it with a few more clicks, and then they can just access their VMs via the Bastion in the portal. So I have a question that's got nothing to do with security necessarily, but it's just something that's always kind of eluded me for a while. How does it actually work? I mean, here I am in a browser and I'm seeing Windows desktop getting rendered. Pretty amazing speech.

I mean, it's not laggy, there's no real screen tearing going on. So under the covers, just from a purely curiosity perspective, kind of what's going on there. Yeah, it's cool. What we do is we decode the RDP and SSH streams on the Azure Bastion host itself, and then the video frames are sent via a web socket to the browser for the customer to see in their portal experience. And that's an important point, right? Because that's all over TLS, right? You don't need anything special.

This is just from a browser, TLS out to an Azure Bastion service. So from a firewall perspective and so on, I'm just basically doing HTTPS traffic. Yes, that's right. That's totally right. I'm a big fan of Azure Bastion. I have to do all my interview questions right away so that people get that. But one of the things we're looking at this for is privileged access workstations as part of securing privileged access.

Because we've got this native connection to the cloud, but we need to connect it to the on-prem legacy resources, which you might be hosting on IaaS, might be on-prem. And so Azure Bastion is one of the things that we're looking at for that. So I was curious, is the only scenario that people are thinking about it from, or what are the common scenarios that you're seeing that this would use? How are you seeing it used by our customers?

Sure. So right now, because Azure Bastion does focus on enabling connectivity to Azure IaaS VMs, there are two main architectures that we see. The more often used one at the moment, just because it's where Bastion started, is the idea of one Azure Bastion resource per Azure VNet. And so customers will choose to just deploy a Bastion in each of their VNets in order to access the VMs that sit in each one.

The other option now, more recently, is a hub and spoke model, because Azure Bastion has recently started to support VNet peering. So customers may instead choose to deploy a single Azure Bastion resource in a hub VNet, and then have it provide access to all the VMs that sit in the peered VNets of that hub. Both of these options are very specific to an Azure-only environment, with the target resources being Azure IaaS VMs.

But the common architectures will expand over time as the resources we can access via Bastion expand over time. So one thing that every customer I deal with, and I deal a lot with healthcare and finance, asks about is things like logging and monitoring, both at the control plane and the data plane. I mean, I think the control plane is fairly straightforward. You know, it's using Azure Monitor. But what about at the data plane?

Or just in general, what are the best practices, or what sort of features do you have in place so I can see who accessed what and when and so on? Azure Bastion is always considering ways to expand the logging that's available for customers, especially our more compliance-heavy customers, to be able to see, for example, who's logging in and when. Right now, monitoring is fairly new.

And so what we do have for customers is metrics that they can view, such as Bastion communication status to see if the Bastion is actually up and reachable; metrics for total memory, CPU usage, memory usage; and then session count to see how many sessions were concurrently being used on the Bastion at any given time. These are the first metrics that we're offering to customers.

And then aside from that, you can also see basic Bastion logs to understand when it was used to connect to what VM. Over time, that will expand to include more specific logging of who is accessing the Bastion and how long they're staying on it in order to offer like more options for customers who have higher compliance requirements. So who do you think Azure Bastion will be good for?

Sure. So one big user persona that we consider often is the IT admin, and we've kind of discussed them before already in these questions. And so we're thinking about the IT admin who's managing the networking needs for their company. And for them, Azure Bastion needs to be easy to deploy and set up, easy to manage and configure, and easy for others to use.

And so we already see this persona influencing the current Azure Bastion offering with things like it being platform managed, lightweight with the portal experience, and offering just general security. But it also shapes our feature work going forward as well. We ask this of all our guests, but is anything currently in preview, or anything that you can talk about? Yeah, so we are actually just finishing up our public preview for VNet peering support for Azure Bastion.

So customers will likely see that this preview is generally available very soon, which is exciting for us. Following on from the topic of things we ask every guest, we always ask our guests for any final thoughts they have, any single idea that they would like to leave with our listeners. So don't access your VM via public IP if you don't have to, and you don't have to with Azure Bastion. It really is a simple solution. Our goal is for it to be lightweight and secure.

And so customers can really just deploy their Bastion and start to use that to access VMs and eliminate the need for public IPs. Someday, it would be great to see all VMs in Azure getting accessed via Bastion instead of via public IP addresses in order to improve the security of every customer's Azure experience. I don't think I know of a single customer, certainly not any within healthcare and finance, who even allow VMs to have a public IP address associated with them.

So yeah, I think Azure Bastion will be a fantastic solution for them. And on that thought, thank you so much for joining us this week, Tanu. I really appreciate you taking the time out. I know you're extremely busy. I know you're working on a whole bunch of new features that are coming out in Bastion. So we really appreciate that. I always learn something from my guests and this was absolutely no exception. And for all of you out there, thank you for listening.

Thank you for listening to our first year. We're really excited to have that under our belt. I think it's an important milestone for the podcast. So again, thank you for listening. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresetpod.

Background music is from ccmixter.com and licensed under the Creative Commons license.

Transcript source: Provided by creator in RSS feed.