
Zero Trust at Microsoft

Jul 28, 2021 | 46 min | Season 1, Ep. 33

Episode description

In this episode Michael, Sarah, Gladys and Mark talk with guest Carmichael Patton, a Senior Security Architect in the Digital Security and Resiliency group at Microsoft about Microsoft's journey to Zero Trust and some of the lessons learned along the way.

We also discuss Azure Security news about: Azure Sentinel, Azure Automation, Azure SQL DB and Always Encrypted with Secure Enclaves, App Insights, App Service and Functions, Azure Active Directory, Azure Firewall, Azure Kubernetes Service, Azure Security Center, Azure Bastion.

Mark also talks about some Open Group activities and recent Microsoft security acquisitions.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 33. We have everyone here this week. It's myself, Sarah, Gladys and Mark. We also have a guest, Carmichael Patton, who is here to talk to us about Zero Trust. But before we get to our guest, let's take a look at the news. I'll kick things off.

First item that took my attention the last few weeks is a YouTube video about using Azure Sentinel to analyze Ubiquiti logs. I use Ubiquiti Wi-Fi gear here at home. I'm a huge fan of learning by doing, and I've been trying to find an excuse to use Sentinel in anger. Well, this solved the problem really. It's a nice little video, shows how you can take your Ubiquiti logs and ingest them into Sentinel and see what's going on.

The only thing I really learned from all of this was that no one really cares about my network, but I guess that's a good thing. Next thing is Azure Automation now supports user-assigned managed identities, and it's in public preview. This is actually pretty cool for a number of reasons. As I mentioned so many times, you'll see more and more PaaS and SaaS offerings support the likes of system-wide managed identities and user-managed identities.

The nice thing about user-assigned managed identities is that you can set one up and use it multiple places. And the reason why that's important is because Azure does have a limit to the number of role assignments per subscription. So this helps alleviate that because if you have a system-managed identity, you can only apply it once to one resource, whereas a user-assigned managed identity, you can use it all over the place, which is nice to see.

So something else I saw the last few weeks was we now have free extended security updates only on Azure for Windows Server 2012 and SQL Server 2012 R2 and SQL Server 2012.

So if you've got an on-prem solution based on these platforms, and you can't sort of cut over to a new version of the operating system in time for the extended security updates to expire, you can move that workload into Azure and we will actually add more years at the end so that you can actually take more time to essentially move to a more secure and more updated operating system. So it's just kind of cool.

So take your current workloads, move them to Azure and you'll get an extension to your Windows security updates. Another feature which I was really happy to see was confidential computing using Always Encrypted and secure enclaves for Azure SQL Database is now GA. This is great to see. This has been in preview for some time now. I've been playing around with it quite a bit, but it's nice to see that it's in GA.

So essentially what you do is you set up an Azure SQL DB and when you come to set which kind of infrastructure it's gonna live on, you can choose one of the DC series VMs and that will give you support to the underlying Intel hardware that supports the Software Guard Extensions or SGX and that will now give you support for Always Encrypted using secure enclaves. So that's a really nice thing to see as well. We also now support Azure AD authentication for Application Insights.

Normally, in the past it's been really kind of painful to support various authentication schemes for data going into App Insights, but now we support out of the box the ability to use Azure Active Directory identities. There's now an update to secrets configuration in App Service and Azure Functions. I'm not gonna go into all the details, but historically we only have a small number of ways of storing secrets that's then accessible by App Service and Azure Functions.

Well, we've now increased that to include things like better support for Azure Key Vault. And the last item I have, this is also in preview, is the ability to configure token lifetimes in the Microsoft Identity Platform. A lot of customers I see have been really wanting this for quite some time. So now you have complete control over when tokens are issued and when they need to be refreshed. And that's all I have for this week. So I've got a couple of things.

Oh my goodness, and nothing about Azure Sentinel, though I could probably find something if we wanted. No, today I'm gonna talk about the next generation firewall capabilities which are in Azure Firewall Premium. It has been in preview for a while, but it's now gone GA. So if you haven't looked at Azure Firewall Premium, what it has in it above normal Azure Firewall is TLS inspection.

It does signature-based intrusion detection and prevention, or IDPS, which I know is a requirement of quite a few regulatory regimes. You need to have that. It also lets you filter web things based on categories. So things like social networking, gambling, other dodgy things that you might not want people to go on through your enterprise internet connection. And we've also got URL filtering.

So you can actually filter outbound access to specific URLs, not just fully qualified domain names. So that's really, really quite cool. So it is very cool. Go and have a look at it. I know if you're one of those customers that needs to wait for something to be GA before you're gonna use it, now is the time. So go and have a look, because Azure firewall is probably not as loved as it should be because it's just a firewall, but it's very cool. You can deploy it as code.

So it can fit very nicely in with your cloud deployments. Next for AKS. AKS will now allow Active Directory integrated clusters to be created without a local admin user account, which is cool because of course, a local admin account is not the best thing from a security perspective because anyone can use local accounts, whereas now you can actually create clusters just disabling those local accounts when you've set up the AAD authentication. So again, very nice.

Nothing sort of groundbreaking, but again, really good for your security hygiene. And then a couple of things in ASC, as Azure Security Center, we've got some new alerts in Azure Defender for Key Vault. So if you're using Key Vault and you need to keep an eye on it, Azure Defender is checking out some new alerts. We've also got recommendations. The recommendations to encrypt with customer managed keys is now disabled by default.

So if you're using ASC and you use those security hygiene recommendations, which are very cool, of course, if you're not using customer managed keys, I'd say probably the vast majority of our customers do not manage their own keys, but there are some parts of the world and some industries that require it. You don't want your secure score to go down just because there's a recommendation, a hygiene recommendation that isn't relevant to you. So that's now disabled by default.

Another just FYI, the prefix for Kubernetes alerts in ASC has changed from AKS to K8S. So AKS is Azure Kubernetes Service. K8S is actually the more standardized way of abbreviating Kubernetes. And that's all of my updates for this week. As we all know, Microsoft keeps looking for better ways to help provide users with a way to own and control their own identity. So there are many capabilities that are being developed around this.

One of them is Azure Active Directory verifiable credentials, which is currently in public preview. We talked a little bit about it when it was in private preview. But if you haven't heard about it before, it is a way to centrally manage decentralized identity or DIDs. For example, when you're first logging into a company environment, you're given an account password or some other method to log in.

When you first log in, the service sends you to a site where you scan a QR code with your phone camera, in order to enable the verifiable credential in your authenticator app or to start it. This is really cool because we are expanding the factors of authentication. For example, something you know, account and password; something you have, in this case, the verifiable credential.

If you use conditional access, then you expand to use a factor that verifies where you're logging from or somewhere you are, such as IP address. And if you enable the Windows protection, you could have something you are, like biometrics provided through Windows Hello, or even something you do, like a picture password. I think this is huge because we're starting to look at identity as a bigger than the platform itself. This concept of decentralization is really important as well.

In Microsoft, we are anchoring the verifiable credential with a decentralized identifier, which points to a public blockchain. This makes the credential durable over time and across domains. So in theory, let's say that Microsoft were to go out of business, you still will have the credential; it'll be yours as an individual, and available for you to control. This also means that multiple autonomous systems can use it as well. Anyway, identity management is going through a lot of changes.

So it will be fun to watch all the identity capabilities that will be released in the next few years. The other thing that I wanted to mention since we're talking about identity is that everyone should look at aka.ms, sensitive operations report, and run the assessment. This assessment got created earlier this year, but it's still very relevant.

One of the most common ways for attackers to get persistence in the environment is by adding new credentials to existing applications and service principals. This allows the attackers to authenticate as the target application or service principal itself, granting them access to all resources to which the application has permissions.

The assessment will help you detect such actions: modified applications and service principal credentials and authentication methods, modified federation settings, new permissions granted to service principals, and many others. Now let's jump into another area of Azure. Azure Bastion is now in public preview. As mentioned before, Azure Bastion is a service you deploy to let you connect to virtual machines using your browser and the Azure portal.

It is a PaaS service that you provision inside your virtual network and provides secure and seamless RDP and SSH for the virtual machines directly from the Azure portal over TLS. When you connect through Azure Bastion, your virtual machines do not need an IP address, an agent or a special client. There's another way that you could do this without Azure Bastion.

Basically, you could give an external IP, but that means that your VM will be available externally all the time, unless you use a service such as Just-In-Time VM access, which allows you to lower the risk by providing time-based access to that RDP connection. The other thing that I wanted to mention is that Windows 365 will be available on August 2nd.

I'm really excited about this and playing with it because it allows you to securely stream your Windows experience, including your personalized apps, content, and settings from the Microsoft Cloud to any device with Windows 365 Cloud PC. This means Mac, iOS, Android, and I think soon Linux is coming up. Your applications, your settings, your content are streamed from the Microsoft Cloud to any of the devices.

There's persistent integration between the Cloud and the device. So if you disconnect, you come back to whatever you were doing before. The information is stored in the Cloud, not in the devices itself. The system is always up to date and built on the strength of Microsoft security capabilities and baseline. It uses network speed provided by the Cloud service instead of the device itself where the user is connecting from.

So it's not about that physical network speed, but the Cloud network, which in turn allows you to collaborate with large files much easier, no matter where you are and which device you connect from. I'm looking forward to playing with this, and I know that once this is released with the 5G Azure space and other capabilities that Microsoft is working on and releasing, this will open up a lot of opportunities for more mobility and at the same time availability.

And in my world, a couple different things. First is, as most folks probably know, I'm a Zero Trust architecture forum co-chair over at the Open Group. We recently had an Open Group event where we announced the Zero Trust commandments that we're working on, essentially taking the core principles that are already published and out there and translating those into commandments, very much in the vein of the Jericho commandments that really kicked off Zero Trust some decade or two ago.

We're exploring an interesting idea there where we're taking that assume-breach, assume-compromise idea as a core assumption and looking at it more as an assume failure and also having the yin-yang assume success because business does continue and organizations do continue after a breach. And so trying to have that blend of the positive and negative instead of completely focusing on the negative.

So it's sort of an interesting set of things, but then developing those guiding commandments into real clear guidance to follow up on it. So it's work in progress. I put a link in the show notes there for the LinkedIn group where y'all can join and kind of share your opinions and discussions there. And then for those that are Open Group members, if you work for an organization that's in the Open Group, you can also participate directly in that process as well.

And some recent acquisitions recently hit the news. Microsoft purchased a company named RiskIQ which provides intelligence information for your company, for other companies, et cetera. So really, really exciting news and really interested in digging in with that team to kind of really deeply understand what they're doing and how to connect it with all the other good stuff that we're doing. We also bought CloudKnox.

So this is a cloud infrastructure entitlement management company that helps kind of discover and help you kind of secure and tighten up permissions within Azure, AWS and the like. So really, really excited about that to help organizations get some clarity there and clean up any permissions or any issues there from kind of the rough and tumble of DevOps and learning the cloud and figuring it out, that might be there.

And then on the firmware side, specifically the IoT firmware side, we bought a company called ReFirm recently. And so they're really into kind of scanning and looking at the firmware of your IoT devices and is that secure, are there vulnerabilities in there, et cetera. So really excited to have that capability as well. So really can't wait to connect all these different pieces together.

Next thing, this is very important for those who are in the security operations space, SecOps analysts, SOC analysts, managers, directors, et cetera. One of the biggest things there is a lot of folks are very network familiar and really been trained on and really get like IP addresses and subnets and CIDR addresses and you name it, really good at that. But identity was never something that a lot of security operations analysts were trained on.

And it's becoming more and more central to investigating and understanding what happened because the network traffic, you don't always have that and it's not always clear and easy to figure out who was trying to do what at the time. And so we released this Azure AD SecOps guide set on the docs site that helps with all those kind of things related to investigations and remediations, detections, et cetera. So really, really powerful stuff. Highly recommend folks out there check that out.

And then just a couple of few reminders, the ransomware guidance is out there. We actually kind of merged together the human operator and the ransomware, aka MSURL. So both of them lead to the same place. We translated the slide deck, that downloadable plan into kind of one, two, three guidance in the documentation to make it easier to follow and follow along with as guidance. Of course, recently published in the last couple of months the cyber reference architecture already had like 9,000 hits.

I think on the landing page recently, so that one's getting some attention, but make sure you don't miss that one. And then the more of the security program guidance in our Cloud Adoption Framework or CAF, secure methodology is also out there. So we put those links in the show notes as well. And that's all I got. Okay, let's change tack now and let's introduce our guest this week. This week we have Carmichael Patton, who's here to talk to us about Zero Trust.

Carmichael, welcome to the podcast. Would you care to take a moment and introduce yourself to our listeners? Yeah, sure. So as mentioned, I'm Carmichael Patton. I'm a senior security architect here inside of Microsoft in our Digital Security and Resiliency organization. We're like the internal security IT org here at Microsoft. So our billet is to ensure that we as a company are secured.

For the most part, for the last six years or so that I've been here, it's been around a lot of what is not Microsoft. My area of focus is around all of the non-Windows systems. How do we protect, you know, iOS, Android, Mac, Linux, as well as in the cloud, how do we do open source containerization, you know, orchestration, things like that.

The relevancy here is for the last three years, I've been on our team leading our internal Zero Trust efforts to how do we get Zero Trust deployed inside of Microsoft. So what is Zero Trust? What are we trying to address with it? That's a great question, Gladys. I think, you know, for us or for me, it really comes down to three things, right? It's healthy devices, healthy identity and telemetry to understand the states of both of those, right?

And I think that's maybe a little bit of an oversimplification of what Zero Trust is. And I think it's been around in the industry for quite a while. It started out as a network strategy, you know, how do you micro-segment your networks? But I think as we have moved through, especially this last year, we've had to really pivot and think about it in a different way, you know, we're not on those traditional networks anymore. We're actually accessing a lot of cloud resources now.

And so how do we ensure that we're protecting ourselves without having the corporate environment to actually do a lot of those protections that we had before. So let me put on a bit of a skeptic's hat for a moment, like, so what's the big deal about Zero Trust? Why would I even bother doing this? You know, I'm doing my job just fine. You know, like, how would you respond to that? Well, I think it's, first off, I would say keep a skeptical approach, right?

I think there's a lot of, even our own architecture that we put out there. And I think for every company, Zero Trust is a little different. So I think keeping that skeptic's hat on when you're looking at it is a good approach. I think, you know, come in with the understandings of what you need. And I think one of the things we say is have a good set of telemetry to understand your risks and really, really, where you're falling.

But I think to answer your question, you know, again, sort of just simplify it, right? Is you could go to the complete knee jerk and overreact and put in so much security and compliance on top of getting access, but you become nonproductive. And I think the, where I would say to the skeptics, it's really more about productivity, but staying secure, right? Like, what are the benefits that you're gonna get out of it? Right?

If you're, you know, you have your endpoints managed and your identity is providing health to access those. Your security teams are getting improved visibility because you're putting, you know, anti-malware and vulnerability management on those devices. You're getting logs and telemetry from them directly. You're not having to rely on other devices or other things to try to guess and speculate what those devices are doing.

But at the end of the day, the users are able to get to what they're trying to get to, right? Is, you know, especially when everybody's working from home, I have access to all of the systems I need to access to without having to worry about that. But I am coming from that, that managed and healthy device. Yeah, I mean, it's something, it's hard.

I went through the, some of the things where we saw a whole bunch of different vendors presentations on Zero Trust and it was just fascinating to see like all the different views of it. And I mean, I just felt such sympathy for the people that have to deal with that crazy amount of confusion. And oh, Zero Trust is this, which happens to find the products that I'm selling you. I think that's the number one thing is like navigating that to get to that core truth.

And so I'm actually really excited about the NIST work in the National Cybersecurity Center of Excellence, the NCCoE lab, to sort of, you know, drive that consistency and drive that kind of clarity on it. So people know what it is, what it isn't. And oh, by the way, even though it does some amazing stuff, it's not like a magic wand and you just don't have to bother operating it. You just put it in product and go. Love that point you made. It does have to be operated and practiced every day.

Yeah, it's funny. I remember you were bringing me to an event we did a little over a year ago. We went to a customer's onsite. They had a bunch of different vendors there to sort of do similar to what you were talking about. But for them explicitly, and the question one of the vendors asked was back to the customer, you know, hey, what is it that you could do for us?

And then we were looking at him and this person is pretty well known in the Zero Trust circles, but I remember looking at him going, shouldn't we be collaborating and doing things for them to make it easier for them to deploy all of our technology? It doesn't matter what it is, right? Or who is deploying it? I mean, that's the thing about Zero Trust that makes it so great is it's not a product. It's not a suite. It's not an application.

It's not a thing you lay down in your environment and know now you have Zero Trust. It's an architecture. It's a thing that you deploy in your environment based on the needs that you have to satisfy the risks that you have in your environment, right? And I think that's, even for us, again, I'm not the marketing guy. We look at third-party products and we have third-party products inside of Microsoft that we use.

So how do I get to ensure that those are also in my model to ensure that I have healthy devices and healthy identities, right? And if I go to my VPN, which is not a Microsoft VPN, right? You know, am I conditionally access enforced and for health on that VPN tunnel to get in, right? I have to be able to ensure that those things work. So I think, you know, again, sort of to your point, Mark, which is it's not just a thing. It's an idea. It's an architecture and how do we make it work together?

And I think that NIST approach was interesting the other day, listening to all the groups collaborate. And I'm hoping that as an industry, we start collaborating more on this to make it easier for folks. Yeah, I fully realize hope is a four-letter word, but I'm right there with you in that. And the word that I'm starting to use, like to cover all of the things, because it's so different depending on whether you're like a CISO or like a SOC analyst or a director of identity security or something.

It's so different. I mean, I think of it as a transformation. It's like a digital transformation. Like it's gonna change the retail dude or lady on the ground. That's like checking people out. It's gonna change the business strategy. It's gonna change everything, right? So I feel like that it's basically a transformation that touches everyone. You just described our last year of working from home for all of our storm employees.

So one thing I'm a huge proponent of in the world of security is pragmatism. And to me, pragmatism is absolutely foremost. Is it still, is it possible to achieve zero trust goals and stay within the spirit of zero trust without like adhering to the letter of the law? Yeah, absolutely. I think so, right?

And kind of going back to the three things that I mentioned before, which is focus on identity or that the identity, the health of the identity, the health of the devices and the telemetry, right? So focus on ensuring that your users are doing things like multi-factor authentication to validate who they are. If you can go passwordless, I mean, those are just spirits of identity and healthy identity, right?

Is if I can make sure that Michael is who Michael is and it's not Mark spoofing his account to try to get into, change the podcast recording or something, right? And then the other piece of that is the devices, it doesn't matter what you're doing, getting those devices into management. I think a lot of companies in UW, we're probably call ourselves a unicorn to some extent because I think we fully embrace the BYOD strategy.

It's not just mobile devices, iOS and Android, with which we have about a hundred thousand of each or more. It's the Windows devices, the Macs, the even to some extent Linux devices, right?

That users bring in because their job requires it, but it's their own device that they wanna connect to our resources for having an idea or strategy around that and just don't make it difficult, make it simple and you can actually come close to that letter of the law to some extent or at least a spirit of the law, like you said, right? Michael, it's just having that management there.

And then telemetry, I think I'll probably just say this openly, if you don't have telemetry, if you don't understand what's going on in your environment then how do you understand the risks that are happening in your environment, right? And I think that's ultimately what we're trying to solve for is to minimize the risk where possible and just getting that understanding, where are my users coming from?

How are they accessing things, even if it's Office or even if it's Exchange or your line of business application, whatever that is, your HR app, your time and away reporting app, how are they accessing it? What devices are they accessing it from? When are they accessing it? Just getting an idea of what's happening in your environment and then making decisions based on that. It doesn't have to be the full letter of the law, like you said, of zero trust.

It could be small steps of just applying MFA just to ensure that it's the users and then going from there, right? So is there a role here for AI and ML? I know we're using a ton of buzzwords, but gotta ask the question. Yeah, no, that's it. Wow, is there a role for AI and ML? The answer is wholeheartedly yes. And I think we rely on it very heavily, right? In the decision-making that we do.

When we use Microsoft Defender for Endpoint, MDE, on all of our endpoints, and we're getting the telemetry from those devices, you're not gonna ask your first line SOC analysts to sit there and look through all of that telemetry. You're gonna use that machine learning and some of those AI tools that we have to try to at least understand where things may be occurring to try to give you that notification and then have them go from there on their exploration, right?

Without having that sort of detailed modeling that can actually depict what's happening and then making those alerts, then that becomes almost impossible for a SOC. When you have, I forget what the numbers are, what two trillion bytes of data, day, two billion events a day in AED or whatnot, I forget what all the numbers are, but in the sheer number of telemetry of learning and reporting and all that stuff that we get is just ridiculous without having the AI and machine learning.

And we didn't even talk about Azure Defender for Identity. I mean, all of the stuff that happens there to understand what's happening with your identity to ensure that you are who you are and that your account hasn't been compromised, right? It's just, there's so much there for that. In everything that you're talking, you're mentioning a lot of identity. Why do we focus so much on identity?

Yeah, early on we looked to say identity is a new boundary, and I think it's almost true at this point, right? In that we've moved away from network being that boundary and especially over the last 18 months, the users are no longer in the office. They're sitting in their home offices connecting to us and we use split tunnel VPN so they're not necessarily even coming in to our data centers.

So we have to rely on the identity now being that access point for how they're connecting to our resources. When I go to Office or when I go to Teams or when I go to PowerPoint, Power BI, name an application or even a third party app that is tied to my identity. If I go to the login there, it's logging in with my @microsoft.com credentials and then it's going out and it's checking to make sure that my identity is healthy and then it's pulling in all of the other stuff.

Azure Active Directory now has conditional access enforcement on top of that too. So that identity suite really becomes the new gating function, whether you call it the policy enforcement or whatever terminology you wanna use for that, that's where it's all happening. Those decisions are being made on top of that identity when you're accessing that. And then beyond that, it's continually assessing that same thing, right?

It's not just making that one time look and saying, hey, okay, yeah, Carmichael can go in, he can access office, he can access Teams, he can join a meeting and meet with the folks here and chat about zero trust.

But every period of time, whatever you've tuned it to, I'm also getting reattested to that and making sure that throughout that lifecycle, I'm continuously being validated through my identity, whether that's the, I think we're doing hourly token refresh, with MFA every 24 hours, I believe something to that effect, but it really has sort of shifted away from that legacy network being the traditional network to the identity now being the boundary.

So we've got, we talk about zero trust having six pillars. Can you talk about the challenges that Microsoft has gone through for each pillar? Probably too many to talk about in the period of time we have, but yeah, I mean, we talked a lot about identity already, we talked about devices already, which make up two core pillars there.

Infrastructure, we always have a challenge of ensuring that the infrastructure itself is healthy, that the applications are being built safely, that they're using the right, what's the word I'm looking for, the right libraries from the identity, the new MSAL libraries for folks that weren't aware, ADAL is slowly being retired as of June, I think some of the support for it has gone away, limited, I think it's now down to limited support.

So making sure that the new libraries are being integrated into there so that the conditional access flow works. And I think we'd actually be surprised that that doesn't happen even on some of our first party applications that we sell to customers, right? It's going back to those teams and saying, hey, I gotta make conditional access work, not just for Microsoft, but for insert customer here, right?

I think networking is a good one, especially as we get through trying to figure out how to segment our environment. Traditionally we've been pretty flat, but with the new models, and I talked a lot about getting away from sort of that traditional on-prem model, moving more to the cloud model, we've been fortunate: about 93% of our traffic actually goes directly out to the clouds, whether that's our first-party SaaS or PaaS solutions, or if it's third-party solutions that we have.

But for what's left in the environment, how do we ensure that we're segmenting it in the right way? And I think the challenge for us lately has been trying to get into these IoT segments. We've got high-risk IoT and a low-risk IoT, so high-risk would be your things like building management and life safety systems, and then low-risk would be printers and other IoT, like the conference room phones and things like that.

And I think we've seen some compromises in the industry on those types of devices, so how do we ensure that we can segment those away in a good and effective way? And what we found is it's actually probably a little bit more difficult than we thought it was, but we're working through that. And I could probably talk about challenges for a while. Maybe we'll leave it there then, but we'll just... Otherwise, the podcast will just get too long.

So over the last few years or so, and certainly the last few months, there have been some very high-profile attacks. Without naming any names, I mean, how could zero trust have helped mitigate or reduce the severity of some of these pretty public attacks? That's actually a great question, and something we were challenged on by Bret Arsenault, our CISO, was exactly that, and some of the ones that happened earlier this year or last year at the end of the calendar year, right?

We wanted to kind of prove like zero trust worked. What we actually proved was zero trust itself didn't really necessarily do anything specific to protect us, but what it did do is reduce the blast radius.

And a lot of the reasons for that is because of the telemetry that we were getting, because of having all these devices being enrolled now, Microsoft Defender on all of these devices and getting all of that telemetry, and like I said, the machine learning that was happening, you start to see things occurring in your environment, and all of a sudden you recognize that you have an attacker there, and that attacker is now getting to a particular system and going from there to someplace else.

And you can then start using the rest of the telemetry that you have to really sort of isolate and figure out what's going on and getting down to ensuring that you're able to, like I said, sort of reduce that blast radius.

And what we found again was, for everywhere where we had a managed device and we had MDE enabled and we were MFA enabled, there was no risk, we were protected. But where we weren't, we had a system that wasn't managed that happened to have access into the network that was unknown to the security team, and the attacker got in, but because the user had limited access to the environment, they actually didn't get very far.

So some of that stuff is publicly known, so I'm not saying anything that's breaking me into jail. I won't mention names of the attacks or anything like that, but that's where I think Zero Trust comes in as an effective thing, right? I think one of the things that our marketing team says is assume breach, and I think most of the industry has used that for defense in depth as well. And honestly, you have to assume breach, right?

They're there, we just don't know they're there until we find them. And I think that's exactly what we found with what we did with Zero Trust is the more we have the Zero Trust model deployed, the better we are with the visibility to understand where they could be and how to mitigate it from there. So let's switch gears for a moment. Like how do you think about, because security's always had a, shall we say contentious relationship with productivity. Some people see it as the opposite.

So how do y'all think about that as you're going through and kind of building a strategy architecture, et cetera, for Microsoft's IT? Yeah, for us, I think it's not one of the core pillars in the Zero Trust architecture that we have, but employee experience for us internally is part of our core set of pillars. And I think it's something we take very responsibly. And I think there's a couple of ways to look at it.

One is at the end of the day, you've got to get users to buy into what you're trying to do from a security perspective.

You can make all the decisions in the world and you can lock down your environment as tight as you wanna get, but if there's a lack of understanding, if there's a lack of knowledge, then I think that you're potentially breaking yourself into, or locking yourself into a way that you're making users unproductive because they don't understand why you're doing it or how they can get to the things that they need to get to because you've locked it down so much. And there's that balance, right?

So again, keeping yourself secure, but then making yourself productive.

And by doing that, you're doing things like giving easy access, allowing them to connect to places that they need to connect to from wherever they are. It doesn't have to be in the office, it doesn't have to be their home, it could be a coffee shop, it could be their folks' house, wherever they're at, if they need to get access to that resource, ensure that you have a way for them to get access to that, securely, with single sign-on, making the experience of them logging in easy and simple.

That pulls in the passwordless story as well, right? And I mean, we are Microsoft, we are a Windows shop and we do have Windows Hello. Think about the times you walk up to your computer, you smile at it, you frown at it, you get mad at it and it still unlocks your computer and lets you start working, grumpy on a Monday morning without a cup of coffee, and it still knows who you are.

I think we could point to some events in the past where we hadn't necessarily been as focused on productivity, but we've had events where folks have had to go home and they weren't as productive, but lately, last year was almost too easy for us because folks went home and realized just how productive they could be without having to be in an office because of what we did to get us there, right?

We had the ease of the VPN, we had the simple Windows Hello getting in, you had access because you were on a managed and healthy device, your identities, you didn't know, were being looked at and protected. We removed the requirement for resetting passwords; it's almost been two years now.

You guys remember, we had to reset our passwords every 70 days, I think at one point. Now you don't have to reset your password and, unless you're like me and you're using a non-Windows system from time to time, you probably don't even know what your password is anymore. So also making it simple for them to reset it if they had to. I think there's a lot there to ensure that. And I think the flip side of that too is have the listening systems in place, right?

Make sure that you're listening to what the users are saying when they're complaining or not. Have those things in place to hear them and listen to them to say, okay, we're getting a lot of folks that are complaining about this new policy, what is it that we did that is making them complain? Okay, getting that understanding, okay, we pushed malware, anti-malware tools to a mobile device, okay, why are they upset?

Okay, let's figure out how we fix that and then make it more clear why we're doing it. What are the reasons why we're putting this on your personal device? What is it that you're accepting by us doing it? Being very clear on what you can and can't do. Our terms of service we renew about every three to six months because we just want to ensure that every agreement we're making with our employees is accurate.

Here are the things we're absolutely gonna do on your machine, here's the things we're absolutely not gonna do on your machine, here's the telemetry that we have access to, here's how we use it. Being very clear about those things too becomes part of that promise. And I think zero trust can always be taken the wrong way because folks think you don't trust me, but what we're trying to do is build that trust and know that they help them understand that in order to trust we have to verify, right?

And I think that's where you have to get that balanced in order to make them understand both the productivity and the security side. So let's say a listener is new to zero trust. What now, how would you recommend that they got started because it's a big thing, right? So have you got any tips for where someone should start if it's new to them? Yeah, great question. And I think first off, one thing I'll say is it's not a short journey, it's a long journey.

We've been on this road since before we called it zero trust for the six years I've been here and I think they started, they may have started the year before that. So, and not to scare people, I mean, we're a fairly large organization, but it takes time to get to where we are even in our state. So the first thing I would say is really just what is it that you're looking, what is it you're trying to do, right?

And for us, what we always tell customers when we talk about it is collect telemetry and evaluate your risks and then set your goals. What is it the goal that you're trying to do? I think the easy button for starting this is really moving your identities to the cloud identities. So getting into Azure Active Directory and you could do that by migrating to Office 365. That's a great way, that's what we did.

We started our migrations several years back and then got onto Azure Active Directory and then started from there. That and then just enabling MFA. I mean, if you wanted the simple button, that's your simple button as far as I'm concerned, right? That gets you into the zero trust story and then you can start making some additional decisions from there. Pick a hero app for us, it was Office 365. It could be a line of business application.

It could be something just simple that a lot of your users are using. Or if you have a particular risk profile, an application that those users are using, start with those and then set simple policies. Don't overwhelm them. For us, it's basically six things. Are the devices up to date with their operating system patches? Are they threat and risk free? Are they encrypted? Evaluating the integrity of the device: is it jailbroken, do they have secure boot enabled?

And then we do some app control things where we may push an application to a device or we may restrict an application from a device. I think that's actually five things, not six. But like I said, start simple. Don't take the 8,000 group policies that we used to have and try to force those onto a device and say, you're healthy if you meet all 8,000 of these. Because honestly, we probably don't even remember what those 8,000 were. And they're probably an overlap of about another 4,000.

I think that's how I would suggest. Don't overthink it. Start simple. Start with telemetry. Start understanding your risk. Pick a hero app, onboard to AAD. Start applying MFA where you can. And once you do that, you're actually a long way down the road. We always ask our guests for their final thought. If there's something that you want to leave our listeners with, one piece of advice or a thought, what would it be? Yeah, I think, again, I'll just reiterate it. It's not a quick fix.

It's not an application you deploy. It's not a button that you push for zero trust. It's a journey and really everybody's journey is different. Our journey is where we are because we've been on this for a while. If you're just starting out, it's your journey. But again, understanding the risk in your environment, understanding what it is you're really trying to protect, starting simple and going from there. I think that's the key.

Don't think this is just something you're gonna fix overnight and go. It's a journey and it takes pretty much everybody to really kind of lean in and do it. Whether it's your security teams, your leadership teams, your employees, it's a journey for everybody. Well, thanks ever so much for joining us. Michael had to drop off at the end of this recording, so I'm gonna wrap it up and say thanks everyone for listening, stay safe, and we'll see you next time.

Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresecpod. Background music is from ccmixter.com and licensed under the Creative Commons license.