Top ten ways to secure your Azure environment – THR3067

August 17, 2019


Hello everybody. Welcome to the top 10 ways to secure your Azure environment. Who has a current Azure environment? Okay, you are in the right place. I am the Chief Technology Officer; I have 20 minutes to give you 10 things. We are going to get to the levels of depth, but my expectation is that each of you will leave with at least one good idea, and with that I will feel successful. This is a time to prepare. What I expect is that each of you will find that some of the things we have on this list are things you have already done. There will be some things that you wish you would've done; hopefully this is an opportunity for you to get that list of things so you can go back to the office and say "check," or "I wish we had that." I will take questions afterward; my priority is to be here for you. I see these in almost every Azure environment. This is a good opportunity to convey best practices. None of these is necessarily more or less important than the others, and the first thing we go into is not necessarily prioritized greater than the second thing. Keep that in mind.

Let's go to number 10. Number 10 is to introduce a concept called micro network segmentation into your Azure environment. One of the number one problems with your current environment: your servers can talk to your servers, and maybe even more so, your desktop and end-user environment can talk to the same servers as well. This is the main reason we have lateral movement. We have the ability for different things to talk to different things. A lot of those things should not talk to those things. Most of the time you hear about organizations being taken advantage of, one of the main reasons is because you have a contractor machine, and that machine hopped from there to somewhere else, and from somewhere else, and they got into the one particular server, Active Directory, so on and so forth, and then months later someone found out about it. Micro network segmentation is about moving away from this idea that everything can talk to everything, and that when you move into Azure, everything gets a resource group, also containing a network security group. What happens with most organizations is they move into Azure, but they let it communicate the exact same way they did before. It is like, "I will move and let it keep communicating"; they missed the catalyst to change the environment when they make that move. Use the catalyst of moving to Azure to implement a vertical network. Here is another network: application one, two and three, all contained within resource groups; all of them have a network security group that governs what goes in and out. The end state is that all the applications should talk to each other only to the extent that they should talk to each other. Otherwise they should not at all. Inside the context of the application, go ahead, communicate. Communicate to the extent you need. Perhaps that network security group protecting you between this application and that application facilitates inter-application communication in a structured way. Does that make sense?

Okay, number 2, number 9 actually. I call this blocking and tackling: operational needs, patching and learning. This does not mean that you take everything from your on-premises environment and you shift it up into Azure. Did anyone go to the winter session before this? A couple of you, okay. You can bring things like your existing environment temporarily into the Azure environment to continue your patching processes, but there is a native capability; there will be gaps, but there are native capabilities that you should be taking advantage of. State Configuration is a great base to take advantage of, and Azure Monitor contains things like logging, analytics and alerting. Fully define the operational process behind when something bad happens and how you react to what happens. Specifically, when something happens that has caused a security failure, how do I react to it? Does it open up a ticket in my case management system? Does it send an alert to my pager? How do I deal with that scenario? It is very important. Just because you move into the cloud does not mean you are not going to patch. I find a lot of scenarios where people deploy but they have not dealt with that patching scenario.

The next is understanding the difference between App Services and App Service Environments. Who is building on native App Services and containers right now? Yeah, okay. An App Service is less isolated. It is intended to be externally accessible, on external internet IPs; with Azure Firewall you get more capability, but generally it is something that is more available and less isolated from the internet. A lot of organizations are not comfortable with that; that is something where they want to have it only available for an internal use case. An App Service Environment is the ability to have that provisioned: the App Service inside the context of, not a container, but a construct that contains a network security group. It is the same thing we talked about with the virtual machines, putting encapsulation around them. An App Service Environment has the same function. When you build out a native App Service in Azure, you can put a network security group on that App Service Environment that allows you to isolate it from the outside world and to put it on the inside. Does that make sense? Okay.

The next one, number 6: store the IT configuration as code. No clicky. Do not deploy your corporate IT environment as something where you logged into the Azure portal and said click, click, here is the resource group, now I have this other thing. Your goal is redeployability. Redeployability is a security feature. Redeployability allows me to say, if someone accidentally messed something up, or they did it on purpose, I need to be able to take the IT environment and redeploy it as code from a source code repository. The same reason why, when something gets owned, you need to be able to recover so you do not need to pay ransom: if you can recover from backup you are in a better position. Having corporate IT like that is critical to your being able to survive that. This means that your corporate IT environment is following DevOps in the same way that your application does, and in and of itself that is a security feature: you are configuring something that is redeployable. Also make sure that resource groups are tied to Azure Backup, and you do it with Azure Policy. You need to be able to recover your environment. If your application teams are building things that are not backed up, that is on corporate IT. You may have given them responsibility, but they are going to come to you at some point because something bad happened, and you want to enable them to execute recovery processes. Azure, from my corporate IT standpoint, ensures that they can recover the environment and put themselves in a good position. And you dictate the terms of how Azure is executed within the environment. Backup is a security function. Backup allows me to go back to what was good before.

Number 7: leverage RBAC around resource groups and teams. RBAC meaning application groups isolated based upon who uses them. Do not just give in to the trend that everyone is owner of the environment, or everyone gets admin rights, or everyone can log into whatever resource group they want. That is a big difference between implementing securely and most companies, which have not done a good job. This means that application teams only have access to application resource groups. When you are logging in you have an account that does those things, maybe the main one for deployment, and if an application owner is also an owner of the overall subscription, that is a different account. It is not the same account; it requires different permissions, and it manages other controls that I will talk about. Resource groups need to have governance around who can use them and who can deploy. Also, the deployment should be automated from source code. The main function of the account should not be to execute deployment of app code; it should be to execute read-only access to see what is going on. That security around that deployment account lets you use a stronger password for automated release; you can turn it over on a regular basis, significantly more secure than something someone remembers. Does that make sense? Okay. Where does that get applied? You see this; it is called an appropriate management group structure. I will go into this more this week with my longer session. The main thing I want you to see: on a subscription basis, your application team may have groups of subscriptions, the resources they build within, with the main permission and how they get applied. An owner of the application team with the permission to get applied to the actual subscription: those two rights are separate. Do not fall into the trap that because someone owns the resource group they also have access to the subscription.

Number 5: use Azure Policy and ARM template rules to deploy security controls. This is not something where it happens by accident anymore. I will go back to that. This does not happen by accident. Your goal should be to inform, not just inform the application teams, but define what corporate policy is for the security of the environment. Azure Policy lets you do that. When you come up with the things that are important to you, like you have to have tagging, the application needs to be classified, you need to have the right security controls, you are enabling creativity while ensuring operational processes. You are enabling those functions to exist in a controlled way, but you are letting them run down the road quickly. That is what separates these two functions. That is what separates the men from the boys. You are not going to be able to have communication with every single application team. Applying something like Azure Policy is an important step for you to declare and say, this is what a secure environment looks like for us, and to apply that policy, making sure you are in a position where your application teams are receiving the policy from you, versus a position where you are just suggesting it.

Number 4: use Azure Security Center. This is actually an old screenshot. They have a new Azure Secure Score, and it is fantastic. They have consolidated many things. It will analyze the configuration of your Azure configuration itself, as well as the virtual machines, the App Services and the containers that exist inside of it, and apply that configuration against it. And then it gives you a secure score; it gives suggestions on how to improve your environment. If you are already using Azure and you are not using Azure Security Center, you are missing the obvious. This is a straightforward place where you can get additional information to apply against your environment, and it will give you prescriptive guidance. There are some cool things beyond that. It will assess the patching, which I think is nice. Not VM security; the straight fact is that we are moving to a world where VMs are legacy, and containers and App Services are what we are building on. If they want to have a future-state job, you are building on containers and those technologies. They are investing in that, and in how we assess our application and the containers that we built. The dev teams, like it or not, are always thinking about it. We can build this right into Security Center and look for ways to improve it. Secondly, if you are using something like Rapid7, you built one of their scanners on-prem and it goes to scan your environment; there is a service for this. In Security Center, you can add Qualys as a service or Rapid7 as a service and it will scan the virtual machines that exist within the environment. It will run as a server and an app, and it will load the same data into Security Center. Rather than deploying some virtual appliance, it runs right within Azure, and it provides you with output. It is like having the scanner on-prem, but applying it to your Azure resources, and consolidating them into the Security Center environment, which I think is a cool add-on. It has extra cost but is well worth it. Also, all of this, taking action on the platform, lets you pull these types of suggestions, or problems, and build out playbooks that can trigger Logic Apps. For example, if there is a state like "this server has not been patched within 10 days," you can build a Logic App that will automatically bring it into a controlled state, or bring it out of the controlled environment, or it will send an email or open up a ticket. The nice thing: it understands something is broken, and it reacts with a set of actions. Does that make sense? Okay, we are right on time.

Number 3: do not use everyday accounts as admins. This is a pet peeve of mine: when people go into their Azure environment using the account that you log in with your email, and that is how you administer. Shoot that thing dead; that is not the way you administer Azure. Talk about opening up the front door thinking you have the back door locked; that is how you leave the front door open. You will make your account the one that you log into the Azure environment with; do not do that. Also, use Privileged Identity Management. Have a separate account, segmented; use Privileged Identity Management. This allows you to log into your account, but you do not get all of that account. I ask for certain permissions and am granted those permissions; I can be granted automatically, which is a step above, or I might have someone approve them. Maybe a certain type of responsibility needs to be approved, because they should not be using it very often. How long do I need to be an Azure owner? Not very often. When I request that, maybe I need to have it approved. Or if I ask for something I do not use very often. When you use it, it is audited; you are granted permission, and it is not just automatically available. If someone gets your account they cannot just launch some script and do everything. You need to authenticate with the account, ask for your permission, and then delete. It adds additional security layers and is built into the Azure platform. And it can incorporate things like conditional access, which is the next two things.

Have you ever seen that Far Side where a guy is walking out of the bathroom and a light says, "You did not wash your hands"? I wish that existed. You see guys walking out of the bathroom without washing their hands; who does that? Isn't that the grossest thing ever? This is like not washing your hands before you go into Azure. Conditional access is like the second coolest thing to doing micro network segmentation. Considering the big picture, our current state is highly connected networks with PCs. The future state: not highly connected networks, with network segmentation, and modern desktop computing with devices that are not on the network. It allows us to say, is this device healthy, and are you accessing Azure in an environment that I like? Let's say someone gets someone's password, that is an account, and they are overseas, and that is not a place where you have an office. By default, yeah, great, they can log in: "I have your password and I'm going to log in." Conditional access says there are certain qualities you need to log into my Azure environment. It is like your physical data center: you need the key card, the reader is there to open the door, I walk in, all of that exists. Well, you do not have that anymore. With conditional access you need to be on a corporate-managed device, it needs to be healthy, up to date, and it cannot be taken advantage of; you need to log in with your credentials, prompted for multifactor auth. All of that stuff is conditional access. For both admin functions and so on, you decide; you can enable it if you have, if you're running a full SCCM environment, it will co-manage, and that will give you the ability to do conditional access. Every device gets enabled, and when I log into Azure I can control the kind of device, from where, and who is accessing it, so I can govern the whole experience. In my opinion, this is table stakes and we should have this. Most people probably have it; enabling a greenfield or a co-management is pretty straightforward. This allows us to be able to govern the access to the administrative experience, and actually make sure that who is accessing it are the right people. Make sure you do this, as it is an important step.

The final thing, if I do anything today: enable multifactor authentication for admins and users. This is straight up, you should do it. You are using Azure. Enable multifactor authentication, please. This is like the most easy thing to be doing, because I have a phone in my pocket, right? Like, enabling this is so much better than if someone got my password. At least I have to authenticate on my phone versus someone getting in. This enables just-in-time owner functions, and for me to combine it with conditional access. It's the single most important function against breach, the single most important thing you can do. Do this. If you have all ten of these things enabled, bless you; you have an opportunity for a great Azure environment. If you don't, enable at least one of these; I think this is the one to start with. We're right on time. This is how you find me on Twitter. So there's lots of cool stuff coming out on Twitter. I'm speaking this week in the big room; hang out with me, ask some questions, and also get around for... when is this done? Right now, I think it's done. I'm done with my time. Thank you so much. Give me all the details: if it was good, great. If it wasn't good, tell me; give me good descriptions as to how I can do it better.
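The micro network segmentation point (number 10) and the configuration-as-code point (number 6) from the talk, combined into one added example that is not part of the original session or the speaker's material: an ARM template that deploys a network security group for a hypothetical application's data-tier subnet. It allows inbound SQL traffic only from that application's own web subnet and management traffic only from a bastion subnet, then denies every other inbound flow from the virtual network at priority 4000, which evaluates ahead of the platform default AllowVnetInBound rule (priority 65000) that would otherwise let any peer in the VNet reach the tier. The NSG name, subnet prefixes (10.10.x.0/24) and bastion range are constructed placeholders for the example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "nsgName": { "type": "string", "defaultValue": "nsg-app1-data" },
    "webSubnetPrefix": { "type": "string", "defaultValue": "10.10.1.0/24" },
    "dataSubnetPrefix": { "type": "string", "defaultValue": "10.10.2.0/24" },
    "bastionSubnetPrefix": { "type": "string", "defaultValue": "10.10.0.0/27" }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2019-06-01",
      "name": "[parameters('nsgName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "Allow-Web-To-Sql",
            "properties": {
              "priority": 100,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourceAddressPrefix": "[parameters('webSubnetPrefix')]",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "[parameters('dataSubnetPrefix')]",
              "destinationPortRange": "1433"
            }
          },
          {
            "name": "Allow-Bastion-Mgmt",
            "properties": {
              "priority": 110,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourceAddressPrefix": "[parameters('bastionSubnetPrefix')]",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "[parameters('dataSubnetPrefix')]",
              "destinationPortRanges": [ "22", "3389" ]
            }
          },
          {
            "name": "Deny-Other-Vnet-Inbound",
            "properties": {
              "priority": 4000,
              "direction": "Inbound",
              "access": "Deny",
              "protocol": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRange": "*"
            }
          }
        ]
      }
    }
  ]
}
```

Keep the file in source control and deploy it with `az deployment group create --resource-group <rg> --template-file nsg.json`, then attach the NSG to the data subnet through the subnet's `networkSecurityGroup` property in the VNet template; redeploying the same template after a mistaken portal edit restores the intended rule set, which is the redeployability the talk describes. The template governs inbound traffic only; a matching outbound rule set (for example, denying the data tier from initiating connections to other applications' subnets) is needed for full segmentation, and every per-application NSG should follow the same allow-specific, deny-the-rest pattern.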
