

A very good morning, everybody. >> Good morning. >> Thank you so much for coming out so early, I really appreciate it. I'm from Scotland, as we say in Scotland. All right, and as you guys say here, morning [laugh]. Okay, so welcome to my session. Favor the bold. Managing and deploying rock solid Microsoft Azure security solutions. I didn't come up with the title.

I'd just like to point that out now, okay. It's basically my top ten, and it is my top ten solutions that I think are gonna make a real difference to your business. So do come in, come and join us. Again, I really appreciate it. Who am I? My name is Andy Malone, I'm an MVP in security and have been for a number of years, in fact ten years now. I am also a Microsoft trainer for 20 years.

You don't get that for murder. Well, maybe you do here. Also, I'm an author as well. So I've actually written a book, and the second one is inbound as I speak. It's gonna be part of a trilogy. I'm also in negotiation right now for the movie rights. So, and it's going quite nicely. I'm not a millionaire.

I'm not JK Rowling yet, but we'll see. But it is basically Highlander meets The Da Vinci Code. I won't mention the book, okay? [laugh] Okay. I'm from a wee town in Scotland called Stirling, if any of you have been there. One thing that Stirling is famous for is castles, okay? So this is just one of our castles. This is a castle very close by where I live.

It's called Doune Castle. D-O-U-N-E. Some of you may think that, hey, this looks familiar. This is actually Winterfell in Game of Thrones. And it was also the castle from Monty Python and the Holy Grail. And it's also in the TV series Outlander, okay? So if you're familiar with those shows, you'll be familiar. They film loads of stuff here. And you're probably thinking,

why on earth, Andy, are you talking about castles at Microsoft Ignite? Well, we're talking about data centers. And one of the things I've had the pleasure of in the last few years is working with Microsoft Office 365 and also Microsoft Azure. I've got to work with the actual product groups. I've got to work with the service people. So the people who take your calls on the service desk. I've spent some time with these guys. I've also spent time in the data center.

I was mentioning to a couple of folks earlier that it is kind of interesting here, because the data centers that you've got in the US here, they're so vast, people ride around on these Segways. Did I say that right? Segways, Segways. People ride around on those things. In Ireland, where I work with the guys, they ride around on bikes. So they like to get fit, all right? So what do these things have in common?

Well, this, if you think about it, is a 12th century data centre. And they've not really changed that much. They're both responsible for protecting assets in their own right. Obviously they're responsible for how data flows out of the data center. This is the actual data centre in Ireland, this is the Dublin data centre. With the other data centres absolutely enormous, and so is this, one of the biggest data centres in EMEA.

So, Andy, why on earth are you talking about data centers and castles? Because they're all comprised of these things. Isn't it amazing that in over a thousand years we're still building with bricks? All the technology that we've got, we're still building with the basic things, yes? I was gonna mention one of the events that I do is an event called the Cybercrime Security Forum, and

I work with, you might know, a lady called Polly Aniskovich. She speaks here apparently at night sometimes. She's quite popular apparently. I got to tell you a funny story. She was actually stopped at immigration, she was strip searched. Did you know that? This is true, this is true. Yeah. I've got the video, I can sell it to you, if you like.

>> [laugh] >> [laugh] Don't tell her about it, okay? So basically, I don't know if you've looked at Microsoft Azure recently. But it's a big beast, yes? If you go away [laugh] for a month or something and come back, it's all changed. So you've got all of these kind of security features, and there's gazillions of them. Honestly, Microsoft Azure changes faster than I change my underwear,

I'm not kidding, it's crazy. And I'm thinking, how on earth can I include all of this, throw this all at you, in 75 minutes? And it's kind of almost impossible. So what I've tried to do is I've come up with, I think, Andy's top 10. Okay? So these are my top 10, and I'm gonna cover it in all of these kind of areas. You may disagree with me.

I know, Andy, why didn't you speak about this? It was out yesterday. Hey look, I wrote this event a couple of weeks ago and I wanted it to be kind of relevant. And also it's stuff that you can use now, you can use today. So, let me talk about my number 10. My number 10 is what was I syncing about, okay? You'll know AAD Connect, yet identity is an absolute core feature of Microsoft Azure.

We all wanna be friends with each other, but there's so many different identity models and mechanisms going around that I'm thinking, hey, we need something in the middle. And I was actually looking at this, and I was having a conversation with somebody in the speaker room yesterday. Now, does anybody remember this? Who remembers this? Raise your hand. See, respect, okay, respect, okay.

What are we looking at here? This is Exchange 5.5, this is what, 20 years ago? It is 20 years ago, right? And there was a file called dir. Now this is pure speculation, by the way. Please, the press, don't go and write this, I'll never work again with Microsoft, okay. This is speculation, but bear with me on this. I foresee a place in the not too distant future where you go into

Windows Server, you go to add/remove roles and you add Active Directory. But Active Directory is not installed. You connect to Azure Active Directory. It's cached in your machine. Work with me here, yeah? It's cached. There's no DCs, there's no domain controllers, but you have OUs. You can do group policies, you can do security. Is that beyond the realms of reality?

I don't think so. And this is exactly where we were 20 years ago. This is this product, yes? Because dir.edb connected Exchange, if you think about it, to Windows NT, right? Nowadays what we've got is we've got some kind of intermediary technology. Now whether we call it AAD Connect, whether we call it ADFS, whatever you wanna call it, it's designed to connect

your on-premises solution to Azure. We're back where we started. It is great, isn't it? It's absolutely awesome. So it's all about connectivity. It's all about identity. And it's one of the most exciting areas of modern times, really, to get into. So AAD Connect, now I'm sure you're going to see guys like John Craddock

and Mark Russinovich. They'll talk about all of these products in great detail this week. I'm not going to bore you to death with that. Now, did you know, however, that AAD Connect has a secret? I've been working with Office 365 and Azure for a number of years. And this is something that's not commonly known. Now, if you were familiar with a product called DirSync, yes? Which is all based on the same thing. You'll remember that DirSync originally synced every three hours.

You could force what we call a delta sync, but the problem is, I had a customer in Leeds, that's in England, by the way. I had a customer in Leeds and he says to me, I need to manually sync. And he had something like 100,000 objects, a huge number of objects. And he was forcing. He actually edited the text files so they synced every ten minutes. Of course, what's gonna happen with that? It's not gonna work. It's gonna get corrupted, and that's exactly what happened.

And if you know this tool, so you can go in here and you can edit this stuff, right? But what is not commonly known is actually this. This is the Active Directory sync manager in AAD Connect, just the same as it was in DirSync and so on. Now this is something that you don't know. There is actually a second resync cycle. There's a pulse, it's an undocumented feature. And it pulses every two minutes, okay?

An undocumented feature. You can't edit it, you can't change it. But what it does is it looks at your emergency delta syncs. Your password resets. Your deletions and things like that. So your critical syncs are taking place with this, okay? That's an undocumented feature for you, all right? So that's my number 10, what are you syncing about. Now, I can feel the excitement in the room because you sat there,

you're thinking, my God, what is that number ten, what's gonna be number 9? And I've got to tell you that my number nine is identity. So identity is absolutely critical, but identity today is becoming a challenge. But I'm saying that identity is actually starting to be dominated by the big few. So Microsoft, Facebook, Google, okay. And the only question about that I have,

as a security guy, is who's governing all of this? Yes, I like to know that governance is really important. Compliance and governance is really important here. But it's quite complex, so remember my picture of the castle at the beginning. In those days, what do you do if you're trying to get a message out, and in Game of Thrones of course it's a raven, yes. [laugh] We can't send ravens, but we do it. Well, the modern raven is called SSL, right?

[laugh] So we just hope that nobody shoots it down. So identity definitely has its challenges. So whether you decide to, hey, we're all in the cloud, we wanna move to the cloud, we migrate, we're in, that's it. Or, are you gonna have some kind of intermediary solution? So very much that dir.edb file that I mentioned. Something that connects your on-premises Active Directory to Azure Active Directory. Cuz let's face it, guys, Active Directory was never written for

the cloud. It was written in a different time, yes, it was written in a different time period. So now we need this intermediary technology. Now obviously one of my favorite ones is Azure, sorry, Active Directory Federation Services, and I've got a little demo of Active Directory Federation Services. Now, this demo is not for the experts in the room. This is if you've never done it, okay.

Also another thing as well, I'm going to do this demo on Windows Server 2012 and 2012 R2. Why? That's because that's what customers asked me to do it on. What are the chances of you going on to customer premises and they're gonna have Windows Server 2016 with the latest and greatest? There's no chance, right? So I wanted to make this demo a little bit more relevant. Now, some of these demos I've canned, mainly because you can imagine it takes a little bit of time to do this and

I'm a bit limited with time. So key thing, deploying Federation Services, this guy in the middle. So the thing about federation as well initially is, federation was quite complex. You would never just install a single server, because potentially that was a single point of failure, right? So what would you do? We have a federation farm. And of course, it's not considered

good etiquette to connect directly to the server. So what do we do? We connect to the proxy. We have some kind of proxy, okay. So I've got my nice colleague up at the back there, Mary O'Shea, I'm making this up, okay. And she's gonna help me out. Now she's a bit slow sometimes, so you've gotta bear with me, okay. So, this is my DC1. And, in DC1, what I'm gonna do here is the first thing that I'm

gonna do, this is right from the beginning, step-by-step. I'm gonna go into my Server Manager here. I'm gonna go into DNS, and you can see that in here, I've created a local DNS record for fs, federation server. Okay, now that I've done that, what I'm gonna do is, I'm gonna go into Active Directory Users and Computers. Of course you don't typically use an admin account for this. So what I've done is, I've gone and taken an account called adfssvc or whatever you wanna call it.

Okay, so that's the first thing I've done. The third thing I've done is I've granted that user the right to log on as a service. So, I've done the setspn and so on, which you can see here if I flip over to my server two. You can notice that this one is a 2012 R2 box. So what I've done is I've just run that command, and all of this will be available to you guys later, by the way. So now what I'm gonna do is I'm flipping over to TMG. Remember this?

This is a real world scenario. So I'm flipping over to a customer. They've still got TMG. Again, I'm just going into DNS, and I've just created an fs record with my public IP address here. Again, both sides of the coin. So now, what I'm going to do, now that that's been set up. Again, I'm just gonna flip back.

And I'm going to open up AAD Connect. Now, AAD Connect, at the moment, is awesome, by the way. It's come on such a long way. So I'm gonna go into here. And you can see that I've already gone ahead and deployed sync. Yes, I've deployed the sync mechanism. So, all I need to do, unlike the old versions, where I needed to uninstall and reinstall, I can just click on, I want to change the log-in type.

So, it says okay, you need to connect to Azure. So, I'm gonna log in here. This is my Office 365 account. Of course the beautiful thing about Azure Active Directory is, it doesn't matter whether it's into Office, OMS. It doesn't matter, it's using the same directory structure here. I'm now gonna, once I've connected to that, of course, now it says to me, all right, how are you gonna change the user sign-in? What sign-in option do you wanna do?

So in this case, it's password sync at the moment. I'm gonna go with ADFS. So I'm gonna select that option, and I am gonna go ahead and click on Next. Now, you can see it tells me here, by the way, although AAD Connect will install on 2012 and 2008 R2, you won't be able to run the ADFS part. So the ADFS part requires R2. So now what I'm doing is, I'm just browsing to my certificate. So I've got a public certificate here.

So I'm just gonna go ahead, and I gotta tell you, by the way, this is so much easier than it was a couple of years ago. Or, as I call it, the days of yore. Okay. So I'm gonna just load up my certificate. You can see I select my certificate. Remember this, because ADFS requires SSL. So if you get an error on the screen, that would make a good exam question, wouldn't it, by the way?

It means that you've not actually configured SSL. Now, which server is gonna be your federation service, or server two in my case here. So I'm just logging on with my credentials just to say, yes, I'm authorizing this. Okay, so now that I've done that, yes, I am going to just type this in. Okay, now it's asking me. Best practice, of course,

you would always put in a Web Application Proxy. Always. But for the purposes of this little demo, I can skip it, okay? But in reality, I would just also do this. And the wizard would actually take care of that as well. But just because of limited time, I didn't want to bother going through that. So, again, I'm just gonna click on Next there. Click it, told you she was a little slow.

So, now that we've done that, it now says now you need to put in your domain administrator credentials. So, I'm just putting in here onprem/administrator, and I'm putting in my password. And again, I click on Next. So, now it says what about service account? Now the cool thing here is it says, okay, you can create one if you want to, or of course, I've already created one. So I'm just logging in here with my onprem/adfs service or

whatever you called it. Do remember, though, that you need to run that setspn command in order to grant the permissions. So now that I've done that, awesome. So now it says okay, which domain is this for, which forest? So in my example, I'm only using a single forest. So I'm just gonna click on the drop-down arrow. And I'm just selecting this particular domain here. All right, and again it just says make sure that you put in

the correct DNS records, blah blah blah. And then once you're happy with that, then we can click Next. Okay, so looking good. Now it says, okay, it's gonna use the synchronization engine as a backup, so it's gonna do that. So I click Next. And we're done, okay? So installation is complete, I just quickly verify that. And that's it, we're now in Active Directory Federation Services mode.

Okay, now beyond that there was absolutely loads of PowerShell, okay. So, if you would have been doing this a couple of years ago, that was quite a very large exercise. So, considerably easier today. Now, as I say, Andy, why didn't you do that in Windows Server 2016? Because nobody's using Windows Server 2016 yet. Not for that, or at least the customers that I speak to are, many of them are wanting to make it real world.

So, Andy, we're talking about identity, that's what you said, right? So that was part of it. So now that we've made that connection, either by using the sync engine or ADFS, we joined those forces together. But the key thing is, okay. How many of you are on Office 365, by the way? Raise your hand, quite a lot, that's nice. So, one of the great things about Office 365

that's pretty much what you can do in Office 365, right? But the problem with that is there's so much more in Azure that will bring extra value to that. So, we have a feature in Azure called Azure Active Directory Identity Protection, and this is basically where you can set up risk based conditional rules, if you will. So, you can identify certain users and actually say, well, you know that they're in a particular area that's quite risky, or they're a risk. And you can actually say okay, once you've identified those,

you can actually set up conditions. So, and it works a little bit like this. So, this is Azure AD Identity Protection. So, here's Bob, Bob logs on. And I don't know why he's sat on the floor, by the way, but there we go, maybe he's feeling a bit lonely. Maybe he couldn't make it to the canteen here, I know that I can't. So users, Bob signs in, and basically, a number of processes take place.

So first of all, it logs the date and time. It logs his location, so where is Bob? Is he in an approved area? Is he in an approved location? So, I do a lot of jobs with the military, yes? So, of course, things you might have access to in one room, you may not have access to in another room, right? So, location can play an important part. Alarms, so something's not right,

it might trigger an alarm, it might trigger an alert. So, you're not in an approved location, so you might need to, let's say, perform a multi-factor authentication or something like that. Another solution that obviously it will record everything. So everything is logged. Everything is audited. This is awesome stuff. And then, finally of course, it does that risk evaluation on you.

So, is this user in a risky location? Are they? Is this the user that they say they are? And, of course, there's lots of metrics, and charts, and views, and things that you can go and view. So, this is Azure AD Identity Protection. So, if you've got users in Office 365, flip over to Azure AD and have a look at it there. You can set all of this up there, it's so cool.

So, detailed reports on users with leaked credentials. Whether it's an irregular sign-in coming in from an unfamiliar IP address, suspicious activity, and there's loads more. One little gotcha. It requires Azure AD Premium version 2. So this is the latest version 2 of Azure Premium, okay? But you can, of course, add that on. So, now when we flip over into the demo here, so you can see, I'm going into this.

Essentially, what we have here on the left-hand side, I've not set this up at the moment, so it, we can say which users are logged on, you can identify risk. You can say risk events. And again, it detects any potential vulnerabilities. So, one of the first things we're going to want to do is of course kind of set it up. The first thing you need to do is obviously say okay, which users do I want to flag up?

So, you can obviously do all users. I can select individual users if I want to. So, for example, if I go in here and I'll say, do we have, let's say Capt Jean-Luc Picard here, or, I'm a big Trekkie, sorry. Do we do like Chandler Bean, so for this example, and again, I'm just gonna click on all users. So, once you set the users, you can of course then set the conditions. And of course the conditions, you can then say, okay, if they meet these conditions, what are you gonna do?

And are you gonna identify these users as potential medium, low, high risk? And based on those conditions, you can then say, all right, what are you gonna do with that? So, I can then say, okay, if they are high risk or medium risk, you can actually say, I'm gonna ask them to reset their password or maybe invoke multi-factor authentication, something like that, and that's it. That's all you do, basically, it's really simple.

So once you've done that, of course, then it's just a case of reading the reports. And reading the logs, okay. But the fact is that you're in control of it. Absolutely awesome, that's my number 9. Identity is the new control plane. What about number 8? I can feel the excitement, especially at the back there. Somebody's jumping up and down.

Number 8. Hey admin, just who do you think you are? So, all of us. Who remembers Windows NT? Baby, I love you. Okay, so, Windows NT, we were gods, weren't we? Yes, we ruled the world. Yes, but then they changed things. Yeah, they put in auditing and things like that.

So, number 8, hey admin, who do you think you are? So, do you remember this role-based admin control, RBAC? So, in the old days things were simple. In the old days, you would be added to a group and then you would be granted permissions. Remember AGDLP and all of that. But what was the problem with that? The problem was that as time went on, you might be changed group, or.

And permissions would bleed like crazy. So, a couple of years down the line, it's like, you don't know what permissions this guy's got. So, at least, with roles, the idea is you can be one role or you can be another role, yes? You can be one or the other. But, and this is where it gets really interesting, so that's it. That's pretty much what we've had for a while. But check this out.

This is something called Privileged Identity Management. This is awesome. Right, this combines something called JEA and JIT. So, just enough administration with just in time administration. This is very cool. So basically, what this essentially does, if you've got these minor roles. So, let's say you're a password administrator or you're a building administrator, something like that.

Well, what this does is, I could say hey, I want Bob to be a password administrator. But I'm going to just set Bob's account up so that when he actually clicks on activate, so he's maybe not working with the account right now or he's maybe not doing that role right now, but when he clicks on activate, a timer kicks in. So, let's say he's a password administrator, but you can put a time limit on it. Think how cool that is for contractors and people like that.

That's something we've never had. So, just because you're a role-based admin, it doesn't mean that you should be a role-based admin permanently. So, it basically sends out alerts. And the idea is who are the numbers of users, so we can find out which users are, what we call, privileged users. But it also allows you, as a global admin, as God, to basically look at those users and say, does this guy still require that right? Yes, now okay, if the contractors of course abuse that privilege and

it's time now, you can just reset it again. Okay, again it's so simple. Okay, so basically this is called Azure Active Directory Privilege Management. So again, the first thing you do is you basically identify your users. Again, here I've got a pretty simple set up. This, hardly any users, see it. But, basically what I'm gonna do is, I'm just gonna flip it over here

and I'm gonna go into Azure identity management here. Identity Protection, I should say. So, Privileged Identity Management, again, I'm just gonna enable it. Click into here. And again, one of the first things that you need to do is we need to basically identify which are our administrators. So you can activate the roles, obviously, we can then manage the roles. And so, obviously, you've got the global admin and

you would never really put a time limit on a global admin role. You would tend to do this on one of the minor roles. So once you've set that, obviously, once you've set up the monitoring, I can then say, okay, I want to activate this user as a potential temporary role. So if I've got Bob here, I can activate Bob as a potential temporary role. The nice thing is you can go in, there's a log file. You can see what Bob's up to when he's logging in, how long he's got.

The reporting features here are really awesome as well. Yeah, so once you've set that up, again, you can then obviously just enforce that. Once you've selected the user, you can then say I want this user to be eligible. So he is, let's say, a guest administrator, a sales administrator, something like that. I want him to be eligible in the role, okay? So these are all the different roles for

let's say, Azure, Exchange, SharePoint, Office 365 and so on. So you can basically identify the users in those roles, okay? And then as you can see here, I can then say, okay, activations. You can then say, okay, I'm gonna give this guy 30 days, I'm gonna notify them. And of course, you can do things like if there's an incident or a request. And you can also invoke things like multifactor authentication for this user as well.

This is a very, very cool feature, guys. You wanna seriously take a look at this. Now, the thing about this is it's not actually in the likes of Office 365. So as a global admin in Office 365, I'd love to see it in Office 365. But the thing is, you can bolt it onto it by going through the Azure portal. Because it's the same Azure Active Directory, right? Okay, so once you've identified the users here.

You can see that that user is now earmarked as temporary. So once that user decides to activate their role, that's when the timer kicks in, basically, okay? Really nice feature, okay, so can I do this through PowerShell? Of course you can, so this is basically how to do it. You can either do it through the GUI and through PowerShell. Okay, it cannot be done in Office 365, but again, one of the things you need to do is you need to earmark or make an administrator eligible.

And it must be a global admin role that does this. All right, now Andy, let's have a top tip, okay, here's looking at you, kid. There's a new feature in Azure, wouldn't it be nice to record what admins are doing? So again, every single admin will be recorded, it goes into a log and of course, you can then follow that up. So you do have rogue admins which, let's face it, it does happen from time to time.

You've got the auditing, you've got the power there to go in and enforce the rules. That's a really nice feature, by the way. All righty, so that's my number eight. I can feel the excitement growing, I think we need a drum roll. Number seven then, absolutely, it's amazing how many people don't use this at the moment. So what is multi factor authentication? Multi factor authentication is when you sign in.

I, as a security guy, I really have a problem with passwords. So you see speakers all the time, or so called security people all the time, hacking passwords. And the crazy thing is that when they hack the passwords, they're actually logged on as an administrator, so, of course, they can get the password, okay? That's common sense, and passwords are so 90s. Nobody uses passwords anymore, and you know why? The reason being is because passwords only tell you

something that you have and something that you know. So something that you have is your bank card and something that you know is a PIN number. So what? That doesn't prove who I am, that just proves that I've got something and I know something. What we need is something that you are, yes, or some other. So aidas prove who you are, or somewhere where you are. For example, in the UK at the moment,

do you guys use chip and PIN here? Are they rolling that out here? >> Yes. >> Yeah. So we've had chip and PIN for about 20 years in Europe, okay? Long time, I'm sorry guys, okay. [laugh] Okay, you've got better movies than we have though, so touché. [laugh] So chip and PIN, right? Again, something that you have, something that you know.

The bank machines now, the Royal Bank of Scotland in the UK, what they've done is you can now register your image with them. So when you go to a cash machine or you make a cash withdrawal, you put in the card, you put in the PIN number, but it does a facial recognition. How cool is that? So even if you stole my bank card, you can't get into it, that is awesome. So multi factor authentication is absolutely really important.

Now, how do we do this in terms of, let's say, I mean Microsoft have been great at this. They really lead the industry here, I will take my hat off to them. So OneDrive, for example, most of that technologies. Yeah, so if I get access to your, let's say, your OneDrive account, what's the first thing it's gonna ask me? It's gonna say, okay, you're not logging in from an approved device, yes? So yes, you know the user name, you know the password, but

you're not logging in from an approved device, okay. So authentication, you can phone call, you can text message. There's an awesome mobile app, by the way, that you can get. Users can also choose how they want to log in. And again, it's really, really simple to set up. So you can do it through PowerShell or you can do it like this through the GUI and just enable it for one or all your users. Now, just a word of warning here, don't enable it for everything. So every time that you log on, for example, to Office 365,

it will do a multi factor authentication. Make security usable, yes? Because if you don't make it usable, what happens? It gets brushed under the carpet, all right? Or the rug, do you call it carpet here? Anyway, so you can make the choice here, and that's it. I went ahead here and just put the slides in. I'm not gonna go through these, but the step-by-step guide on how to do this through PowerShell as well, all right?

So there we go, now, Andy, what if I, earlier you showed me how to do ADFS. Is it possible to combine ADFS with single sign on and multi factor authentication? Absolutely. Check this out, you can download this tool, install it on to your federation server. And now you can invoke multi factor authentication and it just locks in seamlessly, okay. So this is Microsoft Multi-Factor Authentication Server,

just bolts directly onto your ADFS server, absolutely rocks, okay? Number 6, okay, so we spoke about identity, we spoke a little bit about access. What about, how do we protect information, okay? How do we actually protect our information? Now, I don't know about you, but information has really changed. Now, I come from the UK, and what happened in the 18th century in the UK? Something that changed the entire world,

it was called industrialization. So the population came in from the country, we built factories, engines, technology, ships. And of course, we went worldwide with this, okay? And America is a perfect example of that, okay, we took that industry to the world. It was called the Industrial Revolution, and in that industrial revolution, what happened? In fact, if you think about it,

the early years of computing was the industrial revolution. Yes, what happened? Client-server environment, you go through the factory gates in the morning. When you get into the factory, you sit down at your laptop or your PC. You remember those boxes on the floor, yes? You connect to your PC, you connect to the server, and what happens? You do your job, at the end of the day you get up and you go, and they close the gates behind you.

That was the industrial revolution, right? That's the way it worked, so on the left-hand side here, this is how we have traditionally shared out data. But today, look at the difference, some of you said that you work with Windows NT. I can't tell you how many people I've seen that still think in that time period, you have to move, okay? If you don't move, you're gonna end up shoveling fries in McDonald's, okay?

Which might not be a bad thing for some people, I don't know. So on the left-hand side is your typical kind of data flow from the client-server era. But on the right-hand side is the way that data flows today. And the problem that alarms me with this is that we'll send an attachment. I'll send a file out in the attachment. I've lost control of that file, it's gone, right? As soon as you share something out there, it's gone.

So we need something to... it's almost like a lasso. I'd love to see that, by the way. In the West, to see the cowboys and that stuff, yeah. So, we need to lasso that data so no matter where that data goes, we've got some kind of control over it. And that's what we're starting to see now, yes? So this is something, and you might call it almost like a social network, yes? So we need a mechanism to kind of be able to hook onto that data and

pull it back. So, you know? Just to show you my data is out there. My data is out there. But how do I... Again, I'm just making this demo up as I go, by the way. So I'll go into Microsoft's favorite search engine. Oops, I'll never work in Microsoft again. Okay, [laugh] okay, and

I'm gonna type in an advanced Google search. So here's a favorite one, all right? [laugh] I'll go with membership list, okay? So you can see I'm typing site:.com, it's a .com website, filetype:xls, spreadsheet, membership list. And you can see, look at this, it pulls out membership. Now, do I dare open one of these, cuz this is being recorded. So, that's in Spanish. Okay, let's go with it.

Let's open one. Okay, so here we have, for example, names, phone numbers, what they do. Mm, that's a social networking dream, is that. That's a social hacking dream. I mean you could even do things like, let's say PDF, .mil. I can feel those rubber gloves coming out at the airport. >> [laugh] >> Okay, and I'll say classified.

Now you think that nobody would ever post this, right? Look, all the documents marked classified. Okay, now even worse than that. So, the problem is, as soon as you share something, as soon as you give a piece of data to somebody, it's gone. You've lost control. Almost like if you post a picture of yourself. So how many folks are on social networks?

Of course you are. You're all on them, right, everybody. You didn't put your hand up, sir. You must be shy. >> [laugh] >> So I'm gonna show you a picture, all right. Let me load up a file here, just to prove that you really do lose control. So I'm gonna take... I'm doing research for my next book.

By the way, did I tell you I've written a book? [laugh] So I'm gonna just find a picture here. Okay, here's a nice picture. One of the scenes in my next book actually takes place in Croatia, and I was doing some work in Dubrovnik, and so I took a picture of myself. So if I click on this, this is called metadata, of course. Metadata is data about data, right?

It tells me the device it was taken on. It tells me the exposure, the date, the time, the GPS coordinates, the altitude, the longitude, the latitude. The other thing that it shows me is exactly where I took the picture. Come on. >> [laugh] >> Protect yourself. Protect your information. If that was pictures of your kids in the back garden,

how creepy is that, okay? We have to protect data from leaking outside an organization. So what are some of the technologies that can help us protect our data? So lasso that data and keep it in. Okay, I call it Azure... well, Microsoft calls it Azure Information Protection. And basically this is our Wild West hero. So the problems that we have today are permissions bleed: you share files, you reattach files, and you basically lose control of those.

Once it goes beyond the realm of the organization, it's beyond your control. Content can easily be copied. You know, download movies, whatever, I never do that, by the way. So some of the mechanisms that we have here: you can set up classification. Now this is nothing new. We've had this technology for a long time in Windows Server, the file classification system in Windows Server. So you can attach, you can label documents as top secret or

classified. We can encrypt files, of course, with technologies like BitLocker. You can enforce rights management, all of which you're gonna get sessions on here at Ignite. Rights management is actually a really interesting one, because rights management, you just switch it on and it's really just an end-user feature. So I can go into my Microsoft Word here and I can say, don't share this document outwith our organization.

Now, it doesn't stop me sending it out, but what it does, it's got that lasso on it. And it basically encrypts that document with a call-home feature. And essentially what happens is, even if I try and rename it, change the extension of it, if I send it to you, it will always call home. It will come back and go, eh, you know, we're outside, you don't have the rights to do this. Okay, a very cool feature available in Office 365, and it is also available in Azure as well as local versions, but check it out.

If you're not using it, guys, my goodness me. It's a fantastic feature, so just enable it, switch it on, and from then on it is basically an end-user feature. We can enhance this a little bit further, as well, with that kind of classification. I'm going to go in here to Azure Information Protection. This is where you can start labeling documents. You might put one in Sensitive, Secret, Classified. You can classify it as a secret document, you can switch it on.

You can put in a little description for the user, and you can enforce it. You can change the color: red, green, amber, whatever. Now, if you are using Rights Management Services, you can also enforce it on a template, as well. So, again, that can really integrate brilliantly. You can put like a visual thing, almost like a watermark, into the document, as well. Okay, so I can select my color, my text, and that's it.

Basically, you just set these labels up. So, really, really simple to use. Now, of course, you can purchase this. I have no idea how much it costs, but you can add this on to the likes of Office 365. You can enforce it into Azure as well. So that's it. You just go ahead, and then I publish this label. So once it's actually published...

And so once you create that, then you can create the labels. So I will then just, obviously, you can set up a condition on it. So, for example, I'm going to enforce this if somebody tries to put in a credit card number or a social security number, cuz the last thing you want is people sending credit card numbers across. It's almost a little bit like data loss prevention policies, almost. Again, once you've set that condition up, you can then do another one.

And then you just click okay. You can specify how many occurrences you are going to allow. I've got, obviously, things like a credit card number. You would never allow that. And it's all... they call it information protection. I like to call it preventing information bleed outside of your organization. But the thing is, it's so simple to set up. Okay, so once you've set it up, this is basically what it looks like.

So in the likes of Microsoft Word, you get these labels across the top of the screen here. So then all the user needs to do is just simply classify their document. And again, if it's tied in with Rights Management Services, it takes care of the rest. Okay, excuse me. Again, this is my top ten features, okay. Not Microsoft's, this is mine. But I honestly think that these will make a real difference in security.

It's all about keeping that lasso on that data. Microsoft have got this thing as well. You know OneDrive, yes? They call it modern attachments. What the heck is a modern attachment? A modern attachment is where you don't attach the file, you attach the link to the file. Because by doing that, you're not actually sending the file to somebody.

So, by doing that, you've already got control because you set permissions. So they've only got access to that file if you've set the permissions up. That's a great feature, by the way. Who uses VMs? Who uses virtual machines in Azure? Yeah, okay. I am not gonna show you how to set up a virtual machine in Azure.

You know how to do that, right? Yeah, come on. And there's sessions here galore. So, my number five is called Rage Against the Virtual Machine, okay? And what do we mean by that? So, virtual machines, this is the marketing: highly scalable, highly elastic, multi-OS support including Linux. I'm sure if you go down on the show floor, they'll tell you how marvelous all of this is.

But on saying that, there are a few issues, right? Now the problem is, with virtual machines, you tend not to treat them like physical machines. So you've got things like managing oversight and responsibility. So who's responsible for these VMs? Now, whether you use Microsoft or whether you use another vendor, the principles are the same. What about compliance? So again, that's a really, really important area.

Patching and maintenance, hm. People often forget, we need some kind of automated methods to ensure that virtual machines are... remember, it just takes one. The fact it's on your network or has got access to your network is just as dangerous as if it was a physical machine, right. So patching and maintenance. Visibility and compliance; compliance is so important. So this year, the European Union have just enforced something that has rippled around the world.

Yes, and America has got to absolutely re-conform to it. This is one of the reasons why we're seeing data centers in Germany, and just last week a couple of new data centers in the UK. Okay, because a lot of countries around the world have said, yeah, this is great, but our data cannot go outwith our country, like the US. So your financial data cannot leave the borders of the United States, and quite rightly so, okay? Other areas.

VM sprawl, this never happens, right? [laugh] And finally, managing virtual appliances, okay? And of course, there's virtual networking, all the security involved with that. So, Windows Server 2016, one of the great features of 2016 is that you can now raise shields. So obviously, if I've got virtual machines in a data center, yes, okay, you're protected, but

then what's to stop me just siphoning off a copy of those VMs? Thanks very much. And hacking into them, right? And let's face it, once you've got the physical machine or a virtual machine, you can hack it, right? So once you physically have the item or the VHD, you can hack it, okay? I mean, anybody who tells you otherwise is crazy. But what we have here is, Windows Server 2016 has this feature called the Host Guardian Service.

Absolutely awesome, by the way, okay. And there's Windows Server sessions here this week; they'll explain all about it, so go and check it out. This is a fantastic feature, and it prevents that from happening. So even though an administrator has your virtual machine, there's nothing they can do with it, okay? It's yours, okay? So, just Andy's top tip here, by the way.

I deliver classes on Office 365. Now, Office 365, great. I can just go into the portal, sign up, boom, I get 30 days free. It's amazing how many people don't try Azure virtual machines. And the question is why, and the answer is, well, because you've gotta put your credit card in. Rubbish. Yes, you have to put your credit card in, but it's only for identity, okay? They don't bill you unless you click the button

to convert it to a paid subscription. So you can have as many subscriptions as you want, by the way. Now, be careful though, there is a gotcha here. Okay, you can only have one subscription per email address. So the way around it, just go in and create yourself an outlook.com address. Yes, perfect. Okay, so, and you get $200 free.

And [laugh] there's got to be a gotcha about that, right? There is a gotcha. Watch this. Now, if you go into the Azure Marketplace, this is beautiful. You can try virtual machines from all over the world, at different companies. [laugh] I've got to tell you though, this is a true story. One of my friends, he signed up to a vendor, who will remain nameless, but a very famous vendor who had a prominent virtual machine

environment, which actually is visible in this slide. >> [laugh] >> [laugh] I'm not naming them. [laugh] Okay? And get this, he signed up for the Azure test, and he forgot to switch the virtual machine off. He ended up with a $17,000 bill. I know what you're thinking. Wow. >> [laugh] >> [laugh] And

there's no mercy with these babies. Anybody done Azure? You leave the virtual machine on? And you go, oh, I left the virtual machine on again. So? [laugh] Yeah, so be careful. However, I was having a very nice conversation yesterday with the Azure Marketplace people, and I was speaking downstairs about this very same subject. And what they now are saying to me is that there's a whole bunch of

these vendors that will allow you to have the free trial. Okay, not all of them. And incidentally, not the one that charged my friend $17,000. Okay, so go to the Marketplace and get the information. Otherwise you'll be stiffed, basically. All righty, I can feel the excitement. Number 4. >> How are we doing for time? >> We're good, we're good, okay. >> I wish I could be secure.

I wish I could be compliant. Compliance is so important. I've spent time on the ground in a Microsoft data center with the staff. I've spent a month on the ground with... I'm gonna tell you, you cannot appreciate how secure these places are. Physically, it's almost impossible to get in. So once you are in, they use a multiple redundancy model, as you know.

Do you know that there's only maybe 12 staff in an entire data center? Really small staff. And if you work in a data center, I have no idea what data is in there. No idea, okay? I don't have access to that, okay? So I don't know whose data is there. All I know is that Microsoft have over 200 services, and Microsoft IT, Xbox Live, Azure, Office, all of those, yes? I have no idea what data is in there.

Now, I will tell you one thing though. When you go through, when you actually get physically through, you go there and you get into the security area and you get given your job card. It gives you the job card and says, right, you need to go to room 131. You need to pull rack 40 and change a board or do something, okay? So I'll go, yep, no problem. They give you a geo-tagged key. There are at least three cameras on you at any stage. So you go to room 131, you open the door.

If I opened 130 or tried to go to 132, it's immediate dismissal. If I go up to a different rack than I'm supposed to, it's immediate dismissal. In the data center, in the rooms, the data is separated into non-PII and PII, personally identifiable information. If I walk into the area of PII and I wasn't supposed to be there, if I take the key off premises, it's immediate dismissal. They do not mess about. I'm telling you, they're serious dudes, okay.

Think military-type level, okay. They even have machine gun turrets. No they don't, I'm just kidding. Okay, free and paid services are stored separately, and we also have something called the customer breach notification policy. So, if your data is breached, you will be notified and compensated for it, okay, which is awesome. So compliance, it's a minefield, baby, absolute minefield. So again, we have the Office 365 Compliance Center, which is absolutely awesome. Let me just show you this.

So if I just flip over here, and then just go into here. And I'm just gonna go into the Compliance Center here. So if you work, let's say, with medical, pharmaceuticals, financial, legal, whatever, and you are a consultant and you are trying to sell a cloud service, it's a hard sell, right. It can be a hard sell. So, what we have here are just basically a whole set of tools. Now, depending on the SKU that you signed up for, so, Enterprise, Business, whatever, will determine the functionality of what you get.

But basically what we have: you can set permissions, you can see the security policies, things like device management. So in my portal here, I've got Intune hooked in. And basically what these are, by the way, these are kind of shortcuts into the actual main product, so it's kind of one place where I can come in here and I can actually set all of this up. So you've got things like anti-malware, anti-spam, of course, my DKIM in Exchange. Data management, you can import stuff in through Exchange,

you can export it out. This is your data, right, you could export it out at any time. You can archive, data retention policy, data loss prevention, you can search and investigate, auditing, eDiscovery. And I love this, by the way: Service Assurance. So we have this thing called the Service Assurance dashboard now. And you can say okay, if I go into settings, what region am I in. So again, I'm in the UK, let's say, and let's say I'm working in banking and financial.

So I save that, and then when I go into the compliance reports, these are relevant for my industry. I can give these to my customers to prove their data, when it's stored in 365, is absolutely rock solid, right? Absolutely fantastic feature, by the way. So rather than try to play around with all the different tools in Exchange and SharePoint, you have one location to manage everything. And this is the Compliance Center in Office 365 here. And, okay, so, just flipping back again,

let's just have a quick drink here. We're doing good, we're doing good for time, we're doing good, okay. So, number 3, it's getting exciting. This is number three: cloud forensics. I'm a forensics guy. I'm digital forensics, I've been working with forensics for a number of years. And of course, you're probably thinking, well, what is digital forensics? Digital forensics is actually not that old, it's actually fairly

recent, but obviously, it's about the science of, as it says here, identification, examination, collection, analysis of data. It's evidence that I can use in a court of law, potentially. So whether you think that somebody is pilfering from your organization, maybe somebody's downloaded inappropriate content, again we have to somehow gather that evidence. But apart from that, things like putting things on legal hold and so on. A lot of companies maybe just want to do that just to

make sure that their data's not deleted, right? So there's a whole bunch of reasons why you would do this. Now, of course, this varies greatly depending on where you are in the world. So for example, in Norway, I work a lot in Norway, and they have pretty stringent controls about who and how data is stored. In other places, like Cyprus for example, it's actually illegal for you to do any kind of digital forensics other than law enforcement. And in fact, you could end up behind bars on that.

So digital forensics, but the world has changed. And you think, my goodness me, we've gone to the cloud. I've lost control. Where is my data? I've got no control anymore. And actually, it was probably on this very stage at TechEd a few years ago that I actually sat with Mark Russinovich, and Mark Minasi, and Paul. We had a discussion about cloud security.

And we were all very skeptical at that time. Do you remember a few years ago? Everybody was skeptical of it. But I tell you, the world has really changed. And the question is here, surely it's become harder, forensics has become harder. Actually, no, it's actually become easier. Okay, because if you think about it, what have you got? You've got virtual machines: a shrink-wrapped crime scene.

It's there for you. You've got things like, you know, I mentioned OneDrive for Business. The user's got to log in with a device; when the user logs in, you know who you are, where you are, what time of day it is, and so on. So you've got things like the Cloud Security Alliance, the growth in platform identity. And Microsoft are really doing very well there. But of course, it's also where your data is. So when you save data, it goes to a hard drive on the server.

Of course, it's backed up. You get dual copies of it. And it's also mirrored off to a partner datacenter, and you get backups and you get recycle bins. So the thing is, at any point, there are at least ten copies of your data. So again, if I just flip over into my Windows 10 machine, so I've got a Windows 10 here, just to show you how forensics tools are adapting.

So this is a tool called Passware Forensic. And check it out, if I just go back, let's just go back here. So obviously I can decrypt full disk encryption, BitLocker for example, and you've got this area, mobile and cloud forensics. So I can recover an iPhone. Apparently that's quite popular with the NSA. I can do an iCloud backup, Android. I can recover from an Android image,

a Windows Phone image, a OneDrive image, a Dropbox image. So I don't actually need access to your data anymore. Your data is stored centrally. I don't need access to a physical device, okay? So that just shows you how things are changing. Okay, so cool. And incoming, by the way, we have these forensics tools coming in to Microsoft Azure in the not too distant future. Number 2, my nuggets of gold.

So now when we choose the datacenter, for example Office 365, we can choose where we want our data to be. And I'll mention JIT and JEA. So now when you share a file in OneDrive, you can put a time limit on it, that's awesome. The customer lockbox scenario: so when you call Microsoft support, Microsoft would basically have to say, hey, they just can't access your account. It needs to go to a manager, who then approves it.

And the invitation is then sent back to you to approve it, to approve the user's access. And it's only time-limited. It's awesome. Documentation, Azure documentation. Yuri and Thomas have done a fantastic set of documentation for Azure security. So just go to the Microsoft Azure homepage, look at the documentation there on security.

It's absolutely awesome. powershell.office365.com, fantastic examples of scripts, and so on. Another tip: sign up for the Microsoft IT Pro Cloud Essentials program. It's free, you get loads of free stuff. I'm from Scotland, believe me, nobody does free like me. Okay, so Andy, number 1. What's my number 1? Okay, my very own Security Center.

Wonderful, Microsoft. This is absolutely awesome. So, it helps you, again, if you've got virtual machines. You can prevent; it's a preventative tool. You can detect potential problems. But it also allows you to respond as well. So, looking at this, you can see basically I've got a virtual machine running here. So I go into the virtual machine, I can see the policy,

let me set up a policy. And so you can see, I can set up a prevention policy, I can do email notifications. So, I'm just choosing which location it's going to be in. And it says okay, what do you want? Do you want it to deploy antivirus? Do you want it to make sure that the firewall is enabled? SQL auditing.

Do you want all of these preventative tools enabled? So, once you set this up, it then deploys these things to your virtual machines. So, you can then set up email notifications. So for example, if antivirus is out of date or finds something, it will send an email notification to you. And of course, we have multiple pricing tiers, as well. So, each of the pricing tiers will determine how much information that you wanna pull out.

Some of it is absolutely awesome. So again, you've got kind of real-time information on auditing here, okay. Again, I'm kind of running out of time, so I apologize. So, there you have it. That's my top ten, my top ten of tools and features that I think are gonna make a real difference to you. Now, question. Did I mention my book?

>> [laugh] >> So [laugh] under the seats, under your seat, there is one of these. There are two going around, okay? So there are two of these, okay? If you can find it, [laugh] then... look at them scrambling, okay? [laugh] Actually, there isn't one. No, there is. Really, there is. [laugh] Okay, there are two copies.

I will sign these, and these are for you, okay? Okay, [laugh]. I'll give you a clue, it's not under the front row, okay? [laugh] There's one over here somewhere and there's one over there somewhere. All right, right now, here is the trailer for my book. Volume please. [music] Do we have any winners?

They're there, there's two copies. No? >> [inaudible] >> You got one? Awesome. Give him a round of applause. Well done. >> [applause] >> This one here, no? Nobody got it? Okay, well, I'll give it away. I'm doing a session this afternoon in Theater 2.

So, I'll give one away there as well. Okay, I'm Andy Malone. Thank you very much. >> [applause]
