Azure Security Fundamentals – Level 1

Episode Description

What We Discuss with Andrew Brown:

  • 00:00 Introduction
  • 04:04 Guest Professional Background
  • 05:25 What Technical Skills are required for an Azure Security role?
  • 07:25 Building Blocks for Application in Azure
  • 09:29 Building Blocks for Infrastructure in Azure
  • 12:22 Governance components for Infrastructure in Azure
  • 14:53 Most common Compute being used on Azure
  • 16:12 Is Azure used as a PaaS more than for building infrastructure?
  • 18:13 Certification for Security roles in Azure?
  • 20:07 Technical knowledge required for moving from AWS to Azure?
  • 21:35 Can we only use PowerShell in Azure?
  • 23:15 What Security Foundations can Startups use in their Azure environment today?
  • 25:40 Benchmark for securing Application in Azure?
  • 27:28 Is Microsoft Security Centre enough for securing Azure hosted applications?
  • 29:53 Examples of security services in Azure?
  • 34:04 What kind of applications are perfect for Azure?
  • 35:47 Does Azure need open source tools for security similar to AWS?
  • 38:20 What are certs or knowledge outside of Azure Certifications people should look at?
  • 40:17 Is Azure more developer/sysadmin focused?
  • 41:55 Importance of Compliance Certifications in Azure?
  • 44:11 What is Azure Confidential Computing?
  • 45:15 Where can you find Andrew Brown on socials?


Ashish Rajan: [00:00:00] Welcome Andrew.


Andrew Brown: Thank you for having me.


Ashish Rajan: Pretty sure a lot of people know about you and ExamPro already, but for people who may not know who Andrew is, could you share a bit about yourself?


Andrew Brown: I’m the co-founder of ExamPro Training, Inc., which is a company that provides certification training for first-tier cloud service providers, AWS, Azure, GCP, and other things like cloud native, like Kubernetes, Linux, things like that.


And the way I got into it was more so the fact that I wanted to just build my own learning platform. I’ve always been really passionate about technical education. And prior to this, I worked for a variety of startups building educational platforms. So learning platforms has always been my thing.


And I always knew that I wanted to build my own for my own learning purposes. And I knew that I needed to adopt cloud. In a way, you know, all of the cloud certifications you see me producing is really the acquisition of knowledge, so I can apply that to build the best learning platform there is.


It still has a lot of work to be done, but, you know, that’s where we got [00:01:00] into with.


Ashish Rajan: What’s required from a technical skillset for a role in an Azure cloud role? 


Andrew Brown: Yeah. So, you know, if you’re talking about Microsoft Azure compared to all the other first-tier cloud service providers and you’re coming in fresh, like, you know, you might have some developer experience, but not cloud experience, you know, it could be a difficult learning curve or it could be a very easy learning curve.


It really just depends on your environment, where you’re from. Like over in the UK, Azure is highly, highly adopted over there. And so they have a lot of, like, ecosystems, community ecosystems, to help you succeed in there. If you have been working with Microsoft-based workloads for the past 10 years, and you’re just getting your cloud, you’re going to find that it’s going to be like a natural path straight to the cloud for you.


You know, in terms of skillset, specifically for Azure compared to other ones, you know, I would say that that platform specifically relies a lot more on scripting languages. You’ll find services in there where you just can’t do click ops. It’s not going to be fully interfaces. You’re going to have to pull out your [00:02:00] PowerShell scripts, JSON files.


And also, you’re just going to have to kind of do things the Microsoft way, the Windows way. So if you’ve always been, like, big into Linux and things like that, well, I’m sorry to tell you, but if you’re going to want to have the maximum performance, the maximum security, you’re going to want to adopt Windows-based workloads and Visual Studio Code and what have you.


Ashish Rajan: Talking about security as well then, in terms of, say, building blocks for what’s required to do security in Azure, what kind of things would people know about from a security context when trying to build infrastructure applications in Azure?


Andrew Brown: When you’re approaching, especially if you’ve got the level 100, my strongest recommendation is to take a look at the SC-900.


That is the Microsoft Security, Compliance, Identity... I’m looking at the screen to remember all the words in it. Identity Fundamentals, and it covers basically not just Azure, but also adjacent services that you’re going to be using, because most people that are running, especially if Azure is their primary workload, they’re going to be utilizing M365, Microsoft [00:03:00] Teams, they might be managing, they might be all Windows workstations.


So they’re managing those devices with Intune or whatever the new thing that Intune is, and they put it under an umbrella there, something, something, something, I don’t know what it’s called now. And so, you know, I think that it’s not just a matter of looking at security in Azure, but looking at the entire landscape first, and then you can go down and narrow into just securing your assets in Azure or Azure, or however you want to pronounce it.


I like to saying usher. It sounds fancier. Yeah. 


Ashish Rajan: It was Azure as well , but it sounds almost like an alien ship, but it’s tomato, tomato with. 


From a building block perspective, you were saying that obviously understandable. 


Having the understanding of what you’re trying to deploy makes more sense in terms of identifying what you want to use from an infrastructure perspective, what are some of the common infrastructure that are used by Azure? 


Andrew Brown: Network, security groups, auto logs. 


Ashish Rajan: What are some of the foundational building [00:04:00] blocks in that respect? 


Andrew Brown: You know, I think identity plays a large role with accessing your resources, like managed identity and things like that. So surprisingly Microsoft, or Azure, has, I would say, the best directory, the best identity service.


And it’s no surprise that a lot of courses focus around a lot with identity. So I would say the first thing I would do is tackle identity and understand how that can be utilized to gain access to your resources. We’re talking about infrastructure is a little bit different, right? So you generally will have, you know, virtual firewalls.


So there’s different kinds of firewalls, right? So there’s firewalls that are going to wrap around your virtual machines. Like if you’re in AWS, then there’s security groups and NACLs. If you’re in GCP, they’re called, I think theirs is called firewalls, but you know, there’s that level of securing those compute resources that run inside a virtual network.


And then there’s firewalls for, like, setting up a security... what’s it called? It’s when you’re doing VPC peering and you have [00:05:00] a, it’s a special type of firewall, but there’s a type of firewall that you set up for, like, if you’re setting up like an enterprise connection, you’ll have an intermediate firewall there or something like that, or maybe connecting to a resource.


So like, how do you actually get into a machine? Right. So whether that’s using Bastion or a SSS. I think Azure has IAP. IAP is identity-aware proxy. If you’ve never heard that term, it’s similar to, like, if you ever used any of those sessions manager, it’s a way of like clicking and getting access to your resource, like your compute environment, very quickly.


But I believe that Azure has that through Azure Active Directory. There’s things like that. And then there’s just like a whole host of tools that you can use, like Azure Defender, it’s like every week. Or Azure policies or infrastructure as code plays a role. So utilizing, I don’t know if Blueprints, did Blueprints ever go preview.


I don’t even, I got a preview. I don’t know, but you know, like using ARM templates or things like that. So there’s a lot of tools, but it’s not like there’s anything different than what you find at other [00:06:00] providers. It’s always the same kind of building.


Ashish Rajan: If I was to start today in the Azure space and I have not watched any of YouTube videos on the whole AZ-900 or any other courses , I may be from an AWS or Google cloud background for me to have an understanding of what does it look like from an architecture perspective. I’m going to use the AWS example. Cause that’s what I know a bit more of AWS organization. Then you have account, which is the highest level of segregation. And part of that 


Andrew Brown: kind of work in the Azure space. So we’re talking about governance, right? The ability to manage our resources. 


And again, if you’re looking at AWS, they’ve always done it, organizations, organizational units, and then accounts and over GCP, they have organizations folders and then project. That’s right. And at, over at Azure, I would, I would say if I could remember it, it is kind subscriptions, resource groups. 


And so but what’s interesting between, like, the governance of those resources is different. And to be honest, Azure has, I would say, it’s my favorite structure in terms of utilizations. Like over at AWS, all your resources are within an account, and let’s say you [00:07:00] want to have another account and you literally have to sign up again.


And spin up resources and you cannot easily, or at all, move resources from one account to another, you literally have to tear them down, go to the other account and spin them back up. Right. Or share them across accounts, which is just crazy. You go over to Azure, you just, everything, every time you create a resource, you’re always putting it in a resource group.


And so I guess it just depends on, you know, how you feel about guardrails, right? So some people think that AWS accounts, like an AWS account is good, a hard guardrail around your resources, but Azure puts it up, like pushes it a little bit up and that’s more at the tenant level.


And it gives you a lot more agility and flexibility in terms of moving your resources around. So if you make a mistake, you’re like, well, I really meant to put that over there. You just say, transfer this resource over at this other reason. There, but one thing that’s interesting. I can’t, I, yeah, you can’t have nested resource groups inside of nested resource groups. 


It’s just a flat level. Whereas over on GCP, you can have folders within [00:08:00] folders, within folders, within folders. And I, you know, it’s nice to have that kind of level of flexibility, like, like organizational units, but to be honest, I find that you don’t really need all those levels. And I just find that you know, that way is a lot more simpler. 


Ashish Rajan: So we spoke about the network level firewall earlier. We spoke about governance layer as well in Azure from a host perspective, I imagine compute a bit different as well you have the whole compute engine in GCP from an Azure perspective. What are some of the common infrastructure, like from a compute perspective? 


What do you see commonly being used by a lot of people? What kind of application compute will I be expecting to be using, current common theme that you come across 


Andrew Brown: Virtual machines?


I feel like a lot of organizations like Azure, Azure obviously has a large existing customer base because a lot of people are using windows based products on, on site. And so a lot of times their transition is that lifting. So most times they’re not, they might not be leveraging containers or, or functions. 


And even if you read about Azure functions, they [00:09:00] don’t really talk about it. Like building applications, like AWS, they talk about like, you can build your entire application with it on Azure. They kind of sell it as like, oh, it’s more like an integration tool between between things like application integration, but not necessarily composing entire application out of functions. 


I’m sure you could. So, you know, I think that a lot of things are sitting on that standard compute like virtual machines. 


Ashish Rajan: This is kind of where my question is coming from, because most people that I speak to, they talk about from perspective or if you want compute, like virtual machine you go to AWS, but if you want like a PaaS, like a platform as a service solution, which is where Azure really shines. So is that something that you noticed as well. Considering you also kind of like me had done multiple clouds, is that the reality of Azure? 


Andrew Brown: Yeah, cause I mean, like again, you know Microsoft is really good at tailoring to trying to bring whatever resources you have on prem over to that, where it’s like in AWS was the other way around. 


You know, cloud first or whatever they determine they want to go for it. And now they’re trying to bring people over. So the offerings are not as strong, like [00:10:00] AWS has some Elastic something.


Ashish Rajan: let’s just go with, but, 


Andrew Brown: When you’re using those kinds of services that you would normally use on premise, like it’s just like a seamless transition over, like Active Directory, you bring your Active Directory over to Azure Active Directory or, just like you’re running your SQL servers.


You bring over those Managed SQL Servers. So it really does mirror closer to the on-prem environment and makes that transition a lot easier for people. But you know, with AWS, you’re going to be kind of reaching out to third party providers to meet those needs. 


Ashish Rajan: We spoke about network. We spoke about the governance layer. 


We also spoke about things like from a security block perspective, what would be required and the difference in the compute as well. So I’m thinking from a fundamental perspective, I probably would also want to know what kind of certification should ideally be starting with? 


People starting today understanding the Azure space. They may or may not have experience or technical experience, but A, do I need to be technical? Sounds like we see yes, based on the first time that you gave me. B, how do I kind of go down the path of [00:11:00] becoming an Azure person, but maybe even specifically, can I specialize in something in security in the Azure space?


Andrew Brown: Oh, yeah, there’s a lot of room to specialize in Azure and Microsoft. And I think that, what is it, like four or five associate certifications? I know they just released another one. So the thing is that, you know, the beast of, like, the nature of Microsoft is that they are trying to be number one, right?


They want to beat AWS. And they are moving super fast and they are sprawling extremely quickly. And the more stuff you build, the more stuff you have to secure. And so there’s a lot of opportunity for specialization for, you know, cloud and Microsoft cloud workloads in general, across all the stuff there. In terms of starting out, you know, like, should you go straight for certification or get your hands on?


You know, like or, or should you even start with S 960 and a hundred is the fundamental certification that gives you broad knowledge there, but, you know, Azure, I would say, has more of a challenge when approaching certifications and it gets a lot steeper when you jump between fundamentals and associates.


So like I would always suggest to [00:12:00] go do AZ-900, the 900. And even before you touch any of those other security-related certifications, you should go take that AZ-104 first and then figure out what you want to do. And the great thing about the SC-900 is that because it touches a bit of everything, you’re basically kind of sampling a little bit of what all the other certifications have to offer.


So if you do that, then you kind of go, oh, I really liked doing this stuff. And so that means I will, it will lead me to this certification. So you know, I think that’s why I would recommend that. 


Ashish Rajan: I’ve got a question here from Anuvindh on the wards, What’s the most important things we should learn about Azure.


I am from AWS environment. What technical knowledge I should have to work with Azure environment. 


Andrew Brown: Well, you know, like I started on AWS and then I moved over to Azure and, you know, again, the hardest thing was realizing that the Azure Active Directory was a larger role. Like IAM policies are very straightforward and easy to use, but when you go over into Azure, they have more than one.


Right. And then policies aren’t the same thing as AWS [00:13:00] policies, they’re actually like AWS Config rules. And so the hardest thing is kind of mapping that knowledge over. And so again, you really want to go look at the AZ-900, SC-900 to get the landscape. Map your existing knowledge. You’re definitely going to really need to have a war scripting skills, or you have to be very comfortable with Windows, Windows environments, and it really does help to have a Windows machine because some of the stuff, I mean a lot, I guess it runs on everything, but I just find it easier to work on Azure when working with a Windows machine.


And it doesn’t hurt to learn about windows. Right. So, because, you know, like if you’re going to be on Azure, you’re not going to be running. You can, but like, you don’t really want to be running , Linux server. So really diving deep on those Windows-based tools. 


Ashish Rajan: Just on that, with the scripting thing as well, if people are trying to learn scripting, would that just be PowerShell then? They can’t use Bash or anything?


Andrew Brown: It’s not really, like, it’s not like learning a programming language. It’s like going into the Microsoft docs and [00:14:00] copying, adjusting and pasting because like, if you watch like one of my favorite Azure instructors, that’s on YouTube. 


Gene’s a C4, I would say it’s like Azure academy. And if you watch his like like his labs, he’ll be doing something and be like, yeah, we’re going to do this thing. And they just like pulls out a big script and it’s just giant. And you go like, and for me, I want to know everything that’s in that script, but you do have to just embrace the fact that there’s a lot of code out there and a lot of engineers that put that stuff out there and you’re not going to know all of it. 


And you just have to kind of get used to going like, okay, I got this big global. And I’ll just kind of move it around a little bit and push it and it works and you have to be comfortable with that. So not necessarily like, like nobody writes ARM templates. If you’re, like, at AWS, you write CloudFormation templates, but ARM templates with, like, you spin up resources.


And when you want to have a declarative IaC, you export it, it’s like exporting a CloudFormation template, which sounds crazy. But that’s what it is. So, I mean, you of course can write Azure Bicep, which is new and awesome. But you know, like it’s just those kinds of paradigms that are different.


Ashish Rajan: Talking the [00:15:00] implementation side of things as well, if for a startup listening into all of this and going, okay. I was just going to build my own thing. Cause I think we spoke it’s this offline as well. You kind of been having billings yourself. , what do you recommend when implementing an application in Azure? 


What are some of the basic foundational low-hanging security things they should be ticking off as they’re going to go through it, or maybe what’s involved in it in your mind that the startup should do at minimum?


Andrew Brown: Well, I think the thing is, is that Azure provides a you know, best we call those conformance packs, but it’s whatever. 


It’s like Azure policies have Azure templates. It’s like a group of policies. And the nice thing about these security controls is you can kind of read through them and say, oh, these are all the things I should be implementing. So they basically have a checklist for you. I’m sure Azure has like a landing zone. 


So you know, if you want to make sure you set up your account correctly, you just go to the docs and look up landing zone and, you know, go through that documentation. Take the recommendations. I just can’t remember, because in AWS, they have like an actual service called Landing [00:16:00] Zone.


You press a button. And I can’t remember if Azure has it or not, but like, that’s what I would do if I wanted to get set up properly investigated. And then they have a really, really good, it used to be called Security Compass. They renamed it. But it’s like this giant PDF and a video course that’s in Microsoft Docs and it covers like everything, like everything you’d want.


And it’s like multiple hours, but it goes well beyond the SC-900, but it’s from a practical perspective from the customer. Right. And that’s something that I think you always should give Azure or Microsoft credit for, is that in their documentation, they’re always thinking about the business use case and the application, using that language to think, okay, not just like, here’s the tool, it does these things, but like, why do you want to use this thing?


And, and, you know, when should you use that thing? 


Ashish Rajan: Who should use it as well. I think they have that. Yeah, that was pretty big one as well. And to your point, you’re right. Three to any other documentation from say AWS, Google cloud is more. This is some examples. This is how you use it and good luck, [00:17:00] like, okay then. 


Thank you. But I think I love the fact that Azure kind of calls out the purpose behind I guess why would you want to go down the path as well? So maybe another question in this is that okay. You, you kind of start at that level where you’re going to the videos and you understand the basic foundational piece for it. 


What do you consider as like a benchmark for. , if this is great security in Azure, that makes sense. Like, so if, if, say for example, you’re not teaching anymore, you’re just basically reviewing an Azure environment and you’ve gone. Okay. I’m going to review the Azure application that Ashish’s deployed. 


What are some of the things you’ll be looking for to give me a kind of good score for all? This is a good benchmark. This is great. This is great. 


Andrew Brown: Well, again, you know, Azure has, it’s called the Azure Security Benchmark, and you can go through that and it’s a list. There was like another service. Oh, what’s it called?


I, maybe they moved it to Azure defender, but like they will score you based on Azure security benchmark is what Azure provides to you. 


They have a bunch and they have a lot more than AWS. Well, actually I shouldn’t say that because AWS, I just recently checked [00:18:00] and they’ve had a lot of conformance packs, but so you know, that’s a good thing there, but I remember, I just can’t remember if it’s called Azure Defender or if it’s the Microsoft security.


But what they’ll do is they’ll, they’ll score you like they have a tool that scores you and shows you like how they believe that you’re doing. So, you know, there’s like, I would say that Azure is like the best at telling you if things are shipped here. Whereas like on AWS, you generally are reaching out to third-party providers for those kinds of things. 


They have a lot of tools already, already baked into the platform, 


Ashish Rajan: Third Party provider providers. I think that’s one thing that I having primarily worked in the AWS space for a while, I always find that the tools that are provided by AWS are never enough. And this is not saying that that AWS is bad, but they’re doing what they’re doing, but Azure is doing what they’re doing. 


You’ll be seeing what they’re doing. But in terms of, if you were to see an organization, which is only running an Azure, And you have Microsoft security centers. Would you be comfortable to say, Hey, that covers majority of your [00:19:00] security 


Andrew Brown: And if you’re using core services. So I think the thing is, you have to think of the nature of these providers. AWS is very good about releasing things when they’re.


And they’ll do it very small in scope and like the version one, it will build it over time. Whereas like Azure will literally throw in coming soon into API documentations and throw up preview products. And they’re fast and loose because they’re trying to gain as much ground to catch up there.


And then you have GCP where you know, they have a lot of services or, sorry. I mean, like they have, their services are more like well-groomed in the sense that they don’t have as many services as other ones, but they’re all very solid. But you know, you know, their approach is that they roll things out. 


Like they deprecate things all the time on you, but you know, it’s not like it, they, they, they, they ship things when they’re ready. Right. They do, they do a really good job there. So I would just say that if you, if you’re like into star wars, I’m not big into star wars, but like in star wars, they have like this. 


Of the galaxy and there’s like the core, the core world on the outside, there’s like the sprawling stuff. And so the idea is like the farther you get away from those core [00:20:00] services, the more risk you’re running. And so the more vanilla you can be, especially on Azure or any platform the better you can get by with the stuff that is there, but especially on Azure, out of all the providers, they’re really, really good at giving you that visibility for core services. 


So yeah, you just, you would just have to say, is this. 


Ashish Rajan: Primarily Azure service cause they have DLP and stuff in there as well, especially if you get the license and that’s part of the adding to the cost of it. But if people have the privilege of being on an E five licenses, a lot of the security services are quite robust. Like the there’s a DLP, there’s more other things out outside of the whole firewall and defender. 


It seems to be really prolific series of services and security that the people can utilize, but they worked really well in the context of Azure. So an example maybe of a custom one could be like a CP. 


Andrew Brown: Well, I mean, like for instance, like Azure has application monitoring, like APM built into it, right as Azure Monitor. 


You don’t have that on AWS. You don’t have [00:21:00] that on GCP. I don’t think it’s on GCP. And so like, it’s just nice to have that, you know, like they’re integrated with services. So a lot of stuff is just there for you. You don’t have to go reach out to that stuff, but again, it comes with a caveat of you should be using Windows or Microsoft stuff because a lot of times they’ll say like, yeah, we might support this down the road or no, it only works with Windows constantly.


Or like, let’s say you launch an Azure function for... and you use Windows as the hosting. You’re going to get a lot better visibility, whereas Linux, like, I don’t have any visibility at all. You know what I mean? So but you know, I would just say that there’s a lot of stuff that’s already there for you and the stuff that’s not there.


Like, you know, we think of defense depth, defense in depth in defense, or you want to say the other way. And as you can see, I made it into their data centers here. So all you need is Microsoft Authenticator. You just go like this and. But anyway, so, you know, like things like code, you know, I don’t believe they have like a static analysis, like in the platform, like AWS has like a code.


I mean, they [00:22:00] might, but like, you know, like there’s CodeGuru.


Ashish Rajan: I don’t think any provider has Static code analysis. 


Andrew Brown: Unless I’m using the wrong term, but the idea is it looks at your code and says, Hey, I think there’s problems. 


So CodeGuru, but that’s only if you use like Python or Java. So, but I think like, you know, if it’s not in Azure, they probably have it as an source tool somewhere, because again, Microsoft is, it’s not just Azure. They have all this stuff like around it. Right. Like when you go over to GitHub Actions and you see all the stuff that you can attach in terms of like Snyk and things like that.


I just kind of feel that, you know, everything that could be is generally in Microsoft Azure and the things that are not are probably like they probably own that company, you know, or they’re the only company that’s partnered with that stuff where it has easy integration, like, you know, GitHub and things like that.


So, 


X-Ray distributed tracing. So distributed tracing in Azure is going to be done through Application [00:23:00] Insights.


And so one thing that I really like about Application Insights is that it has auto instrumentation for a lot of providers. Again, it’s going to be mostly for .NET and, or like jobs and things like that. But it’s very appreciated that it’s there. X-Ray is such a pain to use. Oh really?


Oh, it’s so hard to get working properly. But I mean, it is very cost-effective compared to other third-party service providers, but it is really nice that Application Insights is there. And lots of times it’s like single, for like Azure Functions and things like that. Okay,


Ashish Rajan: cool. 


Thanks that anuvindh has a better experience with x-ray, maybe he does. Feel free to share that I was going to say from a team perspective , when I’m making a decision for what kind of cloud should I go? 


What should be a trigger for, Hey, sounds like you should go for Azure. Is there like a thing like that for 


Andrew Brown: Azure space, Windows servers, Windows SQL, like really like if you’re using this up or it’s like, maybe you’re building applications that are for organizational workloads. Right. So you know, you’re using Microsoft Teams, so you’re going to Logic [00:24:00] Apps and things like that.


You know, you need to build a I got this on Azure, but it’s in the realm of, you know, 365 and things like that. So all the times with services over there I mean, I have some particular preferences. I really like Azure Data Factory for, I think it’s the best ETL. Yeah. Probably does both.


But you know, like data transformation tool for that. So, you know, there’s some best of class features in there. I’m not a big fan of Cosmos DB. It’s not my particular favorite, especially when they had that security vulnerability. That was the go you know, but you know, like it’s just going to be best of class of what you want or I’m running Windows workloads.


Ashish Rajan: That’s pretty awesome. And talking about the wonder ability thing as well, the Azure part, unfortunately, has been getting a lot of attention recently with the three vulnerabilities that came in, but it’s a good thing as well, because that just means that people are finding out more about Azure. 


So popularity in this context, the negative popularity is good probably for them. The AWS space has a lot of open source tools. A repository by Toni de la Fuente about the awesome security tools in [00:25:00] AWS. What are some of the things people use for open?


I mean, is there even a need for an open source tool for Azure for 


Andrew Brown: security? Hmm. I mean, I bet there was, I remember I saw one recently that existed, so like there’s, I’m trying to remember the ones for AWS that will investigate your, your account. But like, I, I just don’t remember seeing any, I know there’s like one, and to me it’s just like, it’s, you know, it’s speculation, maybe it’s because, you know, there’s just all those broad services. 


So you don’t have to reach out to, to an open source tool. I don’t know, but I could just tell you that it has more. Azure does not have as many. One thing I really like, and I don’t know if it’s been updated. I’m sure it exists for Azure. If it doesn’t, somebody has to build it, but I love it when people have tools that will set up a vulnerable infrastructure and then it’s your goal to go through it and try to figure it out.


So like CloudGoat, you’ve heard of cloud for it. So like if there’s one for Azure, somebody tell us what it is, [00:26:00] because I always think that’s a great tool for, for learning. Like, you know, like, like learning how to read audit logs and Azure and things.


Ashish Rajan: All right. So wait, so is there a one or there isn’t one? 


I’ll be definitely here as well. If 


Andrew Brown: there’s one. No, I don’t see one, but like 


Ashish Rajan: maybe be one of the listeners who get inspired by after listening to this, they should check out AWS CloudGoat. Use that inspiration to build something for Azure, because there is nothing for GCP.


Andrew Brown: No, there’s not. I mean, like I’m sure that they have like a, you know, like Qwiklabs might have like tutorials, but it’s not like go investigate this problem. Right. And I don’t know if it’s because it’s around the tooling. Like AWS has always had really good tooling for that kind of stuff.


And that’s why early on we saw that stuff there. And you know, I think it’s just a matter of time that we get a better I don’t really call them, but like, like in like a sandbox environments for you know, doing, doing that kind of stuff. 


Ashish Rajan: That’s a good segue into my last question for the episode as well, then, you spoke about certification, but so some of these skill sets, like the CloudGoat thing, what [00:27:00] do you recommend people to be learning?


Certification provides you a certain part, but from a practical perspective as well on day to day, what they would be doing in the Azure space in our day job, what are some of the things you’d recommend they should work towards in learning security and maybe Azure cloud in general as 


Andrew Brown: well? 


I mean, I think a really good certification is the CCSK, the Certificate of Cloud Security Knowledge by the Cloud Security Alliance. So I think that is a good basis of knowledge. That’s outside the scope of. I mean, outside of that networking is very important. So trying to brush up on your networking knowledge. Azure has a networking certification, you can take it if you want.


I would, I wouldn’t, I don’t, I don’t like doing networking certifications, but well, I, I w I would like to say networking, but if you’re going to go cloud native, then obviously networking is very important, but yeah, I mean, other than the CCSK, you know, I don’t really have much recommendations as, as additional resources.


I think that if you have the opportunity and this is not just security, this is anything. If you have the opportunity to pay that a hundred dollars for the support, you can, you can [00:28:00] call them on, I think, chat with them, call them and ask them whatever you want to kind of further your knowledge. A lot of. 


You know I, the way I learn a lot of information is, is like when I go to re:Inforce, I, if I didn’t have so many young kids this year, I would have gone, it’s in June or July. And even though it’s in the AWS space, all the vendors there are cloud agnostic. So the thing is like, you go there and you go talk to every single vendor and then.


What you do use their products. So they’ll give you all the information of the things that you’re missing out on, right? Yeah. And again, you know, even if it’s not Azure to say the best, and the thing is, you know, they’re not supposed to talk about Azure, but if you, if you pass them, they will tell you and you’ll get like a boatload of information. 


So if you have that opportunity, go, go there or, or just go sign up on their product and someone will call. And then ask them every question you want, you know, we’ll leverage the bill, tell you anything. 


Ashish Rajan: I felt good. So I got a good strategy. I’ve got a question here from Jay as well for Jay Flora has a question. 


GCP is more developer focused. AWS is more, [00:29:00] IT sysadmin focused. How about Azure?


Andrew Brown: Well, I would say Azure is more IT focused, AWS is more like a cloud-first, cloud first startup focused, you know, you know, like and I would say GCP. Is more, I don’t know, people that like GCP, startup focus or data focus in particular like their data services are amazing, like BigQuery, Vertex AI.


You know, or like cloud native every, everybody wants me to talk about Kubernetes on, on their CSP, but I always, I always say like, GCP’s is the easiest, like it, like, I really like, like a, like a EKS. They have this tool. It’s it’s the coolest tool. I think Kevin Evans showed it to me and it was for setting up a proper EKS and EKS platform.


And it was awesome. And it was awesome tool. And then, you know, like AWS had, whatever their CLI tool is, a UK CLI, and it’s, it’s all right. It’s a pain in the ass to set up Kubernetes on there, but the ecosystem of using AWS services is so good that you just kind of go, all right, I’ll go through the pain of [00:30:00] setting it up the one time.


And it’s fine after that. But like GCP was so nice. It was just like, it’s just so nice for. 


Ashish Rajan: There you go. And I think the other thing we also go with Jay was that if you’re a Windows shop or if you’re trying to skate a for Windows applications, definitely be as sure as for the, you should look at a compliant.


Anuvindh has another question. How important is compliance certification for cloud computing or cloud service providers?


Andrew Brown: I’m going to interpret this, I see the word compliance certification. So I assume this means like, let’s go get our SOC, our SOC 2 Type 2 compliance or things like that.


The thing is, is that you know I’m just gonna talk about like, how, like, how would you do it first of all? So the thing is, is that there are, again, AWS has conformance packs, Azure having, and Azure policies, Azure templates, whatever they’re called for groupings at, but the thing is, is that you’re never really going to meet those requirements without a third party.


So even though they have a lot of stuff built in there, you’re always going to be reaching out to something like Very Good Security, Vanta, cyber bite, cyber bite. Now, what are they [00:31:00] called? I’m trying to give them, trying to give them some, some promotion here. I feel bad. I can’t remember.


I can’t remember the number of the new properties. It’s something. You know, and, and I would say that, you know, compliance matters based on your requirements, right? Compliance does not equal security. Compliance means I’m comfortable doing business with you because I know you’re doing things in a, in a normal and predictable way, similar to us.


Right. That’s the idea behind compliance. So, you know, that’s why you’d go after compliance you know on your CSP, like for your. 


Ashish Rajan: I think the other side is also because if you have applications which should acquire a certain compliance standard, having your CSP or Azure have that certification on their side of the fence for quote unquote shared responsibility that helps your certification get easier as well, because you can say the service that I’m using for Azure is certified for SOC 2 of you were saying, and hence, I’ve had to worry about that part. 


But for the part that I have to manage, this is the thing that I’m doing for my SOC 2. And this is what you can audit. 


Andrew Brown: Yeah. And I mean like all, all CSPs are [00:32:00] quite comparable in terms of the coverage they have for their services. Something that one thing is like FedRAMP, where what’s called gov cloud. 


So like AWS has GovCloud. Azure has gov cloud and Google has, I think that’s, they, it’s not gov cloud, but they have something that they say is better than the other two, but it’s just.


Ashish Rajan: Address something quietly, Azure confidential compute or something, right? Called con, confidential computing, is that


Andrew Brown: let’s talk a term. 


Confidential computing was one of my like little gaps that I never got to put more time into, but it was something that I learned when I did the INE certification. So INE, people don’t know. ine.com. Super nice folks over there. They’re also, they create a cloud content, security content. And they made a cloud certification.


What is it called? I can’t remember. ICPCs something, I dunno. But it was interesting because even though they were doing like a fundamental cloud certification, they had brought up a bunch of security questions that I had never really thought of, like computational compliance that you said. And you know, I thought that was very valuable. 


So I’m going to add another recommendation and say, you should go take the . It’s not, it’s like, it’s a new certification, but you should take it just to get [00:33:00] better coverage, like industry covers. 


Ashish Rajan: Cool. All right. I’ll, I’ll link that in the notes as well. And thanks for the question Anuvindh, Jay and Rama and Vineet as well.


That was pretty much what we had time for. But for people who may have a few more questions to kind of go to maybe touch base with you, where can they connect with you and make, can they find you on social media? The 


Andrew Brown: best place to find me is TikTok. But I’m not getting, I do have to TikTok I’m working on it. 


But unfortunately, TikTok not available in all countries. So, you know, I would say Twitter is where I’m putting a lot of my energy these days. So twitter.com/ Andrew Brown. LinkedIn is a good place too, so Andrew Brown or sorry, linkedin.com like the.com/ or slash Andrew hyphen WC, hyphen. I usually don’t say I’m a middle initials because in Europe, WC stands for water closet, which is the bathroom, but I couldn’t get Andrew Brown on there.


So you got the initials in there. But there’s that I hang out in a bunch of Discords. I’m in like the cloud skills Discord, I’m in the a hundred is a cloud. That’s my [00:34:00] Discord. I’m in the tech stack study Discord, which is Adrian controls. I’m everywhere. So I’m not hard to find, I’m always in the pod one.


It was community builders if you’re there. But yeah. And so I need the followers, Twitter. Yeah, 


Ashish Rajan: fair enough. I’ll put all the links as well, so people can follow you and TikTok to it. And I guess that anyone else, they just, they want to hang out with you on discord as well, but thanks so much for this, Andrew. 


I really appreciate you hanging out and kind of, I know it’s like a very abbreviated version, but I think I’m glad we kind of got through some of the initial level one question, but we definitely should bring you in for level two conversation when we kind of go through that as well. But thanks so much for coming in, man. 


And thank you everyone for, with. And we will see you next week in episode, but thanks, Andrew. And thanks everyone else, peace.