AZURE vs AWS from a cybersecurity lens


Episode Description

What we discuss with Tanya Janca:

  • Difference between Azure and AWS
  • Basic security building blocks in Azure
  • Free vs Paid version of Azure Security Centre
  • Centralised view of Azure Security Centre
  • What does DevSecOps look like in Azure
  • Identity Management at Scale
  • What is the benchmark for good security in dev ops?
  • Should you do a certification to get a cybersecurity job
  • Tanya Janca – Book – Alice and Bob learn application security
  • And much more…

THANKS, Tanya Janca

If you enjoyed this session with Tanya Janca, let her know by clicking on the link below and sending her a quick shout out on Twitter:

Click here to thank Tanya Janca on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Hello and welcome to Cloud Security Podcast. My name is Ashish, and I’m here with a really special friend of mine, Tanya Janca. Hi, Tanya. I’m sure a lot of people in the audience would know who you are, but for people who don’t know you, could you just introduce yourself?


Tanya Janca: I am Tanya Janca, also known as SheHacksPurple.


And often I just tell people I’m a nerd on the internet, but a lot of people have told me that’s not a very accurate description. I’m obsessed with the security of software, cloud security, and just how to move our industry forward so that we can have a lot fewer stories of data breaches.


Ashish Rajan: Yes, we definitely want fewer stories of data breaches, and more people in purple team and blue team hopefully means fewer breaches.


The first segment of the podcast is usually around the what, why and how. And my first question, most of the time, is: what is cloud security for you? Because there are so many definitions floating around. What does it mean?


Tanya Janca: Cloud security is the act of trying to make sure your cloud deployment is secure. Very boring.


Basically, cloud is different than [00:01:00] on-prem. There are a lot more modern application and networking practices that are different. So on-prem, on premises, which means in your own data center, most places don’t have, for instance, a DevOps pipeline. Some do, but not as many as in the cloud. A lot of them don’t have serverless or containers, or just the plethora of different options.


They definitely don’t have platform as a service for hosting your web apps. Things are just different on premises. You have a lot fewer options, and if you do have more unusual options it’s because you are manually doing them and creating those options yourself. So because we have more modern infrastructure and more modern application development and hosting,


that means we have to adjust the way we do our security. We have to modernize it, and we have to make sure we’re accounting for not only all the legacy stuff but also all the new stuff. And so cloud security is not just networking; I believe it’s also securing more modern application deployment.


Ashish Rajan: The point about it being more than application: does it vary between a startup and an enterprise?


Tanya Janca: I find [00:02:00] so. A startup will have one or two apps, and then, you know, one serverless app and a little script over here. And because there are only like three people that work there, they all remember what those things are. But an enterprise has had people start and leave and start and leave. There’s that guy that’s been there 20 years, and


all of the knowledge, the corporate memory, lives in his head. And if he leaves, everyone’s screwed.


Ashish Rajan: That’s right. That one guy that people are like, please do not leave, ever. Yeah.


Tanya Janca: I used to work somewhere and there was this woman named Simone, and she had worked there over 20 years, and my manager would just refer to her as my corporate memory. Corporate memory, come here.


I’m like, I don’t know if that’s really a good long-term plan. Maybe we should have someone take notes or something.


Ashish Rajan: Yeah. Or at least just download the corporate memory somewhere. I


Tanya Janca: I’m like, what if she quits? He’s like, no, no, she’ll just stay forever. I’m like,


Ashish Rajan: Talking about corporate memory makes me think: actually, you work in the Azure space quite extensively, and I work in the AWS space quite extensively, but there’s almost like a state now where multi-cloud is becoming a thing. Would you agree [00:03:00] with multi-cloud, and what does multi-cloud mean for you?


Tanya Janca: So AWS was first, then Azure and GCP decided they would offer public clouds. And now there are all sorts of public clouds, but those are the ones that matter.


Ashish Rajan: But people are 


Tanya Janca: already tweeting at me that I’m a jerk, but I think that a lot of people all got deep in bed with AWS, and a lot of companies migrated all the way into AWS. So everything’s in there, and then they realized, oh my gosh, AWS isn’t a country. It’s a corporation. It’s run by a human.


And you know, I don’t think that they’re going to go out of business anytime soon, but it’s a dangerous thing to put all of your eggs in one basket. And it’s a basket that you did not make, that you don’t get to control, right? So a lot of them are all doing multi-cloud now. So some of our stuff will be in AWS,


some of it will be in Azure. If you’re really wild, I’ve seen some places where they also have GCP. I’m like, is this like no one knows what they want? It’s good, but three clouds seems like, well, you’re adding a lot of extra complexity. If [00:04:00] the idea is redundancy, to me it doesn’t make sense to have three.


It’s their bills, not mine. But multi-cloud is that you have some in one cloud and some in another. I used to work somewhere and we were not allowed to use the cloud because of Canadian data sovereignty laws: the Canadian government’s data can’t leave Canadian government soil. And since then, all three major cloud providers have created data centers within Canada.


So that’s different now, but at the time we couldn’t do that. And we had this giant data center that we would use, but we were really concerned about failover. And so we had this giant room in the basement. I’m like, why don’t we make our own second data center and have a bunch of stuff there, and we’ll have it be hot,


or hot, right. I’m going to have like one app that runs from there, or two that aren’t important, just old crap, but then have the backup in the real data center, have everything else run from the real data center and have backups there in the basement of our buildings. So we’re hot-hot. And everyone’s just like, you’re crazy, Tanya.


We were never good at that. Anyway, I’m not going to get into it, but if you have [00:05:00] two clouds, right, and you have some of your stuff in one, especially if you have your backup, like yes, you’re backing up in your cloud of choice, but then you have another, like once per day, in another cloud, but also specifically one that is geographically different.


So you don’t want all of your stuff just in California, because what if, I don’t know, something happens that’s less than ideal to the data center there? You’re screwed. Now that we have this ability, you definitely want it to be on the other side of the coast, maybe another continent. We have these abilities now.


Ashish Rajan: Yeah. And I think it’s an interesting one as well. I guess we have a bit of a mix of that in Australia. And also another mix where a lot of people have chosen, say, Google Cloud because they found that they only wanted to work on, what’s that word, modern applications or whatever it’s called.


Basically everyone wants to go serverless, or everyone wants to make modern applications. No one wants to be bogged down by legacy applications. So people who want to go down the path of [00:06:00] saying, oh, we only do projects in Google, they really sell the fact that, well, if you want to make modern applications, Google Cloud is the way forward.


And then obviously Azure and AWS kind of started pushing the same thing. So that has happened over that as well, and Kubernetes kind of became popular. But what I’m seeing at the moment is, for a lot of BigQuery work, Google Cloud seems to be doing really well for big data. And for some of the people that I’ve spoken to, what they’re saying is they prefer Azure for platform as a service; it’s amazing as a platform as a service.


And AWS is good for IaaS, like infrastructure as a service. Although everyone’s trying to do everything that they can on the cloud market. So everyone has a service for everything in that,


Tanya Janca: if you can get any piece of the cloud market, you’re going to be a very happy, rich person for a really long time. They measure their profits in trillions and billions, not millions.


Ashish Rajan: Yeah. I needed to buy some shares. 


Tanya Janca: Yeah. It is very, very, very, very, very, very, very profitable. If you see articles comparing how much money each of the big three brings in, it’s just


Ashish Rajan: like, yeah. Yeah, definitely. [00:07:00] It’s not an individual company’s budget. It’s a country’s budget sometimes, and you’re like, or a continent’s budget, for sure. That’s like all the money.


Tanya Janca: Yeah, I think it depends on the thing that you want, and also why you’re choosing. So businesses often make decisions based on how much something costs, right? But I, as an individual, often make choices based on business practices, the environment.


And I don’t know if you know, but Azure and GCP are both carbon neutral, but AWS 


Ashish Rajan: is not. 


Tanya Janca: Yeah. And I don’t know if you’ve ever seen a cloud data center, but it’s like bigger than Melbourne. A data center is gigantic. It’s the size


Ashish Rajan: of a... I just imagined it to be like just another data center. So it’s like that big?


Tanya Janca: It’s the size of a city. They’re gigantic, and they have one or, not like, I’m sure there’s at least one for each cloud. And in Australia, certainly in Canada, we have one for each of the big clouds. Two, I think, for Microsoft, maybe. And they might not be quite that big there, but the ones in America are just there.


Like if you see the overall aerial view, it’s like the whole [00:08:00] downtown and then some of Melbourne, like the city core. Wow. Wow. Big. Yeah. And so that much being not carbon neutral versus carbon neutral, like I’m kind of a hippie. I know I took a lot of airplanes last year; I did that for work. And in my personal life, I come home, I do it all, I recycle, I reduce and reuse,


Ashish Rajan: sustainable. 


Tanya Janca: Yeah. So from a personal standpoint, I’m like, carbon neutral is important to me. That makes sense. That’s an,


Ashish Rajan: that’s an interesting one. I think it’s a good way for us to share notes on what the differences would be between AWS and Azure. I guess the next question I was going to ask was: how does someone do cloud security in Azure, for someone that’s starting off? As we go along, do Azure first, and then I can add in AWS and we can probably see how similar or how different they are, apart from AWS just not being carbon neutral. By the way, AWS, if you guys listen to this, please be carbon neutral.


Tanya Janca: we would 


Ashish Rajan: love that. 


That’s right. So what do you recommend as the basic building blocks of security for anyone who’s going onto Azure, right?


Tanya Janca: [00:09:00] The very first thing you would do is turn on Azure Security Center, and then they will guide you. So, yeah, they have a thing, and there’s a free version and a paid version, but the free version is absolutely outstanding.


It works really well. I give workshops on it all the time, and basically you flip it on and it’s like having a network expert give you advice. They’re like, hey, I see that over there. That is not in your network security group. Do you think maybe it should be? Oh, you’re missing critical patches there. I would like you to add the,


Ashish Rajan: Is that something that, I think it’s called a subscription in Azure, right? So is this, so you


Tanya Janca: turn it on per subscription, right? 


Ashish Rajan: So is there a centralized view for it, or do I have to go into each of them? Oh, even better. Yeah.


Tanya Janca: So you can turn it... So let’s say you and I work for a company and you’re my boss, and then some other person is your boss. So the top boss, assuming they have owner permissions over ours, would be able to see theirs, yours, and mine.


But I would just see mine right away, even so that you’re [00:10:00] like, I don’t trust Tanya to know her security stuff. Obviously not. You can keep that information private. And it’ll tell you stuff like, oh, those boxes aren’t monitored. Oh, that database, logging’s not turned on. We suggest this.


It also has application security advice. So: this platform as a service is allowing this app to be accessed via HTTP and not just HTTPS, or you have CORS set to a star, that seems less than ideal, right? Hey, did you know that your certificate’s about to expire? You have 30 days; maybe you should deal with that now instead of after bad things happen. It’s less sarcastic than me.


It’s a lot more professional and Microsofty. So the first thing I do is I run these little workshops, and then I load all of this infrastructure-as-code and security-as-code, awful stuff, into their subscriptions.


Ashish Rajan: And then we secure it. Oh, right, right. Well, that makes sense. Actually, I didn’t realize you run workshops for this as well. That’s a great idea. Security Center as a starter: you may only have one subscription, but as an enterprise, maybe each business unit [00:11:00] can have their own subscription and manage the security like that. So very DevOps friendly as well. It’s


Tanya Janca: really cool. And then Azure also has Azure DevOps. So I think Google has one, but I don’t know if AWS has their own. It’s


Ashish Rajan: like the pipeline, the pipeline. Oh yeah. Yeah. They call it AWS CodePipeline, so they have their own


Tanya Janca: words. So they have that and it integrates with their secret store, and it’ll take your secrets out and manage it all for you. And then they have all these free tools that you can click in. So I’m doing a workshop at RSA.


If you’re going to RSA, it’s free to come, and I’m just going to teach everyone like, okay, so let’s build a pipeline, just a plain Jane one, but then let’s add all these cool security tools to it, and then see, and then let’s catch stuff. Oh no, we have this old version of SSL. That’s not acceptable. Oh no, this is happening.


Ashish Rajan: Oh, I think this kind of brings us to another part: once you find the problem, how do you get someone to work on it?


Tanya Janca: Yeah, that’s a whole other matter. I have it so it breaks the build, [00:12:00] depending upon the level of the problem.


Ashish Rajan: Yes, on yours. Okay. Let’s say an enterprise would be like, whoa. On yet? This is just not acceptable.


Tanya Janca: I think certain things should just break the build though. 


Ashish Rajan: Oh, I agree. I’m just curious in terms of how this plays out in an Azure world. How does the security person, who’s trying to be, I guess, DevSecOps for lack of a better word, and they’ve integrated the security, actually, what does it look like? Difficult to measure? What does it look like? Is it integrated into a DevOps pipeline, or is it a separate pipeline for security? What does it look


Tanya Janca: like? The AppSec person. So my definition of DevSecOps is an AppSec person doing this in a DevOps environment. It’s the same application security goals, but you have to adjust because dev and ops are doing different things.


So you have to adjust or you’re going to be left behind. So if they have a pipeline, I want to be in the pipeline. I want to have little checks that are very, very important. And then I would love to have a second pipeline, like a parallel security pipeline. And it’s like, if you could just kick off your code [00:13:00] in this on Friday, it’s not going to publish.


It’s not going to do anything. I just want to do those long, big, slow scans, like static application security testing or dynamic application security testing, things like that. Slow, long, where I’m not slowing anyone; I’m not in their build pipeline, I’m in mine, and it doesn’t go anywhere. I just want to know.


Ashish Rajan: Right. Right. And that’s a great example as well, because to your point, if it’s something serious, you probably stop the pipeline. But if it’s like a medium risk, then you assess it. High risk, clearly they break the pipeline right then and there. Yeah. What about false positives? And I guess dealing with false positives? I am


Tanya Janca: a big fan of testing things first, before you put it in the pipeline. 


So everyone still likes you later. You can put it in the pipeline and have it on alerting and not breaking. So with Azure, you can set it like don’t break the pipeline, or it’s okay if you break it


Ashish Rajan: or it’s not. SAST tools

Tanya Janca: as well. No, no, they don’t have their own test tool. I mean, when you add a test,


it breaks or doesn’t break. So you can just get all of [00:14:00] the information that the tool gives, but without stopping it. And you can say, even if this step fails, just continue on with the pipeline. I just want to run it and see the test results, but don’t stop, keep going. And so do that first, right,


then roll it out. So when I was doing stuff with the OWASP DevSlop project, yes, we would, well, we smashed our build all the time because it’s just us, right? But eventually I’m like, okay, so we’ll set this as our goal, and if something happens and it goes, you know, above that, then we break, because then we had a baseline to follow.


If that makes sense. And then we stopped breaking it all the time, or if we broke it, it was a good one. Is 


Ashish Rajan: there an example of a company where you think this has been done really well? Yeah. There’s


Tanya Janca: lots and lots of companies that will tell you about it. So like Shannon Lietz from Intuit, she has a million awesome stories of really cool stuff that she does there. Or Astha, I’m saying her last name wrong, I’m sorry, Astha from Netflix, right? She has like a million cool [00:15:00] stories of things that she’s done, and her team


Ashish Rajan: has built. If I’m an AWS person listening to this and I have Azure coming down the pipeline, I know it’s just around the corner. We spoke about multi-cloud; that’s clearly a thing. It’s okay. So thinking USA and Canada, it’s definitely a thing in Australia as well. So I’m pretty sure anyone else who’s listening from any other country would agree they have it coming in the pipeline as well. I was thinking maybe we split this: compare Azure to AWS, but on certain topics, like say identity management, what does that look like? Backup and recovery, what does that look like in terms of their cloud-native options? Let’s go with that.


Tanya Janca: It might be slightly predictable, because what I have seen with the three big clouds is that whenever one of them has this awesome idea, the other two implement it like a month later.


Ashish Rajan: And maybe it wasn’t a fit for people looking to be guinea pigs for it. At least that’s how it works in AWS. Like


Tanya Janca: whatever super cool thing I’ve seen in Azure, I’m like, oh, that’s how you do it in AWS. Cool, good. I just didn’t know the name. But it turns out you can do almost all the same awesome [00:16:00] things in all of them.


Ashish Rajan: I don’t know if it’s the same with Azure as well, but with AWS I find every new service they introduce is, let’s say, an MVP. It almost feels like a startup has created a product and released it out in the wild, and the first few users are the beta users. Yes.


Tanya Janca: That’s so true. It’s so true. You’re absolutely right. As well, I’m pretty sure, yeah, they have a new service and you’re like, oh, I’m going to... you’re like, wait a minute. A lot of people complained that they felt, I guess, that Azure wasn’t, right when they started, it wasn’t enterprise ready, because they’re used to things from Microsoft being glossy and perfect. You know what I mean? That feel of very professional, very high quality, like they’re not messing around. And they’re like, oh my God, it’s not quite perfect. This is ridiculous.


Ashish Rajan: And I think to your point earlier, because AWS came before and had a lot more on the scoreboard, Azure almost had a mountain to climb before they could even compare themselves. But because they had the brand name, [00:17:00] they were instantly compared to AWS. Yes.


Tanya Janca: And also I think too, because Visual Studio Code is the number one code editor in the world. It’s the


Ashish Rajan: most used. I use it as well 


Tanya Janca: SQL Server, very,


Ashish Rajan: very valuable


Tanya Janca: database that used to make most things. And then also, unfortunately, Microsoft Access is still one of the most popular database systems.


Ashish Rajan: No way people still use Microsoft 


Tanya Janca: Access. Yes. There’s so much legacy crap running that you would not


Ashish Rajan: know of, and licensed as well. I mean, the last time I heard of Microsoft Access was, I dunno, uni, school.


Tanya Janca: Oh yeah. Not all the time, but often clients are like, what do we do about the Access apps? Besides be ashamed of


Ashish Rajan: yourselves? 


It’s like production, 


Tanya Janca: is it? There’s just like 


Ashish Rajan: a production? Oh my 


Tanya Janca: God. I’m just kidding. I never shame my client. It’s bad, right? I’m like, okay, we can do better. How can we port that, et cetera. Or just put it in a container and seal it with like a million


Ashish Rajan: locks. Mm. Yeah. 


Oh my God. Yeah. It’s scary, because we are all guinea pigs to trillion-dollar data centers. But it may be a good [00:18:00] idea for us to at least compare, at least on a few topics, like identity management at scale. How does that work in Azure? Azure AD?


Tanya Janca: Azure Active Directory. And it can go across to your other cloud and manage all of it with one sign-on. Yeah.


Ashish Rajan: Ooh, also Azure AD coupled with, so I guess I’m thinking like an enterprise, I would need an Azure AD and a few subscriptions, one for each of my business units, with I guess a top hierarchy for whoever manages everything else, like a tech lead or a DevOps leader, I guess. And single sign-on across all of them through Azure AD. Does that go into applications as well, or is it just the platform? It can, you


Tanya Janca: can do basically whatever you’d like. I mean, Active Directory is the most used one. That’s another reason why Azure just went like this, right? It’s like, we already


Ashish Rajan: have all this stuff. Yeah. That’s why. And they both enable, I think, between Azure and Azure AD, and AD as well. So, well, conveniently, I think what I find interesting with Azure AD in general, and I don’t know if it’s true or not, but a lot of people are saying that [00:19:00] initially Microsoft, the way it was approaching selling Azure was, oh, we’ll give you X number of free credits, because you have Azure AD already and you have Office 365, why don’t you try it?


And I think that’s a great way to sell it. It 


Tanya Janca: just clicks in perfectly. If you are a .NET dev shop, you flick some buttons and you’re into Azure. They have migration tools. You’re just like, oh, we’re in Azure now. Right. So that’s how they did it. Just like, we already have all the awesome stuff. Let us set it all up and just run it for you. And that sounds quite appealing. Yes.


Ashish Rajan: Yeah, of course. The easier you make it for the customer, the more, I guess, they stay; they tend to stay for longer.


Tanya Janca: I should mention, I used to work at Microsoft and I don’t work there anymore, but I’m still a fangirl as much as I want.


Ashish Rajan: Nothing wrong with that. Nothing wrong with that. And I’m pretty sure people would not judge you for it. Because I think even though you’re sharing the other side of Microsoft, you’re still sharing it with love. It’s kind of like your favorite child, right? Everyone still talks about the bad things, but wait, I can say bad things. You cannot. Back off.


To your point [00:20:00] earlier about the similar service for everything: so AWS has identity management, obviously, where you can have local users if you’re a startup. But now, I think over the past year, they’ve introduced something called AWS SSO, which is similar to Azure AD single sign-on, onto another AWS account.


And the scaling would be similar. You would have an organization hierarchy where someone’s at the top of the hierarchy, and then they basically apply policies at the bottom. So yeah, you’re right. It’s kind of like, huh, seems very similar, just different services, different names, but kind of the same thing.


Tanya Janca: The Azure identity. No, sorry, the AWS identity system, 


Ashish Rajan: What’s it called? IAM, also as in the single sign-on one, or the IAM users. IAM users. Yeah. The local users. Yeah, they are created locally on the AWS accounts. I think


Tanya Janca: that it can also manage identity within Azure. I think that they made it so that it was interoperable. Oh,


Ashish Rajan: right. Yeah, yeah. So before AWS SSO came along, they had almost like a, they had a service called, or this, they still have AWS Cognito, [00:21:00] and they still allow you to federate your AWS accounts to an Azure AD. You’re


Tanya Janca: going to have a multi-cloud strategy. I would say the first most important thing would be that you only have one system to manage identity across, like, your on-prem and


Ashish Rajan: A hundred percent, a hundred percent. And I think that’s probably the, I consider identity to be the key to your cloud kingdom, and one key to rule them all. Yes.


Tanya Janca: And actually, while we’re talking about one key, let’s talk about two. Everyone, everyone ever, for their cloud credentials, should have multi-factor authentication,


Ashish Rajan: MFA 


Tanya Janca: as Azure will give you a talking to if you don’t. It will be like, this is an owner subscription. We would really like you to turn it


Ashish Rajan: on. Yup. Yup. The same thing in AWS as well, like MFA. Yeah. And well, I was going to say, do you have a stand on using soft tokens or hard tokens? Because in AWS it’s either a software token or a hardware token. Is it the same in Azure, or is it like a mobile phone option as well?


Tanya Janca: It’s a mobile phone option. So Microsoft makes Microsoft Authenticator, just like Google makes Google [00:22:00] Authenticator. And I don’t know if Amazon makes one, but I would suspect they do.


Ashish Rajan: No, I don’t think they have an authenticator. Not that I know of. Unless, well, as AWS releases podcasts, they get released as a guinea pig service, whatever you want to use. We didn’t have an authenticator service. There you go. Like, what, why? It doesn’t work, but no, there’s a service.


Tanya Janca: Yeah, but basically, I use the Microsoft Authenticator app on my phone. So then I have to get into my phone. And then I actually was giving this big demo on stage for Microsoft Ignite The Tour, and then Cloud Shell, which is like their bash shell for Azure, timed me out on stage, in the middle of a demo.


And I’m like, so I’m going to break up with Cloud Shell after this demo, but for now, I’m going to log in. And then I did three-factor authentication, because I had to have my phone, and then I had the password to get into my phone, and then I used my fingerprint to authenticate with the Authenticator app.


And I’m like, three-factor authentication, score. Excellent demo.


Ashish Rajan: Oh, well, there isn’t... it is still multi-factor. That goes [00:23:00] like three. Oh my God. Yeah, that would have been annoying. That’s an awesome way to kind of round off identity management. Logging and monitoring: what’s the Azure play on that?


Tanya Janca: They do those things. As far as I know, monitoring is pricey. That’s what I’m told.


Ashish Rajan: Pricey for collection, as in for storing logs?


Tanya Janca: Just that the monitoring is pricey compared to the other two clouds. I don’t know, because I have never paid my own Azure bill, because I worked for Microsoft. They paid it for so long, and now I’m doing silly little free trials and staying below the... yeah. Anyway.


Ashish Rajan: Yeah. The free tier. Yeah. Well, yeah, because there’s a free tier on AWS as well. I just look out for the credit: each event that I go to from AWS, I just get the hundred dollar credit and keep applying it.


Tanya Janca: Yeah. I’m going to have to be doing some of that soon to make my workshop for RSA. I don’t want to spend thousands of dollars creating my workshop.


Ashish Rajan: So logging and monitoring. Is that like a separate service for auditing versus just logging?


Tanya Janca: Yup. Yeah. So you turn on monitoring, and then the logging is like storing that rather than just watching. Does that make sense? And then you can also turn on threat [00:24:00] protection, where it will actively stop threats rather than just telling you about them.


Ashish Rajan: All right. So threats which would be from an external feed, or threats which are from Microsoft only? How does that work?


Tanya Janca: So if they see something and they’re like, oh, someone appears to be trying to empty your database. That looks bad.


Ashish Rajan: It can do that? As in that could be user behavior, right? I think it sounds like, is that the kind of thing it’s protecting against, user behavior?


Tanya Janca: Yeah, that’s for the database protection. There’s also stuff like, you know, there’s this login and that looks weird. Like, Tanya’s in Paris now; Tanya’s in Bangladesh. So some are more obvious. It does, like, you know, like every cool security tool does, machine learning,


Ashish Rajan: obviously, of course. I mean, why are we even putting that in here? Surely it’s like a default, right, these days? Yes,


Tanya Janca: exactly. But it will learn about you, and eventually it will be like, hey, that employee is trying to escalate their privilege and then they’re trying to delete. So like, when I [00:25:00] quit, I was shutting down all my accounts,


Cause I didn’t, I didn’t want to like make bills for them after I leave. Right. So I had all these demo accounts and so I was deleting them and then I was trying to delete the backups. Right. Because they’re demo accounts, I don’t need them and Azure’s like, oh no, Cause if it was a real business situation, as opposed to a demo, you wouldn’t want to play quitting and then deleting the database and then deleting the backup of the database. 


So they made it wait 14 business days so that it would be past the amount of notice you’d give. And it gave updates like to my subscription and my subscription owner. So my boss knew that I had done it, although my boss asked me to do it. So it was okay. And so then I actually ended up assigning another employee to delete it for me after I left, because I don’t want to, I want to be that jackass, that leaves. 


And then it’s like, oh, and they get this giant bill after I go. Right. Like when I leave somewhere, I want to like, leave it as nice as, as I found it. 


Ashish Rajan: And so 


Tanya Janca: like, they’re like, oh, have you done it? This and this I’m like, yes. And then this person is going to like delete that after. And like, it wouldn’t allow me to say the fact being the super duper duper owner to delete [00:26:00] my own backup. 


It’s like, Nope, we need we need a management check on this because that’s a risky behavior. 


Ashish Rajan: In the AWS space, I guess AWS splits the whole logging, monitoring, and auditing a bit. They have like CloudTrail, which just does auditing of the account, which looks after the account, but it doesn’t create some kind of a threat notification. 


And they didn’t have this kind of a threat notification service for a very long time. They started a service called CloudWatch, which was a logging service for logging applications. You still had to kind of tell your application to go and log, but what I find interesting is maybe after the threat protection thing that you mentioned AWS, like, well, we should be doing something about this. 


I know what we’ll do. Create GuardDuty sounded like a similar thing, but so, and GuardDuty does exactly pretty much. Yeah, I don’t think it’s smart enough to say that. Oh, so she’s trying to do an admin function. It doesn’t do that. It does look at Tanya is coming from Canada, but two minutes later she’s coming from Bangladesh. 


So it definitely does the geolocation part. It definitely does. Scans of logs for seeing any, I guess, Bitcoin mining [00:27:00] happening, which that considering that the most popular thing on AWS 


Tanya Janca: Monero, what’s harder for, so I guess like the signature for Bitcoin’s really, really obvious and cloud platforms can tell immediately, but when it comes to Monero, it’s a lot harder 


Ashish Rajan: kind of currency. 


Oh, well, there you go. I wonder, obviously if we ask you a WSL will adding more services, so you would hear about her when you see it and like, thank you. That was like the response I was after, but sure. I think it’s in your radar. That’s good to know. I think the logging and monitoring. The other one that I wanted to ask, trying to think, what else, what other does elements of identity management, the grading scale, logging, monitoring, backup and recovery. 


You mentioned a backup account earlier so well now when I think about that, it’s not equal in the AWS services for backup now for, I dunno if we’re, if it would stop you from deleting the backup, which I like that feature where it stops you, because you’re absolutely right. And thinking that an athlete, a person who’s leaving could be a disgruntled employee as well. 


So it’s a great check from Azure. We definitely have thought about this a bit more. 


Tanya Janca: I have a bunch [00:28:00] more of them. I don’t know all of them and I don’t know if I’m allowed to say that 


Ashish Rajan: the Sentinel then, what does Sentinel do. Yeah. So 


Tanya Janca: Sentinel is their SIEM. So it’s like, 


Ashish Rajan: it was like a SIEM service, like a security incident. 


And management. There you go. Yes. I was like, what does that mean for, 


Tanya Janca: yeah, so it’s it’s advertised as the first cloud native SIEM. So it’s made specifically for the cloud and it’s also supposed to be the quietest SIEM. So it apparently gives almost no false positives ever. So it’s very quiet. Yeah. But if it hits something, you probably better run around because it’s probably big. 


I haven’t seen that much of it yet because it’s, it’s so new. It’s about a year old. And, but one of a hacker came up to me at a conference and he’s like, I got Sentinel and I was like, okay. And he’s like, and it’s bullshit. And I was like, oh, please tell me more. And he’s like, I threw all these hacks at it. 


And I’m like, yeah. And he’s like, and then it caught them. And I was like, okay. He’s like, and then that’s it. And I’m like, what do you mean? He’s like, it caught all the [00:29:00] things that all the hacks I did. I’m like, yeah. And he’s like, and then it didn’t say anything out and he’s like, no other alerts. It might maybe nothing else happened. 


He’s like, that’s too good to be true. I can tell it’s not good. It must be faking everything wrong that you did. And then it didn’t have any false positives. He’s like, yeah, it’s bullshit. I’m like, no, that sounds like it’s awesome. 


Ashish Rajan: That’s an interesting one. Like, so wait, so is it like a SOAR system as well, then? 


It’s not a SIEM. It’s like a SOAR. Is that, what is it called? S O A R like where it’s more around say if a suspicious action is identified and there’s a response. So it sounds like a SOAR system as well. Okay. It 


Tanya Janca: doesn’t respond. It just alerts you, but you can actually like program responses. So if so they call them playbooks, but it’s really a logic app, which is just a trigger. 


And then which calls a serverless app that you wrote. Right. So you can say like, if the SIEM sees this and you’re like used to it and you know, what’s usually accurate, you can say like run this playbook, but really it’s like trigger. The serverless [00:30:00] app to run, and then you can code in like black hole that IP, or shut down that server or like, you know, take away that user’s permissions or whatever. 


Ashish Rajan: Yeah. All right. Okay, cool. And is this an expensive service as well? 


Tanya Janca: The playbooks, I think are pretty cheap. I think it’s just the cost of a serverless app spreadsheet, the cost of a logic app. So just the trigger and then just the serverless 


Ashish Rajan: app. So. 


Tanya Janca: So, I don’t know how much Sentinel costs. I’ve been told by people in industry, it costs the same amount of time. 


Ashish Rajan: It’s a good time to move on to the next segment. The second segment is often to Nathan’s and basically it’s an incident that you would have been part of. You may have done it yourself, but you don’t want to disclose your name. Is there an incident that you can share? And also you can completely exclude yourself out of it. 


If you’re, if you are somehow responsible for this. 


Tanya Janca: Actually, I’ll tell you when, where it was my fault. 


Ashish Rajan: I would love to hear that. 


Tanya Janca: So when I 


Ashish Rajan: first started, yeah, I 


Tanya Janca: do. It’s okay. It’s okay. My, my boss knew, so when I, when I was at Microsoft, I like part of my job as a developer advocate would be to make all these lessons and [00:31:00] demonstrations. 


So I was making a demonstration on purpose of, a username and a password in your code, like a connection string. Right, right. And so then I used Azure DevOps to check it in. Right. Like was like compile the code and then publish it. So is it the same username and password for like a demo database? 


Right. But it was on purpose that way. And then and then Azure DevOps was like, oh, I don’t think so. 


Well, so it warned me and I was like, do it anyway. Cause I, as I, as I’m, what was I doing? So I was in Visual Studio Code and I was pushing it to GitHub. Right. And so push to GitHub and then GitHub triggers, the pipeline. And the pipeline is 


Ashish Rajan: like, 


Tanya Janca: no, no, it’s okay. And it gave me like so many warnings and I was like, do it anyway, do it anyway, do it. 


And then it went through and I was like, yeah, that’s fine. I don’t care. And then, and then I went out for, or no, no. Then like five minutes later, I get a call from my boss. Tanya, what are you doing? Told my boss on me. He’s like, I just got this like [00:32:00] emergency notification from Azure that you just like checked credentials into GitHub. 


And I’m like, no, no, I didn’t it’s for this lesson. And he’s like, oh, ha, that’s so funny. And then, and then we’re laughing about it. Right. And he lets me. And then I go out for dinner with some friends and then the Microsoft incident response team. 


I didn’t know that it was like, I just figured it stopped there and they’re like, excuse me, ma’am we need to talk to you. And they’re pretty serious. And I had to apologize a lot and they were like, if you’re going to do things like this on our platform, you need to alert us. We are a serious company. It’s like, I was just like, sorry. 


My boss was like, oh, need to make friends with the security team, John. 


Ashish Rajan: Yeah, I know now, you know, if you’d be able to know. 


Tanya Janca: I know, so eventually like eventually we’re friends, but but I made a very bad for 


that. Just started. I was like, oh, oh shit. But I kept like reporting real incidents and helping them with stuff. So I think eventually I grew on them and like all the different security teams are really nice to me, but they made a pretty bad first impression with 


Ashish Rajan: that. Well, that’s one way to introduce it.[00:33:00] 


Introduce you all set up for the rest of the organization. 


Tanya Janca: Yes. Actually in the, in the government, once I did a pen test and like I had permission. Great. And then I started it up. Like I started up my scanner. I just like to check things out. And then like five minutes later, this woman comes up to my office. 


She’s like, ah, is this you? And I like, yeah. But I sent a, I sent the form to the team and she’s like, you’re also supposed to send it to this team. And I was like, oh, I’m sorry. Like me and my boss didn’t know. She’s like, that’s fine. But next time fill the form. So I’m like, okay. But then I worked there for like a year and two or three more times, she came into my office. 


She was like, Tanya, is that you? And I was like, no, she’s like, I have to go run out. And she’s like, like, she was really, she was like, I was really hoping that was you. I’m like what happened? She’s like, I’m not telling 


Ashish Rajan: you. 


Though that was a different memory. 


Tanya Janca: Memory was a sophomore developer lady. This was a threat hunter. She was pretty serious. She was like, Tanya, are you doing something right now? And I’m just like, God, stop coming in here. I always fill the forms. You only have to tell me once. So yeah, 


Ashish Rajan: considering [00:34:00] we just shared an incident, which isn’t a flip the other side of the coin with the blue team. 


When that you can share, 


Tanya Janca: I have to say like that Microsoft incident where they, they caught me and then they caught me, like they tried to stop me. Then my boss called me and then the team, like, and it all happened in like 14 minutes. That’s 


Ashish Rajan: 14 minutes, 14 spend a few hours. 


Tanya Janca: It was fast. Like for me, that’s a huge win. 


Like if I find that my software developer, cause I used to be like a team lead for software developers for forever. And if I could find out that that happened and I could run to their desk and be like, we need to change those credentials now. And then we’re talking about. Yeah, but like, let’s just fix this right now. 


Cause my boss called me in less than five minutes. If, if that had been like, if I had been the boss, then I could run over, we could fix the problem together. What’s 


Ashish Rajan: a big conference for Azure out of curiosity, like, cause I mean, AWS has re:Invent, which is their big announcement thing. What’s the equivalent for Azure, 


Tanya Janca: Ignite. 


So they have the giant huge one in Orlando, but then they have Microsoft Ignite The Tour, [00:35:00] which I went on last year and it went to 17 countries. But this year, I think they’re doing 30. 


Ashish Rajan: I was going to switch gears a bit. And I think we’re going to go into a MythBusters section or segment the segment three MythBusters, basically questions that are, what are the myths around cloud security that you see. 


Tanya Janca: I do a consulting a lot. So I’ll meet with clients and talk with them about whatever thing they’re trying to do, and then give them an advice, help them make the plan. And I would say like the two biggest myths, which are very similar is like, so people are moving to the cloud. A lot of them think that everyone just moved to the cloud in six months or a year. 


No, it takes like five years. If you’re a giant legacy. Like you’re a giant enterprise and you have a bunch of legacy stuff. Like a lot of people are in the hybrid situation where you have some on-prem and some in the cloud for like three to five years. And people are like, oh, we’ve been at it for a year. 


And we’ve only moved half the stuff. I’m like, you’re above average. You’re doing so great. Stop being so hard on yourselves. I find like a lot of clients, it might stop being so hard on yourself. You’re doing [00:36:00] fine. And the other thing is with DevSecOps. So a lot of places are like, yeah, we’re doing dev ops. 


Okay. So we have like nine dev teams that we’re aware of. And two of them have pipeline and one of them let us put a security check in it. And then they’re like, we’re failures. I’m like, no, no, you’re not. You are not failures at all. Right? Like, oh my gosh, people are so hard on themselves. What’s 


Ashish Rajan: the, what’s the benchmark then to point, what’s the, what’s a good benchmark for an organization. 


So you’ve mentioned the example of taking five years from migrating and then people thinking they’re DevSecOps, but then they have out of the 10. Dev ops team. They may have only one or two of them. Are really integrated security. What’s the, what’s a good benchmark. Even if it’s one, I feel it’s a decent benchmark, I guess, to start off 


Tanya Janca: the first thing for moving to the cloud, the first thing you would want to do is all new development would happen. 


Okay. All new things that you build will be there. Does that make sense? And then, so we make a lift and shift plan or heard of doing an application portfolio management exercise. 


So it’s like, forgive me for saying Gartner, because for some people it’s a swear word, [00:37:00] but 


like they have this, like this thing and it’s, it works. Like you go through all of your applications and you look at them and you’re like, you know, these two are sort of the same and maybe they could just be one or like, you know, we have these six, but people only use this part of them. Right. And so I worked somewhere and we had 72 apps and we squished it down to like 20. 


So we got rid of some and then added some functionality to other ones to cover the stuff. Cause like, when you look at an old legacy app, well are usually only using like 10 or 20% of it or maybe 30% and they don’t need the other 70% of that functionality. So if you’re going to rewrite it, you don’t need that. 


And a lot of times there’s a product that already exists that does most of it. Yeah. So we like does manage to throw away into the garbage, a whole bunch of like old things rather than rewriting them and moving them. So first you have to take inventory, right? Like of all the things you have and then you can get a complete picture of your security posture. 


So that’s usually the thing I say is like, let’s make sure you know, of all your apps, I’m not going to get into like the list of different ways to do that. We’ll get a complete [00:38:00] list of all your stuff and then see where you’re actually at and what your tech stack looks like. Because some places, their tech stack is like a jungle. 


They have like 20 applications, like programming languages, like there’s like four different APIs that their devs are using. But some of them they’re like, okay, so we’re 95 percent .NET and 5% PHP. Okay. We’ll meet that PHP stuff for a lot of reasons could turn into .NET and then you could have like just a. 


It’s huge. And then you only have to worry about like one tech stack, right. And then try to get everyone onto the same framework version and that, do you know what I mean? And like, when you do things like that and like for dev ops, if you’re gonna use Azure, you can make a DevOps pipeline template and you can enforce it in Azure. 


So every pipeline has to have these security checks, like it automatically builds them in. 


Ashish Rajan: Oh, right, right. That’s a good one as well. I think so to your point, if someone’s listening to this and starting off, well, it’s a mountain to climb. Where do I start? Step one, new applications go into cloud. Step two, application portfolio management, to assess what you [00:39:00] really need to move into cloud and what you need to get rid of. 


Probably a good time to also identify things with just for sovereignty data. Sovereignty reasons cannot be moved out at all or government stuff, I guess. The, so the third step off of that is like, Then we’d go into the pipeline, I guess. Does it change from a security standpoint then aware most of the organizations may have a lot of deployments already. 


What have happened before and now they’re like, Hey security. And be like, oh, you’ve been doing this for a year now. I had no idea. I call it shady IT. Yes, shadow IT. I call it shady IT, but I know shadow IT. 


It’s kind of like a shady things that’d be doing. Yeah. So have you got some recommendation on those? Like how do they. Go about doing that in the Azure world. Oh, 


Tanya Janca: so shadow IT is pretty obvious in the Azure world. I’m sure the same with AWS is that like, if it’s in your subscription, you’re going to see it, right? 


Ashish Rajan: Yeah. Can you write up separately though? Like 


Tanya Janca: that? So that’s the thing. I was going to say. I, a student that used to work for me, she was showing me her app for work. And I was like, why did the URL change? [00:40:00] Why did the domain change? When I went to your page? She’s like, oh, you know, the governmental service that provides our infrastructure, which in Canada, everyone knows what that means. 


Wouldn’t give me a server that I wanted. So I just took my credit card out and touching AWS. Oh man. And I was like, I have to tell on you now. I don’t want Canadians to go to your page and it’s not bad. Yeah. So I got her to talk to her boss and tell him, I was like, no, cause they won’t follow. And she’s like, I know what all that stuff is so slow. 


And I’m like, you know what? It’s really fast to make a crappy app. That’s very insecure. You can do that very quickly 


Ashish Rajan: if you want to. So is there like a function in Azure? I guess if you’re an enterprise, listen to this and you may come to know the story that, oh, there has been some Azure instances running in the background. 


Can, I’m assuming there’s like a account manager, someone that can reach out to and find out who else from the organization with a corporate email would be doing this. 


Tanya Janca: So to search the corporate email address, I’m not sure how that would work. Like I’m sure they can do with it, but I don’t know what that’s called. 


I know [00:41:00] that there’s like an account manager and like there’s a thing to show you your expenses and help you manage them. Oh, sweet. 


Ashish Rajan: Where I’m going with this is if a person listening to this is in that situation, they can probably reach out to an account manager and find out. Are they aware of any other people who may be trying to reach out to them or want some service or have a subscription. 


Tanya Janca: Yeah. Yeah. Basically like your account manager is your person. 


Ashish Rajan: So basically if you ha, if you have this kind of scenario before you do step 1, 2, 3, that, which you mentioned earlier, do a consolidation exercise, as you find out who else is out there in the jungle. Yes. 


Tanya Janca: Yes. And it’s unfortunately an uncomfortable exercise because you’re going to find out things that might make you unhappy. 


I’d rather know the bad news. 


Ashish Rajan: Yeah. Fair enough. I’ve worked in one more question. Where do you think people are not talking about cloud security? It could be an Azure context, but what are they not talking about? About security 


Tanya Janca: training? I feel like they’re just, we’re throwing people into things and we’re not giving them the security training necessary to, to know how to do it. 


Right. 


Ashish Rajan: And it [00:42:00] gets frustrating. 


Tanya Janca: Both. Like, I feel that the devs and ops folks and the dev ops folks should all be getting like, like I feel if you’re getting tech training, it should include how to do the thing you’re doing securely. Like if you were learning how to change a light switch in an electrical class, they would teach you how to do it safely. 


Right. So that you don’t get electrocuted and you don’t burn down the house. Good job. We give people lessons like, and we, and we teach them like, you know, this is how you create a serverless app and blah, blah, blah. But we don’t teach them how to create it to make sure it’s secure. Yeah, and I feel, I feel like you have to pay a lot extra. 


If you want to learn the security right now, or take a separate extra course. And it’s just not in the budget for a lot of people, or even like on the radar. It’s like, this is how you code this in Python. I’m like that’s wildly insecure. Oh my gosh. I hope that we will make a switch in the twenties. 


Ashish Rajan: 2020. 


If I was someone that she told me yesterday, a happy new decade and like, why is it a decade? But it’s a whole different story. I was going to say, as someone [00:43:00] who would be going to a training exercise that makes me think, or someone who’s to maybe looking at training exercise, most of the Google searches, or most of the YouTube searches in a dev ops or DevOps people would do, they would be, how do I deploy an application? 


They don’t talk about their own such, how do I securely deploy an application? So that’s an interesting way to even, cause when you mentioned like, actually that’s true in training people, don’t like, if you don’t tell them, they will not know, but because their job profile hasn’t really called out that you should deploy things securely, they will not Google. 


Tanya Janca: It is my opinion, that security is everybody’s job. Like it’s your job to do your response, like your responsibilities, your duties at work and the most secure way that you know, how, and it’s your company’s responsibility to make sure you know what that means. Right? Like I can’t just expect that help desk knows, oh, ransomware. 


We should call the security team. I was like, why can’t they just read my mind? That is not a good strategy for life. And instead I should like tell them exactly what I want from them. Like, I’m the security team. I need you to call me if you see this, 


Ashish Rajan: this [00:44:00] or this. Yep. Perfect. It’s a good way to go into our next segment as well. 


It’s called the Unicon segment and I would love for you to share what do you feel your superpower is and what, what do you love talking about? 


Tanya Janca: I would say that my security superpower is explaining things to people in a way that they understand. And then they can go do it. 


Ashish Rajan: Ooh. I was kind of hoping you would share your mentoring Monday part as well and there, 


Tanya Janca: so I’m 


Ashish Rajan: not that I’m just a little bad only about this mentoring Monday thing. 


I taught people 


Tanya Janca: full of little online initiatives. So on Wednesdays I’m doing security win Wednesdays, so I have a hashtag security win, and people are just sharing. Wins and positive news because we always just complain about bad things. But if we talk about when we win, so people are sharing with me on Wednesdays, cool stuff that they’ve done, it sounds like 


Ashish Rajan: I should release a podcast on a Wednesday then as part of a security win we can just share that story as well. 


Tanya Janca: And then I also run mentoring Mondays, which is a hashtag mentoring Monday. And then it basically a matching [00:45:00] people with professional mentors, even if it’s just, Hey, you should follow these people. And here’s a book or reductions to keep people, but some people are meeting in person and having like long-term mentoring relationships. 


Some people are helping people find their first job. The community has really stepped up in a wonderful way. And for your listeners, if you have worked in your field for two or more years, You are qualified to be a mentor. What that means is someone else wishes. They could have your job, that they were qualified enough to be able to do a job like yours. 


And there’s a lot in a lot of people that want to get into our industry and there’s no formalized really obvious way for them to do it. There’s no, like I took this course and now I can do this. That’s why people keep talking about certs online. Like, what is this magical cert that I can take? And then I’ll get a job. 


That’s what people want. People want their first chance they want guidance. And so mentoring Monday is trying to just help and match 


Ashish Rajan: people with so much. So many of us have had such a varied background as well, [00:46:00] and it’s such a varied way into security. And I always find these questions from people ask about undoing. 


The security plus certification would, does help me get a job. I’m doing this. I dunno something else certification. And I always feel it’s an interesting one where certification may be good for someone who’s not coming from a security background. But I always find the best way somehow has been. If you work in an organization as a dev or an ops or a dev ops person, you probably are in a better state to social security because security is still, I mean, we’re living in a time where a lot of automation is coming in. 


Traditional security has not been in more automation and the DevOps folks are leading the charge. We need more people from the dev ops guys to change the security champions. I feel like, but when I tell that to people, they’re like, but that’s going to take awhile. I’m like, yeah, it does take time. 


It doesn’t happen in one day you do a cert and you get a job next day. That’s very rare, but that’s just my experience. Is that your experience as well? 


Tanya Janca: Yes, I actually so a lot and a lot of people come to me because of my public speaking and my blogging. And they ask like, [00:47:00] you know, will you mentor me? 


And I can’t mentor everyone, obviously. So that’s why I created mentoring Mondays. But then when I worked at Microsoft, they always talked about how they could scale me. Cause they’re like, there’s just one Tanya, but they would say tie for one, just to be clear. No, the cloning machine isn’t is it finished yet? 


So how could we make you, you know, not have to work lots more hours, but instead, how can we do things? So we would scale you. So, you know, rather than flying to speak somewhere stream, rather than you know, texting each person, you know, people would ask me the same question a lot. So I would write a blog post. 


So then I could just reply with the blog post because everyone kept asking that question. Right. And so then I thought about it, I’m like, I should write a book. So I am writing a book with all of my knowledge in it. And it has like code of course, cause I’m a nerd. But it, it has like clear casual language. 


Explanations like with simplified language and then also stories of Alice and Bob from cryptography and how it affects real people’s lives. So like, [00:48:00] why does framing a website matter? Well, Bob was on this website and he was doing blah. And so it sees how, like it weaves things into their lives and not in like a blaming way, because I feel like we blame users a lot. 


It’s like, you know, Alice is a highly intelligent woman, but she still makes mistakes sometimes. And she’s lived on this thing. Right. And, and what we can do about that. So, I have totally submitted chapter two now to my, 


Ashish Rajan: but is there a release date? Or do you have a, is that 


Tanya Janca: how it works around six months? 


Yeah, you’re looking forward 


Ashish Rajan: to you share the name of the book or is that still a 


Tanya Janca: secret. Alice and Bob Learn Application Security. And if it goes well, I hope Alice and Bob will learn DevSecOps, incident response, et cetera. Oh, 


Ashish Rajan: looking forward to it on our next segment, which is fun questions. I’ve got three questions for you. 


It’s totally not security related; could be if you want it to be. So the first question is where do you spend most time on when you’re not working on cloud security or. 


Tanya Janca: I hang out with friends a lot and I also, I really like to cook. I follow, like, the whole foods, [00:49:00] paleo type of food lifestyle. So I don’t eat grains because when I do, I feel really bad. 


So I like. Okay. I’m like obsessed with recipe books. And then, so I like to have people over and cook for them and vice versa. 


Ashish Rajan: So that kind of makes me feel like nice, next question plays in really well. What is something that you’re proud of, but it’s not on your social, like LinkedIn or Twitter? 


Tanya Janca: I used to be a professional musician and I released five solo albums and yeah, DVD and I, I played all over the place and and then I was like in a lot of bands too. 


So it was like a loud 


Ashish Rajan: music genre of music. 


Tanya Janca: So I did folk music solo, and then I did punk rock with different bands. I played on the Vans Warped Tour briefly in 2005. 


Ashish Rajan: There you go, I had no idea. And what, so, final question. What’s your favorite cuisine or restaurant that you can. 


Tanya Janca: Oh, my gosh, Thai food, hands down. 


I love food. I have not met any Asian food I didn’t like. 


Ashish Rajan: Yeah, definitely. One of the cuisines in life I look forward to enjoying every now and then. That was, that was the, a podcast episode. Thank you so much for your time. I really appreciate it. 


Tanya Janca: Thank you for having me. This was super fun [00:50:00] and it was kind of nice to see you.