HOW TO BUILD SECURE ENVIRONMENTS IN MICROSOFT AZURE?


Episode Description

What We Discuss with Nicholas Hughes:

  • Where does one start with Azure today?
  • What is the highest level of segregation one can have in Azure?
  • What do an Azure AD tenant and an Azure subscription look like?
  • What is a Resource Group in Azure, and how is it different from the equivalent in AWS?
  • The hierarchical and namespace structure of Azure resources
  • How does Azure Policy work?
  • And much more…


Ashish Rajan: [00:00:00] Hello and welcome to another episode of Virtual Coffee with Ashish! This morning, I have an interesting episode where, I think I’ve been trying to do this for a while, for people who’ve seen my posts, we’re going to talk about Azure cloud security 101, and it’s an unbiased version because it’s not from Microsoft.

It’s a real life. How are you Nick?

Nicholas Hughes: [00:00:20] I’m doing well. Can you hear me okay?

Ashish Rajan: [00:00:22] Yes, I can hear you. Okay. Hope you can as well. Welcome to the show. and, it’s a tradition. So I’m going to start with that.

Cheers.

Nicholas Hughes: [00:00:32] Cheers.

Ashish Rajan: [00:00:34] So I’m going to start with the obvious. Well, who is Nick? For people who don’t know you so far, we may not have heard of you before, so please tell my audience, who is Nick?

Nicholas Hughes: [00:00:46] Sure. I’m Nick Hughes. I’m just a guy. I do things. So, I actually run a company, as CEO of EITR Technologies, with my two partners.

And, I do a lot of cloud [00:01:00] security. So we’re kind of like a services company. So we touch a lot of different clouds, a lot of different technologies and do like super cool stuff. On top of that, I am the cloud working group captain for the Salt open source community. And I also run a small open source project that provides Azure functionality to a brand new configuration management

tool called Idem. So I do cloud

Ashish Rajan: [00:01:29] things. I mean, we definitely need to get into some of your contributions that people should be aware of, cause I feel like there’s a lot of public work and a lot of open source where people do that, but before we get into that, what was your path into cybersecurity, out of curiosity?

Nicholas Hughes: [00:01:44] all over the place. I don’t know. It’s. It’s probably really interesting. And I can take up a lot of time. but like the high level is I kind of fell into it. I always had, you know, capacity for doing computer [00:02:00] type things. as I was growing up, my dad said, Hey, you know, you should probably get into computers.

It would be great for you. And, and, because my dad said it, I promptly went the other direction and decided not to do that

Ashish Rajan: [00:02:15] as all kids do. Of course.

Nicholas Hughes: [00:02:16] Yeah, exactly. So, yeah, I was doing like a bunch of different, like weird work. I was in retail, actually the lead auditor for a big box store in the Maryland area.

And a buddy of mine , he had an internship with a large building controls company and somebody came over to fix his computer and said, Hey, are you hiring? Cause my buddy Nick, he has like a two bedroom apartment and one is completely full of computers.

Ashish Rajan: [00:02:44] Oh

Nicholas Hughes: [00:02:45] yeah. So I was like, okay, doing it in my spare time.

And I guess I went into that interview and sounded like I. At least had half a brain when it came to it and did it from there. So yeah, it just sort of evolved into a bunch of different, activities, you know, you name it. I’ve [00:03:00] probably done some thing inside of it, touching, you know, various technologies, you know, I’ve written applications in, in.net.

Like way back when, I was kind of a Windows guy, then Windows admin stuff, transitioning into like doing more Python now. But automation is like my first love, right? So, yeah, we’re just automating things. And then when people started moving into the cloud, I’m like, yeah, I can automate that too.

Let’s do it.

Ashish Rajan: [00:03:25] That’s one of the reasons why I’m here, by the way. One of the things that got me attracted to you was the fact that you have your title as automation consultant as well. Which is, I’m like, this guy is cool, cause he’s actually calling it out that this is exactly what, I’m not a DevOps,

I’m not the, I’m just automation, just talking about automation. So

Nicholas Hughes: [00:03:44] Yeah. Yeah. I mean, that’s what it was called in the good old days, right? You know, it’s like there wasn’t a DevOps. It was just automating things. Yeah,

Ashish Rajan: [00:03:53] that’s right. I mean, it’s always been, it’s always existed now. We just have different marketing names for it.

I guess that’s kind of how I see it. [00:04:00] Yeah. And I, I think I definitely want to get into a bit more about the automation and the security side of it as well. What does security mean for you? I know everyone has different definitions, so I’m keen to know yours as well.

Nicholas Hughes: [00:04:15] Yeah. You know, I think it usually shakes out into what people tend to care about the most or, you know, the thing that they, watch the most, but ultimately what it boils down to is like mitigating risk, right?

Like that’s, that’s what cyber security is in general. you know, there, there are people that take a very hard line approach and say like, we need to lock down all of the things, but like, ultimately you’re there to. Help business. Yeah. Your, your company wasn’t founded to lock down things. It was founded to do something else, right?

Like you’re, you’re providing a SaaS platform, providing something. And so, yeah, I mean, we should definitely lock down those things, but it also needs to be usable and [00:05:00] functional and fast, and all the other things that you care about in your business. So, I really think about like, hey, let’s, let’s mitigate the risk, let’s balance
</gre_replace>
<gr_replace lines="89-91" cat="clarify" orig="Ashish Rajan: [00:05:14]">
Ashish Rajan: [00:05:14] Talking about risk and getting stuff done. One of the things that people want to get done is having the right security foundation for an Azure plan. And I’m, I’m not going to start, I know we had a lot of topics in there, and I did want to focus on one particular, I guess, section of cloud security in Azure, which is kind of where most people start usually.

So I’m going to start with the, I guess, with the question here, which may, I think, become a good segue into this. So what’s the highest level of segregation that someone can have between resources in Azure?

This let’s make sure that, you know, we lock things down as much as we can, but also let’s, let’s get stuff done.

Ashish Rajan: [00:05:14] Talking about risk and getting stuff done. One of the things that people want to get done is had the right security foundation for an agile plan. And I’m, I’m not going to start. I know we had this Lord topics in there and I did want to focus on one particular, I guess, section of cloud security, Nashville, which is kind of where most people start usually.

So I’m going to start with the, I guess with the question here, which may. I, it would become a good segue into this. So what’s the highest level, level of segregation that someone can have between resources and Azure?

Nicholas Hughes: [00:05:48] Well, it’s a, it’s funny you say that because I happened to have some slides that we can go through where we can talk about just that

Ashish Rajan: [00:05:57] I had these prepared earlier.

[00:06:00] Yeah. Let’s go through them with me.

Nicholas Hughes: [00:06:05] Awesome. Yeah, so. Yeah, just sort of talking about that, the highest level of, of what Azure is, right. You know, a lot of people out there, AWS has the, the largest market share right now. So they’re probably familiar with AWS accounts. Right. You know, like that’s where your stuff sits.

You stand up your resources, you know, interact with services inside of your account. And, so in Azure land it’s called a subscription. So that’s kind of the corollary there: an Azure subscription equals an AWS account. But instead of just getting an AWS account and like having the equivalent of a local user and a local group in cloud land and AWS, right,

it’s your IAM users and groups. Microsoft actually gives you this layer above it, that you would actually get when you move into AWS [00:07:00] Organizations. Right? Like the concept of, hey, I have this overarching place to house my user accounts for single sign-on and things like that. So this is just something that you get when you start your first subscription, right?

You go out there for a free, pay-as-you-go Azure subscription, you’re going to get this tenant and that’s where your users live, you know, your users, groups, roles, all that stuff. So your very first subscription, this is kind of what it’s going to look like if, you know, icons were things.

So we’ve got our, our Azure AD tenant at the top, and I’m describing it a little bit because like I consume this podcast as a podcast. So I’m going to try to like, not rely on visual aids too much, but it will be helpful if you want to look at this. But, so underneath it, the tenant, right?

Like that’s where all of your Azure stuff’s gonna live. And then there’s this concept of resource groups underneath of that, where you can lump a whole bunch of resources together and interact with them as that whole. And [00:08:00] there’s kind of the concept of that in AWS, but it really relies more on like tags, more than namespacing.

Right. So, you know, resource grouping in AWS is like, Hey, I’ve tagged things appropriately so that it has grouped my things together. in Azure, one of the things that I really like about it is that it’s more hierarchical. you know, it’s almost like I’ve dropped things in this directory. so I’m going to delete this directory and now it’s all gone all of the things that were in there.

Right. And it also helps to like namespace things so I can, you know, create two different resource groups and, you know, have things named the same inside of them because, in the pathing structure that, that Microsoft has, you know, it’s basically in a different directory at that point. So you can name them the same there.

Ashish Rajan: [00:08:47] I’ll ask you a question over there then. Cause I think, the way, and to the point about the podcast audience as well, it’s going to see this. So when I sign up, I get this thing called Azure AD tenant. And then under that I get [00:09:00] subscriptions. And is that my resource, or a resource group is a bunch of resources?

Like, you know, getting kind of, you got to kind of lost me over there. So

Nicholas Hughes: [00:09:09] yeah, no problem. so like we haven’t even gotten to the things that actually do things yet. Right? Like

Ashish Rajan: [00:09:16] stuff,

Nicholas Hughes: [00:09:17] right? Yeah. You know, and that’s, you know, when we first started talking, what we were talking about really was like foundational security and, and that’s.

Well, I really wanted to go over the really, really basic concepts of, of how things are structured. and it’ll make a little bit more sense as we run through them because you know how you structure the really base levels of how things are put together. you know, it’s going to affect everything going forward and you don’t want to have to.

Yeah, you don’t want to over architect early. Right. But you don’t want to have to think about, you know, some of the stupid, easy things later either. So you got to find, find that right balance. so maybe we’ll, we’ll go a little bit farther and maybe it’ll makes sense.

Ashish Rajan: [00:09:59] Yeah. [00:10:00] Perfect. Perfect.

Nicholas Hughes: [00:10:01] So like this would be what it would look like if we spun up another subscription.

Right. You know, we have another, yeah, effectively an account that our resources are going to live in. And why would we do this? Why would we have another subscription? Could we just have a whole bunch of resource groups inside of one subscription and just have all of our stuff in there? Yeah, you could.

but you know, sometimes it’ll get really ugly, right? Like having a ton of resources all in one spot. one. There’s like quotas. Right. You know, like AWS has quotas, you can only do so many things inside of an account before they’re like, ah, well, you know,

Ashish Rajan: [00:10:40] you probably shouldn’t be, shouldn’t be using that many of this.

Nicholas Hughes: [00:10:45] Right, right. So like Azure does the same thing. So you’re going to have to keep bumping those up, but then, you know, one really cool fundamental concept that’s making its way more into cloud security is this concept of using [00:11:00] accounts or subscriptions as a security blast radius. And so what does that mean?

Right. Like, okay. I’ve stood up resources. I have. You know, instances, that are serving web applications or something, inside of these resource groups, what happens when somebody pops one of those? What happens when one of them becomes compromised? you know, maybe. Maybe they have lateral movement from my web server and reach some sort of provisioning server that has access to stand up resources in my environment.

Maybe they max out the number of instances that I can stand up in my Azure subscription, crypto mining or something like that. And before I catch it, you know, I have some process in place to spin up like a new product or something like that. And all of a sudden I’m hitting all my resource limits and I can’t do that.

That creates a denial of service for me. So having this account as a blast radius is super important to help mitigate like weird edge cases like that. [00:12:00] So, you know, really thinking about like, Hey, how can I separate things? using subscriptions as a barrier, really becomes this, this cool, real base, fundamental security concept.

Ashish Rajan: [00:12:12] Oh, I like that concept as well. And I do want to call it out because we have a few students in the mix as well, because I know blast radius people like you, and I would understand, but it sounds like straight out of like a movie, like what’s the blast radius. for

Nicholas Hughes: [00:12:29] whatever you think it is, that’s what it is.

Ashish Rajan: [00:12:32] so for people who may not have heard the term blast radius before in a cloud context, but you just, quickly on like a sentence on what do you mean by a blast? And here you gave a really good example. And I kind of liked the fact that I’m not going to take your time, excuse the Tundra. So I’ll let you explain it.

Nicholas Hughes: [00:12:49] No, no, you are, you explain it. Nope. So, you know, a blast radius is exactly what the name sounds like. Right. You know, like you set off an [00:13:00] explosion, it’s going to go so far. so what we’re really talking about is artificially constraining. That radius, to a point that’s manageable. So in the context of computer security, right, you know, if your blast radius is very big, that means that it has affected in a negative way, a bunch of things.

so we want to try and tighten that down and make the blast radius smaller. So the level of effect, is much smaller, when bad things happen.

Ashish Rajan: [00:13:32] Oh, I think I’ve got a related question from David here. I don’t know if you can see the chat window as well.

Nicholas Hughes: [00:13:38] I’m really bad at reading and talking at the same time.

All right. I

Ashish Rajan: [00:13:41] want to make it out. I think it would be good for the audience as well on the podcast. How do you use subscriptions as a blast radius boundary? If they are members of the same tenant is having them in a separate tenant directory, the only way.

Nicholas Hughes: [00:13:56] So. You know, when we talk about, [00:14:00] maybe we should go a little bit farther, because I have some slides.

Okay.

Ashish Rajan: [00:14:04] Maybe we can come back to the thing.

Nicholas Hughes: [00:14:05] Yeah. so let’s start talking about that, after this slide, so I’ll just slide this one in row real quick. so. I’ve thrown away the resource groups at the bottom now. And let’s just talk about like those two subscriptions that we just stood up. now if we wanted to manage those things, like the compliance or like access to them, we don’t have to do that separately so we can actually manage them as a whole using the concept of management group in Azure.

so. Azure actually gives you one for free. A lot of people, you know, unless they were like, really dig in like w there’s a management group that all my subscriptions live in. I didn’t know that, like, when you’re just starting out, you’re like, I just got my subscription. I didn’t know this. but there’s this management group that’s over top of any subscription.

that you tie into your tenant and it just like sits there so you can apply policies [00:15:00] and all sorts of cool stuff, yeah, at this management group level. And it’s there by default. And sort of segueing into the next iteration of that, you know, you can artificially build out these management group structures that apply different policies, restrictions, and like access levels to different

parts of your business, right? Cause this is what this is all for. Based upon, you know, how your business hierarchy looks, right? So in this diagram, for the people that can’t see it, we have our Azure AD tenant and then we have the tenant root management group right underneath of it. That’s there by default.

And then we’ve created some other management groups underneath of it, one for marketing and one for IT. And then like further separated the IT one into like geographic regions or anything that’s important to your business, right? Like how do we want to separate things? And then you can start creating subscriptions underneath of here and all of those policies that you’ve applied, like [00:16:00] based on geo region or something like that, like, oh, you know, this, we have business in Australia because we’re hanging out with Ashish, right,

how we can apply things that are important for like maybe very specific Australian compliance policy at that geographic region level, and any new subscriptions that we spin up and attach underneath of that management group then get managed the same way. And then to sort of speak in the same vein to the question, you know, yeah.

They all share the same Azure AD tenant. But you know what we’ve done when we’ve created this structure is separate access so that maybe people in marketing, right, if that subscription gets popped and maybe they have, you know, managed identities that are attached to instances that can do things within their subscription,

they can’t like reach back into our prod IT main hosting zone and do stuff, right? [00:17:00] Like it all goes back to like properly architecting all the things, for sure, because if you start sharing identities between subscriptions, you’re basically shooting yourself in the foot. Don’t do that. So, yeah. I mean, there’s other levels of segregation for sure that are gonna protect you much better, but in a large organization, you want to have shared identity.

you don’t want to have to go to all these subscriptions and, and create accounts like that becomes a nightmare. You know, that’s, that’s the whole reason that, you know, you’re, love SSO, right? Like. Oh, I’ve got like one account and I can sign into all of my things. Yeah. That’s glorious. I only have to remember one password.

Right. So you know, like Active Directory does that in Microsoft land. There’s some other like directory-as-a-service companies that do really well. So for like random SaaS applications, you can integrate those with single sign-on, so that like people can use the same account to get into GitHub and, [00:18:00] you know, random AWS subscriptions or whatever.

so there’s you, you want to have a single sign on for sure. And as long as you’re doing things properly and securely, hopefully it doesn’t become like a huge risk.

Ashish Rajan: [00:18:11] Would that single sign-on sit on the Azure AD tenant? And I think even in my head, coming from AWS land, I’m looking at this diagram and I’m going,

is it tenant root, or is the tenant group the same as, say, Organizations in AWS?

Nicholas Hughes: [00:18:26] Yeah. Yeah. That’s probably the closest corollary that you have in, in AWS. so when you sign up for organizations, right, they abstract that out so that you can have that single sign on across your accounts. So that’s kind of what you’re getting here

Ashish Rajan: [00:18:40] also.

Does that mean, I guess, for anyone who’s from the AWS background or coming from, well, I guess AWS background, they would be able to visualize this in a better way, in the sense that, so the way I see it as an AWS person, Azure AD, the AD tenant, that’s sort of my identity. Azure AD is my identity, that is just a [00:19:00] logical representation of "you have an account with me now". Is that right?

Nicholas Hughes: [00:19:03] Yeah. You know, like. It does a lot of things.

Ashish Rajan: [00:19:07] All right. Okay. So Kelly look more than this identity, I guess.

Nicholas Hughes: [00:19:13] Yeah. And it really, it’s really going to depend on like what you currently have in your enterprise and how things are going to be tied together. Because you, you can federate your identity from Azure AD to like actual Active Directory in your enterprise,

if you had one. If you’re starting from scratch, right? Like you’re starting up a company right now. And you decided that, hey, I’m going to do things inside of Azure because I can sign up for like a Microsoft 365 account and get all my company email in there. That’s all going to be the same thing, right?

Like they’ve stood up Azure AD for you for your Microsoft 365 account, that can also be the like holding spot for all of your Azure subscriptions. Like everything just fits together nicely. So, you know, when you, when you [00:20:00] live inside of a single ecosystem like that, things just like really work well together.

and so, you know, w when you start going outside of that is when you have to think about like, okay, how does this integrate with this other thing that we have I have, or the other thing that we want to do? And like, how does that fit in? Where does it plug into?

Ashish Rajan: [00:20:19] I think that, I mean, I guess the representation kind of answers the question from David as well, and you can correct me if I’m wrong.

It’s the question that we had about how do you use subscriptions as the blast radius boundary? If they are members of the same tenant, is having them in a separate tenant directory the only way? Is this the way, I mean, I guess we have a few more slides after this confirming.

Nicholas Hughes: [00:20:41] so really the next thing that I was going to start talking about was like, How Azure policy works and compliance and things like that.

so I mean, we could talk a little bit more, I guess, about the tenant and how it might put a monkey wrench in your blast radius theories, but [00:21:00] you know, really what it comes down to is implementation. You know, I, it’s very hard to talk in a vague way and say, somebody probably got a use case that they’re thinking about in their head.

Right. It’s it’s hard to,

Ashish Rajan: [00:21:16] Could be that if we talk about how does the account structure differentiate between, say, a startup versus a small to medium sized business or an enterprise, like, how do they design so that they start with the right foundations? If I’m a startup listening to this, who’s starting on Azure because I got the startup funds from Azure and I’m like, oh great,

I’ve got some money, I want to go all in on Azure. What about an enterprise, who obviously, to your point, has complexities added by whether they have an existing AD or whatever else may be? Like, how do you kind of go about having the right foundation for each one of those?

Nicholas Hughes: [00:21:55] Yeah. So, really it’s, it’s all about, you know, [00:22:00] having a plan, right.

You know, as we grow, we’re going to make sure that we are creating subscriptions, right. For this atomic unit of something, right? Like we’re going to do it on a project level or we’re going to do it, on like some sort of business unit, right? Like not like a huge business unit, but like, Work structures and companies.

So, you know, when you’re small, you have a very flat organizational structure. you know, you have like a half a dozen people, like, why are we gonna create some huge mess of a tree, right. Like, Oh yeah, Larry’s our sixth employee. And he’s like three levels deep and management that doesn’t make any sense.

Right. And then the same thing goes for your subscriptions. You know, you don’t want to create. You know, this end game that we just talked about, where, you know, things [00:23:00] are tiered under different management groups, for a single subscription, but you want to have it in mind as you’re going along. So, you know, really the first slide I showed you, your first subscription, you know, that’s good enough for a small business starting out.

You know, maybe add another subscription for, for dev versus prod. If like your thing is SAS, you know, you’re standing up some, you know, next level, you know, corn, you know, web app that everybody’s gonna want to use. Right. You’re gonna like run up all sorts of funding and stuff like that. Like. Yeah, start small and grow, to whatever makes sense.

So maybe you have a subscription for dev and that’s where you’re going to play around. And like your prod web app is going to be in different subscription, but Hey, you only have like 20 people right now. So it doesn’t make sense to have more than that. Like yeah. Do that, do whatever makes sense. but you know, say that same company, all of a sudden they blow up and, you know, [00:24:00] everybody’s using their app and they’ve scaled to thousands of employees and, you know, they’re like the next Facebook.

All of a sudden they’ve got, you know, an organizational structure, they’ve got tiers of management, they’ve got tiers of funding, where, you know, like, oh yeah, the company as a whole has a budget. And then like R&D has this budget, and IT has this, and marketing has this. And so you create your organizational structure kind of like that.

And, you know, that way you can segment activities based upon actual business activities, not arbitrarily.

Ashish Rajan: [00:24:35] Yep. And I think to your point, One of the things that people probably talk about in cloud is also the fact that you probably don’t want to design in such a way that it would cost you too much as well.

So I imagine this kind of helps you keep your costs optimized as well. Would that be a fair statement?

Nicholas Hughes: [00:24:52] Yeah. Yeah. So, you know, Azure has some built-in, yeah, capabilities for cost management that are pretty nice. And, you [00:25:00] know, digging into those is probably worthwhile, especially early on. Yeah. So that you can like set limits, especially like established companies that are starting to get into cloud; cloud can very easily be a playground, right?

Like, oh, we gotta do the cool new cloud stuff, right? And you just open up the floodgates and people start like just standing up all sorts of crazy stuff in there. And they’re just not used to that. CapEx versus OpEx, right? Like capital expenditure: we have sunk money into something that’s going to live in a spot and depreciate over time.

And we’re going to use it over the next five years, like, hey, we got this physical server. To operational expenditure: like month to month, we’re incurring a bill based upon what we’re using. And like, people are just like, oh yeah, I can just do things. You know, it’s not my money, it’s the company paying the bill.

Right. Like I heard that I could stand up like this, like kick-butt, you know, new instance type that [00:26:00] uses GPUs and oh, who cares if it’s like $50 an hour, right? I’ll just let it run for the two weeks that I’m on vacation. So definitely have cost controls and definitely have them early. You know, there’s, there’s a lot of like native ones and then there’s a lot of companies that that’s like their thing.

Right. You know, like creating, Some, some limits and boundaries around cost. there’s some third party companies that do really well, too.

Ashish Rajan: [00:26:23] Interesting. And I think to your point, we’ve kind of spoken about the segregation at account level, subscription level, tenant group, and we spoke about the startup and small to medium sized business and the change that comes in as well.

Something else that I wanted to kind of raise from here was the fact that we spoke about the cost, we spoke about segregation, but we haven’t touched on automation yet. So there’s this whole concept of account vending. And you being the automation consultant, I would love to hear your thoughts on the whole vending process. And what I mean, I [00:27:00] guess let’s just start from the basics for people who don’t know: what’s account vending?

Nicholas Hughes: [00:27:04] Sure, sure. Yeah. So, let me, do you have to like reshare the slides?

Ashish Rajan: [00:27:09] Yeah. I can show the slides.

Nicholas Hughes: [00:27:12] So I’ll just real quick, like hit on some things because they become very important when you’re talking about vending, right? Like I sort of hit on it a little bit when we were talking about policies and where we can apply them and then how they apply to new subscriptions when they’re being onboarded.

So Azure Policy is like a super cool security tool, definitely use it. And you can use it as little or as much as you want, because it can get really, really granular. So, you know, here, for the people that can’t see and they’re just like, you know, listening to this podcast, what I have is a bunch of arrows pointing at all of them,

yeah, management groups that we created earlier on that are sort of tiered, and Azure [00:28:00] Policy is being implemented at those different management groups. So Azure Policy is a compliance mechanism, right? Like I want to restrict the locations in which you can create stuff. Like, for some reason, like I do government business or something like that, I can’t create some instance out

in Europe or Asia or something like that in a region that Microsoft supports, for like regulatory compliance reasons. You know, the federal government’s like, no, you know, you, you play in the US, right? So like you can apply that at the tenant root level and then everything underneath gets that policy.

So now, you know, I stand up a new subscription and it automatically takes on those properties. And, you know, you could have different policies based upon, you know, IT versus marketing, right? Like maybe marketing, yeah, is doing crazy stuff and, you know, [00:29:00] they need a little bit more wiggle room and that’s okay.

Okay. And if you’re willing to accept that risk, then, like maybe you assign different policies there than you would for the IT department, which is a little bit more locked down. So like Azure Policy is like a really cool thing. And this is kind of what you end up with for free. So you apply Azure Policy to your subscriptions, to the management groups that hold them,

And all of a sudden you get this like free visibility of compliance based upon the things that you care about. Right. So like,

Ashish Rajan: [00:29:33] Oh yeah. If it’s so good, you need to say it twice as far as like

Nicholas Hughes: [00:29:38] hashtag free, free as in beer. so. Here. I just have like a few policies that I stood up just to like show. and so like disc encryption, I want to make sure that all of the disks that I use in my instances are encrypted, right?

Like that’s something that I care about from a security standpoint, I’m [00:30:00] currently noncompliant. and I can see that on the dashboard, based upon Azure policy, right? So like Azure’s big security thing is Azure security center. which has tiers. So, you know, you get the free tier and then like you want a little bit better functionality you go up to, I think they call it like standard tier and you bump up to the next tier and you get like cool stuff.

But like Azure policy works at any tier. So, you know, find a bunch of stuff that you care about and apply it. And you get stuff like this. Like, I am compliant for my allowed locations. Nobody has been able to stand up infrastructure in, yeah, Australia, because I wouldn’t let them. Like that particular policy

doesn’t audit like the disk encryption one does. I will allow you to stand up an unencrypted disk. Okay. but I’m going to complain about it. the allowed location one, it’s like a hard and fast restriction. You cannot do it. And that’s why we’re compliant because I said like, Literally, it won’t let you.

So it’s equivalent of like standing up a similar IAM [00:31:00] policy inside of AWS, where, where you restrict based on those locations that AWS has. And so like we’ve applied that policy and now we can see on this dashboard, like, Hey, everything’s green, cool or not. And, and go in and remediate that.

Ashish Rajan: [00:31:17] Interesting. So just on that account vending, we can be automated with policies.

Can I automatically create accounts themselves? Or is that something that just has to be done triggered manually, even though I may have a structure where, sorry, I’ll let Johnson I’ve seen jumping in, but

Nicholas Hughes: [00:31:35] yeah. So, so like Azure policy allows you to put the framework in place, to, to make account vending very, very easy.

You know, maybe more so than, than in other cloud service providers, because, you know, I’ve applied this policy at the management group level, and I know exactly where I’m going to stand up the subscription, which I can do programmatically. So maybe I tie into [00:32:00] my ticketing mechanism, right? Like I’m a ServiceNow shop or, you know, JIRA or whatever.

And. We have this process and it goes through approvals and like people in the finance department are like, yeah, thumbs up, create an account. And then it just like automatically creates one in the right spot. it just pops up in the right management group because I’ve written the code to do that. And then all of a sudden on the policies slide, and it’s just ready to go.

Right. And you can do fancier stuff, right. Like eat and it. I’ll I’ll, I’ll say this over and over again. Right? Like there’s, there’s companies that stand up that, do this and do it very well because that’s the thing that they’re, they’re targeting. and whenever you’re thinking through these processes, you have to think like, Hey, do I want to like, spend some money?

Or I want to spend some time. Cause time is money, right? Like it, if, if I have the resources. of like a Facebook or LinkedIn or something like that. Right? Like [00:33:00] they hatched these cars, open source projects and release them into the world because they have these like, Crazy engineering teams that can do all this magical stuff.

And they’re willing to put forth a bunch of money and time and effort into doing it. If you’re not a shop that has that level of engineering expertise or, you know, doesn’t have the, you know, the capacity to, you know, I guess take on those soft costs now. Like I’m not actually like paying money to a vendor.

I’m paying money to my employees that are doing a thing. then you know, either pay a guy like me to come.

It’s like, shoot the shift into like show mode, or, you know, like there’s, there’s software companies out there that do this, right? Like, you know, just go hook up with them and you know, most of the time that’s reasonable and, and you can get this level of [00:34:00] automation pretty easily integrated in your environment.

Ashish Rajan: [00:34:03] Yeah, I think to your point about, and this is something I’ve noticed in between startups and enterprise and product companies as well. So I’ll be keen to kind of hear you talk because kind of the knit, I guess, the coffin and the nail, for lack of a better word or. Whatever those phrases.

Nicholas Hughes: [00:34:19] Yeah. Hitting nails with stuff.

Ashish Rajan: [00:34:21] Yeah. Yeah. That’s why I thought nail, I don’t think you have a hammer. That’s kind of where I’m coming from. I was thinking more in awesome. So, you know, every time I, he, I talked to, any cloud service provider. Whether that’s Azure or Google cloud or AWS, everyone. So it’s worth calling out. No one’s perfect.

Nor they don’t have all the services. They don’t have all the products, some of their partisan aren’t mature as well. So you probably should use them with caution, but. People do need to understand that if they choose that part where I’ve already put all my eggs in say Azure or [00:35:00] AWS, whatever. But if there is something extra that I want to do for my organization, like to your point about creating policies or account vending in general, you kind of have to be aware of the fact that you’re potentially taking on work.

Which, you should be okay to kind of maintain like, I mean, your point about earlier, CapEx versus OPEX. You’re, you’re kind of boarding on some more OPEX costs ongoing at that point. And yeah, you have to consider the fact that you have to keep updating based on a new service that gets released by Azure or AWS or whatever, I think.

Do you see that as well in your part of the world?

Nicholas Hughes: [00:35:37] Yeah, definitely. and it’s one of the things that I really talk about a lot with my clients, right. Because we’re the type of organization that we can, we can do anything. Right. You know, we can do anything you want to do. so it’s very important for us to have the conversation up front, like, you know, How is this going to be [00:36:00] maintainable going forward?

Right? Like if we’re slipping in and when we’re making this happen, we want to make sure that we’re leaving it in a way that it will continue to just like chug along and work and not cause you heartache. And you know, I just, I just want to help people do cool stuff, right. Like I don’t, I don’t want to.

You know, make more work for myself going forward. Like, I would be completely happy if I talked to somebody once and did a thing and then like never came back. Not because I didn’t like them. Of course I like you. but you know, it’s, it’s like, I just, I wanted. I want to help, right? Like I just want to help.

so, you know, it’s definitely important to have that conversation very early on and figure out like, Hey, what’s, what’s the maintenance plan on this? Like, are we training a person, a team or whatever that’s capable of maintaining this. and then. We say, okay, now it’s now it’s your baby, right? Like you just didn’t have enough time to do it, but now that’s done.

[00:37:00] You’re good. Right? Like cool. Just wanna make

Ashish Rajan: [00:37:02] sure. Yeah. Yeah. I definitely feel that it’s not spoken enough about, I think all, and I think one of the reason for me to start this topic in my show, as well as, because that’s of reality, like I think it’s, it’s, everyone’s drinking the cool layer that, Oh my God.

Azure is amazing. Although I do want to call it out. They are. They are ahead of the game in terms of where we were with data centers. So a hundred percent Azure, AWS, Google cloud, all the power to them for doing awesome work and us making everyone rethink data centers, rethink automation, rethink all these other things, which, but we do need to understand is like, th that is a, there’s a caveat attached to it, I guess.

That kind of is like a good segue also into another question that came through from our own. do you think Azure has a greater benefit in terms of integrating its resources with Azure AD than other cloud providers?

Nicholas Hughes: [00:37:55] if the question is, do I think Azure can integrate better with Microsoft [00:38:00] products?

Heck yeah. you, that there’s absolutely zero world in which, you know, You’re going to bring in some outside resource in an easier way than everything just fits together in Microsoft. Mmm. So if that’s the question then yeah. You know it, I had this conversation with another one of your, your folks who was on the show.

Chris Hughes, no relation. great guy. Look him up on LinkedIn. So we were talking

Ashish Rajan: [00:38:34] hundred percent great guy.

Nicholas Hughes: [00:38:36] we were talking about like people starting out in cloud and like starting with one. And getting good at it and, and maybe thinking about multi-cloud, if it makes, so, you know, and you’ve pick your first cloud either because like some developer picked for you because, you know, he just wanted to get stuff done or you actually made like a [00:39:00] conscientious decision.

Now you have to figure out how that’s going to integrate with the rest of your ecosystem and your entire company. Yeah. And do you need to get that down? You know, don’t, don’t say, Hey, we’re going to go live in GCP and Azure and AWS. And we’re also kind of stand stuff up and digital ocean and Linode or whoever, and, you know, you’re like a 50 person shop and all of a sudden you’ve got like a dozen cloud service providers because you weren’t.

Making good choices. So, you know, definitely be thoughtful about how you think things are going to integrate, you know, one of the reasons that I like Azure so much, even though I play in a lot of different cloud security, cloud service providers is, is because of its integration with other Microsoft things and those work well, too, you know, like.

I happen to use Microsoft [00:40:00] Office in my work life. Right. Like, yeah. CEO is my title. So yeah, I do like spreadsheets and other fun stuff like that. so like, Hey, you know, if, if I have Microsoft Office products and Oh, I also have Microsoft Outlook mail. And it’s tied to my Microsoft 365 account and Oh, we do cloud things and it’s on Azure.

It’s like, it makes it very easy for me. Right? Like I have all these things and they’re all in the same ecosystem. And I don’t have to think about how things tie together very much. so maybe for a small shop, that’s just looking for a cloud service provider. Maybe you choose that, or maybe, you know, you go the AWS route and you have a very well thought out plan about how your other services are gonna, you know, integrate together or you choose GCP because, you know, it’s kind of the same ecosystem as their G suite stuff.

you know, definitely just be thoughtful about all of the things that you’re doing in addition to [00:41:00] your roll out of cloud.

Ashish Rajan: [00:41:02] Oh, he’s got a follow up question as well. Most of the, I’m going to bring that up again. Most of the enterprises use AD for user management, have to integrate with their Azure AD and spend extra effort doing it.

Azure has benefited in that it’s more for common Azure has benefit in that sense. What are your thoughts?

Nicholas Hughes: [00:41:21] Yeah. So a lot of enterprises do use Microsoft Active Directory, you know, especially large organizations just because it does LDAP and user management and those types of things very, very well.

at scale it’s just, it’s, it’s kind of unbeatable, right. You know, it’s, it’s, it’s kind of like the killer app when it comes to those things. so for those organizations that already have some sort of directory structure, you can actually federate to Azure AD and then use a lot of the same structure inside of Azure after the fact.

So, you know, [00:42:00] that’s, that’s almost a completely different topic too, that we could talk about for hours

Ashish Rajan: [00:42:04] and hours. I was gonna say that,

Nicholas Hughes: [00:42:07] but like, yeah, I mean, you can federate existing Active Directories. you know, it, it’s just, it’s definitely another layer of complexity. but it’s, it’s kind of a necessary one as you scale, right?

Like when we’re talking about going from like startups, small business, a medium sized business enterprise at the enterprise level, you’re going to have considerations like that. You’re going to like, how do we fit or federate all of our accounts.

Ashish Rajan: [00:42:31] Interesting I’ve would a follow up comment from George Abraham?

I think it’s more of a startup idea, right there, a policy center, similar to Azure policy that works with AWS and GCP would be a great product or a great idea for a startup. So for any startup, this thing, I think we have a potential idea. I think that that’s a fair tool. I think that’s definitely

Nicholas Hughes: [00:42:52] George I’m I’m with you, man.

If you need an early stage investor, you call me first. Let’s do this. That’s not

Ashish Rajan: [00:42:59] what [00:43:00] happened, George.

Nicholas Hughes: [00:43:01] Yeah. Yeah. So going back to like third parties, Yeah. A lot of times when you’re talking, multi-cloud, it’s somewhat easier to talk, in the sense of, of going to a third party for some sort of abstraction of that management.

so when we’re talking about like account vending in, in Azure, it’s. It’s kind of easy when you really think about it, right? Because of the management group structure and like spinning up new subscriptions inside of that. you know, in AWS, it’s like, if you are inside of organizations, it’s kind of easy.

cause you can do similar things. Yeah.

Ashish Rajan: [00:43:41] AWS SCP. Sorry.

Nicholas Hughes: [00:43:44] So when you’re talking about like both of them at the same time, you know, like I have AWS accounts and I have a GCP accounts and I have Azure subscriptions, The people that do that best are not any one of those [00:44:00] cloud service providers, although like Microsoft has, that does some, some management things, but like taking a step back and having somebody that just looks at it, a holistic view and standardizes that interface for you is kind of like really beneficial.

so yeah, definitely check out who’s out there. I don’t wanna like. Plug anybody, you know, I’m kind of like a trusted advisor. Right. But like, if anybody has any questions they want to contact me directly, always happy to talk about random. Yeah. Yeah. So, yeah, I would just say that yes, like abstracting that, if, if somebody could do that really well, I think that that would be a great startup idea.

I think there’s a, there’s some companies that do it. Well, to a degree, with sort of. No, it’s no magic bullet, but like applying policies across new accounts [00:45:00] as they spin up across multi-cloud, I definitely have a short list of companies that

Ashish Rajan: [00:45:04] do that really. Oh, awesome. And I think I’ll let you people reach out to you on that.

Okay. Well, we’re kind of coming close to the end of the show as well. So I do want to switch gears and these are three fun questions and you’re a fun guy. So I’ve got, I’ve got these fun questions secret. The nontechnical just about just helps the audience know a bit more about Nick outside of the, the awesome techniques in Azure.

Yeah. The first question that I have is where do you spend most time on when you’re not working on cloud or technology?

Nicholas Hughes: [00:45:34] and if you ask my wife, she’s probably gonna say that I’m always doing that. So whatever she, whatever she tells me to do, whatever she needs done, I’m going to do it. So ask the question.

Yeah. She, she can hear me.

yeah, I don’t know. I like spending time with my family. you know, we. We like to play board games and stuff. have two boys they’re 10 or [00:46:00] 11 and they like video games. And my wife likes to play video games too. I used to be a gamer, but now we don’t have any time. So like sometimes I’ll just watch them play video games.

but spending time with family is good and, you know, friends and family, you can’t really be in it.

Ashish Rajan: [00:46:14] awesome. second question. What is something that you’re proud of, but is not on your social media?

Nicholas Hughes: [00:46:20] aside from LinkedIn, I’m not really much of a social media guy. I, if I want to get really angry, I will get on Facebook and sort of read through,

I try and stay away from it as much as possible.

But, I don’t know. I mean, talking about things that I’m proud of, you know, I’m proud of proud of the business, proud of where we are. me and my two partners shout out to them. Stephanie Pfeiffer and Jonathan Gordon, look them up on LinkedIn too. They’re they’re equally as cool as me. and, yeah, my boys, so I’m super proud of them, you know, they’re the 10, 11, you know, they’re.

They’re turning out to be a funny little guys. So

Ashish Rajan: [00:46:58] fair enough. I forgot a final [00:47:00] question. What’s your favorite cuisine or restaurant that you can share?

Nicholas Hughes: [00:47:04] Oh man, that’s a tough one. So. my wife is a spectacular cook, so anything she makes I will eat. and it is wonderful. I’m also like you can’t tell from video obviously, but I’m like I’m six, three, 200 and some of them.

And, so like I just like food in general, but, huh. Oh man. Like I, I do like various types of food, you know, I really like Indian food. Thai food, Italian is always good. You know, you name it, man. I’ll eat it wherever you’re at to where. Yeah, no,

Ashish Rajan: [00:47:41] no. You and I get along too. Well, no one that you and I get along so well.

Food is life. This will we’ll say, Oh, you just eat food to survive. Like, no, no, no, no. But like the whole,

Nicholas Hughes: [00:47:54] the thing growing up, my dad always say, you know, you need to eat to live, not live to eat. And I’m [00:48:00] just like, yeah, whatever, man.

Ashish Rajan: [00:48:03] Like the led to my belly. Okay. No, I appreciate that, man. They say thanks so much for taking the time out, man.

I think, The audience definitely found, an introduction into one of the first security foundational things that they could be doing in an Azure setup, whether they are a startup or whether they, they are a small to medium sized business or an enterprise. There’s definitely some good food for thought for them for no pun intended.

and I think it’s definitely a word life. I mean, I definitely would like to bring you in and just talk about other things as well, but I’ll let you get back to your food this time. and where can people find you on I’m thinking you mentioned, Nick, you’re, you’re mainly active on LinkedIn already.

Is that where people can find you to ask follow up questions?

Nicholas Hughes: [00:48:49] Yeah. Yeah. LinkedIn. so I am Nicholas M. Hughes on LinkedIn. Reach out and grab me. And, really I tried Twitter once and it’s just like, man, [00:49:00] it flies by so fast. You could spend all day reading Twitter. It’s crazy. So I just, I had to lay off of it.

Yeah.

Ashish Rajan: [00:49:09] Treated just like billboard. I imagined it to be like one of those nineties billboard and probably shows my age as well, I guess. But it just keeps it like, you know, I mean, maybe you’re in the middle of times square and you’re just like, all these ads keep coming up one after the other and you be interested in all of them and just keep like, Oh, that’s interesting.

That’s not interesting. It’s like, you can spend the whole day.

Nicholas Hughes: [00:49:27] Yeah. It’s like, it’s like a news ticker. You’re you’re right. You know, like times square, you just stand in there and like watching it go by and it’s just like more and more stuff like

Ashish Rajan: [00:49:35] that. Yeah, it does never ends, never ends. And I think it, I think that the more connotation that started over there, some of them going away very different rabbit hole that you probably don’t want to go down, but I don’t know.

That’s a that’s social media, I guess that’s probably why some people just stay away from it. So thank you so much for your time, man. I appreciate it. And I’ll let people reach out to you. I’m going to leave your LinkedIn profile on the show notes as well. The people get on the website, which [00:50:00] is kind of taking over there.

But, thank you so much for this. And I really appreciate it, man. I’m looking forward to having you back again.

Nicholas Hughes: [00:50:07] Yeah, definitely.

Ashish Rajan: [00:50:08] And for everyone else, I’ll see you guys next week. All right, , I’m gonna jump off. Thanks everyone. Bye bye.