Azure Security Best Practices for Cloud Architects

View Show Notes and Transcript

Episode Description

What We Discuss with John Savill:

  • How is security different between Cloud Security vs On-Prem Security?
  • How does one track API/User Activity across Azure implementation?
  • What are some of the security products in Azure that are good practices for anyone starting today?
  • So what log must be collected to ensure all API events are collected?
  • What are the best security practice for Identity and Networking in Azure?
  • What Security Frameworks for Azure like CIS exist for Azure?
  • How would Monitoring and Incident Response work in an Azure Deployment ?
  • What are examples of Azure Security Maturity Levels?
  • Creating Content for the technology space, where does one start?
  • And much more…

THANKS, John Savill!

If you enjoyed this session with John Savill, let him know by clicking on the link below and sending her a quick shout out at Twitter:

Click here to thank John Savill at Twitter!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at

Resources from This Episode:

Ashish Rajan: Welcome to the Show and I’m so glad that you came in, man. So I’m going to start with the obvious thanks for this man.

John Savill: No, I appreciate you having me again.

Ashish Rajan: I do also see that you have a massive bottle of water as well. So I don’t expect anything less from an iron man person as well. So I want to get into this, for people who don’t know John Savelle I hope I pronounce it last name correctly.

Tell me a bit about yourself, man, and for people who don’t know you, because you seem to be a lot of things. You are a YouTuber, you’re an Author, Iron man and also happens to be a principal cloud security architect as well. So who is John Savelle? How’d you reach where you are today?

John Savill: Yeah, so I like doing different things. I like to stay busy. I like to kind of continually challenge myself. So. Yeah. So I’m doing the iron mans right now. I got into that about six years ago, which is kind of like the swim bike run combination, but I’ve always been into some kind of fitness. I did martial arts from the age of seven.

I taught Krav maga for 10 years. I’ve done marathons, bungee jumping, scuba [00:01:00] diving but really fitness and kind of compute as lose my passion for nature seven. I liked playing with computers, maximize ZX spectrum when I was a kid at 16 K of memory. And then really, it just grew from there when I was 18.

I got a job as a VAX BMS systems administrator, which sounded cool, but it was really about changing backup tapes and fetching printouts from the basement for the developers. But then I became a developer. I actually started coding. Then I found windows NT, and I started a website called NT

And when I was like, that was 25 years ago now. And that’s where

Ashish Rajan: Twitter handle is NTFAQ.

John Savill: So the, the story of that is NTFAQ guy. So I started a website, NT when one day my sister had to, she had a prescription and I went and picked up this prescription from the pharmacist and the pharmacist come out and wait, are you the NTFAQ guy?

And I was like, yeah, yeah. And so it just kind of stuck in [00:02:00] my head. So that’s where that comes from, that can yell days of windows NT. And so I did the website, I did books, I did magazine articles. I just always enjoyed kind of sharing information. People helped me when I got started, I’d be on newsgroups asking questions that people would help me.

So I’d to and help back and put the information out there. And then it just kind of evolved. I came to America 15, 16 years ago now, and I was a sort of in the infrastructure practice for a company. And it’s just grown up, always done some kind of architecture bit designing software architectures or infrastructure architectures.

I’ve always enjoyed computers. That would be my passion. And so it’s just all fairly organically over that time. Like it was narrow as Azure and that’s the

Ashish Rajan: cloud. All right. Oh, by the way, I’ve got a few people online, a few people on YouTube as well. Morning Vineet. Vineet just mentioned that John is a Superman.

It sounds like you kind of have had a lot of history from kind of like from the beginning. So for people. [00:03:00] I have normally asked this question to my guests quite often, what is cloud security for you?

And if you maybe even want to put like a Azure angle to it as well, feel free to do that.

John Savill: Yeah. So I think cloud security to me is I think it’s a shift. And I think back to, I guess you go back to those days with VAX VMs or anything on premises, we were kind of an Island. We were castle and we had a moat around us and we had that moat and we had the Drawbridge.

We could drop the Drawbridge, but it was one access point. And so the moat was all security premise, which on premises is the networks. The network was our security perimeter. We could be very safe in our perimeter that we just worried about this one kind of entrance to the network. We would lock that down.

When you start thinking about the cloud? Well, now we have these other things where using, Hey, I’ve got this SAAS service over here, a SAAS service over there. Now I’m using these PAAS services or infracstructure and so the network can’t be that primary security perimeter anymore. It’s too [00:04:00] important.

You might be connecting my network over private connectivity or a VPN over the internet, but there’s been a shift I think is when I think cloud security, the biggest thing for me is as a shift identity becomes now one of those primary security perimeters, because it’s that what controls and governs the access to these cloud services.

And then when I think about, okay, so if identity is now the big deal, I don’t want 50 different identities. That’s not good for me because I’m going to use the same password or forget it it’s bad for my company. Because if I leave the company, they can’t remove my access easily. And it’s bad for the poor other company is maintaining a bunch of accounts that I’m going to forget the password to, and I have to support that.

So then you get into, well, it’s now federations. Well, okay. We don’t like passwords. We want at least MFAs now there’s MFA and what we shouldn’t MFA all the time, because I get muscle memory. If I’m constantly MFA, I’m just going to click. Yes, yes, yes, yes. Even when it wasn’t me. So now I need to say, well, [00:05:00] am I elevate in my privilege to do something important or accessing something sensitive?

Or is there been some risk detected on what I’m doing out in the ordinarily? So I should do something else. So we start to move to these federated identity as be it SAML or Ws fed or off to with consent, or it’s open ID connect, but that’s this huge shift. Now that doesn’t mean we still don’t have those other aspects.

In fact, the cloud introduces new risks. The company is that. before on premises, I can kind of be that burly guy. I wasn’t the admin and if someone wanted something, that’s ask me for it. Hey, I need to, I need a resource. Hey, it needs to be this facing the internet. And I would check it. And I’m the one that would create it.

Everything goes through me. if I think of the cloud, I can’t do that. Like it’s self service. It’s dev ops pipelines that are continually deploying. And so now the shift is rather than me mapping out to stand in the middle of the process. I have to do my work [00:06:00] up front. I have to make sure the right guard rails are in place.

The, I still have those requirements. I still need to be careful about where things are done, but now I have to use technology. So you said from an Azure perspective, things like policy, I use policy to say, well, where can I create public facing things? What can I actually do with that? Where can I create?

And then of course you just have the whole shadow it thing. Like it’s very easy now for someone say, Hey, have credit card. We’ll buy a shadow it. And so me as a company now, it’s not, how do I manage that? And so you get into this. Well, again, I have to start looking at, well, all their things I can kind of do cloud security, CASB, cloud, brokering solutions to see what are people doing? Where are they going? Kind of lock those things down. So there’s this massive shift now in all the different things I have to worry about. It’s not just that Drawbridge anymore. There’s this massive different things. Now the [00:07:00] plus side is there’s this massive different things, but also now they’re these massive solutions to help me.

And I think that’s kind of a key thing that we leverage. So there’s very long answer.

Ashish Rajan: No, but I think I, it makes sense as well, because to your point about an on-premise, we have set defined roles for who would do what and to your point, you always go to a sys admin, Hey, I want more servers. You wait, six months and six months later you get like probably half the size, where do you want it?

Because there wasn’t enough budget for it or something. But now I have the privilege to have a key, which gives me access to the entire data center whenever I wanted in five minutes. And I think it’s funny, the moment he met, you mentioned all this and there’s already a question coming in from Chris.

Ways to notify global admin sign in and events is that. Something that you would know of.

John Savill: Yeah. I mean, so there’s different solutions when I think about signing events. So there’s things I can do with things like Azure ID privilege, [00:08:00] identity manager.

So that is a solution Azure where I can kind of set up different, alerting me for one thing I want to kind of reduce who are those global admins in the first place? I don’t like standing privileges. I want to do the whole just in time thing, outside a few kind of break glass accounts. So what we would then do is, Hey, if someone elevates up, I can do alerting around that.

I can fire things off. I can do notifications, I could require approvals, but I could also do things like, Hey, those Azure ID logs, I can send those to St like again, an Azure road log analytics, which is kind of like a, a place I can send logs so I can send lots of all these different systems. Then I can run analysis on top of it using something called Cousteau query language.

Well, I can have these alerts triggered to say, Hey, when I see these logs, come in, do this. Now that do this, could be fire off a logic app, which is a type of serverless technology that does a series of steps. Hey, maybe I want to go and write this log to [00:09:00] somewhere or, Hey, I want to do this other type of alert.

So there are many ways all of those things are logged in the logs for Azure AD and I can get those logs to go to other things. Be it just, Hey, I just want to store them, or I want to do a notification, maybe something richer. So they’re there, there are numerous ways I can attack that.

Ashish Rajan: Interesting. And so, yeah, I think we will get more into this as well.

So I think hopefully that answered your question, Chris, and we might get into this a bit more. I’ve got Nicholas here as well. He’s a great friend and also a past guest who loved the architect perspective. Let’s do this so you kind of touched on a few topics already from a logging perspective and admin perspective. And for people who may be coming in from say AWS or GCP or whatever, like Azure it’s just like, I have no idea what’s going on there.

So just to set some context, what are some of the security products that you kind of interact with, or you kind of talk about in Azure that are good practices. And so maybe people can use that information or that use the name [00:10:00] to go back and Google and find out more about it. So what are some of those services that they should look for or you recommend

people look for?

John Savill: Yeah. So if I think about if I was like brand new to Azure and like I’ve created a subscription, the first place you’re going to go is for the Azure security center. And so if I think about Azure security center, what it’s going to do off of the bat, I thought that policy before, and I think about policy, Hey, assess the things I’m looking at and then sets of States.

I want it to be, and then. And action. Maybe it’s the nine, maybe it’s audit as right as secure what you, that kind of crisis. Great big initiative, which is a whole bunch of different policies that looks for certain best practices for the resources you deploy. Hey, you’re not just putting public IP addresses out there on the neck of RDP.

Hey, you’re using secure connectivity. Hey, you’ve got encryption configured on your desk. It’s a whole set of these things. And when it does, it actually uses that to give you something called a secure score. So the more of these things you’ve addressed, Hey, the better my score. And it will [00:11:00] kind of show you, Hey, look, if you do this, you’re going to get 30 extra points to your secure score.

If I do this, you’ll get 10 of like, Oh, I want to do this 30 point the thing that’s, that’s going to be more bang for my buck. I’m going to focus on that. So I think about if I was coming in straight away, I’d go to the Azure security center. And I could kind of dive in straight away to that secure score.

And that will actually give me things that the biggest bang for the buck. I, the biggest impact in my overall security to really get me going now, then I start to move on to more advanced things and that’s just free. So I can just use Azure security center. Then there’s things like an Azure defender for the different solutions.

These are deeper secure insights for things like containers or container registry or virtual machines or sequel database or DNS or resource manager that are then tuned to that specific service. Looking for key signals that may be, would show me, Hey, there’s some kind of bad actor going against my service.

I’ve [00:12:00] not got this good configurations that goes to a deeper level. So I think Azure security center. And then there are these various Azure defender solutions that kind of sit on top of that. Beyond there. We start to get into the whole kind of SIM and soar type solution. So security incident and event management, and then the saw would kind of that orchestration, that automated response.

I thought that log analytics. So I think log analytics is just this big store of logs where I can send stuff from really anywhere but on its own. That that’s kind of useless. Like if I just get these deluge having logs doesn’t mean I’ve got good security or good insight. I’ve just got a whole bunch of stuff.

They might be good for forensic purposes after an event. But on its own I as a human being, looking at 10,000 logs, I’m not going to come out with anything super useful from that. So then you get this like Azure Sentinel, for example, that’s the Azure native SIM source solution that takes all that data.

It’s using log analytics, but now applies [00:13:00] machine learning on top of that. It actually goes and looks for, Hey, look, these signals and it learns, this is indicative of this. Hey, look, we need to actually respond. And so it can alert me, Hey, these things are happening. And then I can actually use kind of playbooks to automatically respond to that if I think, Oh, actually, well, this is a, not a good thing I want to build on that.

I actually want to go and do something else on top of that. if I was thinking just bare bones, core things, I’d start with those. Then of course there’s things like web application firewalls, there’s there’s extensions of things like virtual machines that there’s many other aspects to it.

But from the core thing, no brainer, it’s free. I’m going to do that thing. Yeah. And then I can start to use things like defender for the richer insights security and Sentinel, those types of things.

Ashish Rajan: it’s really interesting cause I kind of came more from an AWS and Google cloud perspective and the more I hear [00:14:00] about services in Azure, they seem a lot more focused on like it’s a platform as a service as well.

Whereas it seems like the. AWS side. I think it kind of is probably good, good side angle into what Chris is asking as well over here. He said, Austin, John, one more question. AWS has cloud trail for cloud trail is like an audit trail log. So for all the activities that are performed within I guess my AWS account, which is they couldn’t do subscription in Azure.

So what log must be collected to ensure all API events are collected?

John Savill: so I can think that there’s two levels to that you were saying there’s kind of the control plane and the data plane. So from a control plane for Azure, that’s the Azure resource manager. So that’s, if I’m going in for the rest API or PowerShell will CLI have a portal.

If I’m doing sank at the Azure resource manager level, like creating a resource, delete a resource changing resource. So that stored in something called the activity log. So every subscription has an activity log and that’s just native. I don’t have to pay for [00:15:00] that. Everything I do at that control plane is logged at the arm level into that activity log.

Now it’s only kept, I think it’s maybe 90 days or 93 days. There’s some time limit on that. And I can do things from that. I can actually create kind of certain alerts from that, but I can also send that somewhere else. Like for example, I could send it to log analytics. I can send it to log analytics for maybe longer attention, or I can set it to a storage account or I could send it to maybe send called event hub.

So event hub, the whole point of that is it’s a published subscribe mechanism so I can publish things to it. And I mean, Kels can subscribe to it to get them what super common there is. If I had like a third party SIM. It could subscribe to that event hub. So I could send all those things to an event hub and I can pick them up from something else.

So that that’s that control plane. And then I think of the service itself, things happening inside the service, inside the storage account [00:16:00] inside that database. So that’s where we asked like diagnostic settings, it’s diagnostic settings. I have to configure. They do not exist by default. It’s not capturing those logs, but I can turn on that diagnostic setting.

And I can say, Hey, I want to send it to a log analytics. I want to send it to a storage account. I want to send it to an event hub. I get those same three options, like use any combination of those. So now I get to pick, depending on the service, maybe it’s errors, maybe it’s Hey, There’s going to be a whole set depending on the surveys and metrics.

I can now send them some way to get the more of that data plane insight into it as well. So all I care about is the kind of Azure API layer. That’s the activity log by default. I can’t turn that off. It’s always going to be there as a finite retention period, or I can then send it to somewhere else as well for a configurable retention or saying just


Ashish Rajan: Sweet. Awesome. And I think that’s one more question from him is the defender or Azure security center [00:17:00] standard required for endpoint security, malware vulnerability, scanning of free ASC is enough. So

John Savill: yeah, there are things like windows defender I can add as an extension, that’s just there. I can use that for free and things like Linux have kind of their own engines around that as well.

And then there were solutions in Azure, for example, there’s an update management solution. And that gives me then that orchestration capability to kind of walk, track. What patches are you missing? I, funny enough that uses log analytics, to capture the state and what it’s missing, and then say called Azure automation today to then actually go and drive and say, Hey, go and update.

And it’s using the native features of the iOS. So for windows, obviously it’s using windows update for Linux. Maybe it’s using Yammer or whatever that is, so that there’s minimal charge because it’s going to log analytics, but that’s not an expensive thing. Generally, if I’m just using those solutions.

Ashish Rajan: that definitely makes sense. I think we’ve got to mention this definitely a no-brainer to start with the Azure security center on day [00:18:00] one, if you’re starting today. People should just do it. I’ve got a comment from me I’ve recently did the Microsoft cloud skill challenge. Here’s the link.

Oh yeah. So that’s a good link for people to kind of, there it goes. There’s another learning tool. Thanks for that I might switch gears and I think we’re, I’ve got a few cloud architects listening to this aswell, and I would love to kind of get some of your perspective on just the basic foundational pieces.

Right? I think you kind of touched on this already. We spoke about if you’re doing security in Azure, think from a security core security product perspective, you look at Azure security center, diagnostic and Sentinel, like you’ve kind of mentioned the core security products in terms of. A cloud architect starting to build an Azure.

Like there are obviously some foundational pieces around identity networking, or maybe even building like an incident response architecture. So keen to know from your perspective, let’s start with identity first. How would you go about setting the right foundation for identity?

And obviously I understand there’s a, well, depends on the solution, but keeping it very high level.

John Savill: No, that’s obviously, [00:19:00] so Azure AD, Azure AD is kind of the, the Microsoft identity provider solution and it has AD in the name, but it’s not AD. I was the eighties great for on-prem with coveralls and NTLM and LDAP none of that applies to the cloud.

So Azure AD is all about, Hey, open ID connect and I will too. And Simon with AWS fed it has things like conditional access. So, Hey, I can control. Based on maybe risk factors of what app you’re trying to access, what controls I want. Maybe it has to be a known device. It has to be a hybrid device.

Maybe I want you to do an MFA. So that conditional access is really a super important thing. When I think about identity. Cause again, I don’t. I can do just MFA, but we don’t like that. Just MFA constantly. It’s not good for anyone. So conditional access lets me do things like, Hey, I want MFA if I’m accessing this privilege or maybe I’m detecting your from an unknown location or I’m detecting some elevated risks or integration with identity protection.

[00:20:00] So they’re kind of key things is absolutely get my identity right first, because I think that’s kind of that first perimeter. Ideally, I want to do things like just in time. So I hook into being like producer entity manager. We might have guests, people we collaborate with so I can do that client. It could be to be business to business.

I can bring those in. And then once I get past the identity, before I start thinking about networks or anything else, I have to get the governance in place. Because again, we talked about, Hey, on prem, I have that burly network admin that says, Hey, you want this thing grew. I don’t want to give it to you.

I want your first born. Then I might consider it at some time fa Why I can’t do that in the cloud because we are self service. We have this infrastructure as code with pipelines that deploy. So I have to get the policies in place. I have to understand first as a company, what is my policy? Like I have to be able to write down, this is what we do and what we expect.

Then I can create a policy to enforce that, which would always apply if I’m going through the [00:21:00] portal or PowerShell or templates or CICD pipelines. So I have to get the policy in place. I’m on one things like tagging that’s metadata key value pairs on objects. So I can easily track and find things like cost centers and owners and creation dates.

And again, I can enforce that through policy. Naming standards structure, cause I’m going to have role based access control. So there’s things like management groups and then subscriptions and then resource groups. And I put resources in there. So I want all of that in place before I start creating anything.

And then absolutely. Okay. Grabbed my virtual networks and I’m going to have this type of connectivity from on premises to those virtual networks. Well, I’ve got other applications and what are my standards? And so Microsoft has kind of two key resources that I think helped with this. So they have kind of this whole cloud adoption framework and these well-architected frameworks.

So you can kind of think about these as these best practices and guidance around how I should think [00:22:00] about using app, but also have these kind of landing zones. Which are basically these things I can stamp down that puts down a certain network config and policy and security to really just put me on a good starting point.

So rather than just hang on, I don’t know what I’m doing. I can go to one of these things or at least get me on a good starting point. I can look at these there’s different sizes, that different ways to scale these, but it’s going to put me on a good starting point.

Ashish Rajan: That’s awesome. Cause I think we funny enough on season one last year, we got Nicholas who was, who left a comment before

he came and spoke about retail manager groups multitenant, multi subscription model as well. And I think we had another person come in and talk. I think David O’Brien came in and spoke about identity. So I’ll definitely encourage people to go check those episodes out, to go in a bit more detail.

And to your point about the, the governance side of things, it’s really interesting that do you find that when people talk about well architected framework, like I think I had this contention with CIS, which is the center of entered security have a [00:23:00] standard, they built one for AWS. It was great for when AWS was just one account.

one company will only have ever one account great model works really well, but that CIS benchmark doesn’t really scale. Well, do you find that similar thing with the frameworks that are there for Azure? Are there any frameworks that you feel like people cause people might Google a, what’s a good framework for me to compare to you.

You mentioned one already in terms of user well-architected framework is there a security framework that people can look at as well?

John Savill: Yeah, so there’s actually different types of landings though. So one of the things you can actually do Am I a small company? Am I a medium, Am I a large company? Am I going to have one network or am I going to have multiple kind of spokes?

I need to consider, maybe I’m even multi-tenant there are actually different landing zones. Based on the type of company I am. And to your point Microsoft just did a new security kind of as a security benchmark it’s using now for security center. So they’ve actually evolved that to encompass a lot more things.

The one it used to be. So they’ve actually literally think three weeks ago, [00:24:00] they kind of switched over to a new security benchmark to really bring a lot more things into it.

Ashish Rajan: Yes. From Azure, that’s more like a CIS benchmark. Wow. And that I’m assuming then that scales across a multitenant or multi subscription

model then.

John Savill: Right. So those kinds of, again, that’s built on the policies it’s going to look at, Hey, what do you have? And , it’s using all of that to, yes. I can have multiple subscriptions. I can multiple tenants that it’s still going to apply.

Oh, that’s pretty interesting. So maybe just try that structure and I get asked this question quite a bit for Google cloud and AWS I’m keen to know from an Azure perspective as well.

Like , is there a certain framework you should be going for when you’re trying to build for incident response as well? Like, you know, the incident response angle where in AWS people might say, Hey, we should have a known template infrastructure as code that we bring. Bring up every time there’s an incident.

I can spring up a virtual network and our boys and girls to get access to this super important, like potentially affected virtual [00:25:00] machine, is there like a similar thing that you recommend for Azure?

I think that’s where Sentinel would come in. So sentinel is that kind of incident response capability.

Ashish Rajan: Yeah. So, but would that give access to the resource as

John Savill: well? No. So that will initially just kind of seize all the telemetry coming in, but then I can use those playbooks and those playbooks is our automated responses. So what I could do through that automated response, again, it’s just a logic app, which can really do anything.

So I could do things like, Hey, I’m seeing this incident coming in. I’m seeing this maybe bad actor I could do maybe saying like, why could change the network security groups? And that prohibit that IP address I could go in and change the role based access control to now give something access to that.

I could maybe change a tag on the virtual machine that now puts that VM in a quarantine. So I can do various things through because there’s a logic cap and I can do anything. I pick what makes the most sense for me based on what [00:26:00] is that signal? What is it telling me? Is that type of potentially malicious action that there’s going on against me.

Ashish Rajan: Ah, okay. That makes sense because why not use the automation to your advantage that’s actually pretty good. cause I’ve seen that people use like serverless functions for it. So she’s facing. I’ve got a question from Vineet here. what do you suggest sorta approach to securely architecting?

I think that’s what he’s meant a hybrid solution. I think that’s where he’s going with. So from a hybrid solution perspective, are there different nuances to kind of what you’ve already mentioned? You mentioned identity, you mentioned networking. What’s a specific nuance for a hybrid one.

John Savill: I don’t want to have these two completely separate things.

I don’t want to think about there’s this pane of glass over here when these sets of tools over here, and then it’s like completely different over here. So one of the things you think about if I’m a hybrid is, well, how can I leverage the same pane of glass that could be, I fantastic tools on prem and I want to try and bring those to the cloud.

If it’s like virtual machines, I probably could do that. If I have a phenomenal [00:27:00] SIM today on prem, again, nearly every aspect of Azure, lets you send things to that event hub. I could pick up some the SIM. So I want to try and keep that same pane of glass, but conversely, maybe don’t have a phenomenal tool on prem.

Maybe I don’t have great insight today. So the opposite actually applies as well. So when I talk about things like Azure security center and some of the defender and Sentinel. Many of those things can actually now go to on-prem or even other clouds. You may have heard of synchrony Azure Arc. So Azure Arc lets me do things like take the monitoring, the policy, the method, data, the extensions to servers that could be on prem.

I can do the same things for Kubernetes is it’s. As long as it’s CNCF compliant, I can use a lot of the Azure capability is there and the defender solutions do that rich and more intelligent and the scanning and protection for that. And then of course there’s various data services. So if I’m looking at a hybrid approach, I’m thinking, [00:28:00] okay, how can I use the best tooling I can across them?

I definitely don’t want two things. I want to as much as possible try and get that single pane of glass. If I’ve got a phenomenal social site, fantastic. I’m going to try and extend that to Azure, but Azure has a great set of things that if I’m not particularly happy with that over here, I’ll stretch it the other way.

So I would think about that. I’m trying to say, I want to consistency. if I can bring the Azure things to the other on, or even other clouds, which I can do as well. Hey, I’m going to do that.

Ashish Rajan: I saw some answer and I think it’s worthwhile definitely looking at what you already have from a cost perspective as well.

You don’t want to be spending like it just buy another solution for the sake of buying center, the solution just because it’s been called out. So not, that’s a great answer. Hopefully that answers your question Vineet. And you kind of touched on monitoring and visibility as well. And its kind of ties into another question that came from Chris about configuration drift.

And I was in, so from my ongoing monitoring and visibility [00:29:00] perspective where do you see people to for ongoing monitoring that you mentioned they could be instead of having two panes of glasses, one for on-prem one for Azure, one for AWS, one for Google cloud, try and bring all that to one. And is there a pattern that you see that works really well in the whole monitoring a large scale Azure deployment,

John Savill: right?

So, and again, it took that kind of configuration drifts. This there’s two sides to that. So I think back configuration drifted the Azure resource. Again, that’s not Azure resource manager. So I want to use a declarative technology. I don’t want to do an imperative where I’m writing a script, they create this VM, then configure it this.

So it’s very hard to check with it, still that config and to fix it. So when you use a declarative technology, so Azure natively is saying with this Azure resource manager and as Jaison templates, which while fantastic for a machine kind of ugly for a human it’s very chunky and it’s horrible to write, right?

They just released, I think it was like two weeks ago. It’s like bicep as a bicep [00:30:00] is actually a language designed to be told. It’s designed for a human there’s like a plugin for BS code to easily write this in a declarative fashion. And the huge thing about declarative. It’s I’m stating what I want the end state to be.

I’m not telling it how to do it. I’m saying I want this, I want this storage account. I want it to be globally redundant or what is container? I want this VM make it so like the whole star Trek make it. So, number one, I don’t care how you do it. Just get to our Wallaby. Yes. Because, and so when I’m using those technologies, now I can detect a drift.

I can say, Hey, this is what I told you. I want, is this still the case? And it can say, Hey yes. Or here’s the difference. And if you talk about dev ops, often, what we’ll do at the start of a pipeline is we’ll just deploy that template again. It’s item potent, which means I can run it as much as I want. If it’s in that state, it won’t do any damage.

It won’t change anything. But if it’s drifted, it’s going to bring it back. So that’s the Azure, but then there’s obviously the resources as well. Now, if [00:31:00] it’s saying like a virtual machine. That’s where we get into things like, well, there’s their chef and puppet as PowerShell, desired state configuration.

Again, a declarative technology is saying, Hey, I want it to look this way. Make it. So if it’s only like containers, the less where Kubernetes is comes in again, I had those declarative Yammel falls that say, this is what I want in terms of, I want these pods, I want this number of the pods, make sure that’s the state.

So again, I can kind of detect rift with that. So I think there’s a number of different technologies I can use depending on, Hey, am I, am I worrying about drift that kind of that Azure resource manager level? Or am I trying to think in inside the service? And so I think there’s ways to do it, but it’s not, I don’t think there’s one answer across everything.

There’s different things, but all of those things I talked about in terms of that data play in the guests. Yeah. I can use the same technologies if it’s a resource in Azure, Or if it’s something on premises like the containers, for example, [00:32:00] Kubernetes is it’s, it’s not some Azure special version it’s fully portable as Kubernetes is.

It’s just managed for me, but I could use the same kind of get ops mentality. Hey, I get a point that Kubernetes is cluster at this Git repo. It could be private on prem. It could be, more. I can point that in Azure, I can point it on prem. I can do those things and it would just use those Yammel files in that Git repo just to make it so, and I can detect effective, but I, I can keep it to that.

Ashish Rajan: Awesome. And it’s actually a pretty good explanation. Cause I think I agree. I didn’t know, know that’s why, because I saw your video on the bicep thing and I’m like, I just, I told you, you’re talking about iron man at that point. I didn’t realize you were doing,

John Savill: if it’s not Friday, it means it’s a technology Friday.

I might post other things like motivational or mentoring, a technology video. That’s kind of the rule. It’s only on Fridays. I’ll have a post saying it’s not a technology.

Ashish Rajan: Oh, right. Fair enough. But it sounds like written name for language as well. I wonder if it was the person who named it.

John Savill: Yes, sir. Someone made a comment and they were [00:33:00] like, so you have the Azure resource manager, which is all, Oh, so now on top of arm, you’re building bicep.

So I don’t know that’s the reason, but it makes sense if you think about it.

Ashish Rajan: Yeah. Now, now since he put it. Yeah. Like that definitely makes sense. I mean, I guess shout out to that person who left a comment makes more sense. I

John Savill: hadn’t thought of that and it’s probably really obvious. I’d just dump. It never crossed me.

This person was like, Oh Oh, and you got bicep. I was like, Oh yeah, that makes sense.

Ashish Rajan: It’s really and you’ve kind of touched on dev ops as well. I guess the question that I was going to ask about that from a devops perspective is although Azure has a service called DevOps, but this is talking about the people that were ops were actually yeah.

What’d you find as is this the same in the Azure space where.devops also do a job and in some cases would just handle with a fence to, Hey, security that you go job done, move on. And which is still very waterfall and used to be like a non-cloud [00:34:00] way. Do you still see that

John Savill: I think the companies that have embraced it, no, I think they realize now secure it can’t be at the end.

Secure is ingrained in the process again, I think it starts with, Hey, the governance side, we’ve got those white policies, but then, Hey, we’ve got the right structure in place for the role based access controls. We’ve got the right permissions secure is also using solutions like, Hey, I’m using this container repository.

Hey, I want to be scanning those images to make sure there’s nothing bad in there that then gets pulled into that DevOps pipeline, which then gets deployed. We can now think about, will our coach check team to maybe it’s GitHub, for example. Hey, I’ve got plugins running and get hub looking for what I’ve got some dependency on something that has got a vulnerability.

So I’m going to automatically create a pull request to say, use this instead, which is remediated that, or I’ve got, Hey, I’ve checked in a secret or key. So, no, I don’t think [00:35:00] it’s front over the fence because it’s way too late at that point. So I think the companies that they’ve got it down, the secure is ingrained in, in all of the steps now, to your point of the companies that haven’t, there were companies that maybe you have a team that’s, Hey, I’m doing dev ops.

I’m deploying this stuff out, it’s there. And it’s curious, or what do I do? It’s a problem. But I think the ones that are really embracing it, I think there’s actually, it’s actually a nice thing. I think one of the things that the cloud has forced in a way is a better collaboration, because I think they’ve kind of realized.

It can’t be this isolated world, which it used to be possible because how you got the developers over here, they create something as like, Hey, this needs to go into production. Then the security people would take it that create the environment. They’d lock the things down that work with the operations, get it installed.

You could kind of separate and now you just can’t if you want to be efficient. So I think there’s actually maybe a bit more, there [00:36:00] was this whole mantra that, Hey, you can be secure and out of business, you get these very inflexible security teams that were secure. You can’t get anything done, but at least we’re secure.

Okay. But we’ve gone bankrupt because we can’t do it. And I think that’s moving away now because those senior executives of the companies, I know where we are embracing this. I want this dev ops. I want this with focus now on the business value of anything. And now we can actually think about, we’ve got this constant deployment of new functionality that differentiates us.

We’ve got this constant feedback on it. Is it providing value? You get this fantastic loop as to the executives are saying, I want this, we have to do this to survive. So I think it’s brought a better cohesion together , for the team. Awesome.

Ashish Rajan: And I think if I put another perspective to this as well, then the Azure security space, do you see any patterns there for what?

What’s a maturity pattern? Like what’s there to [00:37:00] your point, you mentioned, we started this conversation saying you should have Azure security center should have log analytics. So I’m assuming that’s maturity level one what’s level two or level three in your mind.

John Savill: Well, I think security level one will probably just be looking at Azure security center.

I think if I’m just brand new, I’m coming in my day, one is go and look at Azure security side. I don’t know. I think that’s day one. And then I think day 2, three, four, then I’m looking at, okay, what are those Azure defender solutions that I would leverage start giving me that, that richer insight kind of scanning of my different types of resources then I’d be looking at, okay, well now I know I need kind of to capture this additional information and do something useful again, if I’ve got an existing SIM.

I want to integrate with that. I’m going to use a policy to drive that diagnostic settings, to send it the pertinent information to the event hub. So my SIM can take it, but don’t have a good SIM, Hey, I’m going to look at Azure Sentinel and I’ll send it to the log [00:38:00] analytics and let it then add that machine learning and all that capability to give me fantastic insight into what are these logs actually mean that I, as a human I’ve no idea, but it can actually bring me that insight so I can do something useful with it and then automate responses.

Those things that I might get insecurity tend to like a lot. It can feed into Sentinel as well to give me kind of this, this one place to go. And again, Sentinel is not just Azure. It’s a massive number of feeds. It can get from all different types of services to give me that kind of holistic solution.

Ashish Rajan: And to your point, you’re able to almost use that as a seam.

Instead of buying one, you can just use sentinel as well. The whole

John Savill: point of Sentinel is it’s not for Azure. It’s a SIM source solution that I can use my organization. And so it’s fully managed. All I have to do is there’s a whole bunch of connectors. I connect it to things to get those signals coming into it.

Then it takes care of, [00:39:00] okay, this is what I’m going to go and look for. And there’s elements where can say, Hey, I’m seeing this when it sees something bad, but I can also do things like hunting. It has a whole bunch of Cousteau queries that will actually go and look. So something’s not happened yet, but I’m saying, well, I want to get indications of maybe something’s happening over here.

Show me is that happening? And so I actually to go and hunt on the data to go and find those

Ashish Rajan: things. I’m gonna ask this question, cause I think I’ve even talking about the good slide or I do the bad side is what’s an anti patter that you see happen that you kind of want people to not go forward with any more.

Is there any Anti patterns that you see with companies that you work with or around yourself when people are deploying into Azure?

John Savill: I think one of the biggest problems you see is companies. Treat Azure, like another data center. They don’t appreciate, there is a shift in responsibility that okay. Well, okay.

How do I get on the host to check the patches on the physical host [00:40:00] and, how do I start doing my networks NEF on the wire? And what sand is it using? So it’s not possible. I can’t do the same things, but also I’m losing all of the benefit. Like what is the point in going to the cloud if I want to do so you get these people that have been data center managers, security managers for 15 years.

And it’s very hard for them to realize there were some shifts in responsibility. Now I still need to know about things if from security, but it’s a shift in who’s responsible. there’s kind of these models about kind of these RACI models, responsible accountable, sort of contacted informed, and there’s all those different things.

So it shifts and I have to be willing to think about, okay, there were these new types of service and these new responsibilities, but also it hampers my ability to get the benefit from the cloud. If I have this very old school thinking of, I need this agent in the iOS, so I get this information, well, then I can’t maybe go and [00:41:00] use things like containers or app services or serverless technologies because you can’t put those things in the iOS.

It’s not my responsibility. I have to be willing to kind of trust that cloud providers doing the job. And they’re doing good things. So that’s, I think the biggest anti-pattern I tend to see is I do it this way on prem. I want to do it that way in the cloud and it, maybe I can make bits of it work that way, but I’m going to lose a whole set benefit to it.

So that, that I think is one of the big

Ashish Rajan: thing at that point. Yeah. At that point you might decide not be there, I guess, to begin with you might as well still stay in data centers,

John Savill: but I’m not getting all the benefit. Yeah,

Ashish Rajan: that’s right. And I, it’s a great answer as well. What I might do is people dig deep into this a bit more outside of this as well.

Cause I’m sure we have a few people who are starting off in Azure as well today. And a couple of people messaged me about Azure certification. Is there like, is it a pathway for people who probably don’t know anything about [00:42:00] Azure? They’re cloud architects, at least in the AWS space or whatever, what’s the pathway to becoming like a cloud architect or a cloud security architect, I guess in Azure.

John Savill: Yes. There’s different levels of certification. You, if you go look at the certification site, you’ll see, there’s kind of one-star ones which are like fundamentals. So they’re like very broad, but not deep at all. There’s like a, an Azure fundamentals is actually kind of a security fundamentals.

There’s like an SC 900. And I actually did an exam cram video on my YouTube channel a few weeks ago. I like two hours, just all the key things that get covered in the exam. So you can start there. And I would, if I’m new to Azure, I would definitely look at what’s the fundamentals one for Azure, if I’m a security person.

Okay. So what’s kind of the security compliance kind of fundamentals one. And then there are certifications around being an Azure architect. So there’s as a track, that’s an expert, that’s like a three-star certification. So I could be an architect, but there were also security ones. So again, there’s ones about [00:43:00] identity, there’s ones around kind of operational.

So there’s a whole set of search depending on what do I really care the most about. So yeah, there’s track. So I would start with the fundamentals and then I can kind of build up from there.

Ashish Rajan: Awesome. All right. And I think I’ve got a couple more questions coming in, but I do want to cover your YouTube channel as well.

Cause you kind of mentioned that a couple of times, and for people who have not heard of your YouTube channel, I’ll definitely recommend checking it. That’s called Savill tech though. That’s not called John Savill

John Savill: it’s it’s NT FAQ guy in vinyl. So it’s yeah, it’s, it’s the NT FAQ Guy

Ashish Rajan: because I get questions from people about they all want to create content and make that personal brand for themselves.

And I know you have a very different perspective for why you creating your own videos, but I wanted to kind of get from you. what got you into making videos and how often are you uploading right now?

John Savill: Yeah, so I started off again with the NT Faq site, which was just text. So I started off there and.

I did that for a really long time. And [00:44:00] then occasionally, maybe 10 years, I don’t even know how long I’ve had a YouTube channel. I’d have to look, but maybe that 10 years I created it. And occasionally I had little whiteboard behind my desk. I’d record a little video. If I felt something that I love whiteboarding, like my customers that I whiteboard everything,

Ashish Rajan: you’re an architect.

So I’m not surprised

John Savill: concepts that words alone, or maybe difficult to convey. So I would create a little video, but very, very rarely. I was really focused on kind of the FAQ’s and there may be two years ago. I started to, I stopped doing the FAQ’s and I started to do actually I enjoy doing the video stuff more.

So I did a couple more videos, but it was 18 months ago. I kind of set up a board at home and that the touch display and I started doing it a lot more frequently. And so now I do about three videos a week about technology. Most, mostly Azure. I do like a weekly what’s changed in Azure. So I post that every Sunday about nine central.

And that’s just not me, 15, 20 minutes about all the new features, any kind [00:45:00] of big things. And then I’ll normally post Tuesday and Thursday about some aspect of Azure. So yeah, and then maybe Friday I do like a mini mentoring video. Why I got into it is if you ever look to me, I believe in kind of five core rules that govern me and I’ve always lived by a certain code.

I kind of discovered these by Arnold Schwarzenegger he had these five Wars for success and it’s kind of have a vision. Don’t think small, ignore the naysayers, work your butt off, but give something back. And I’ve been blessed that I have a great job. I enjoy my job and earn a good living and provide for my family.

And so for me, that gives something back is my YouTube channel. So I have no advertising. I have no patron. I have nothing. I have no money through that channel. It’s just a way that I can help people learn the technology and I enjoy doing it. It’s something that it’s my hobby. It’s my kind of passion creating the videos.

I can’t draw, but maybe it’s my little canvas. I like creating these things. I like [00:46:00] to think these things out. It helps me learn it better. If I’m explaining it to someone else, I have to go and learn it at a deeper level. Yeah, I just enjoy doing it. And I’ll be honest. I love it when someone comments, Hey, this was great.

I finally understand that, Oh, I got this certification because of this or this really helped me out. I’ve got this new role. So I get pleasure out of that. When it does that I saw a comment, you and Ozzie, and I’m going to take great. Great. No, I’m not. I mean, if one asked me you’re Australia, I’m from the poor bit of England.

So I have the staff of the river act and saying,

Ashish Rajan: I’ll say these are the poor English people,

John Savill: not the pool and the pouring this person. I don’t hold a queen. I’ve got the common up. I’m from South London, which is why lots of people say, Hey, you are Australian. It’s like, no, I’m just poor.

Ashish Rajan: That’s right.

you’re a poor Australian who just happens to be. So the next question that I have for you, because I wanted to touch on this as well, because a lot of, I feel like the lot of the next generation of [00:47:00] people coming in, they connect with the videos more, we’ve been answering questions around Azure, this in terms of going into what’s the right foundational pieces.

Where do you start learning? I think as a question, a couple of questions around from Chris and Vineet and, other people as well. What I wanted to know is for people who are from, I guess, upcoming generation, they love. Watching videos, they love creating videos. And for people who are trying to get into this, cause technology is not something people go and search for.

Well, I guess I hope people go and search for YouTube videos and technology. That’s how people like you and I will be found, but it, for people who are new like what do you recommend for them in terms of where should they start? If they’re trying to create YouTube videos or just videos in general for the technology space.

Is there any like advice that you have for them consider you’ve been doing for some time, for some

John Savill: time now, Janell? I think my advice would be, what is unique about you and what are you confident on? What do you enjoy? Like when you think about videos, well, I could do technical how to videos.

I could [00:48:00] do reviews. I could do opinion pieces. I could do just pay your phone, the screen. I could do PowerPoint. I could do whiteboarding. Don’t feel pressure to do what someone else does that may not be your style. Everyone is unique. They have their own way of doing things. and what do think you’re passionate about?

Don’t pick science. You think, Oh, it’s going to be popular and I’ll get a bunch of views, but you don’t like it. It’s going to show through. You want to be passionate, so you enjoy it. So you keep doing it. Don’t make it something forced. So find a medium that you are comfortable with and find St. You care about you’re passionate about it because that will come through in the content and have a goal.

Like my goal is I want to try and help people. And I don’t really have an ulterior motive behind it. That’s my goal. Now, again, I’m lying. If I said I didn’t get pleasure when people write comments, say, Hey, this helped me or whatever. That’s great. I love that. But think about why you’re doing it. If it’s an entirely selfish goal. [00:49:00]

I think, again, it will kind of show through ideally your goal with stomach about what the audience cares about something that’s going to benefit them. And I think if, if my mindset is, Hey, I want to do X for the people watching. It’s maybe educating them. Maybe it’s entertaining them. That should be top of mind.

And then sure that there’ll probably be benefits that come to you. But I think the first thing should be what can I do for my audience? And then over time, Hey, they put a big, the audience does for you. But I think you have to start off with that mindset. What can I do to help the audience or entertain or whatever that might be and what am I comfortable with?

And you can grow initially. Maybe I’m only comfortable with PowerPoint and I’m doing a voiceover. That’s great. At least what you’re comfortable with. And maybe over time, I can add a little webcam to the corner or something else, but you can evolve [00:50:00] it.

Ashish Rajan: It’s worthwhile calling out. Right. I think people like you and I may do video, but that’s not the only medium for people to share and help other people that’s like, cause you were doing blogging for a long

John Savill: time.

I mean, again, it comes back to you’ve mentioned video, which is why I said video, but yeah, of course. Yeah. I think again, find the medium that you are comfortable with. Maybe I’d rather do just text. Maybe I’ll just do like an audio podcast. Type thing. Maybe I want to do video, but again, don’t feel pressured by someone else.

Your style. You may not want to do an audio, but Hey, I’d love to share and help things. I’ll do written word. That’s fantastic. Everyone has different preferences. Some things work better from one medium or another. There’s not a right or wrong. So I would say, be true to yourself. What am I comfortable with?

What, what am I passionate about? And take it from there.

Ashish Rajan: Perfect. And I know kind of hitting the one-arm Mark as well. So I wanted to ask you one question. That’s just because I’ve seen you do [00:51:00] motivational videos as well now in terms of what’s your learning process to stay up to date, say motivated and like, you know I guess in terms of achieving life goals, like, what’s your recommendation for that?

Cause I think I’ve seen, you mentioned the five.

John Savill: I got my five rules, but I am super disciplined. So I, I honestly believe, and it’s funny, I just posted a video Friday about how do you gain discipline? It’s like 20 minutes long. I think you have to be disciplined. I think you have to listen, right? You have to get out.

What do you want most discipline is what do I want most over what I want now? Hey, what I want most is to learn this technology. What I want now is to sit on the couch and watch TV and eat donuts. Oh, I love to do

Ashish Rajan: that.

John Savill: You have to get disciplined. If you get discipline and you can focus on what do I want most in life?

What is that vision? That big vision. That’s the key to success. And I, I’m lucky. I’ve always had good discipline. I get up at 3:00 AM every day I work out, then I learn stuff. I [00:52:00] create videos. Then I work. Then I, some family time. Then I do some more work and I go to bed at eight o’clock every single day, Monday to Saturday.

That’s my routine. Sunday I sleep until 4:00 AM and then I work till about 4:00 PM. So I am a creature of habit and discipline. So I’ll say this has been discipline

Ashish Rajan: discipline. Oh, so that’s a foundational piece to kind of I guess, build on something that, to your point about what do you want versus what do you think you need right now?

Kind of, what

John Savill: do I want most? What do I want most over what I happen to want at this particular minute, which might be to lay in bed a bit longer that’s discipline. And that I think is key to succeed in life.

Ashish Rajan: Very well said, John very well said. I just want to say this was really awesome. Thank you so much for taking the time.

It was really good cause I, was I’m glad we were able to kind of add a few more layers to Azure security, best practices from what we’ve done in the past. To what we are doing it now. And plus we could talk about arm and bicep as well. No pun intended there, but I do appreciate this. And for people who want to reach out to you for follow up questions, [00:53:00] where can they find you on social?

John Savill: So again, I don’t, funnily enough, do a lot of the social stuff. So I have Twitter, I have LinkedIn, but really it’s just to let people know about the video is the best way to talk to me is about one of the, I read the comment section of my YouTube videos. So if I have a question I’m very active looking at the comments that that’s the best way to kind of interact with me.

Ashish Rajan: Awesome. All right. I’ll definitely recommend people do that and I’ll leave you a YouTube channel in there, which I definitely recommend people checking out, especially if you’re trying to keep yourself up to date, not just in Azure, but also different architecture patterns as well. I learned a lot of services from your videos, so I’m sure other people would find value from that as well.

We will see you on the next week clubhouse room, I guess. And I’ll see everyone on the live feed , on next week as well.

But thanks everyone for coming in and I’ll see you next week and you may see John on his YouTube videos next second. See everyone. Thank you.

More Videos