How to implement Zero Trust - Jesper Kråkhede

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

source i use it in my day-to-day work where i get all the azure updates and stuff so it's really useful so join it if you like and with that we want to get started i just want to say a couple of words about jesper he's uh actually the first i.t consultant i interacted with 98 1998 something like that and uh the the company i worked for we needed some help of course so jesper came knocking and i mostly opened the doors and gave him coffee and such and he installed windows server 2000 i think it was we had an nt4 at that time and uh yeah it was really cool but oh yes we're always talked fondly about it industry so eventually i figured i'll try it out he warned me though he said he will have homework forever and he wasn't lying uh so that's fun but on the security part we actually got hit by a famous virus back in the days called nimda and we called called for some help and yes we came and fixed all of the stuff but he got me running around the business building installing all the computers with a disk i think it was 20 of them so i had to reinstall them download all the stuff reboot and so and so on and uh yeah it was a good learning but that was kind of my first interaction with any security breach or security stuff and uh eventually told me that neema is admin backwards so if you didn't know that now you know it so yeah with that i want to hand over to you jesper lovely thank you and actually the first that my first training and making people run and i having coffee and that's what i normally do um i drink coffee that's what i would say my main profession is because security takes a professional coffee drinker let's see if we can get the picture running here so got it to my end now we've gotten i really love hello for business when it works there we go perfect how to implement zero trust so my name is jasper crocada and if you never ever heard the name crochet before you could just imagine how it is to work in an international setting they normally call me crackhead so yeah it it is a bit challenging but it works out so zero trust is something brand new it's only been around for like 18 years or something i started working with zero trust i think it was 2005 2006. know what was it called jericho or jericho 2.0 part of the open group jericho forum and it's kind of interesting to see how it emol i remember when i had my first training sessions about year ago that we call it then and trying to explain what you needed to do people just looked at me can't we just use a firewall and i still hear that i was actually the customer two years ago and told them you actually would need firewalls first those customers actually exist interesting i had the wrong presentation in my computer let's see so i have one presentation in at my laptop and one on the screen and that didn't work out there we go help me resume slideshow i love technology i really love technology so let's stop perfect and full screen now it is perfect so why do we talk about zero trust what has happened so my main profession at microsoft is i'm working what's called crisp crsp and if you call me that's bad news because that means you've been hacked and that means that you need some help and a normally quite devastating attack so if you call me if you if you want not only want help but actually want to have what should we do before that's a good thing then i would love to come i don't love to come out when you have been hacked because it's quite disastrous and everything why are people getting ahead why are the companies getting hacked well we know it is complex when we started out we started running out around with disks fixing things you know you've re-installed the computer i actually start to work with it with punch card computers so that's how old i am it3 is complex as you've seen with this damn powerpoint presentation we have many devices and we also see with with the covert situation that suddenly the network that we used to work in the secure network actually had stretched out into our homes or into our cars or cafes wherever we were working so yeah it's kind of complex we tried the networking thing trying to have the secure network firewalls and everything and it did work quite well for a while and the only chance we have we were discs sometimes and male still a problem with males but we also learned that when you breach the network you're in and that happens quite frequently if you're watching swedish television svt there's a serious miniseries called hakkad hacked i really urge you to see it it's quite interesting what i see what i see in that from my perspective is that all those that are breached they don't deploy zero trust that's the old-style security hackers got in they managed to sniff the network find the active directory server and the home free or they took the home network have you seen the service why on earth would someone have a router outside standing and just exposing their network well we know trusted network doesn't work it still has a function absolutely but it's not enough and that's the key thing it's not enough we need to do something more we also have a lot of other interesting stuff like bring your own device mobile device actually don't know what wfh stands for right now soft services i might be could be work from home that's a good thing yep perfect then i learned something new today good day today and also the hackers are quite advanced they move forward so they realized okay that five was quite hard to breach but if you send someone a mail and ask them to click a link they will click the link and people are doing that i i did a test once where i took a file with the malware and i encrypted it within zip i sent the file to people with the password telling them do not open this file that is an and a word document with the malware in it don't do it 70 downloaded the file decrypt it then click the link adjust so that's why where we are that's why we need training for people not to trust all of this but people do it and what we are seeing is that identity theft because what what are we interested in as a hacker we want to have that person's identity because then we can start doing things in that person's name so very nice with the firewall but if i have the right to get access to that server no matter firewall will pass that so and but we actually have had an evolution of the firewall during the years so the the firewall actually start with the physical firewall the building so if we were inside the data center we couldn't get access to any information then we start with this network thingy so and that's where we still are today secured network so we had a logical firewall i'm still talking about firewalls today but now talk about identity firewalls so the things that protect the information we have that i authenticate through my identity and that type of firework is of course encryption and if i have my data encrypted it's no matter where it lies it will still be protected as long as i can authenticate to it and no one else can authenticate to it so and that's one thing that we also achieve with zero trust to actually enable us to work from wherever where we ever want to work not only from the office not only from home but when i'm on an airplane when i'm waiting in the lounge when i'd cafe i can work wherever i want i do seven sorry i do 30 of my work nowadays for my mobile phone that's kind of interesting we're looking what i normally do but all my mailing i prefer actually to do it on my phone rather than sitting on my laptop reading documents i can gladly do it on my phone not while i'm driving though but still and we also enable all this iot stuff with self-driving cars and all of that by the way self-driving cars and algorithm and everything do you realize that when we are moving more to self-driving cars we will have a challenge with the roads because all cars tries to go in the same lane same way and if you have a if you have a tried self-driving cars you will see that it always is in the worst part of the road because everyone is driving there but that is kind of interesting it has nothing to do with zero trust but the key thing with zero trust is the policy engine or policy engines and to be able to have a policy engine it needs to be accessible it needs to be accessible wherever i am and that means it has to be published on a big network and so far the biggest network we have is called internet so probably there's way we need to publish it another key thing when we talk about zero trust is what we call raising the attacker's cost and now we're moving a bit into secured architecture and reasoning of security so we mainly have two big types of actor when it comes to security or actually the threat actors so we have the more famous one nation states nubellium is one of them who lay behind the kind of more interesting attacks they can read about and we also have all the threat actors that makes money on this and there's a lot of money in i.t security or for in the attackers part uh we actually surpassed narcotics in uh turnover i think it was 199 2019 or something that's a huge amount of money uh we saw in the news just a few days ago that the media marked in germany was hit by big ransomware so that's what my normal that's my normal life not with the media mark though but other customers it pops up like in my mailbox like fem 10 companies 5 10 companies each day and that's just the biggest one that can afford to have microsoft working there but so so we know there's a lot of money we also know that to be able to protect this you need to follow best practice you need to know what is actually working when it comes to security there are a number of what you call known attack playbooks uh mitral attack spelled m-i-t-r-e attack uh it's a very good framework to start looking at playbooks there are a number of others you might heard of the secure previous access from microsoft kill chain and everything those are known playbooks that we know this is how an attack works and this is how we block it and this default behavior many of the iso standards and many other standards are sort of known attack playbooks that we have solutions to protect interesting thing here is that if you don't do all of this if you don't follow best practice you don't manage the standard attacks then there's no way in hell that you actually could protect against everything else because you will have lost hair very nice of this shiny firewall and encryption solution blah blah blah if your users are still clicking on a mail you do not protect against a simple malware from there so first things first start with this one start with basic hygiene updates you know making sure running windows updates on microsoft updates nowadays update all applications second part and this is a bit more for zero trust rapid response and recovery you need to be active you need to monitor you need to find the information know what's happening at microsoft we of course are running our own sock internally 100 of our in cases that happens internally are solved within five minutes that's the baseline five minutes how many of you here have do have a sock that works with that type of efficiency yeah uh secured operation center sorry about that good good catch so secured operations that actually monitor us and see what is happening in the network where on the map where they connect it they're using different type of tools like sentinel see what is happening and if something is happening react fix it normally the normal response i see at the customers that are hacked is a response time somewhere between two days and hundred days hundred days actually happening we had one interesting customer where they have a very good sock they collected a lot of network information network logs ids information and they were totally blind because the hack happened on a user that also was an administrator of course they jumped into the active directory took full control turned off on and the anti-malware logs weren't sent to the sock in the first place so they were totally blind and this happens all the time all the time so when you do break in the known attack playbooks you do the monitoring you make sure that you actually can act then we can talk on the more interesting security stuff that you probably would need to do but make sure you spend the money right so let's dive in a bit more into zero trust and the principles of zero trust so the name is quite interesting zero trust i don't trust anyone and that is correct i don't trust anyone how do you sell that to ceso asking that's a bit so we have this oh we need to trust our users yes and we implement zero trust bad wording but that's how it is we use least previous access so i shouldn't have more access than i actually need so when i'm come out on an assignment the customer asked me what type of account do you need i need the account i can get access to the coffer machine but that's more that's it that nothing more that's where i start and then we'll see if i need more and we assume breach we actually assume that the laptops can be hacked or are hacked so we verify everything so we verify user identity of course logged in we verify the location where i am we do different type of checks okay suddenly jasper is not logging on from home he's logging in from malmo for cafe okay might that be good yeah well he's using mfa so yeah we can probably allow it this and see what it does and then what i do what type of applications i open i say okay still open powerpoint it's still crashing powerpoint okay that's jasper so go with that so that is the part of verify verify everything verify the computer and give access based on the risk we take zero trust is risk based it's not on and off is that either a secure oh i'm not secure it's risk bait we make a risk value evaluation and see okay bad place good computer good identity good mfa okay we can get access to that and suddenly i try to do the same thing for my mobile that's actually my private mobile so oh no you shouldn't get access to that information or it might they will be allowed to read it not edit it so it's risk-based remember risk-based that's important i talked about least previous access the number of those types so one thing is not having a domain admin account if i don't need it or global admin is called nowadays in sure we make sure that we check that okay what time is it should i should my account actually be active i can activate my account for one hour it's not the best protection if if my workers as an administrator i would still have the same i would still have to do my work eight hours a day or something so then just in time wouldn't be it but if i'm using my account to access a database that i'm normally just doing some minor admin tasks on i might be good enough i will talk a bit more about how you can reason surrounding that and as i mentioned assume breach and that means monitoring make sure that you get the logs that you see what's happening and automate automate all the actions that is important as well because there are so many things happening that you can't keep up as a person the time when we actually saw it was reading logs on our computers it doesn't happen anymore we automate stuff get the logs automated there are a few things that this leads to first of all we get increased security and that's good because we are not only relying on firewalls anymore we're protecting the identity but also increased productivity security doesn't become a blocker anymore there is a really good british series called the computer says no if you haven't checked it out do check it out it's quite fun but the security department was previously known as the department of no we want to do this no we want to access this sas service i have a customer right now that has procured quite a large uh service within a specific industry and now the security department says oh this public ip with this public api no it has to be surrounded by vpn but our users need to have access for wherever they are and the the our customers need access to it but then they need vpn doesn't work out doesn't work out and that's that's the department i know and that is something we see within different security departments if they haven't been trained in how serial trust works and this i won't call it modern type of security it's still 18 years old but it's still it's another way of thinking it's another way of moving the security perimeter and if they're not trained in that you get this type of knee-jerk reaction so vpn is the solutions for everything used to be a firewall now it's vpn you will have micro-segmentation as well as the solution to zero trust is one tiny component we also talked about modern secops so everyone wants to talk about devops secops whatever ops you can put after it's quite interesting we used to think that first we develop the application then we test it and give it to administrators and they deploy it and then we have operations that doesn't work anymore because things are going faster that's why we add ops to everything and then we have ot operational technology meaning old style security old style service i actually had my hands on the old windows nt4 running a power grid a few weeks back but that's that's okay so we're looking at real-time technology it could be within an operating theater where surgeons work with monitoring your heart rate and whatever they do as i mentioned power grid so things that actually work in real time that has to be certified that always have to work there were kind of interesting incident uh it went well gladly i think it was 2006 where there was a par supposed to start a surgery a heart surgery open hearts are you on a patient and just before starting just check the equipment and suddenly the machine managing the heart just rebooted that's not allowed to happen she is not allowed to happen and it was rebooted because someone with it saw oh this is effective with the malware and went in removed it and rebooted because someone connected that to the secure network that is a key thing for me when we talk about zero trust this shouldn't be happening but we have ot we still need to manage it we can't manage that with zero trust we need to have the combination have the hybrid of it but this is something you need to be aware of when you're going to read about zero trust you will see a lot of things that says this is zero trust this is zero trust this is zero trust and there's also a lot of things that are implicit for zero trust to get it to work one part is what i call key management and encryption key management is challenging and key management is so many things so you have sort of the obvious certificates network certificates that they need to manage you have key management for api and normally if you want to register a service for wealth you will get this key that you need to insert into application and actually how do you manage to copy that insert it into application and do it in a secure way and possibly log it somewhere because you get access to it that is kind of interesting also part of key management and then so there are a lot of things to do and then it comes to encryption just a few days ago a customer reached out we want to do like this okay you want to create your own encryption system yes because that's more secure than all the known secure encryption systems yep please go ahead we have this compromise recovery service so we're glad to come and help you uh after a few minutes of laughing when he realized that that was a faulty thinking but it still is something you need to manage and if we're working in bigger organizations whether then you have to look at how do we manage encryption over the company how do we make restore how do you make sure that you actually can restore something on a service that is encrypted how do you manage your administrator so they don't get access to data because because that could lead to gdpr uh challenge so there are so many things to manage within encryption we also talk about secure development life cycle i presume at least a few of you are working within development how many of you have read sdl hands up a few good i'm glad uh those who haven't and are working with development please go read if you ever want to apply as for a job at microsoft as a developer if that's mandatory reading and training annually at least sometimes even more that also includes threat modeling risk analysis if you haven't done threat modeling that is something i really strongly urge you to start doing because it's one of the most it was one of the best tools to understand where are my threats within the application dissolution i i actually do threat modeling for a component within the car actually car you know real car manufacturing so it's kind of interesting to see how it actually works out one other thing is continuous security testing so how did we do before yeah we did this pen test so we did we employed some sort of white hat hacker they did the security test we got the report like two three weeks after someone read it there was a list of things we needed to fix six months later we probably deployed that windows update has been there for two years that doesn't work anymore security testing should be continuous almost every line of code as soon as you hit enter it should be tested making sure that it works security station should be included in the whole develop development process and you should have what we call blue team red team actually something called purple team as well continuously working making sure that we get the security tested because we are publishing things on internet that's what we do we create our website we create our applications our apis whatever and they are on internet and when i say internet so we talk about secure network did you know that when you have i think it figures around 120 computers on a on a network at least one of them will have a malware and that means someone else is in control controlling it meaning that this network isn't secure anymore so that's the definition of internet more than 120 computers just you are aware of it last thing and i mentioned quite a few times speed you have to act within minutes preferably with automated actions i have to make sure that you collect the right logs and one customer that during the last five years to implement this amazing ids solution so um intuition detection system on all the network gadgets and devices they had all over the internal network and that's good after three years the devices start to go end of life and need to be replaced but they weren't done with the project they were five years and they still weren't done we're at 75 percent so it started failing from there already second part that they took all those logs they got and dumped it to the sock and that was a huge amount of information and if you ever bought the sock you know it's quite costly you pay per gigabyte so they dumped on this log to the sock and run out of space also whatever they want to pay for so they didn't get all the other interesting part like authentication logs from active directory to give you a simple one they were breached kind of interesting so getting the right logs knowing what to actually what actually means something where you can identify the attacks this one is a kind of messy i will not talk through everything about it but look at the broader things so when we talk about zero trust where do we actually focus so we're looking at the user and the user in this case would be me i talked about the risk signals knowing so we look at my behavior what type of applications do i normally do how do i work when do i log on which i p do i come from and there are a number of tools for checking like microsoft defender for identity it's the on-prem version of identity protection that is in azure but just looking at my behavior so they have what you call behavior analytics we look at the authentication part so hello for business do i use my camera do i use my you know i actually had to use my password at la for long going to microsoft recently due to an application that was faulty and i realized i have gotten it because i haven't used my password last year we're going passwordless at microsoft we actually have a boundary system do you have an application that needs vpn or use using password and do not provide integration windows with hello for business we actually can get a bounty for it so that's kind of cool but we want to increase trust in the user and that also means that we're looking for leak credentials so if you you might have seen that in uh if you're using edge you can see that something you get a list okay here's your your password that's known to be found in breaches and then you have a long long long list of 100 sites where i need to change your password i realized i don't use those sites anymore and i don't care but it's kind of interesting that is something that is happening that is integrated and that is also why we want to come away from passwords because the password can be used anywhere you are i want to be more excited by anyone anywhere without you being there so that's what we're looking at when we look at multi-factors i need to have something more like my face for example i normally have it with me it's kind of good thing we also look at device so can we trust the device do i have a azure join device that has the right security tools like uh defender for endpoints is it what you call in tune managed you're all aware within tunis i don't need to what type of threats and risk signals do i get from this one have i decided so to install some type of game might be okay have i installed a crack for it ah bad thing reports and someone calls me that wasn't a good idea no i don't do that just be clear so all of that makes checks that i'm compliant so okay i fulfill all those access policies and that's good and if i'm not fulfilling those it could be some type of remediation and then i could get different type of access depending on how trustworthy my machine is so i could have lower access if there's a restricted session because i'm not using my standard device could be that okay we we might we could we increase the monitoring for this session because i i might have requested an admin uh to administer a solution that i norm it's part of my work but i normally don't do it so and it's a kind of risky login yeah let's activate more monitoring to see what is happening and then assume breach something is happening so bang turn it off directly and of course we have all the approved apps that we are using we can use legacy apps that has been published through app proxy this is part of what we call the microsoft cyber security reference architecture we will be posting a link about that as is actually up there ak dot msl mcra um even better that's what i talk about speed that's how it works you get the information directly information at your fingertips i think big bill gates said so this is actually quite lengthy presentation um but it's really valuable when you're looking at how to use it this is of course the microsoft products you might have mentioned that i worked there but you can use it to monitor to map other type of applications you have that to see does it actually fit the bill does it work in the context of my security you might have heard of what we call secure previous access secure previous access is about how do you secure your administrators you might have heard of what we call the poor previous access workstation so this is one of the core security components that we urge our customers to deploy especially if they are really already are hacked so we need to secure we need to have something called a trust anchor and the trust anchor is our dedicated devices so if i were an administrator at microsoft i would have my standard workstation and then i would have my poor then we have all the other use cases so if we only have this device and then my paw and i'm doing part administration where do i draw the line of what is standard administration what is not standard administration and what is my standard user behavior and this is what we call the enterprise access model so we are looking at what we call previous access previous access is for for example global admins security admins so the high previous account i can reach everything as you're working with sure you know perfectly well which account i'm talking about intune admin might be there as well then we have what we call the management plan the management plan are administrators but they access management tools they could be like the security reader in some cases they could be resources for administers a number of service or power service or other services for that matter that the core thing is we need to make sure that we get hold of it and make have the full management of them no matter where they are then we have the data workload plane data workload so that's where we look at the information in itself so i might not be an administrator for the server itself but i might administer the database that contains a lot of customer information and that could be sensitive due to legal legislations and then we have the standard used to access so if you heard about the tier model tier 0 tier 1 to 2 this is the new model previous access control plane management plane user access data workload plane what you should start looking at and this is how we reason about it and when we look at zero trust from this perspective we talk about enterprise security specialized security and private security private securities there's our pause there's our workstations and dedicated physical workstation with a trusted keyboard you need to trust the keyboard you need to trust the rest of it where we have our previous account so you have dedicated administration accounts always a mat challenge for the soccer and know that admin yes because and yes but croquet is actually the same person so there need to be correlation there then we have the previous intermediate intermediary where it could be a sort of jump server could a bastion host or whatever and the previous interface so if i'm doing administration it should be through a dedicated administration interface and this is more for ite operations if you look in the back end of azure those that actually manage the real thing they're using these type of tools i actually use something called a saw secure admin workstation that is the dedicated operating system for that specific task that is the level so we actually remove all the files 100 all the files that isn't needed so it's kind of interesting then we have the enterprise security so that is my standard device this one is what they call enterprise security which is my user device am i a local admin this month this one yes i am most of us at microsoft are i would love to say that we don't need to be but yeah we work in that type of industries we actually need it then we have what we call a specialized security and that is the mix and match between those actually mix and match between enterprise security and specialized security that's the way you look at how do you actually secure your device in such a manner that is good enough to fulfill the secure the risk analysis we've done so we see that okay i'm a database administrator i don't need this type of security because the risk analysis doesn't point to that but i probably would need to have application locker i probably would need to have a dedicated admin account for this device i probably just using the standard sql server admin interface and i don't need a jump server and that would be fine for that type of work so this is a part where we're looking at how do we create the application how do we create our azure setup to fulfill the needs of administration so it would be part of devops setup when we talk about administration there are a few things that we need to take into account and that's what we call closed loop administration so i talked about the poor the trusted system or the specialized security device so we need to trust this and when i mean trust this this means that everything is updated under my control so if i'm up updating the bios i download the bios twice different network connections compare the hashes and know that okay this is actually secured and then there's everything with the same operating system patches applications whatever i need to trust everything i have my isolated credential so i have my admin account i have my dedicated admin account i won't go as far as stating you need to have one admin account for each task because then it's not workable but you should at least have your dedicated admin account and not mix it in the same machine as you're using your standard user account to make it simple no mail no internet on your admin machine that is the easy task and how to get to azure portal without internet it kind of challenging so that's when we we deploy a sinkhole proxy or something just make sure that you're allowed to go there at least and then we have conditional access in the other end and just say okay this machine those settings that name that user okay you're allowed in and then you have the break glass account because something will go wrong and you couldn't get in otherwise so please have a break loss account i might have implemented specified time so i'm only allowed to do administration between eight and eight that's good or i could activate it so someone tells me you're allowed to do administration now for one hour if you work in a service desk you know that you might have this type of question so up you're allowed to administer this machine for one hour and then it's closed again delegation delegation is good you don't need to be a global admin to for example set up a new server you don't need to be a global admin to do whatever you else would need to do there are different type of roles and you should actually work with that if you're the sole administrator of your company yeah of course you'll probably do everything with your global admin and not so but then you need to have your poor for doing everything if there are many of you if there are many administrators then you should look at how do you actually delegate things making sure you have as few privileges as possible and then we're talking about the defined network and i talked about zero trust the internet is our network and now it's talking about defined network there are cases where we actually need to make sure that the network is secured and that is what we're talking about when we talk about zero trust it's a way of thinking it's the security model mainly based on users user management user experience then we have all the server admins we have the server network we might have everything in azure but still there is a security part where we have our servers that need to communicate with each other that's where we talk about secure previous access and possibly a defined network drilling down into assure the real azure the real service somewhere way below you will find something called a hardened forest and you might heard of it we don't recommend that anymore well we do in specific use cases and running ashore is one of them so that's actually somewhere and that is very very secured so during the pandemic our administrators were still on site and they will be on site and staff and stop when that's opened up as well so i have two more slides where are my time-wise three minutes left yeah yeah i just it's awesome so what we did we did we do at microsoft to implement this so first of all we verified the identity and that was a huge task i would love to say we only have one ad yeah right we had a few we still have a few but if you're looking at having multiple active directories or other ldaps and trying to get all that to work and then try to sync it to azure id might be challenging you need to select a central repositor that is your identity you need to move away from all those identity repositories that is the biggest type of without a working identity zero trust will never work you need to start verifying the device if you're upgrading to windows 11 you probably will start looking at doing intune management and this one is quite simple to get to work you start verifying the access and by verifying the access is as simple upgrading network protocols and we had one copper mice recovery recently where we fixed everything hacker was out secured the environment and then custom customer like two hours later started applauding i said why are you uploading now oh you implemented ntlm via version one on all your domain controllers again the one that actually got you into the trouble in first place how what were you thinking of then we started the training so verifying access means that make sure that you can verify that the one logging is actually the one logging and not using vulnerability somewhere this was by the way uh due to that had an old as400 that wasn't updated and the same as 400 we have at michael's company and then you start verifying the service you verify everything you have zero trust we start verifying last slide i promise there is a model called ramp so zero trust rapid modernization plan if you are looking at how do we want to implement zero trust this is what you do you start validate trust you start first of all go mfa on all user accounts start with that if you're not using mfa today please do it's actually free you can't enforce it but you can actually activate it so please go do and you start verify the devices if you are going to upgrade to windows 10 11 preferably 11 start looking at how can we do it with with intunes if you're not there already so if you're still depending on on-prem solutions not a good thing it will be challenging moving forward then you start increasing increasing security so secure development make sure that this everything is secure you write secure code you don't do those kind of stupid mistakes that we normally do you wouldn't want me to see see the code i wrote like 2003 or something when i stopped coding it was all spaghetti and protect the data make sure data is encrypted if you're using uh sql as a pass service encryption is actually included in the license so just start encrypting and there are a number of interesting solutions because i'm not allowed to say anything what is legal and not legal because i'm not a lawyer i let the lawyers do that and we don't do i don't let the lawyers do the technical part that's my thing we have a guy here in the publicum that will be able to answer legal questions i won't but but that said there are a number of ways to know that if you are in control of your own encryption key and that and then you store your data in a show then obviously microsoft can't access that type of data so that might be a solution to get around it but as it might be i don't know i'm not a lawyer and then you start modernizing your secured operations you make sure that you actually see what is happening and you see it now you don't need to integrate and blog and move and suddenly it's all down in an on-prem solution with a bad network connection that sometimes work and you don't know what's happening or you're doing integration and it doesn't work and you blame microsoft that has happened uh so yeah start making sure you get there so zero trust isn't challenging but it's the worst thing you will ever do i have to say it because if you are stuck with old solutions and it's challenging to migrate due to old applications and business uses then costs and everything you're into a world of pain because if you're not moving into zero trust and whatever will come afterwards you're still staying on the old on-prem security you will be breached and i know it five to ten companies each day that is in my mind my mailbox that's all for me [Applause] time for pizza break and we could have the discussions in the during the pizza or and i'm sorry folks on on youtube you can still send some questions to jasper and he will be happy to answer them so yeah no legal questions though if your central just pass them to robot okay thank you thank you you

Info

Channel: FooCafe

Views: 193

Rating: undefined out of 5

Keywords: Learning, Sharing, Software Development, Agile

Id: qAwLL6Pqrgw

Channel Id: undefined

Length: 47min 58sec (2878 seconds)

Published: Thu Nov 11 2021