Simply Resilient Conversations
What does it take to build true cyber resilience?
In Simply Resilient Conversations Geoff Burke, Veeam Vanguard and Senior Technical Advisor at Object First, explores this question through engaging discussions with our ACES community members. Join us as we break down complex cybersecurity and data protection topics into accessible conversations that help IT professionals keep their production workloads running and their data safe!
Entering Entra ID With Veeam Expert Michael Paul
Hello, everybody, and welcome to my nude new podcast. Not nude podcast. It's a podcast, so you wouldn't see anything anyway, but just in case that came across wrong. So we decided to create a podcast here because, uh, research says, survey says, that people still like to listen. So, in other words, they're driving and they can't watch while they're driving, because in most countries that's illegal. Um, also, uh, people like to, um, you know, sit there and just sometimes close their eyes and listen. People get tired of video. So, amazingly enough, podcasts are still fun. Blogs seem to be going down a bit, apparently, um, which is very difficult for me because I have a lot of trouble getting myself motivated to write a blog. And so when I think no one's gonna read it, it's even less motivating. Okay, so let's get to the, um, the podcast itself. So it's a brand new podcast. Um, I'm calling it Simply Resilient Conversations. Now you might say, no, why are you calling it that? What, people fall asleep when they're talking to you because you talk so much? Possibly. In fact, Simply Resilient is the new motto of the company, so I figured that'd be a good idea. And we're talking about data protection and simple resilience, to make things simply resilient. Okay. Now, so this is the first show. So expect a lot of mistakes, gaps, things you can laugh about. And if they don't happen, it just shows how much my guest and I are great professionals. So I'm kind of setting us up for, uh, a big task here. All righty, so I will start off. First of all, today's show, the first show, show zero one, okay, is called Entering Entra ID. So that's just right off the bat. Wow, it sounds interesting, it sounds scary, and that's what it is. But we got someone who's gonna allay our fears because the person's an expert. First of all, start off with some Object First quick news. Quick news: you might have noticed we did a revamp of our brand. I'm not gonna go into details about it.
Go to objectfirst.com and take a look. Brand new, very flashy colors. Um, I'm not gonna steal the show. Go and see it for yourself. I can't show you in a podcast, so there's no point in me trying to describe it with words. Okay, so Entering Entra ID. Um, the guest I brought in here, and the reason I'm doing this, is because I was thinking about, well, Geoff, I've been into data protection for a long time, but there are certain things, you know, there's always new things popping up. There's certain things that just kind of pop up all of a sudden, and it's like mainstream, and I have no clue what they are. And I don't know why I missed the boat, and I'm going, wait a minute. And so I thought this might, and I talked to some other people too who said the same thing. And what's this Entra ID? Is it like a pass to Disneyland or something? Um, no, it isn't. So I thought, well, who to talk to about Entra ID? Well, it just happens to be that I have one of the top experts in Entra ID. And as we were walking to dinner in Prague enjoying the sights, I said, hey, what's Entra ID? Which I'm certain, you know, this is the person's day job. So I'm certain they were thrilled, together in Prague, you know, all these things, Christmas markets, and they're being asked about Entra ID. Nevertheless, I got an answer, and it was a great answer. So, with no further ado, this is Michael Paul from Veeam, uh, who I met because he was an original Legend. So the Veeam Legends, part of the Veeam community, had an original group, the first group, and he was a member of that first group, which is a great group. Many of those people in that first group have gone on to work for Veeam, gone on to work at great places. Hey, I've done well too. Object First, I'm pleased. But some of these people like Michael, their careers have just rocketed up. So it's a special, uh, memory for all of us, and it also is convenient for me because I can actually bug these people.
Um, so with no further ado, uh, this is Michael Paul. Welcome, Michael Paul. First of all, can you introduce yourself? Tell us about your experience in ID, in ID, Entra ID. I'm totally brainwashed now. In IT, and, um, your journey that eventually landed you at Veeam.
SPEAKER_00: Absolutely. So thank you for having me, Geoff. It's always great to catch up. We don't get enough time to do so. You're absolutely right. You know, the, uh, the original Veeam Legends class. We're, uh, both alumni of that, and it's great to have all these connections that have lasted for these many years. So, yes, I'm Michael Paul. My job title, as it is today, I'm a Veeam Data Cloud Solution Engineer working at Veeam. I specialise in Entra ID and Microsoft 365. Those are the two elements that I live and breathe day in, day out. Um, which is, you know, you joke that oh, here he is, Michael's got to talk about his day job, but no, it's great. Uh, I enjoy talking about this. I've always enjoyed sharing what little knowledge I have, and then people like you talk me up as if I know more than I do, but I'm happy to share what I can. In terms of my, you know, career history in IT, I've been blessed with many roles, you know, just falling on my feet at the right places at the right time has always helped. But I've had many different hats, which has given me great perspective, I would say, of the different optics that sometimes people miss. I started out as in-house IT, uh, I became an IT manager, I ran an entire IT team, and that allowed me to first of all be a jack of all trades. So I got to see many different aspects, I got to see identity, I got to see security, I got to see storage, backup, you know, a story for another time potentially. But yeah, when I first returned to an organization as a senior IT, they didn't even know they had a ransomware attack taking place. And then yeah, Veeam was there saving the day, and that was one of the first times I was cutting my teeth with it. So long, long experience with Veeam, long, long experience with ransomware. You know, I was in that role for quite a few years, and then I relocated to a different part of the UK. I now live in the southwest where it's beautiful sunshine, sometimes mostly rain, it's still the UK.
Um, and you know, being by the sea, being with the family, that's what life's all about. But I moved down there, I worked for a regional managed service provider, so I then got to see things from a different side of the coin. I then went from there to becoming a consultant and a principal consultant, helping some of the largest organizations around the globe. You know, their, um, their preferred client base was top half of FTSE 250. I mean, it's everyone's preferred client base, of course, really dealing with those kinds of scales and the bank balances that typically come with it. But yeah, they walked the walk, they talked the talk, and yeah, I got to work with some fantastic organizations, and then yeah, roads ended up leading to Veeam. I spent so much time working with Veeam technologies, implementing them, designing them, architecting them, that I eventually joined the mothership, so to speak. So I did that just shy of 18 months ago now, and I joined as a Veeam Data Cloud Solution Engineer, and that has been my role since. So there we are, happy to talk about this.
SPEAKER_01: And the ransomware baptism of fire, uh, of fire in ransomware. I mean, some people might have just closed the door and gone to, you know, the Starbucks and started working as a barista after that, because, uh, baptism of fire. So before you joined Veeam, um, you worked for a cloud provider, you worked in other roles, but obviously you'd become quite an expert in M365. Uh, how did that happen? Was that a choice or was it, like, forced? Uh, in the sense that, you know, the companies that you were dealing with simply had that as a big thing on their list, agenda list.
SPEAKER_00: So when I was an IT manager, they were very cloud averse, interestingly, because it was, well, as a lot of these mindsets were at the time, we've already bought this software, why should we go and pay monthly for it? Which, it's interesting how that mindset has shifted. You know, if you look at the likes of Adobe, for example, they were one of the pioneers of this with the Creative Cloud element, and then of course Office 365, as it was at the time. Again, that adoption of a different mindset, and then we've seen it in many different related elements, the rise of the hyperscaler as well, renting compute rather than going out and having that traditional CapEx model. So when I was internal IT, the organization was very much we want to host it all ourselves and we want to run with it. Looking at the company from across the fence, I've seen that they have since changed their path, but you know, not everyone works at the same speed because they've all got different goals, different objectives, and different regulatory needs to hit. My embrace of the cloud really came much more when I worked for an MSP. And interestingly, it didn't come from the traditional avenue of right, we want you to just go admin any of these mailboxes or SharePoint sites. It actually came from telephony. I had already worked with quite a few different phone systems in my time. I'd worked with Nortel, I'd worked with Avaya, I'd worked with ShoreTel, I'd worked with 3CX. And then when I joined this MSP, one of the things that was quite interesting was, okay, so you actually understand how SIP works, what we could really do with some of those skills. So they did a lot with Lync Server, Skype for Business, Teams, which is of course, uh, quite a big one these days, it's safe to say. And that was how I then really started to step more into the cloud. I already knew how Exchange worked, so thankfully working with Exchange Online wasn't too much of a leap.
The same with SharePoint, but Teams was that real change to see the collaboration over time and, you know, especially when, I mean someone's got to talk about it at some point, when there was the rise of COVID, so to speak, and everyone had to pivot to remote working. Teams coped. I can count on one hand the number of times that Teams failed during that period, which is a huge testament to the success there. And I say failed, the scenarios that come to mind were back when I was dealing with, you know, daily stand-up calls and a lot of systems would have buckled. Only twice did we pivot over to Skype for Business because Teams was having some bandwidth issues. And that was for singular calls. Other than that, we were all in on Teams. So many organizations did that. So yeah, I spent a lot of time working with that. I was spending a lot of time working with M365 in general because, from that productivity angle, Teams is so heavily integrated with SharePoint, OneDrive is so heavily integrated with SharePoint, Exchange. You know, certain elements such as unified messaging were integrated regardless. And yeah, it just kept building and building. And as a technologist, I'm someone that's always interested in, well, how does this work? You know, the idea of the cloud being this invisible presence, that doesn't resonate with the technical how-does-it-work for me. So understanding at that technical deep layer, okay, this is what we can do with it, this is what we can't do with it, these are the differences in mindsets we need to work with. It was a huge undertaking, and you know, I went from, when I joined the MSP, although I'd cut my teeth in all these various different roles, I said, you know, jack of all trades, I didn't actually have any kind of certifications, because working for internal IT, there wasn't the same value to that piece of paper. So they kind of did a trial by fire when I joined. Okay, how many certs can we get this guy to do?
Because he's got a fairly strong foundation across all these things. How do we smooth out the edges and qualify it? So yeah, I think within three, four months of joining, I had my first Skype for Business certification, and then from there it went to okay, let's round out the edges with M365 in general and Azure, and it kind of built from there. And the nice thing about M365 and Azure is they've got Entra ID in common, and all these pieces just kept falling into place, so it has really helped carry me far to where we are today.
SPEAKER_01: So that's a really good lead-in to Entra ID because you just mentioned it, and that's where I want to go next. So I, and I think a lot of other IT people, have dealt with Active Directory. I mean, you must have, uh, you know, just restoring users and whatnot. So pretty good idea about that. I also did some M365, more, uh, creating the actual setup at a service provider. Um, and this is even before object repositories. So, uh, there was no encryption, um, and it was a Microsoft JET database. So that's kind of my level of understanding. When I first, I don't remember when I first heard Entra ID, but Microsoft just, they come out with something, well, this is this, and everyone knows. Like, whoa, I don't know. And I think they do that on purpose, so it creates the fear of missing out, and you quickly, you know, grab the documentation. So this is my perhaps very warped understanding of Entra ID. Now I did check the documentation a bit, but this is like, you know, 20 minutes ago. So basically, and also we had a conversation in Prague, okay? Um, basically Entra ID, Entra ID, it's identity management. It is an extension of Active Directory because it's also encompassing cloud features. Um, also, I also remember, you know, with these Microsoft applications, you've got the service principal and all these things. That's kind of my rough understanding of it. So could you start out by just, very, uh, in a very basic form, say what is Entra ID? How perhaps does it compare to Active Directory, or interact with Active Directory? And anything else that you want to say at an introductory level for people like me who are clueless.
SPEAKER_00: Absolutely. So the first thing I would actually like to say about Entra ID is how fundamental it is to security these days. And I say that because Object First, you know, you've got this out-of-the-box immutability stance, Simply Resilient is your new tagline. It's all about web security. Whether we look at it from immutability because we're expecting a threat. If we cast our mind to old world, you know, on-prem, I'm gonna have some people hate me for calling it old world, but it's the way that we've known for a long time, right? If you think about how security looks with a private data center, on-prem, uh, you know, branch office, whatever you want to look at, it typically starts with the firewall. Because that is your demarcation point between the public internet and the quote unquote trusted network. Now, we should be zero trust anyway, right? But it's what we would trust more than the internet. And it's always been the firewall. But if you have a compromise of identity, if you have a compromise as a result of that of your public SaaS workloads, whether that's M365, whether that's Salesforce, whatever SSO you're doing today, or again your hyperscalers, you know, if you're using SSO to access Azure, Microsoft aren't going to switch off Entra ID because your tenant has been compromised. They're not going to switch off your M365 tenant because it's been compromised. The ownership is effectively temporarily, I hope, changed. And when you compare that to what happens in a cyber attack with on-prem, what's the first thing anyone does? They go for the internet cable, they go to pull it, they go to isolate. And you can't do that. So whereas we think about the firewall and we think about the WAN as that first line of defense and the first way to kick out, when we think about identity in the public cloud, identity is the new firewall. That's the one tidbit I'd love for people to walk away thinking.
I must start with identity because I cannot shut down these public SaaS services. I cannot, you know, shut down Azure, AWS, GCP, name a hyperscaler. They're gonna be there, they're gonna be running, but you need to have your security mindset starting with identity. So how does this then relate to Active Directory? The way that it relates is that really it's an enhanced version of Active Directory. Because again, Active Directory, we think about that and, you know, elements like group policy, locally managed DNS, it all starts from that element of trust, because there is trust within your environment, because your computers have to trust your domain controllers to communicate. It's a relationship, effectively. But when we think about a lot of that, we think about it from a basic authentication standpoint. I am user, I sign into my machine with username and password, and I'm in, I access my resources. Okay. Whether that's NTLM, whether that's Kerberos, it's still at the highest level that kind of basic authentication. And that doesn't translate well enough into what we need in the modern world, which is why Microsoft have this idea of modern authentication, and we can kind of come back to that as we go a bit more in depth, but it is moving beyond username and password, it is moving to, you know, proving who I am via what I have, what I know, what I am. Okay. That is a lot of Entra ID. Now there's other parts as well, which again we can get into more, but at a high level, it's moving beyond username and password, just something I know, to the multifaceted, if we think about MFA, multi-factor authentication, it is moving identity towards that by default. So in a nutshell, yeah, that's what I would like to say as a baseline. Identity, it is the new firewall, you need to start there, and there are many, many mechanisms you can use to really make that work for you.
SPEAKER_01: That's really interesting. And one thing, um, I was an Auth0 ambassador for a while, so I actually got some free courses. You know, you always join a community, get free courses. And I got some free identity management courses, and, um, some of the things that stuck out: authentication, authorization, two separate things. Um, authentication is to let you in the door, authorization is which doors inside the house you can get to. Those were simple concepts that really stuck with me, and I think that's what you're talking about. Um, the other thing too was that, uh, in the old days, especially the perimeter, it was, as you said, just the firewall, inside we were safe and cozy. But, um, this was one of these, um, community shows or one of these, um, meetups I went to. Uh, someone came from a bank to discuss identity. He said, well, the problem is, think of this. The minute all these gadgets were introduced, all these gadgets, following these things became very difficult. And he said, identity with human beings is pretty much under control to some extent. I mean, you know, much better. But then there's machine identities, which are just, like, he's got a lot of customers that he deals with or that they, uh, consult with, um, who have no clue of all these identities. They know the people, but they don't know the little, you know, the little gadget or the Google thing that turns off the lights or whatever. So there's that. And then there's the new thing, which I've talked about a lot, is then there's AI identity. So if you have a little gadget which is turning off your light, okay, maybe it can control your light, maybe it can control your beer fridge and not open the door, and that's a big catastrophe. Okay, I get it. But if you've got an LLM, agentic AI, which learns and can start doing more. So first it controls your beer fridge, but then it controls your fridge, then it controls your front door.
This to me, and I don't know, like, how Microsoft is addressing this, is an identity management nightmare. Because if you don't have control over those identities and what they can do, and if they are not just static identities, not some machine that's sitting there guzzling electricity, but something that's actually thinking, and thinking, well, my goal is this, and to do it, I need to hack the whole system. Okay, I'll hack the system. What have you seen in that department?
SPEAKER_00: Well, what we've seen already with Entra is, Entra's approach is to look at the likes of app registrations, service principals, to give non-user identities a real object and a permission structure to work with. You know. If we go on a pivot for a minute and think about how we protect Microsoft 365 data, okay, we don't want to impersonate users. That is old world thinking, and again, we think about basic auth in that same breath. We think about okay, here is a username, we think about a password with hopefully a real high level of entropy there, that it's not just going to be dictionary cracked in a few seconds, but it's just a static set of credentials. And what good really is that, when, a fun fact for you, Entra ID, there's over 600 million attempted attacks on it per day. Okay. It's a publicly accessible resource. You know, if you were to do a packet capture on your own residential internet to just see who is port scanning at any point, okay, there's constant threats out there. And that is just looking at an IP to say, okay, what is there? Now think about going, okay, this is Entra ID. We know what this is, it is a publicly accessible resource. Let's go try and hit it, let's go see what we can do. That's when you start looking into the realms of the likes of dark web, you know, credential leaks and people reusing passwords and social engineering. You can go down that entire rabbit hole with users, which is why a username and password is never going to be enough. Bringing it back to AI, bringing it back to non-user identity. We shouldn't be impersonating users. We should be using the likes of service principals, app registrations. Because then we get to a very specific element of control. Because then we can start to look at things such as secrets or certificates, which again enhances that security further. Then we can look at the permissions that they have.
Again, we think about users and, as you said, authentication, authorization, what doors am I allowed through as a user? What data should an application be permitted to see? What resources should it be able to touch, to interact with? Whether that's read, whether that's to modify. So something that Veeam already publicly announced at VeeamON earlier this year is our intent to adopt MCP, Model Context Protocol, for those that don't know it. And if you want to think about Model Context Protocol in its simplest state, think of it like USB, think of it like HTTPS, think of it as a defined protocol for connectivity. But in this case, it is for AI systems to interact. Okay, and that might start to scare some people, but again, it is the way that these systems are going. So when Veeam have talked about this, they've talked about some high-level potential use case scenarios, such as, you know, wouldn't it be amazing if all the threat information that we can provide as to okay, here's what looks like ransomware attacks, here's what looks like malware, here's what looks like anomalies. It's great that we could surface that in the likes of Veeam Data Cloud, but we're not the only system there. And you might have a preference to say, okay, here is a tool that is already gathering signals from many different endpoints. Let's start to pull that information out. So again, what should that be allowed to see? Should it be allowed to see signals? Should it also be allowed to see data? And again, the VeeamON global launch took place last week, and we were talking about the concept of what if you're using AI to query Veeam Data Cloud, not just to query backup data. I mean, Veeam has always had a strong message around data reuse, putting your backups to work. And if we think about that in the old world, we can think of things like okay, I spin up my backup in isolation, I can make sure it's recoverable, maybe I do some querying against a database. Data reuse from, say, M365 would look very different.
And the scenario that they gave as an example was what if I'm using AI to interact with Veeam Data Cloud to query against the data set, say I'm looking for information on this, and Veeam Data Cloud can pass that back, but not to a user but to AI. And then that AI system processing that data to maybe generate an overview or a brief from that search set. Wouldn't that make things such as e-discovery cases much easier? If rather than okay, here's the rough data set, what is my underlying concern? What is my purpose for this search? Go process that data and get me to that end state. You see all these elements of efficiency gains in different markets. I remember the first time I used the likes of Tableau and I moved from, okay, let's generate reports, to let's have dashboards, let's have insights, let's get real-time answers to questions. I remember presenting this to the HR department because they wanted to know about, you know, absence and whether that was, you know, authorized or sickness and how many occurrences, and they were saying we just need a spreadsheet of it. Okay, why do you need a spreadsheet? Why do you need a table? Because then what we want to do is we want to do this and we want to do that. Okay, well, let's take that step out of the equation, let's go further, let's get you to that end state immediately, because the faster you're at that end state, the faster you can ask the next question. So bringing this all back to identity, it's great to talk about this pathway, but we need to still think about what that AI, what that application can access, the minimal amount of permissions to access it, and controlling that. So again, we come back to the root of it all, identity. There's going to be an app registration or a service principal. It's going to then have the permissions for what it can read, what it can write, and that's where we govern from.
Okay, we need to control the authentication, make sure that it's secure in a modern world, and we need to manage that authorization of what it can see, adopting zero trust principles of least privilege.
SPEAKER_01: So yeah, no, and that fits in really, uh, well to bring it back down. We've gone very high up into that deep philosophical, which is great by the way, no one's gonna fall asleep. Bring it back down to a level of what it is. So does Entra ID, can it interact with on-prem Active Directory?
SPEAKER_00: Yes, it can. And a lot of organizations are doing that. So you would have typically a master, whether you want to make your master Entra ID and sync that back into AD, or, as a lot of people have already had AD for a long time, using AD and syncing that into the cloud. Now, as much as it sounds like that's a one-way street, you've got a lot of two-way options there. You've got the ability to write back password changes, so you might say, right, end user can self-service password reset within Entra and then it writes that password back to AD. There's all these elements to it, and it doesn't need to be one or the other, but quite often it's both for organizations. And why? Because we've already discussed it's not just users, it is also the objects. If you think about just simple dumb technology such as printers, well, a lot of networking people have focused on okay, what if we use 802, is it 1X? I'm forgetting all my, uh, protocols now, someone will smack me on the wrist for it. But effectively, the concept of, you know, like RADIUS authentication, well, again, that's still the concept of potentially having a device authenticate so it's allowed on the network. All these devices, do we want them reaching out to the internet to be able to authenticate locally so that someone can print? No, that's probably overkill. So, yeah, we're still gonna have this on-prem identity for a long time. But the world is moving to hybrid, you know. End users, they're not typically having desktop machines these days. It's more of a here's a laptop so I can work wherever I need to be, whether that is because I'm doing hybrid work from home, from the office, or traveling to meet someone. Things change. And that is a lot of where that boils down to. So yes, you've got your AD, you've got your Entra, and they can talk to each other. But moving beyond that, there are certain elements that only exist in one world or the other.
So if we think about AD, you've got group policies. Well, they don't exist in the cloud. But instead you've got Intune. Okay, and with Intune, you can look at not just the policies you assign to these devices, but what then makes a device compliant or not. We then have standards that we're holding these things to, and again, that's where we eke into modern authentication, because it becomes less about okay, I've got this machine that is trusted, and I've got this username and password that matches, and it becomes okay, why are we trusting this device? Well, we're trusting it because we know that we're managing the device, we've got healthy heartbeat signals coming from that device. We can see that it is compliant with all of our policies. We can see that the user is not just signing in, so it's a username and password with a device that we already say we trust, but we can also challenge them for a multi-factor. Okay, here's a notification to your phone. You need to authenticate that because that's then another device that someone is maybe authenticating with their face. Again, it's these layers in depth that can then make identity much more resilient for something that is publicly accessible.
SPEAKER_01: Right. So that, yeah, I mean, that sounds really interesting. And, uh, one thing I thought of when you were talking just there is that Entra ID, in a sense, is like, it's become like an umbrella for all of Microsoft. So I'm assuming this M365, Azure, it can be Active Directory. So in effect, you can use this as your single sign-on across the board.
SPEAKER_00: Absolutely. So if we look at Veeam Data Cloud, well, it's Veeam, that's not Microsoft, but we support Entra ID single sign-on. Why do we do that? Because organizations have already invested a huge amount of resources in securing Entra ID. You've got your conditional access policies, which, to level set for everyone here, if you've not worked with them: the idea of a conditional access policy is not just, as we talked about with, you know, the basic authentication, I've got a username and password. Instead, it becomes, okay, you are allowed to access this resource provided you meet this criteria. So this is something sensitive, it's our backup data. So we don't want you just logging in. We're going to challenge you for MFA every time. Or we're going to also mandate that you are connecting from a trusted location, so a public IP address that is associated with the company. So again, that is a signal that you can't just impersonate with credentials. You've got to be there, you've got to have some kind of remote or local connectivity to go via that IP address. So then you're looking at maybe a VPN or being somewhere. You then look at the likes of okay, what about things such as an unrealistic travel scenario? And this suddenly, you know, we're going deep again, but think about if I sign in to Veeam Data Cloud, Entra, M365, whatever I'm looking at, if I sign into that from the UK where I'm based, and five minutes later someone tries to sign in as me from, it sounds like, you know, a typical adversary. I'm just referring more to distance of travel. Toronto, Canada, say it, say it. No, it could be Canada, it could be China, anywhere that in five minutes can I get there? I'd love to imagine a world where we could get to China in five minutes, but it's impossible for now. It's impossible travel, therefore.
If I've just authenticated myself and I'm a real low-risk sign-in because it's a public IP that I'm always using, because it's my home IP, and I've answered my MFA and everything else, and then five minutes later someone attempts that sign-in from China, it's impossible travel, so we can just block that immediately. Even if they are given the right credentials, instead, we should be flanking up that okay, someone's got my credentials, but they've tried to sign in somewhere else. Let's rotate them. The compromise hasn't happened because of these signals that can't just be quantified as username and password. But bringing it back to Veeam Data Cloud, as I say, it's not a Microsoft product, but we can use Entra ID because we can then inherit this security posture or that investment in conditional access policies. If you think about some of our capabilities, we've got self-service capabilities where users can go in, recover emails from their backups, recover OneDrive files from their backups, they don't need to be an administrator, it's something we support. Again, if you can then say, right, I know that when an end user is accessing Veeam Data Cloud, I've got a really strict policy. They need to be using an In-Tune compliant device, so it's a work machine. They need to be connecting from the office. Maybe we don't want it to be a remote worker, so I've got a trusted location as part of a conditional access policy with MFA challenges. Again, you can see how you can layer this as much as necessary, depending on how paranoid you are. And I welcome a healthy bit of paranoia in this case, because we want to make identity tough to crack. We don't want it to be prohibitive to our users, but we still want to make sure that we can keep our data safe because that's really what the identity is safeguarding that access to the data. That is the gold mine. So, yeah, that's one of the reasons why we use NT-ID SSO, because that way it's an easy adoption for our users to know that.
SPEAKER_01:So you're not reinventing the wheel, so to speak. Also, another thing which I would mention here, I assume that, you know, this is also a component: data sovereignty, the fact that you want to keep, at a national level, your resources, your access inside of your own country. So I think that's another thing too. Okay, let's pivot now to actually backing this up. We've avoided data protection just because, well, we've touched on it, but I felt that it was really good to get a global understanding of what this is. It's more than just basic identity, it's more than just Active Directory. Microsoft has gone the next level. Things like, as you said, I really like the conditional access policies there, because you're right, it's gonna be challenging, different challenges. And I'm assuming, I'm actually pretty certain, this is all logged, too. So for auditing purposes, it's extremely important to know. You know, if your next door neighbor starts trying to spoof your IP address every five minutes, you know you've got a problem, right? They parked in your driveway or something. Okay, so we understand, you know, at a certain level what Entra ID is. What are the threats, apart from breaking into it, because that's obviously a threat. But the question would be, and I say this because I have my own little quick story about M365. Back then it was O365, I don't know what it was. At the place I worked, we actually created a product, very homegrown, to back up Office 365, because we had a very big corporate user, a CEO, who didn't understand ActiveSync and thought, well, I don't want all these folders on my phone, so I'll just delete them all. And they went away from it. So that was a big tragedy because it went to Microsoft. Microsoft said sometimes they can recover something, they can't. It was kind of basically this is the, what is it called? 
The divided trust model where you're responsible for getting a lot of... shared responsibility model. Shared responsibility, yeah. I don't even know the name of it because I hate responsibility, but basically that's what happens. So people weren't aware that this wasn't just backed up by some genie up there that's free. So that's where it came about. So we all know that there's attackers, they're threats. That's probably the biggest thing. There is self-induced pain as well. Interesting question. Do you have statistics on, like, your restores, the kind of percentage of what is mistakes and what is attacks?
SPEAKER_00:I would love to have those numbers because I think that would be truly interesting to see. But in terms of that at a high level, let's talk about what mistakes and attacks look like, because an attack will typically be one of two things. It's your external adversary, someone has, you know, broken into your identity, okay, because maybe you didn't have a conditional access policy, maybe they managed to harvest a token. That is an attack into your identity, and then they start moving. They use the identity to get to the resources they need, to plant a sense of persistence within that identity layer, to gain access to more and more resources. You then have the insider threat, who will be able to overcome all of your conditional access. Because, okay, you need a corporate device? I have one, I'm an employee. You need to answer MFA? Not a problem. I'm already enrolled on my own phone that you very happily gave to me as a corporate device. Again, all of these elements can be overcome. And when it comes to an insider threat, I always say, in my opinion, that the best defense against an insider threat is auditing, immutable auditing, with a clear communication policy. Without the communication policy, you'll still have the attacks, you'll just be better at identifying them. But to pull that together, if we're auditing what users are doing, then we can track what they are doing. If they cannot opt out of that audit and it is immutable, then we know that we are capturing everything and it is not tamperable. But then if we aren't telling those employees that there is an audit policy, they don't know that their actions are being recorded, they're more likely to try and abuse them if they're a disgruntled employee or whatever scenario we want to fabricate here. But by communicating that back, by being clear as anything, that here we are, this is what we're doing as part of our security policy. Well, then I know I'm going to get caught. So why would I do it?
SPEAKER_01:You know, that's brilliant. That's, you know what, that's old school preventative medicine. Just tell them they're being watched, you know. And yeah, actually, you know, we tend to think about all these, you know, control access policies and, you know, cameras and bioscans. Just tell them you're being watched. And oh, okay, absolutely.
SPEAKER_00:That is it. It's such a simple but effective measure. Now, you can't prevent that insider threat in the way of: you are trusting them to do their job. Ultimately, that's why you've hired them, that's why you've granted them the permissions that they need. There are certain additional mechanisms you can take, such as privileged identity management, which we'll kind of park and come back to because I think it warrants pulling out a bit more. But at the high level, if you are communicating that, unless someone really has a lapse of judgment and they forget they're being audited, then it is going to be in their mind that, actually, no, I shouldn't do that. Okay. Now, pivoting aside from the attacks to the original topic that you mentioned there, not just attacks, but also, you know, accidents effectively, what does that look like for identity? Well, from identity, think about things such as policy changes. Something that is worth knowing: when you make changes in Entra ID, whether it is updating a user's attribute, whether it is editing a policy, there is no change control. So if you think, if you're a developer, quite often you work with Git, you'll pull out that repository, for example, and you'll push back in any of your changes, okay? But there's versioning. You can see exactly what was changed, any conflicts you can merge, etc. No, you're working live. And to use the old saying, everyone has a test environment. Some people are lucky enough to have a separate production. Okay. And it's true because you're making these changes and you can't always quantify that impact. So if I start editing policies, I have no undo. So I need to protect them because I need to know when things are changing. Okay. I need to know what the known good state looks like, because then I can roll back to it. Otherwise, if I delete that policy as well, some objects within Entra have a recycle bin, but not all of them. So you delete a user, it goes to a recycle bin. 
You delete things such as a conditional access policy. Microsoft have now added a preview of tracking that, but it's not a generally available feature. So typically you delete the policy, it's gone. You delete your Intune policies, they're gone. Okay. So when you think about it from that perspective, you need to still be able to rebuild to recover, and that's where protection of identity makes a huge amount of sense from those two optics of: something has been deleted and we need to get it back, but something has been changed and we need to roll back.
SPEAKER_01:So yeah, no, and you know, just from my dealing with Active Directory, I remember that before Active Directory restores, it was very difficult because I know I think there was a tombstone, whatever, but I mean, if someone left, like for instance, someone left the company three months ago and then they had to check something. Okay, what exactly did they have, right? I remember that was a problem because it was gone from the tombstone, and, you know, they wanted to check how the access worked to recreate the user the same way. And I remember with Active Directory with Veeam, this was wonderful. You could just restore and it was back the way it was. And so what you're talking about, I can see, especially if these policies are complicated and took a while, and a whole bunch of trial and error to get them to work exactly how you want, and you didn't document or you didn't have time to document exactly what you did, which of course none of us have that problem, right? Having a one-click Veeam button is again something that I think all Veeam users will know and remember. Okay, so this, I think, you know, the accidents, the insider threats. I think the threats we're talking about, we kind of see everywhere in data protection. They're very similar. This is more dangerous in the sense that it's giving you the keys to the castle if you get all the keys, in that sense. But let's just talk about how it works on the Veeam side. So I did a bit of my homework and I looked at the user guide and whatnot. And the one thing I'll mention here, because Veeam 13 just came out. Some of us will remember from user guides, Veeam user guides were like 100 pages. Hey, you look, go through them and reread them, you say, well, I reread the user guide. I just looked at the Veeam 13, 7,000 pages. So this is where I'm gonna, you know, leverage RAG technology, AI, and give me a summary. 
But I did go through a bit, and so it looks to me, there's some interesting things that I wasn't aware of, but it looks to me to be very much like unstructured data backup, because you're using these general purpose proxies. It's within the Veeam console you do them. And I'm assuming you also have things like a log backup. You also back up to Postgres, into the Postgres database, as I understand it, right? So this is interesting. Could you give us a kind of overview of that? Maybe not going too deep, but for Veeam users who already know Veeam, where this kind of correlates.
SPEAKER_00:Absolutely. So you're right, we're using Postgres when you're running it within Veeam Backup and Replication. Obviously, with Veeam Data Cloud, Veeam is doing all of that heavy lifting, managing the data, the resiliency of it. But in essence, you know, let's talk about why we are using a database as opposed to, if you're familiar with Veeam and backing up with VBR, you think about VBKs, you think about VIBs. So for those that aren't as familiar, full backup files, incremental backup files. Why are we not doing that? Well, with a database, a database is great for relational data. And Entra ID is all about relationships. Think about a user. A user is probably a member of one or more groups. If you think about a user, they probably have one or more roles. If you think about an administrative unit, then there's quite often a match in between them again there. So because of all these different relationships and tracking them over time and all of the attributes that are related to that, a database makes a huge amount of sense there. And that's one of the reasons why Veeam did what they did. Okay. So keeping that in a database, it is performant, it is resilient in terms of, again, we're tracking everything here because we're used to working with these objects that naturally tie into each other. That makes a huge amount of sense. So from a Veeam perspective, if you wanted to protect a tenant, it is as simple as adding your tenant, and then we can back up the objects and we can back up the logs. You're absolutely right there. You did your homework. Well done. In terms of objects, it's worth calling out what we actually do today because it's a huge amount. But just looking at over the past year, the amount that it has grown as well. And one of the things that I've always loved about Veeam, you know, even prior to working at Veeam, was the depth that they went to with this. 
Now, we're not gonna really make this podcast make people go to sleep and start reading out all the different attributes that we back up, anything like that. But again, help center documentation, it's got it all listed there. And it's dozens of attributes per object type. But let's talk about what Veeam backs up today. They back up users, they back up groups. Okay, so far so related to Active Directory, and here's where we really start to diverge. They back up roles. Roles that don't really exist in the AD world. What is a role? A role is a set of permissions. So potentially you would say, here is a role that has access to my Azure environment, and here are some of the permissions that it can have. Here is a role that grants me all these different capabilities within Entra, effectively. Okay. So groups can be many different things. It can be, you know, whether it's a distribution group, whether it's a security group, whether it's an M365 group for collaboration, but a role is very much about those permissions. Okay. Then we get to the administrative units that we also protect. Why might you use an administrative unit? I see this with some of the large enterprises out there that, rather than having different tenants for, say, branches, if you think about public sector, or different organizations under a singular parent, rather than having completely different tenants and having to federate between them, instead they use administrative units in a single tenant to say, okay, these IT guys, rather than just looking after Exchange as a whole, they can look after Exchange for these users, and it becomes subset segmentation of data. So again, that is an Entra ID concept, because if you think about AD, then okay, you've got your organizational units, maybe you have cross-forest trusts, but it sits in a completely different architecture. Then you get to applications. 
So whether you're familiar with enterprise applications, or service principals you might know them as, or app registrations, again, Veeam is protecting that. So these are the non-user identities that we are using to access data. Okay, and they can also be leveraged for different purposes, such as Veeam uses an enterprise application with least privilege permissions, of course, for our single sign-on. So that way we can identify who the user is, what VDC organization they are attached to, and send them on through. Okay. So you've got the applications and then things that were added over the kind of past year. You've got conditional access policies, so those things that we love. Again, we need to make sure that we protect them, so Veeam can protect those conditional access policies. When we talk about conditional access policies, not everyone has access to them. So something that again diverges from AD is, with AD, I've got my Active Directory, I license my users, whether it's user CALs, device CALs, I really feel like I'm going back in time now talking about those licenses, but it still exists. But then when it comes to Entra ID, you've got the kind of free version, and then you've got Premium P1 and P2, and they expose different capabilities. So one of the things that P1 and above grants you is conditional access policies. So again, it's worth looking at as an organization. And then very recently we added support for Intune device policies as well. So again, looking at the policies that apply to the device. And this is really important for users to consider, or administrators to consider, because when we think about the device, that device's policies will then ultimately control how it is viewed from Entra as to what resources it can access. So again, this user's working remotely, they now can't access this resource. Let's look at whether the user's permissions changed over time, and what about the policies that that device had and how they might have changed? 
So it all ties together. So those are the objects that Veeam protects, and when you do a normal Entra ID backup, that's what it looks like. But then we also have the logs as well. So we protect the audit logs, and again, this is something only exposed if you've got Entra Premium. But we protect the sign-in logs. Why? Because audit logs and sign-in logs have different retentions based on what you're licensed for. By default, I believe it's audit logs have 30 days of retention, and sign-in logs have seven days. But because it's read-only in that state as well, we can't access it via the API to back them up. If you go to Premium, those retentions increase, and then we can also read that data to back up. But we do call out in our applications, you know, what we can and can't protect based on the Entra ID SKUs, because it's what Microsoft lets us have access to. But those logs, the idea of backing up those logs isn't to restore them, because if we think about everything we talked about, what, 20 minutes ago about auditing and the insider threat, it would be really bad if we were backing up these logs and then we re-injected them into your logs. Because then we've tampered with the authenticity of your audit and sign-in logs. But if you did have an insider threat or an external threat, and suddenly we can't rely upon those logs, if there needed to be some kind of legal case that then took place, we've effectively proven that the logs aren't all genuine actions. That would be really bad. So instead we back them up, they're JSON compliant, and then if you want to input them into a log analytics tool, maybe to analyze after a cyber event took place, maybe you're even passing it over to a third-party SOC because you haven't got those skills in-house. Again, industry standard JSON, there you go, you can then process them. 
But for everything else, those objects are very much around both the kind of bulk recovery and the granular look at the attributes, the what's-changed recovery elements.
SPEAKER_01:That's a really important point, by the way, because you're talking there about forensics exercises. And one of the important things to always do in forensics is you take a quick image of the disk and it has to be untouchable, basically, because it can be tampered with. Question I have right off the bat is one thing I did love. I'm thinking back to my time of Active Directory. I love the compare. Do you have the compare there too? We can bring up and see what's changed, because you mentioned something, a change of user permissions, whatever, and I used to use that all the time. So what was it two weeks ago before I fiddled with it?
SPEAKER_00:So yes, it's a great feature within AD. I'm happy to say that whether you're looking at VBR or VDC, so I appreciate I'm getting into acronyms, VBR, Veeam Backup and Replication, part of the Veeam Data Platform, and VDC being Veeam Data Cloud, the backup as a service offering from Veeam. Regardless of which tool you choose to use, it doesn't matter, because you can still use all that compare functionality. So you can look at an individual object and we can both compare it to production. It doesn't matter that Entra ID is in the cloud there, we can compare to production based on any backup point in time. So by default, if we run a backup daily, for example, then you can step back through every day and see everything that has changed there. And you don't need to compare to production either. If you want to compare two backup points in time, not a problem as well. So it really does let you view day by day what has changed, which again, when we think about forensics analytics there, that can be of a lot of importance, because we might need to tie in, okay, this is when the compromise took place, and then it looks like this account was used. So what was then changed at that point? Because then we can look at things such as when roles have potentially appeared, when roles have been assigned. We're looking at the escalation of privileges, because there's two schools of thought, and depending on what security vendor you're looking at, you either hear, you know, they're breaking in, they're encrypting data, they're exfiltrating data, they're hitting you fast and hard, and then you also hear the, okay, they're getting in, they're staking their claim for persistent access, they're taking their time, and then they're striking. 
And both are true, because it's not one person somewhere in the world out of 8 billion people that is attacking; many different groups of people, and those could be, you know, nation state actors, they could be independent groups, it could be individuals. So to say one size fits all is false. So there's absolutely two mechanisms. So whether you need to look at someone that has taken their time, laterally moved, again, there's been quite a few stories around ransomware as a service where you get different groups of people that will say, right, this group is focusing on breaking into organizations, planting that persistence, then they're selling that access to someone else to actually invoke the ransomware attack and take that extortion payment, effectively. There's a big market to it, which is quite scary, but very interesting to look at objectively. So it doesn't matter which way around. The important thing is we need to know what is changing, whether it is from an attack perspective or whether it is from just a "whoops, now no user can sign in because I edited a conditional access policy and I can't remember what I changed". Oh, which is probably my case.
SPEAKER_01:Yeah, my case. So a question, a follow-up question about that. Simply Resilient Conversations here. So I'm gonna always bring up simple resilience. How, just for someone who, let's say, knows Veeam but doesn't particularly know this part of the technology, how do you incorporate things like 3-2-1, especially if it's a Postgres database? Can you have a backup copy job of this? I know in Office 365, or M365, you can do that. You can do that here too, I presume, right? To have multiple copies of your data.
SPEAKER_00:So we've got more functionality coming out with that as time goes on, because again, it being a database, it is different. There are certain things you can already do, such as backing up that database server with application-aware processing. And again, if you look at Veeam Data Cloud, because we're governing that for you, then you'll find that, you know, it's multiple copies of all of that data within different zones in a region. So again, it's making sure that it's multiple copies without violating any data sovereignty requirements as well. So there's always going to be that element of trade-off. But yes, absolutely, there are options available, and we're constantly working to make that easier and easier for our users.
SPEAKER_01:Okay, well, that's fantastic. And I mean, after this conversation, you know what I want to do. I want to go out and learn this stuff and practice it, but I don't want to pay. So you did mention a free tier, and whenever I hear free tier, I get all excited. So let's say I'm a data protection specialist, but I have not worked with Entra ID, or M365 for that matter. Are there, and I know for M365, I think there is, or Office 365, there's a developer license where you can get like maybe 10 or something. If you want to practice and learn this and you're in your home lab, what can you do?
SPEAKER_00:So what you can do anyway is Entra is free. Okay, you can have the non-premium version, and if you are completely working standalone, getting started, first we'll have a look at Microsoft Learn, because Microsoft Learn has a lot of resources, a lot of sandboxes that you can play with, so you don't need to spend money to learn. And they really do have a lot of good programs as well around helping people with the fundamentals, to understanding that and getting certified either cheaply or in some cases free. I know in the past they've done different programs where, you know, Microsoft Ignite, which was on, you know, last week, the week before, depending on the time you're listening to this. But they have in the past said, okay, whilst Ignite is on, do a Learn track, and then we'll give you a free exam take for one of these different exams. Now, fun fact, yeah, I did that to get my Azure certification. I did one of the tracks, I already knew some of it, and then I went and sat my exam and away we went. So you've got that as an option. Something else that you can do is, if you want to play with some of the premium features, but again, it's not having that commercial outlay, you can request trial licenses from Microsoft. So if you are maybe working towards an exam or just interested in the short term, you know, I want to test this functionality, request some trial licenses from Microsoft. But then above and beyond that, depending on your organization, there's also things such as the M365 Developer Sandbox, whereby they'll grant you, for example, 25 licenses, E5 functionality, and then you can go through and play with that. That's normally tied to Visual Studio. It doesn't necessarily have to be there, but again, I'm not Microsoft, I don't know every single in and out of that program. 
But it's something that I myself have used in addition to, for my own personal lab, you know, prior to joining Veeam, I just paid for one seat of M365 and Entra, because that way it was still quite cheap. I could play with all the functionalities there.
SPEAKER_01:That's a really good list, and I'm certain, you know, anybody who wants to start this track, the free resources are always very important, especially talking about students and people like that. Okay, well, I love this conversation because I feel now I'm an expert and I can go out and send my resume. No, I'm joking. But I found this very interesting. I want to ask you on a final note, what would you want to say about Veeam particularly, VDC, Entra ID, as one of the most important things, one of the things that you like the most, and what you think is most expedient?
SPEAKER_00:That's a great question. And that's probably the one that stumped me the most, because we're not talking about technology specifically here, but in terms of Veeam, I would say the Veeam Data Cloud offering is fantastic, because Veeam have focused on this unified experience with Veeam Data Cloud. The idea of having multiple workloads and you can govern them from that single pane of glass. And when you look at Veeam's philosophy as an organization, they've had their five data pillars of data resilience for a long time. They care deeply about the data backup, making sure that they understand all the various ways to protect that data, which is the easy part. They then focus on the data recovery, making sure that there are the various different ways that you can restore that. If you look at the amount of different recovery scenarios that Veeam offers across all those different data types that I mentioned earlier on, you know, whether it is comparing attributes and performing restores, whether it is performing the entire object recovery, things we've not even talked about, such as, because again, Veeam tracking those relationships, we also have the option of recovering from the recycle bin, because not every attribute can be read. Some can be read, but not restored, things such as GUIDs, things such as creation date timestamps, as examples. But a question I get asked all the time is applications: do you back up the secrets? Do you back up the certificates? And I flip the question back, because if you think about what you're really asking, it's does Microsoft allow, via an API, one application to see all of the secrets and all of the certificates of any other application? That's a huge security risk if they did. And they don't. So what can we do in this scenario? Well, assuming it's not a cyber incident where we want to rotate all the secrets and all the certificates anyway for good practice. 
If someone has, say, deleted that object, then when we restore it, we can use that recycle bin object as a baseline. We can then revert any attributes that have changed and differentiated from whatever backup point in time you want. But it means that things we can't see, such as the secret, such as the certificate, we never needed to see it. It's back with the object if it's still there, and we will just reset that object. If not, okay, yes, you need to set up a secret, you need to set up a certificate. But it has really simplified that process. If you then look at Veeam's kind of wider strategies, so we talked about backup and recovery there, you then move on to the elements of the security, of the intelligence, of the data freedom. You know, Veeam's exit strategy is a brilliant example of this. If you look in the market as to SaaS, it typically ends up a bit of a golden handcuff situation, where, you know, an organization might say, you can't have your data back, you've got to pay for as long as you need to retain it, which with backups could be years. Or they'll say, you can't have your data back, but look at us, we're great. We're gonna sell you at, say, a 50% discount, a restore-only license, because you're not gonna back up anything new. Right? Okay, we're still shackled to you for these 10 years. Or they might say, okay, you can have your data back, it's just gonna be a data dump. It's gonna be completely uncompressed, not data efficient. Here's every single file, you know, email, whatever it is, and you're gonna have no search, no recovery of any of that. And then you've got the Veeam approach, which instead, if you look at all of our tooling, we have the community editions. What was one of the core purposes of the community edition? If someone has been attacked and they can't get in to get their license, let's not prevent them performing a recovery. 
Grab the free community edition, all the recovery options are completely unlocked, and you perform your restore and then you just relicense it. Okay, you can't do new backups other than, you know, the customary free 10 workloads, free 10 users that we give. But it still means you can perform your restores, perform your searches. So when you look at Veeam Data Cloud, what that means is you leave us, okay, we will transfer that data back to you so you can pay the likes of, say, Microsoft to store it directly without Veeam being a middleman taking a cut every month. And then use our free tool that still gets patches, still gets best effort support, and you can perform all of your searches, all of your recovery against data sets that are still compressed, still data efficient. It keeps your cost down, it keeps the fully rich recovery process, and that is huge in itself. Okay. So that's what I'd say about Veeam and the Veeam Data Cloud. When you put all of that together, you see that it's not just about, okay, yeah, we can tick a box and do backup, because that is easy. It's about that flexibility in how we recover, what it looks like if you want to leave, and then everything else that we were kind of teasing earlier on about, you know, threat detection from that security mindset, analyzing that data, data reuse, huge, huge amounts that's going on there all the time.
SPEAKER_01:So that's a great example. And I mean, that's what you call not having vendor lock-in, because nobody cares about backups, everybody cares about successful restores. And so if a vendor is letting you back up and restore, and then you leave and they say, oh, well, guess what? You're locked in, that's not good. So, Veeam, in that sense, you've probably just touched on something that is probably one of my most loved features about Veeam, that they allow customers to do that. And I bet you, even if customers do leave, they'll probably come back because of that kind of mentality. So that's fantastic. Look, Michael, this has been a great call. I can just go on forever. Unfortunately, time runs out. I want to thank you. I also would like anyone, I'm gonna set up an email address called podcast or something of that nature. I'll announce this later on. Where if you have any questions for Mike or myself, I don't want to give out his email because, you know, he'll just get inundated, he'll never show up again. But if you have questions about this, you can actually direct us to the podcast email and we'll be able to answer the question. Well, I'll forward the question to Michael and then, so anyway, thank you very much, Michael. This was our first podcast, and I learned a lot, so I'm gonna listen to it again. Thank you very much, and I will talk to you soon. We'll hopefully have you again as a guest here.
SPEAKER_00:Thank you. And I'd just like to say from me, it's been an absolute honor, especially to be number one on the podcast. It's always great to catch up with you. Brilliant questions, and yeah, looking forward to speaking again soon. Thank you very much.