Microsoft Community Insights Podcast

Episode 40 - Zero Trust: Beyond Traditional Security Measures with Santhosh Anandakrishnan

Santosh Kumar, Azure MVP in Networking and Cloud Security, explains why Zero Trust isn't just a product but a critical security strategy for the modern workplace. He breaks down how organisations can implement this approach to protect against the dramatic rise in cyber threats.

Follow the Microsoft Community Insights Podcast on social media so you never miss an episode.

Speaker 1:

Hello everyone, welcome to Microsoft Community Insights Podcast, where we share insights from community experts day-to-day in Microsoft. I'm Nicholas. I'll be your host today. In this episode we'll dive into Zimature same as yours. But before we get started, just remind us to follow us on social media so you never miss an episode. And today we have a special guest called Santosh Kumar. Could you please introduce yourself?

Speaker 2:

Hi, hi, hi everyone, hi, Nicholas, thanks for having me. I'm Santosh Kumar, my name is so lengthy. You can call me Santosh. My full name is Santosh Kumar Anandakrishnan. I'm based out and living in Melbourne, and basically from India, in the southern part of Chennai, and I'm holding my Azure MVP, Networking and Security one. My specialty and skill set relies on infrastructure, cloud security, with both public and hybrid cloud.

Speaker 1:

That's me, okay. So before we dive into the main theme of this episode, we just want to get to know a bit more of guests. So, uh, Santosh, can you tell us, like, what, where you work and who you are?

Speaker 2:

Yep, sure, um, I, as I mentioned, I'm based in Melbourne. I'm just doing some work for a company, my own company, called Skyline Technology, which I'll do basically on consulting with my professional clients and just get them to understand, migrate and adapt cloud technologies in Azure Cloud. That's my key focus area. That's predominantly working with the client to understand the requirement, convert it into a business requirement, into a technical one, and just implement them for them and bring them into the digital transition, into the face of cloud.

Speaker 1:

Okay, so you're like a consultant.

Speaker 2:

Yeah, he's a consultant. Yeah, correct.

Speaker 1:

Okay, so what's your typical day like, Santosh?

Speaker 2:

Oh yeah, it differs, right. So it's mainly being to the customer phase, adapt to their requirement, get that translated into a technical requirement and making sure you capture all their requirement and present back to them with the different solutions and adapt that as part of their architecture thing and mainly create some diagrams, work with them to get the documentation and present back to them with the ideas and solutions which will making sure it's been part of security, it's part of their requirement. Everything translated back into the solution. Yeah, it's been on and off. That's what it is as a consultant, as an architect, just be on toes on every day.

Speaker 1:

What are some of the most interesting projects that you've done so far as your consultant, as your role?

Speaker 2:

I've done multiple things. The reason why I can pick it up is Azure Identity, B2B. I have done B2B. I have done on B2C as well and more on Azure Migration from on-premise to cloud. Making sure from the start of the client, starting from just new to as a fresh as a greenfield setup, I would say not a fresh greenfield setup, starting from a client where they will just want to have their migration back from on-premise hypervisor back into Azure cloud, starting from a networking connectivity back migration of thing. Those are the recent one I have done at the moment that I can think of, at the moment at least.

Speaker 1:

Okay. So someone like, for example, migrating from on-prem to Azure itself and lots of greenfield projects and stuff. Migrations, yes, correct, yeah, okay. So moving ahead. Today's theme is Zero Trust. For those who have no idea what Zero Trust is, do you want to explain what Zero Trust is and why it's important?

Speaker 2:

Pretty much. Zero Trust is a security strategy. It's not a product or a service. I just want to make sure clear. Some people just think it's a service which is available. You can consume it. No, it's not a product or a service. It is a security strategy which any organization needs to adapt. The reason they won't adapt is like if you look at the recent Microsoft has published 2024 statistics which says that the threat attackers tracked by Microsoft in 2024 has been 300. In 2024, it has become 1,500. The number shows that how big the threat attack has been growing. With this latest digital landscape with AI coming in play, it has increased five times actually the speed and scale it is. Attackers are getting more. Cyber attackers happening is more. To have this digital modernization with the dynamic approach currently happening across the globe with organizations like productivity anywhere, anyone can work from anywhere.

Speaker 2:

It's not just come to office, it's no more. It's gone. You work from anywhere, making sure the device is authenticated and it's been secure. You can work from anywhere. And the second thing, as I mentioned, the cloud migration. The digital transformation is happening across the globe, with the cloud, with modern workplace and 365. So these things makes the zero trust has been kind of today's organization needs a new security model which effectively adapts uh to the complexity of what the trend has been changing.

Speaker 2:

So the three things I would say in the zero trust is productivity anywhere, cloud migration with the digital transformation. And the last one is how quickly you mitigate your risk. These are the three things. In addition to that, Zero Trust helps you with three principles. It works in the three principles like always verify, verify explicitly. Second is assume the breach, making sure you restrict the lateral movement. And the third one is with that has been implemented, you can have more privatizing of data. It won't get into the cyber attackers as quick as possible. That way you can be most authenticated, authorized and continuously validating your devices and identities and organizations can implement that way, which gives you the greater confidence making sure the right people with the right device and it does not go into the cyber attackers. That's how it has to be in that way.

Speaker 1:

How would someone start, like, implement zero trust in their organization? Do they have to start it from ground up when they want to embed security in the project and stuff, or can they just start in the middle?

Speaker 2:

See, what happens is in the earlier to zero trust, organizations will be thinking like with lateral knowledge, saying that everything behind the firewall has been protected. It's not that way. It is no more. The zero trust assumes that inside risk management as well. What does it mean is anyone within the organization can be a risk for the data, for the devices. So you have to do in both ways. So you have to start from the fresh and it has to be part of your culture. And security is not just one person's job, it is everyone's within the organization and the project. It has to be the culture change. That's the first thing. And the second thing what I want to say is zero trust is a strategy. So I want to put a picture to understand what everyone likes. Take an example: you are in a library or a museum. So when you are in a library or a museum, how do you consider that zero trust? I want to put it in layman terms so that it can be easy to understand. As a librarian in olden days or in the later days, you trust anyone who comes into the library is making sure they are coming to read a book, to access some device or get some information. In zero trust model, you have to treat everyone as being holding a library card, making sure they have the valid identity card to make sure they are verified. That makes the zero trust first principle gets validated. That's a layman term. The second thing is the least privileged access. Library will have different sections, right? For kids, they have books within their underage. There'll be some rare archivals which can be used for historical information, so you have to segregate that. That way you can just have your least privileged access. The last one is assume the breach. You have to make sure you have right access to the right person and, like, you have to have your security cameras or something to making sure it has been captured and you have some information on that.

Speaker 2:

As going back to where do we start it? It has to start from the start of your project. You have to make sure it has been captured. The security has been responsible of everyone. It has started from the development. Some people I, when I'm interacting with some people they say, okay, in the development side we just have very less security. The broad we just do more security. No, that's not. It has to be. It has to be from the start, because if you have any change you make it in the production you might break up something so you might not be able to fix it in the last minute. So it has to start from the day of the development of the park. Where you have something is a start to the fresh, then it has to be carried forward towards till it goes to product.

Speaker 1:

That way it makes life easy. Yeah, so it's best way to start it when you start a new project from ground up. Yeah, exactly. Yeah, and it's similar to, like, for example, DevOps itself, because DevOps is all about culture and security is about culture, working together as one team. Exactly, that's it.

Speaker 2:

That's correct. It's a culture change. It has to be culture change in the organization, making sure it's responsible for everyone, not just one security team which sits behind everyone to just chase it up.

Speaker 1:

Okay, so what are some of the best practices that you've seen in your experience of? How would you of people organization that you've made Zero Trust in organization?

Speaker 2:

Okay, zero trust organization. Yeah, so zero trust has, at least I would say, five pillars. One thing is the identity. Even though we have three principles, there are five pillars: identity, data, application, interaction and network. These are the five core pillars of it. So each pillar has to have its own services and technology to a combination of it, like, say, for example, in identity and devices as part of Entra.

Speaker 2:

Entra gives you a vast future of services that can be combined and used, like Entra ID governance, which can protect you from accessing your devices, making sure it's been restricted, only verified the device which is compliant, making sure they get access. It has something called intra function management services which always make sure that it does give access only to specific people on specific time, and so it's kind of just-in-time access. That way you just restrict your access. And coming back to the network, you have to make sure you have a network segmentation for your application. Each application has to have their own landing zones. It has to have their own network.

Speaker 2:

All the network has to have the traffic inspection, has to make sure it has been firewall. It can be an Azure Firewall, it can be anything which you use as part of your vendor specific. It has to make sure all the traffic comes in and goes out, it has to be verified. On the data side, making sure everything is data encrypted, and on the application side, make sure it's in end-to-end TLS encryption. Start from the workload in the backend and in the frontend you just make sure you have something you can layer 7, like Application Gateway, or the Front Door with the WAF, with the web application firewall, making sure application on the layer 7 to layer 3 has been protected. So that way, these are the first things to making sure it starts in the principles way, which aligns towards Azure as well. Security by default is one of the simple terms. Everyone says it, but you have to make sure it is security by default.

Speaker 1:

So is there any challenges that from implementing a wrong zero trust that didn't implement it? Currently Is it just the communication between different teams.

Speaker 2:

See, there is not a wrong way, I would say, but people will try to make it that design doesn't adapt to the zero trust technology. You have to make sure everything is being verified. Say, for example, you have a virtual network in Azure and you have three subnets within the virtual network and you make sure every subnet traffic between one subnet and another subnet within the virtual network. Some people say we don't need to verify it, but what happens is in a later moment. Say you got some malware, phishing in one of your virtual machines or database somewhere in the one subnet. What happens if you don't have as explicitly verify that traffic between two subnets within the virtual network? It carries forward to other thing. So you have to make sure it has been isolated and you stop the lateral movement. That is one big thing which I have seen recently with customers and clients. So they say okay, that's okay, it makes more congested, that's fine, but you have to make sure your performance has been second thing and security comes in the first.

Speaker 1:

Okay. So since you mentioned that in order to fully know Zero Trust, you need to know the pillars, the five pillars. I guess if someone were to learn identity, network, security and be proficient in five of them, would they be more of a better position to implement a good zero-trust system?

Speaker 2:

Yes, they just need to have some knowledge. Say, for example, zero-trust team, right, it should be common as different SMEs. Not everyone can be a jack of everything, so you have to have the team the right way. It's structured with identity, network and data and application. So once you have that combination, you can make sure you protect your identities, devices, making sure you protect and isolate the application, making sure it's not been for a lateral movement, and protect your networks, make sure you have a firewall. You have in and outbound has been verified. So you need to have a combination of team of people with SMEs to making sure that's been captured.

Speaker 1:

Okay, yeah, so you have to work with different teams. Different, yeah yeah. Data, identity, security teams, yes, yes. I guess one of the drawbacks could be the miscommunication between teams and projects that people have. Yes, and in order to get something right, yeah yeah, correct. Okay. So from your experience, what does a good, like a perfect Zero Trust mean? Does it mean meeting all the pillars or doing it well? That makes it a standard for Microsoft.

Speaker 2:

Yes, Microsoft has something called Secure Future Initiative, which has been started in November 2023, which gives you information about how do you do a security by culture and governance, security by design, security by default and security operations. So you have to start that adaptation from the start. One, so set your priorities, measure the progress. So, even though you have five pillars and three principles, that three principles and five pillars has to be verified across each pillars. So, set your priorities. How do you want to make sure the six pillars or the five pillars are objectives to focus on your zero trust and measure your progress? And, as I mentioned earlier, you have to align the culture. The security culture has to be part of the organization, the team. So then the third part is security as a governance. So you have to have your strong SecOps team which has been monitoring and adapting your logs and stuff like vulnerability management, threat protection.

Speaker 2:

These are the three things I would say. To start, set your priorities against your pillars, against your zero-trust principle, and align the culture within the team and organization. The third thing is strengthening your security governance. That way you can protect. If you don't have that right setup like SecOps monitoring or security monitoring for protection management, which you can't see, you can't protect. That's a simple way they say, right, if you can't see anything, if you can't view a resource, you can't protect anything and you'll be missed out. It won't be in your radar at all.

Speaker 1:

Okay, yeah, I guess, in order to in that terms, you have to visually see what's like simply on a portal before you can protect something. Okay.

Speaker 2:

Oh, sorry, is that my? Was it the same? Thing, yeah, yeah, correct. You need to make sure everything has been captured, everything is within your radar and if you miss something, then you lose something and you're not monitoring it regularly and that might be a threat as part of that missing piece of the resources that can inflate into your environment or the network.

Speaker 1:

That's amazing. How would you someone get started in Zero Trust and learn about it? Is it just Microsoft documentation or is it? What is your best resource that you use?

Speaker 2:

Oh yes, Microsoft Learn has very good documentation about Zero Trust implementing and it helps you to whatever I spoke about, like network segmentation, firewalling, WAF and Layer 7. It has detailed information about how do we start it and what other resources can be used and consumed, and how it can be practical guidance. It has to be practical guidance. Instead of what we speak about, it's all the strategy way, but Microsoft Learn is a document which has been helpful for you to have a starting of how to implement, like, and in addition to that, Cloud Adoption Framework, as security by default has been captured as part of CAF as well, so the CAF plus the Zero Trust documentation as part of Microsoft Learn document will help you to kickstart for someone who wants to be the initial frontrunner of the Zero Trust principles.

Speaker 1:

That's brilliant. So, as this episode is coming to an end, I would love to get to know guests. So, Santosh, I saw you're quite active in the community. Do you want to go into some of the amazing community work you've done?

Speaker 2:

Oh yeah, thanks, mate. Thanks again for you as well. You've been doing a great thing. As I mentioned, I'm part of Melbourne and Australia and I'll be mostly actively in the LinkedIn and I have an Azure meetup group which is called Azure Builders Melbourne Meetup, which we run it on two months, once as part of the year, probably five times or four times, which we run it across within the Melbourne.

Speaker 1:

It's an in-person one, and I'll be more active in the LinkedIn as well. Okay, so it's an in-person event at Melbourne that you just have to organize, like throughout the year. Okay, that's cool. How long you've been an MVP for? It's first, um, this is my second time. Okay, starting from January. Oh, so you're in the same year as me, the second year.

Speaker 2:

Yes, yeah, it's a similar year. Nice yes, this is my second year and this time I got dual MVP on Azure Networking plus the cloud security. Nice Brilliant.

Speaker 1:

Are you heading to the MVP Summit next year?

Speaker 2:

Hopefully, man, I missed last year. Hopefully I won't make it this time. Since I'm on the other side of the world, I have to make a bigger travel to make it to the Seattle.

Speaker 1:

Yes, 27 hours probably yes exactly, exactly. That's correct.

Speaker 2:

Yeah, exactly, that's correct, yeah.

Speaker 1:

Okay, so what do you normally do in your spare time, Santosh?

Speaker 2:

Do you?

Speaker 1:

normally aside from community works and yeah other than. Yeah.

Speaker 2:

Other than the community work, I mostly do cricket. I play cricket. Most Indians do that. In addition to that, I've been started recently, got injured in my, my arm has got injured. I cannot bowl anymore so I transitioned myself into a cricket umpiring as part of Cricket Victoria within the state, just trying to be closer to the cricket. Do you play cricket in a club?

Speaker 1:

In a cricket club?

Speaker 2:

Yes, yes, yes, I was part of a club. Now I just got, I injured two years back. Cricket is no more in life, so I just want to be closer to the cricket, so I just converted myself into an official umpiring.

Speaker 1:

Okay, you just paired with someone too. I'm sure you probably go back to play cricket, it won't?

Speaker 2:

be, temporary. I want to be. Let's see how it works out.

Speaker 1:

Yeah, because where I'm from, I think there's a lot of England or UK. They love to play cricket as well. Cricket and football.

Speaker 2:

Yes, recently we had a match right India. The series was great yeah, okay yeah.

Speaker 1:

I think India was playing something like football or cricket previously. So are you going to any tech events later? Are you going to Ignite?

Speaker 2:

Not, not Ignite this year for sure, but I'll be focusing on my MVP Summit for the next year, which I missed the previous one, so I don't want to miss it in time. I'll be there and I'll see you in person.

Speaker 1:

Yeah, see you in person. Yeah, same like last year. Yes, yes, okay. Now, thanks a lot to join this episode, Santosh. So I hope that, thanks for sharing your knowledge about Zero Trust, and I hope other people learn more about Zero Trust and know how important it is for using it and implementing it in your organization, because it's very crucial for remote working as well. So when people work remotely around the world, it's very good to use Zero Trust.

Speaker 2:

Thanks, Nicholas. Thanks for having me hope you would add something.

Speaker 1:

No worries, thank you. No worries, thanks a lot.

Speaker 2:

Bye, take care, bye.
