Security Unlocked 8.11.21
Ep 40 | 8.11.21

Making the Leap to the Cloud


Nic Fillingham: Hello, and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft Security engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.

Nic Fillingham: And, putting forward some of the fascinating people working on artificial intelligence in Microsoft Security.

Natalia Godyla: And now, let's unlock the pod. Hello, everyone. Welcome to another episode of Security Unlocked. I have big news today before we start discussing the upcoming episode. We are officially part of the CyberWire Podcast Network. So you can find-

Nic Fillingham: Hooray.

Natalia Godyla: ... yeah, very exciting. You'll be able to find us on the CyberWire site. And for those who have just recently found us through the CyberWire site, welcome, welcome. We are thrilled. I mean, we have known of the CyberWire Podcast Network for some time. CyberWire is definitely a mainstay in the security industry. And their podcasts are extremely influential and well done. So, achievement unlocked for us.

Nic Fillingham: Yes. And if you haven't listened to the Security Unlocked podcast before, uh, as Natalia says welcome, super quick overview, Natalia and I are both Microsoft employees. In this podcast, we talk to other Microsoft employees that also work in security. But, the amazing thing about Microsoft is there's literally thousands and thousands of different people working in security all the way from data science through to security researchers and sort of everything in between. And this podcast is a vehicle for us to bring them on the mic and have them tell their stories, how do they get into security, and also have them share some of the amazing work they're doing. And again, as Natalia said, we're just so excited to be part of the CyberWire. On the podcast today, Natalia, who do we have?

Natalia Godyla: So, for episode 40-

Nic Fillingham: Did you say episode 40?

Natalia Godyla: I know. I had to plug it.

Nic Fillingham: I am wearing my ruby-encrusted, uh, smoking jacket because that's 40 years celebrated through rubies, I think.

Natalia Godyla: Yeah, I think we need to add a video element to this podcast just so everyone can enjoy the ruby jacket as much as I am.

Nic Fillingham: (laughs).

Natalia Godyla: So we are joined by Sarah Armstrong Smith, the chief security adviser at Microsoft. She is joining us again to talk about the back half of her four-part series on building resiliency. So in the first discussion on episode 38, we talked about talking cybersecurity with non-security professionals, how to frame the conversation, how to introduce cybersecurity. And, in this episode, we transition a bit to a discussion on Cloud.

Nic Fillingham: As per every episode, we'll have links to all of the, uh, various posts and assets that are mentioned in the show notes. One of those things is the Cloud Adoption Framework that we're gonna spend some time talking about in this episode. It's a really valuable resource. And I encourage you all to go check it out. But enough of us, how about we get on with the pod.

Natalia Godyla: On the pod.

Nic Fillingham: Sarah Armstrong Smith, welcome back to the Security Unlocked podcast. Thanks again for your time.

Sarah Armstrong Smith: Delighted to be back, Nic, thank you.

Nic Fillingham: We only spoke to you just a, a couple of weeks ago. Um, but that first episode is out. I'd love to sort of know, any feedback you got from, from colleagues from, from peers, the, the LinkedIn-verse, uh, you know, what were folks' thoughts on your perspective here on how to have security conversations with non-security people?

Sarah Armstrong Smith: Yeah, so positive. I had some really great feedback from people. And it really resonated across the board, from security pros, business pros, all of those types of things. So I had a really interesting, uh, conversation or a message from somebody actually to say, "Yeah, but what if, what if they don't listen? Can I just use the big stick to say, my CEO told me so."

Natalia Godyla: (laughs).

Sarah Armstrong Smith: (laughs) Now, of course, that's an option. But really, if you just use the stick to try and get people to do things for you, are you really gonna get the buy-in? So, I, I think as much as possible, like we said, it's really about, you know, finding what's gonna work for them, having the right conversation. And I'd probably say the last, last resort, if you really had to go down there, we'd say, because I told you so (laughs).

Natalia Godyla: (laughs).

Sarah Armstrong Smith: Obviously, we're trying to avoid that as particularly as we're the vendor, so that wouldn't go down too well with it. But it's not as great. It's really good feedback. And I've actually had some people also saying that can't wait for part two. So, here we are.

Nic Fillingham: Awesome. Well, yes, I'm excited for part two. And for those of you listening that don't really know what we're talking about, check your podcast queue, go-

Sarah Armstrong Smith: (laughs).

Nic Fillingham: ... go back a couple episodes, episode one, or I should say the first part of this conversation, uh, with Sarah Armstrong Smith, where we, we had a conversation about how do you have a cybersecurity conversation with folks, uh, in your organization that don't understand this world? So, maybe pause here, go back listen-

Sarah Armstrong Smith: (laughs).

Nic Fillingham: ... to that episode first and then, and then jump forward and listen to this one 'cause today, what we're gonna talk about is, okay, now you have this new toolkit, you have this new sort of language, you have this new sort of approach for how to have these conversations, we're gonna talk about how do you go and land a conversation about adopting the cloud for security. And we are gonna talk about the Cloud Adoption Framework. We're also gonna be referencing the parts three and four of your blog series, Sarah. So could you just tee that up for us? What's in part three and part four? And then what are we gonna discuss in today's episode?

Sarah Armstrong Smith: Yeah, so it's really around, you know, how to actually frame cybersecurity from a risk perspective. So, in part one, it was really about, you know, just what is risk? And that was quite a loaded question. Thanks for that, Nic (laughs). But it was really about, you know, how do you have those conversations with non-business people. So, I mean, we use a real life example of ransomware. Um, and then in two, three, and four, we pick up some other examples, and then really try to bring it to life a little bit, as we sort of said. So, assuming you're now on the same page, you understand the risks, you understand what's on the horizon with some of the cyber threats. What's the kinda the so what, what should we be doing about it? And as we were talking about, you know, what is the benefit between staying on that on-premise environment and moving to the cloud? What's the advantages of being in the cloud? And then how do you adopt the cloud in the most efficient way that actually builds in security? So, that's kinda what we're gonna be delving into today.

Nic Fillingham: I think, Sarah, the first question that we're gonna, we're gonna tackle here, it's a very, very big one. But le-, let's-

Sarah Armstrong Smith: (laughs).

Nic Fillingham: ... this, this is gonna lay out the roadmap for the next, you know, 30 odd minutes of conversation. Why should you consider the cloud for security? Why is the cloud the, the, the end goal, the, the ultimate, uh, in, in creating a sort of a security architecture that is gonna work for your organization?

Sarah Armstrong Smith: Yeah. Thanks for another loaded question Nic there.

Nic Fillingham: (laughs).

Sarah Armstrong Smith: (laughs).

Nic Fillingham: This 30 minutes of that coming up, buckle in.

Sarah Armstrong Smith: (laughs) Just reminding you of that fact. So, thanks for leading with that big open question. Uh, well, I think-

Nic Fillingham: Before we get into that, what is the meaning of life?

Sarah Armstrong Smith: (laughs) Uh, 42, I think, is the answer to that. Yeah.

Natalia Godyla: (laughs).

Sarah Armstrong Smith: It's Hitchhiker's Guide to the Galaxy, in case people forget that reference as well (laughs). Maybe we'll put that as part three, shall we?

Nic Fillingham: Part three, yes.

Sarah Armstrong Smith: (laughs). Well, yeah, I think one of the things we were talking about, and the blog, really, and one of the things we're reflecting on part one, is just how adaptable the attackers are, and really how they're evolving their tactics and techniques. And so, uh, and then a static technology focused strategy on cybersecurity doesn't potentially give you the flexibility and agility to deal with these type of attacks. So let's give another example. So last time, we talked about ransomware. So let's bring another example, which is quite topical. And it kind of brings it to life a little bit. Probably a few months ago, people remember the HAFNIUM, Microsoft Exchange Server attack, um, which was a nation state attack, very much focused on Exchange servers. Now in this particular scenario, um, the attackers actually launched their attack from an on-premise, um, environment. So this was not in the cloud, it was the neutralizing Exchange servers or vulnerabilities in unpatched servers in particular, to launch their attack and say, "Well, why? Why did you start an attack from an on-premise perspective?"

Sarah Armstrong Smith: So one of the benefits and the ... from utilizing the cloud, um, we talk a lot about the shared responsibility model. So, in that scenario, the infrastructure, the platform itself is actually managed by our cloud service provider, uh, or Microsoft, as we're talking about. Now, every single day, we collect process, analyze over 8 trillion signals. And that's coming from the cloud, it's coming through endpoints, it's coming through Bing, Xbox, and we're turning all of that into actual intelligence. So, arguably, when you utilize a cloud, and obviously we're talking about Microsoft Cloud, as an example, here, you get the benefit of all of that threat, intelligence, all of that capability built in, and all of that visibility that comes with it. So, the reason why they therefore go to the on-premise in the data center, is arguably because they can stay hidden for longer.

Sarah Armstrong Smith: Now, we go back to the kind of like, you know, what are they trying to do, so in, and they're still trying to elevate privilege, they're still tryna laterally move, they could be trying to move from the on-premise into the cloud environment. They're still trying to get access to data. So, they're still trying to do all the things that we spoke about. But actually, if you're doing it all in an on-premise, it's all down to you to have to manage your security, manage all of the, the patching, the servers, the governance ...

Sarah Armstrong Smith: ... all of those things. So as we sort of said, one of the big advantages of utilizing the Cloud is you have the power, and size and agility and flexibility of the Cloud service provider that comes with it. So that's kinda one of the big reasons why the- there's a benefit of moving to Cloud. But obviously that's not the only reason, but it's a big reason.

Natalia Godyla: So the threats are On-Prem, that is just one of the many threats to your resilience as an organization. But this is just one that you've outlined in, uh, a set of five recent cyber attack trends that organizations should be paying attention to. So could you walk us through a few of those other trends?

Sarah Armstrong Smith: Yeah. Uh, I think that it's fair to say that the, uh, cyber criminals, as we sort of mentioned last time, will mean- will use any which way in to your organization. So last time we talked about, you know, they're utilizing phishing, credential theft. And with this particular scenario, with the Exchange, they were utilizing vulnerabilities in the servers. So we know there's a big challenge with a lot of our customers with just regarding patching. Um, and just in terms of maintaining legacy environments, and keeping on top of all of those things, and understanding who's changed in the environments is incredibly hard, and this is where we're having to then think about, you know, well, many customers working in this hybrid environment. What does that mean?

Sarah Armstrong Smith: We've also seen a big increase in insider threat as well, and it's fair to say not all of them are malicious. Sometimes this can just be down to people making a mistake and this has been quite prevalent, particularly with the, uh, pandemic, more people working remotely, more people utilizing different devices, different policies, data, huge amounts of applications and services. And there's a little bit of frus- frustration. So they may be downloading things off the internet that introduces a shadow IT, and that just kind of re... perpetuates a lot of the problems that we're talking about. And then we have issues with regards to, you know, just the volume of attacks and the volume of alerts. We then have the kind of issues with analyst fatigue, and security operations.

Sarah Armstrong Smith: So you know, if you've got all these different attacks, you've got different devices and you've got huge amounts of applications and services. And when you overlay the problems, then, of having multiple different tool sets and technologies, it's incredibly hard and difficult to stay on top of all of those things. So I think it's just fair to say, though, when we're talking about the environment, the environment we're working in... and it's not just IT, as well, we've also got the challenges with OT, and IoT, when we bring all that into scale as well, and the perimeter is just growing exponentially as well. So actually tryna just get visibility, understanding of all of those threats combined. You can see it's, it's a huge challenge for many organizations.

Natalia Godyla: I'm just gonna pretend for a minute here. I'm a, I'm a security leader, right? And I have gone through the process of aligning with the business leaders in my organization. Um, we've aligned on the business risk, business priorities. And I am starting to apply that to my security strategy. How do I communicate that back to my team? So while I've learned how to think in a business language, and to apply that to security, I, I want to still explain to my team why we're doing the work this way, why we've prioritized specific processes, workloads, how can I communicate that? And are there, are there challenges in ever trying to translate that back? So, translating the business language back to the security practitioners in your team?

Sarah Armstrong Smith: It's really just trying to level the playing field with regards to the understanding of the why, and the business motivation. And because as you sort of said is, if the objective really is to just do cost saving-

Natalia Godyla: Mm-hmm (affirmative).

Sarah Armstrong Smith: ... are you going to get the best solution to... having a cost saving could be, um, you know, one of the drivers behind, um, what you're trying to do-

Natalia Godyla: Mm-hmm (affirmative).

Sarah Armstrong Smith: ... but it's not the only driver. Actually, when we see it purely from a cost saving perspective, you're probably not gonna get the full benefit of the Cloud experience. So when we see customers looking at it from the, "What's the advantages? What's the opportunities for me to innovate?" Now, we know that one of the best things about adopting the Cloud is the agility, is the flexibility, it's the speed in which that you can just spin up projects, you can do proof of concepts, you can run huge amounts of analytics, you can get insights into a lot of these things. And as soon as we start sort of showing the added value of that innovation, we're driving better customer experiences and engagement, we're able to open up new markets, we're able to test these new products and services, all of a sudden you're coming at it from a completely different perspective, from just, you know, cost saving, or reducing that kind of tech debt, as we were sort of saying.

Sarah Armstrong Smith: There's actually... there's a huge amount of opportunity that comes with what we're trying to do, and it's just bringing people kind of on board with that. So it's kind of like, "Okay, we're gonna... we're gonna transform, we're gonna migrate." Ideally, we'd, we'd want to then be exiting our data centers or, or at least reducing some of that infrastructure down and utilizing the Cloud more. But we don't wanna think, think about, "What... How is this gonna benefit us in the long term? How do we get the longevity of this experience where it doesn't just feel like more cost that we're adding to the business." And I think the real exciting bit really does come down to when you can drive those business insights and data and those customer experiences and start to really take it to the next level, which are hopefully is... it's really what the long game is with this.

Nic Fillingham: We all work for Microsoft. So, so-

Natalia Godyla: (laughs).

Nic Fillingham: ... we have a... we would, we would love for you to consider, uh, Azure and, and Microsoft Security Solutions. But pretty much everything that you said here is, is, is sort of applicable, sort of, regardless of vendor, especially if it's a very, very large vendor that has this sort of scale and sophistication of, of a company like Microsoft. We wanna make sure that here on the, on the podcast too, we're sort of being... it's, it's sort of somewhat agnostic. We, we, we obviously want folks to consider Microsoft, but everything that you're saying... and please tell me if I'm wrong here, but everything you're saying about the benefits of the Cloud, and about how to better utilize the Cloud really is sort of... it is sort of agnostic, right? It's not just... You're not just talking about Azure, we know, we think Azure is great, and does some great stuff-

Natalia Godyla: (laughs).

Nic Fillingham: But the Cloud is really a superior architectural solution versus On-Premise, especially for security, and especially in this, this modern age.

Sarah Armstrong Smith: 100%. Yeah. So when obviously we're talking about Azure, we're talking about M365, and also Dynamics in terms of, when we talk about a Microsoft Cloud, it's kind of all three of those. But really what we're looking at is we've taken all of the lessons learned and we've taken all those best practices and, and looked at, "How can we help customers drive Cloud adoption in the most efficient and best way?" And that therefore is completely technology-agnostic when we're talking about Cloud adoption. Um, and obviously, we built a framework about how to adopt that in a Microsoft environment. But as we touched on, many customers are running Hybrid or Multi-cloud. So it's really about then how would you enable security, compliance, innovation, all of those things in that environment. So I think people sometimes misconstrue that when we're talking about Microsoft, we only manage Microsoft, (laughs), which actually isn't the case. So a lot of the capabilities that we have that are built into Azure and M365 actually enable customers to still run Hybrid and Multi-cloud, but run it from within the Azure environment.

Sarah Armstrong Smith: So there are actually huge opportunities to take advantage of, but really, as we're sort of saying, when we're talking about just how to have the conversation, you know, even before you've even selected what vendor you're gonna have, you know what I mean? You know, we've talked about, um, you can utilize Azure, Amazon, Google, kind of the, the big ones there, um, where it's not a case of either or, you know, it could be that you wanna utilize different Cloud services and applications and technologies to do different things. And that's cool, that's fine, (laughs). But really, what we're sort of saying is just do it in the right way for the right reasons. But I, I think I'm, I am... I'm gonna be biased and say actually our, our security capability is pretty cool. (laughs), so why wouldn't you wanna base it on Azure?

Natalia Godyla: So can you talk a little bit about the differences in h- in Cloud models? So 100% Cloud, Hybrid, how you think about adopting those, how you think about securing them?

Sarah Armstrong Smith: Yeah, and I, I think it kind of comes down to, um, first of all, understanding the scenario that you're going for with regards to what are you trying to do? How are you trying to do it? Is it about cost saving, and we're trying to do alignment. So we've seen a lot of companies that are actually trying to move away from their big, clunky, bespoke applications. We've still got a number of customers that are running on mainframes, believe it or not. And they just think huge advantages from taking advantage of software as a service, for example-

Natalia Godyla: Mm-hmm (affirmative).

Sarah Armstrong Smith: So being able to utilize, you know, lots of different Cloud applications and then move them away from having to just bespoke different things. Uh, and some of the customers, they wanna keep control over what they're doing and how they're doing it. So for them, it's about infrastructure as a service. But we see a lot of the benefit really from if it's just a lift-and-shift, so what I'm sort of saying is just taking all the data and all of the services in your On-Premise world and moving it to the Cloud. That's one example and you can do that, but that's probably not going to give you the best advantage. So there's actually a huge amount of opportunities

Sarah Armstrong Smith: ... Opportunities to even streamline your data, to get some insights on the data. And we can even run a- analytics across the type of data you've got, how it's being utilized, it's, if there are opportunities to archive it or del- even delete it before you move it to the cloud. So I think is, is really trying to understand the scenario and what we're trying to do to see where you can leverage the most value. So there are, like, lots of different options depending on what it is you're trying to achieve. The further you kind of move up from that infrastructure as a service to platform up to that kind of software as a service, obviously, it's all cloud-enabled, but it just gives you a lot more efficiencies. There's a lot more built-in capability, which ultimately means that you don't have to sit there and design and build it yourself (laughs). And I think one of the advantages there is therefore just, as we sort of say, speed.

Sarah Armstrong Smith: Speed is of the essence in terms of your ability to speed up your development time, get these products to market, do lots of innovative things, and just get your people working on really cool, interesting projects. And I think then, and we see the same for security as well. So if we can remove some of the kind of the day-to-day blockers and the fatigue that they may get from these constant alerts, and obviously, when we're looking at security at scale and the value that the cloud provides, what we're trying to do is, is automate and block known threats as much as possible across the entire estate so that we try and get these really high fidelity, the real interesting things in front of the analysts.

Nic Fillingham: I wonder if this is a good time, Sarah, to sort of switch over a bit more sort of, uh, directly to the Cloud Adoption Framework. So we've mentioned it a few times. So if you go to, and we'll put the link in the show notes, but it's up on the site, which is a, a, a pretty amazing site if you haven't spent much time in, in Docs. There's a lot of fascinating frameworks and, and architecture and, and information there, really, on, on sort of everything, not just Microsoft related. But go to Docs, search for, uh, the Cloud Adoption Framework and then it's a really, really comprehensive, uh, set of, of documentation here. The Cloud Adoption Framework, who is it for? Is it for the security professional? Is it for the security leader? Is it for the CEO? Who utilizes this and how, and, and sort of putting that into perspective with what we're sort of talking about here. So we're trying to help security professionals and maybe even security decision leaders convince, really, or, or influence their leadership to adopt the cloud, and as you say, move probably from IaaS to platform and then ultimately to sort of full cloud or hybrid cloud. How should they be utilizing the Cloud Adoption Framework? Who's it for and where do you recommend they start?

Sarah Armstrong Smith: Well, what we've done is from a different, uh, perspective as you try and say for, uh, first of all, we tried to keep it as agnostic as possible. So we're not going too deep into the technology per se. We're trying to make sure that we are talking generically with regards to the Cloud Adoption and how to do it and those type of things. So it's, it's really written to be as straightforward and in plain English as possible. And when we're talking about the best practices and the documentation and the tools and those type of things is we're really looking at it from a number of different perspectives. So we're looking at it from the cloud architects' perspective, the IT professionals, but also the business decision leaders. So when you go to the Cloud Adoption Framework, there's a huge raft of information about even just setting and understanding your strategy, understanding your motivation. So as we were sort of saying, before you've even got to the, um, you know, who's the vendor, who, how are we gonna design it, how are we gonna migrate? It's really understanding the strategy, the business justification, what are the outcomes? And that's kinda where we were talking about, you know, sort of about landing that really big picture understanding from a business's perspective. We've got this strategy, what do we do next?

Sarah Armstrong Smith: So we're then planning what does this digital estate look like, what's our readiness plan, what's our transformation program look like? Are we gonna retain some of that, as we said, the hybrid world? Are we gonna move fully to the cloud and what's that gonna look like? What's our timeframes? And then we're gonna have to kind of get ourselves ready. So we're having to not just build the infrastructure. I think building the infrastructure, educating people, getting them used to these new ways of working is one thing, um, but actually, there's a huge amount of education that has to go into, um, the business itself in terms of these changing business models, the opportunities, the changing business processes, how are they gonna adapt their policies and all of those? And then, obviously, there's the, the migration part, there's governance. So it's looking at what, what benchmarks we're utilizing, what the best practice is. And then, if you then overlay, potentially, you might have regulatory requirements. So we have a lot of baselines that people can turn up and down. But to get this to a level of simplicity, so as you sort of said, there's a huge amount of information and it might be a little bit overwhelming if you're kind of starting from the very beginning and going all the way through it.

Sarah Armstrong Smith: So what we've tried to do is we, we've also looked at it from two perspectives. So we've created a number of videos and we've done this from a, um, IT professional's perspective. So what is it they need to know, particularly from a security perspective? And then we've created some videos as well, which, uh, kind of talks them through these principles and processes and where to go for information. If you're just the layman, if you're just, you know, someone in the business who's got an understanding, needs to be able to explain a lot of these things. So we're trying to look at it from different perspectives and, and, you know, some people are very new to the cloud. It's just their first, um, time of even thinking about moving to the cloud right through to those enterprises that have kind of got used to, uh, one cloud and they go multi-cloud (laughs). So when they're dipping their toe all over the place.

Sarah Armstrong Smith: So, so then it's, uh, really what we're trying to do is, you know, customers don't want to be locked in, they wanna be able to move around and to take advantage of all this technology and innovation and all of these type of things. So as much as we're helping them to migrate to the cloud, we also wanna make it as simple as possible to exit the cloud as well. So, obviously, we don't want you to exit from Microsoft, we want you to stay with us. So we wanna make-

Nic Fillingham: (laughs).

Sarah Armstrong Smith: ... (laughs) we wanna make sure you have the option and we wanna make sure that you've kinda all of these things are built in as standard, you know, in terms of that governance, management, strategy, all of those lovely things we're talking about really.

Natalia Godyla: What informs the Cloud Adoption Framework? Is this based on our experiences with customers, our own experiences as Microsoft? Is it, uh, based on any particular approaches or frameworks in the security sphere?

Sarah Armstrong Smith: It's all of the above actually. So I will probably, just to put things into perspective, so Microsoft has more certifications than any other cloud service provider. We have to adopt all of our customers' regulations as well. So when we think about, you know, frameworks like NIST, you might have ISO [20000-1 00:27:17], you've got GDPR, all of these different things. So some of the, uh, certificates, some of the controls are very specific to different sectors. They might be specific to different regions or they could be global. So with Microsoft having to comply and certify to all of those standards by default, and we have to do that to make sure that customers have the right le- levels of assurance that they can provide to their stakeholders and their regulators. So you think about all of those different certifications that we have to abide by. There's potentially thousands of controls that (laughs) that are built in, um, different standards and all of those types of things. So we try and take all of those things together and then we elevate. So we kind of look at, "Okay. So we wanna make sure that we're being dynamic to all of these different threats and the changing scenarios that we're talking about."

Sarah Armstrong Smith: We're constantly talking to different regulators and different customers about their challenges. And all of that goes into a big feedback loop. So as I sort of said, there's a huge amount of capability at your disposal in terms of the capabilities that are built in, not just from a security perspective, but also from a compliance perspective. So if you need to be able to meet specific data protection controls or be able to give assurances to your regulators or to your customers, we will help you in terms of how to do that. So we're constantly evolving. So some of this is, you know, c- controls that we have to meet. It's about those best practices and we're sharing those best practices all the time, constantly refining the technologies, the policies, the processes.

Sarah Armstrong Smith: And as you've seen, with regards to the Cloud Adoption Framework and just the, there's a huge raft of information that we're constantly sharing with customers, so they, you know, they can take the best advantage and the best approach, um, in terms of adopting the cloud, but doing it in the most efficient way for their business and the future of their business as well.

Nic Fillingham: Sarah, I wonder if there are a couple of sort of gotchas or some sort of pitfalls that, that you sort of wanna call out here when folks are starting this conversation with, with leadership and with peers about how to, how to adopt the cloud. And maybe the answer is none. Maybe like, "Cloud Adoption Framework is perfect. If you follow it from the beginning to the end you'll be, you'll be, you'll be, you'll be sweet." So that's, that's an acceptable answer, but I, I do wonder if, if maybe, you know, do some folks get a little too sort of excited about one particular area and maybe forget to do some, some groundwork? Is there any sort of gotchas that you think folks should sort of just keep in mind?

Sarah Armstrong Smith: One thing that probably trips some customers up a little bit is they're trying to take that old-world way of doing things, so how they operate in a lockdown on-premise environment is much different to how you operate in the cloud. So they're trying t- to hone their policies and processes in and maybe that doesn't work as well, or they're putting layers and layers of security in. But ultimately, we're building trust. We're building a- a trust between the cloud, the different environments, and all of those type of things. So we do find that, um, customers potentially have to go on a bit of a journey with regards to the changes that need to happen and the benefits that they can actually adopt by moving to the cloud.

Sarah Armstrong Smith: So if it's literally as we sort of said moving from A to B, following the same policies and processes the way- the way we've always done it, then you're probably not going to get the most benefit. So I think there's an opportunity to really think about how you can use like DevOps is- is a really good way of, you know, utilizing the cloud and utilizing it with code, a lot of these built-in best practices. So we'll even give you the best practice in terms of how to spin up a VM, how to actually overlay a lot of the security controls, how to tweak those controls, how to report on them. We even give you some advice and guidance about how to set up your security operations and how you can continue to evolve all of those things.

Sarah Armstrong Smith: So it probably sounds like we're trying to be all things to all men. (laughs) Because of the way that we've written it.

Nic Fillingham: All people.

Sarah Armstrong Smith: All- all- all people I should say, yeah. Thank you for that and being inclusive and everything. But I think what we're trying to do is just get that baseline to give you those best practices, but you do have to be able to adapt them to your own business, your own sector. Another... So we have a huge array of partners, as well, so it's not just Microsoft. We've got, you know... We have a big partner network that can also assist in terms of, you know, making sure that you can get the very best out of what we're trying to achieve now and into the future, as we said.

Natalia Godyla: So if we have a listener today who is thinking about their cloud journey and just starting out on it, what do you recommend they go do now to start preparing? I mean, we've talked about aligning with the business early on, but is there anything else they should be thinking about before they start making some of these decisions?

Sarah Armstrong Smith: Yeah. I think it's twofold, really, as we sort of said and we touched on in the- the first episode about aligning with the business. You know, that's so important that we're not just kind of making these considerations from a technology perspective. We understand and we're aligning to the risk, the business, um, models, their risk and resilience strategy, and then we're overlaying some of those foundation principles that we talked about, particularly with security, making sure that it's built in by design and not an afterthought.

Sarah Armstrong Smith: So I think that, first and foremost, it's- it's really about getting that, um, business alignment first and then looking in terms of how we can optimize some of the controls, how we can do better, how we can get the best advantages from what we're trying to do with the cloud itself.

Nic Fillingham: Obviously, you, as an individual human, don't scale to every person out there in security land that might have questions about this, but I wonder what sort of forums exist for people listening to the podcast as Natalia just sort of like framed for us that are like, "Okay. I think I'm ready to have this conversation with leadership. I'm... I think I'm ready to start talking about adopting the cloud for security or moving some of our security services and functions into the cloud." Obviously, the Cloud Adoption Framework, we'll put that link in the, uh... In the show notes. Are there any other places that folks can go to? Are there any sort of Microsoft communities? You know, can we give people your phone number?

Sarah Armstrong Smith: (laughs)

Nic Fillingham: Um, what- what... How- how else do we support sort of customers and folks sort of thinking about this?

Sarah Armstrong Smith: I think there's probably different- different options dependent on maturity, so for an existing Microsoft customer, you've got your account managers and- and partners, and those type of things that are... That you've already got at your disposal. But, as you said, we've got a huge amount of community, so you've got tech communities as well as education. So if you want to get really deep into Sentinel and- and those type of things, we've got, um, communities within Microsoft, but we've also got the tech community, so you can actually ask questions of your peers. So you don't always have to come to Microsoft. You can, uh... Directly. We just have lots of different forums available to- to talk about different technologies or different things.

Sarah Armstrong Smith: We've got huge amounts of webinars. We've got the security blogs. We've got, uh, so much stuff. (laughs) Loads of stuff at your disposal, and sometimes it can just be, as you sort of say, ask Microsoft or asking a peer in terms of how to do something. But we also do peer-to-peer conversations as well, lots of round tables, so if you want to know how... Know a customer... A competitor, even, in your industry is doing things and how they're doing it, we can actually help to have those conversations with your peers as well.

Nic Fillingham: And I guess if you want to argue about anything that you've heard on today's podcast or the Cloud Adoption Framework, people can also find you on Twitter, Sarah. Is that right?

Sarah Armstrong Smith: (laughs) Twitter and LinkedIn, yeah, but hopefully you won't want to argue. You'll just say you agree with everything said because it's cool.

Natalia Godyla: (laughs)

Nic Fillingham: Awesome. Well, Sarah Armstrong Smith, thank you again for your time on Security Unlocked. I think this was a fantastic part two to a conversation on how to talk cybersecurity to non-cybersecurity people. Again, we'll have all those links in the show notes, but I'm pretty sure we'll be talking to you at some point in the future back on the podcast again, Sarah. Thanks for your time.

Sarah Armstrong Smith: Fabulous. Thanks, Nic. Thanks, Natalia.

Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.

Nic Fillingham: And don't forget to tweet us @msftsecurity or email us at with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla: Stay secure.