Transcript for:
Zero Trust Implementation Insights by Microsoft

[Show theme music] HEIKE RITTER: Hello! Welcome, everyone, to another episode of the "Virtual Ninja Show." Today, I have Clay with me. Clay, I'm super excited to have you finally on the show. Please introduce yourself.

CLAY TAYLOR: Heike, thanks so much. Like, honestly, this has been something I've been looking forward to. I'm glad that, you know, I'm finally able to get our schedules lined up so that I can actually come onto your show, and I'm really looking forward to talking to you today. I'm a principal architect, part of the Intune product group, but one of the other roles that I've been playing for the last few years is I actually lead our zero-trust deployment v-team and a lot of our zero-trust efforts specifically around devices and device protections with, you know, a zero-trust mindset at Microsoft.

HEIKE: Yeah, and before we get into the topic, which is the workshop that you developed together with your team, can we start by explaining a little bit about how Microsoft approaches zero trust?

CLAY: Sure. So, you know, Microsoft has taken a simplified approach to zero trust. If you go look at a lot of the other zero-trust sources out there, like The Open Group, for example, which by the way, a lot of Microsoft employees actually sit on the board and are members of The Open Group, but they have broken it down to 10 or 11 commandments for zero trust, and you see that pretty much everywhere. And at Microsoft, we condense those down to what we call our "Three Principles for Zero Trust." And the simplicity is just a way for us to be able to tell the story easier. And I really do feel like it works. And if you, you know, look at these three principles, the first is verify explicitly. You know, this one is fairly self-explanatory, but it's constantly validating every single authorization attempt, every identity, every device, making sure it's healthy at all times before they're able to access corporate resources.
And you know, at Microsoft, this is really our Conditional Access story with, you know, Entra Conditional Access and things like Intune compliance policy, where we can actually enforce this. The second is least-privilege access. And this is one that, you know, I've been talking about least-privilege access for 18 years. You know, it's been around for forever. And to me, even though it's been around the longest, it's actually the hardest to implement in practice. And that's because it has the most impact on your end users. Finally, assume compromise. Assume compromise is basically just limiting your blast radius. It's saying, "Hey, at some point I am going to get successfully attacked and an intruder is either going to get access, either fully or partially, to an identity or to a device, and I just need to make sure that I'm not letting them pivot to other resources. I need to make sure that, you know, I'm basically stopping them in their tracks." And as I said, limiting your blast radius in the event of a breach. And the last one you'll see, it's not actually bolded and it's kind of hidden there. And that's because this is not an official Microsoft principle, but I like to call it, you know, a Clay principle. And this is "Securely enable the business." And you know, to me, I've done now hundreds of deployments with customers, you know, with zero trust, and in the Zero-Trust Framework. And what I've found is that you have to really have all three units--business, security, and IT--working together. And if you don't, honestly, I've seen it fail. And it's really important to have these three groups talking together. And not just a one-way street. You know, there's a lot of different back and forth here. It's not just the fact that if you turn security controls too tightly that your end users are going to suffer. But it's also, you know, the business needs to tell IT and security what are my most important assets?
What are the things that are really going to cause me reputational harm if they were to get access by an intruder? And that's where you have to have this two-way communication and have all three of those groups working together. And if you do, it will be successful.

HEIKE: Hmm. We will talk about this a little later again, as well. So, you know, zero trust is really also a very strong word. So when it's zero trust, how can I trust you? How can I trust Microsoft? How can I trust a Word document? Like, it's zero trust.

CLAY: I knew you were going to ask the hard questions. So, you know, it's really more about zero "assumed" trust, and the fact of the matter is, zero assumed trust doesn't have the same ring to it as zero trust. And it's just "zero trust" is just more catchy, but it really is about zero assumed trust. It's about not making, you know, false assumptions. And you know, it's basically, once again, constantly verifying trust. And you know, we used to have the phrase, "Trust but verify." And you know, it's at that point it was a, hey, you know, once you verify once, it's OK, but now, it's about verifying explicitly. It's about constantly verifying, you know, all those authorization attempts, everything that's going on in your environment to make sure that it can be trusted, you know, throughout the entire, you know, access period.

HEIKE: But you know, I know we talk about ZT, but if we had the zero assumed trust, we had ZAT, like a nice new acronym.

CLAY: You know, until just now, I've never thought about that. But that's also a great point. And that's... [Heike laughing]

HEIKE: I know you worked a lot on the NIST framework as well with of course, zero-trust deployment. Can you tell me a little bit about it and how that zero trust fits into that NIST framework?

CLAY: Sure, so.

HEIKE: Whoa.

CLAY: Yeah. Exactly. We actually worked with NIST very closely, and myself, Tarek Daiwu, many others, you know, across Microsoft, we actually met with NIST.
Sometimes, you know, anywhere from 3 to 10 times a week and starting back in 2023. And we worked with them to actually help them build out their zero-trust story and their zero-trust lab. And you know, one of the things that stood out was our broad coverage across zero trust. I mean, as you see here on this slide, there is no other competitive vendor out there that even comes close to us when it comes to our coverage across all the pillars and across all these areas of zero trust. And we actually even used our learning with NIST to figure out where we had gaps. And you know, you'll actually see some new products on here that weren't there when we started. And those actually came about when we started saying, Hey, you know, NIST is saying we need this thing, and it is something we probably need to focus on, so let's go build that product. And some of these products were actually developed after our engagement with NIST started, when we started filling in these gaps, and we're constantly doing that today.

HEIKE: So, when I look at this packed slide, there is a lot of areas, like resources, and then there are products protecting those resources. And when I think about customers going like, "Yeah, yeah, let's go zero trust," how can they turn all of this on? I think it's so complex and so complicated, and this is where your workshop comes in. I read a lot about it, and maybe you want to tell us a little bit how this workshop works?

CLAY: Sure. So honestly, you hit the nail on the head. You know, it's something that we started noticing. We started going through, and I'll just give you a little backstory here. You know, we started telling this very simple story about zero trust about 5 years ago. And we basically said, "Hey, you know, zero trust is simple, and we broke it down into these six pillars, you know: identity, devices, data, apps, infrastructure, and network." And we said, "Here's six pillars."
And we did a bunch of hand wavy stuff and we're like, "OK, go do it." And you know, turns out that zero trust is a lot more complex than that. And you know, this is a slide, I call this the spaghetti slide, but you know, it honestly shows the complexity of, you know, implementing an actual security story. And this is a very popular slide. This is called our MCRA, or our Microsoft Cybersecurity Reference Architecture diagram. You can get to it aka.ms/mcra. It is popular with our customers. In fact, it's so popular someone actually made a bedsheet out of it and called it their security blanket and said, "You know, this is so important, I feel like I need to sleep with it at night." And I thought that was a little weird. But at the same time, you know, it does show how important this is at the same time is that it also shows the complexity, and every single one of these boxes, Heike, could actually have anywhere from 50 to 1,000 steps. And wow, we started looking at this and we said, "You know, we have a problem here." And we started writing down all the steps involved with zero trust in a spreadsheet. We got to over 2,000 items, and we weren't even close to halfway done yet. And we're like, "OK, we have a real problem here." Like, how are customers supposed to actually go do this? And so that's where the Zero-Trust Workshop was born. You know, that's actually what started this. And we basically said, hey, you know, we don't have a great deployment story. We can't just give a customer a list of 2,000 items to go do and say, "Hey, go do it." You know, we need to come up with a way to actually make this a process and to actually give you a starting point and to have goals and to actually measure your progress along the way.

HEIKE: So then, Clay, how is that workshop going? Are customers coming to you? Are they meeting in a classroom? Are you going to them? Or can they run it by themselves? Do we have partners? Or how is the workshop being delivered?
CLAY: Great question, Heike. And honestly, the answer to all those questions is "yes." You know, it's something that as we've developed and as we have started going through this, we honestly fought really hard to make this [1] a free offering, [2] an open source offering where anyone can edit it and make changes themselves. But we've also wanted to make it publicly available. So today, you can actually go to aka.ms/ztworkshop. It doesn't matter if you're a Microsoft employee, if you're a customer, if you are a partner, you can all access the workshop from that URL. And the great thing is that, you know, when we design this, we've actually made it easy to edit. We've made it where you can walk through this on your own. We do actually offer this as a delivery at Microsoft. Right now, we're working on our scale motion. We have a very small number of customers that we run through this with today, but we're actually scaling out to our Fast Track program now. And we've also started partner training, and we actually have a lot of our deployment partners that have already started using this workshop on their own to actually walk through the same thing with their customers. So, actually helping their customers deploy zero trust using our tool. And we are 100% OK with that. We honestly want partners to use this and to help us make it better.

HEIKE: So, this is great that actually it can be delivered by partners or customers can do this. How does it work? When I go to the website, then what's next?

CLAY: Great question. So, once you're there, you'll notice that we've actually broken down the workshop into two pieces. And the first is an automated portion where you can come in and run a PowerShell module on your environment.

HEIKE: Zero trust, Clay. Zero trust. You can't just trust a PowerShell script. [laughs]

CLAY: Yeah, great point. We do have the permissions listed.
I will say it's read-only permissions that are required, but you can actually go run this PowerShell script that's going to just pull down information in a read-only manner from your environment that's going to actually give you great information and basically give you this high-level overview about, you know, what your environment looks like today on your zero-trust journey. I'll say that to me, this is probably the least important piece of the workshop because this is the least detailed piece, but it's a great starting point. And I'll also tell you this is a sneak peek. We are actually in the process of version 2 of the assessment tool, which is going to have over 100 checks it's going to do in your environment. And a lot of this is based on our, what we call our "Secure Future Initiative," our SFI learning internal at Microsoft. So we're going to actually be improving this greatly over the next month to 2 months.

HEIKE: Do they need something specific? Is this all written out on the documentation? Like, do they need admin rights...

CLAY: Yes.

HEIKE: ...to read all of this? Can this be a user, this is all specified?

CLAY: So, all of the rights that are needed to run this are all included on the website. We actually even have an instructional video that walks you through step by step on how to run the tool. The other thing I'll call out is that we don't get access at Microsoft to any of this data unless you share it with us. You know, if we were to do a workshop in person, this is only for you. So when you run that tool, no one is going to have access to that unless you give them access to the output from the tool. And the other thing I'll just call out really quickly is that it's also going to even, you know, take all of your policies and do a dump of your policies for both Intune and Entra. So you can actually then go and do what I think is one of the most important pieces of IT today, and that's hygiene on your policies.
And it's something that, you know, as I've started going through these workshops, one of the biggest learnings for me is that, you know, policy hygiene is hard when it comes to security. And customers don't know, you know, that a policy that they set 5 years ago and was possibly set by someone who no longer works at their company, probably needs to be updated every 3 to 6 months. And you know, being able to go and run this tool and actually see, "Hey, you know, I probably need to go update that minimum operating system version to a more recent one." Or, you know, "Hey, I didn't even know that this new feature was available, and I see I don't have it set. I probably need to go set that in my tenant." And it's something that has just come up over and over again and working through these workshops is that, you know, hygiene is important and it's something that is very difficult to keep up with. So, having this tool to check and run through every 3 to 6 months has been a great help for our customers.

HEIKE: Yeah, it's the cleanup. It's the merging policies because, you know, you just set up a maybe new one or a new team does something. So I understand. Luckily, we also have Secure Score, which could help with what is missing besides, you know, especially when it comes to the specific settings. But now, let's talk about the manual approach because this was the automated one. You run a PowerShell script, it gives you a lot of details, and then we have the manual part.

CLAY: Exactly. And to me, this is really the most important part of the workshop. And you can go download this Excel spreadsheet, and a lot of people say, "Wait, what, it's in Excel?" And yes, it's in Excel, but I'll also tell you it's actually been called the "Seventh Wonder of the Excel World." And people have just been blown away that we were actually able to pull this off in Excel. And I will just call out really quickly to Merill Fernando based out of Australia.
He's part of our identity architect team. And a lot of this was his vision, and a lot of this was, you know, his work that actually made this possible in Excel. We started out trying to build an app, and we were like, you know what? "You know," Merill said, "Hey, let's try this in Excel." And what he's come up with is just fascinating. And it's something that, you know, is not only easy to use, it's something that you can actually edit on your own. If you want to change one of the boxes, you can actually just go do that because it's in Excel. But it also makes it very easy for us to be able to share it, to be able to pull data into other sources. And you know, it's something that I think that you'll really appreciate as a customer, you know, that you know, hey, this is actually done in something that I can go edit myself. And there's a lot of other reasons, as well, which we'll get to in just a second. But yes, the manual part of this workshop, you know, this is what it looks like. This is an example from the "Devices" section, and if you look down at the bottom, you'll see that we've actually divided up into pillars. And so, you know, these pillars are not product based. This really could be done with any third-party product. You could actually go through and do these same checks. The one callout I'll make there is that some of these are named after our product names in the actual boxes above, but you know, at the same time, it's something that you could translate over to any third-party product and use it there. But it is today based on the pillars.

HEIKE: So, in talking about the pillars, you usually have in bigger organizations different teams. A person is...a team is responsible for securing devices, managing IT devices. Then, there is a group that cares about identities. And we talked about this at the very beginning. You were saying people need to talk to each other. How do you make them talk to each other?

CLAY: Yeah, that's a great question.
And that's something that has really come out of these workshops, as well. You know, we really recommend for these workshops, just for the devices, for example, that you not just limit it to your device admins, to your MDM admins. You also want to have your identity admins in there. You're going to want to have some of your network admins in there. In some cases, you want to have your infrastructure and apps admins in there. And it's something that what we found is that if you don't have those people in the room, then you're not going to have all the answers as you go through this. So it's actually really great to start, you know, with all those people in the room. And we actually have a list on the website of who should be present during each of the workshops. And as I said, it just really helps with the conversation. And as we start going through this, what I've also found is that, you know, if you're in a room together going through this as a group, there's a lot more back and forth. I will say that most of the deliveries that I personally give are remote deliveries, and that's totally OK. But we don't get as much back and forth. And I think a lot of that is because of some of that's occurring behind the scenes in Teams. But I will say that the best workshops are definitely when you can get people in a room, lock the door, and say, "Hey, we're not going anywhere till we get this done." And, you know, it really does work. It really does bring out conversation, and you have teams talking together. A lot of times, probably haven't talked about these things in years, but you start to realize that, you know, it's a group effort. It's not just one team that's doing this, it's something that everyone needs to participate in.

HEIKE: So Clay, I'm not going to ask all the things, like, where to start, you know, because I think it might be different from company to company, or maybe the Zero-Trust Workshop gives them exactly, that's the roadmap where you should go.
But I see from the products, not everything that we have is currently listed there. So, is your team expanding the workshop to other products in the future?

CLAY: That's a great question. And you know, you definitely noticed the right thing. And right now, you know, it's only for devices, for identity, and for data. And the answer is, we actually have already built some of the other pillars. So, we're getting ready to release the workshop for both infrastructure and network. In fact, we've actually already started testing those with customers, and we're getting ready to release it publicly on the website in the coming weeks. And then, after that, we will focus on some of the final remaining areas around some of our security products as well as, you know, our apps pillar are going to be a big focus area for us in the coming months.

HEIKE: So, I assume that there will be a new Excel version when there are new products coming. And even though it doesn't look like Excel, because this is so beautiful, and just see the icon. So, but how do customers use that tool? Like, all these little boxes. Tell us about it.

CLAY: Yeah, great question, and let's just go through that really quick. So basically, you know, as I said, you'll notice at the bottom that it's divided up by pillar. So you'll just click either the "Devices" or "Identity" pillar, whichever one you're starting with for that day. And then, you're going to notice that in the side panel, you're going to see that it's actually broken up by intuitive problem areas. So we basically have broken this down--like for Devices, for example--you'll see a section for "MDM for Windows," a section for "MDM for iOS," a "MAM" section. For "Identity," you're going to see a "User identity" section. You're going to see a "Security" section on securing your identities, and we've broken it down by problem area.
And then, inside of the actual spreadsheet, you're going to see a lot of little boxes, and all these boxes have their own category. And the really cool thing here is that for each one of these boxes, you can actually click on them, and it's going to take you to documentation where we actually explain, you know, each of these concepts to you. We have links to, you know, different MVP blogs and our internal Microsoft documentation. On each of these items, you'll see things like screenshots. You're going to see slides for some of the boxes. And as an FYI, we're in the process of redoing a lot of those boxes and adding a lot more content. So in actually the next 30 to 60 days, you're going to see a ton of new documentation and content. And the really awesome thing is that we've started recording videos for each one of the boxes, and we've already got around eight of them for devices recorded by one of my colleagues, Jason Sandys. We've just started on the "MAM" section, where we're going to have, you know, for mobile application management, we're going to have little video clips for each box that are going to walk you through how you could talk to your customers or to your own team about these items. Things that we think that you should think about as you're going through this, and you're actually going to have a video option for each box in the spreadsheet.

HEIKE: Wow.

CLAY: Yeah. It's a lot of work, but you know, we think it's important and we've had such a positive response from customers when we do these in person that we want to make sure that everyone has the same opportunity to hear how we talk about these as we go through the Zero-Trust Workshop with our own customers.

HEIKE: Wow. Yes. So, and then the videos will also be a link behind each box that they can?

CLAY: That's correct. They'll actually be embedded in the Docs page. All the docs are hosted on GitHub. If there's something you don't like on the Docs, you can actually submit a GitHub change request.
We triage those every Tuesday. So once again, we're trying to make this open source and allow our community to get involved because we really, you know, understand that we don't know everything, and we really do want to make sure that our customers' voices are heard. And so we actually made it where you can actually submit your own requests to change our Docs if you think something could be said in a better way.

HEIKE: Big love for our community. Please help. This is...

CLAY: Yes, please.

HEIKE: Yeah. Yeah.

CLAY: That's for partners and customers. It doesn't matter. Like honestly, we want to hear from you. We really do. So, we talked about each one of these boxes having a link. So as you go through this, what you're going to do is actually click the drop-down box. You'll see that each one of these boxes has a drop-down menu. And when you click on that, you're going to be given a lot of options. And what's available in those drop-down menus, you know, it's things like where you are on that particular item. So, as you walk through this, you're going to say, "Hey, this is already planned. It's in progress." You'll see buttons like "Follow up," and those are usually, if I'm walking through this and I say, "Hey, I actually don't know a lot about this. I haven't implemented it yet. So, I'll mark it as a follow-up, and I'll say, 'Hey, you know, I need to have a follow-up session.'" If I'm a partner that's giving this workshop or you know, if this is me as a customer going through this, I can say, "You know what? I need to have a follow-up with my team" or just, this is a note to me to go back and actually go see if I need to implement this today in my environment and go through change control process, etc. And so you can actually mark each one of these items. If you're using a first-party product or a third-party product, you can mark those here. You know, we have a lot of different options for you to be able to mark your progress.
And the goal is to eventually get to green and mark them all as completed as you walk through the workshop on your own.

HEIKE: So, everybody starts with all black.

CLAY: Yes, they start with all black, not started. And that's the way it starts. And then you go through and manually change each one of these boxes on your own or as a partner, you're marking these for your customers as you have the conversation.

HEIKE: This is so cool.

CLAY: So, some of the other questions that I get asked are, "Is it possible to take notes?" And there are actually two different ways that I've seen people take notes here. And the answer is yes, you can. And so for each one of these boxes, when I'm walking through this with the customer, I actually add a comment. And so I just click "New comment," I type my notes in the comments, and that way, when I'm done, when I give the customer the handout at the end, all the notes are right there, and they can click on each box and see all the notes for each section right there in the "Comments" section in their document. The other way that I've seen this done is through, you know, notes, and you can actually add a sticky note for each one of the boxes, instead. If you don't like the comments, you can use sticky notes. And some of my coworkers prefer to use the sticky notes. I just happen to prefer the comments. But there's different ways you can do it. Because it's in Excel, you know, honestly it's very easy to do. And it's something that, you know...

HEIKE: I was about to say, there we have the beauty about having it in Excel because you have all the collaboration tools in it. Sticky notes...

CLAY: Exactly.

HEIKE: ...comments, whatever. Awesome.

CLAY: Yep. And the other thing I'm going to call out is that, you know, as we're going through this, I also need to ask, well, I don't know if I have the license. I don't know what license I need.
And so now we've actually added little boxes that say, hey, this particular item requires Intune P2 or Identity Entra P2 or Intune Suite or Entra Suite. And we've actually, you know, marked each box with a tinier box that tells you what license requirement is actually needed for these. And just a little bit of a private preview as far as you know what's coming, we're also looking at ways where we could actually tag these items to show you which of these are part of the NIST framework for zero-trust or CIS benchmarks or the Australian Essential Eight or the European Union regulations. We're looking at ways that we can actually add boxes either here or at least the documentation to be able to tell you which of these items are most important for those regulatory bodies.

HEIKE: I actually want everybody to just go out now and download that Excel spreadsheet and start changing from "Not started" to "In consideration" or "Completed" or even for themselves to have an amazing overview of what their infrastructure looks like, their services, and yeah. Wow. So those were my final words. Go download. What are yours?

CLAY: Same thing, honestly: Go download the workshop today. Like, we really want to get your input. We want to see if it works for you. Please let me know if not. There's actually quite a few different ways that you can submit your feedback from the website. You know, you can actually submit changes to GitHub. You can submit feature requests. If you're a partner and you're running this with your customers, you can actually say, "Hey, I'm going to go fill out this form and tell Microsoft that yes, I'm actually running this with my customers." So there are a lot of different feedback forms available on the website, and we really do want you to just go try it out. If you get stuck, please let me know because we want to fix it. And, you know, Heike, I can't thank you enough for having me on the show today to let everyone know about this.
And you know, it's something that I am very passionate about, as you can probably tell. And we really do think that this is a way to actually transform the way our customers are doing zero-trust deployments.

HEIKE: Yes, you know, I'm so excited, too, that you are on the show now, and I couldn't have asked anyone better to join for this topic because you are so passionate about it. I could feel it through the laptop. Thank you so much. I hope everyone out there also enjoyed this episode and already started to grab that Excel spreadsheet and start working on your zero-trust journey. It's a journey. It will take time. If you have feedback, use the feedback that's here on the screen. You can also add comments below the video. And I hope I see everyone again soon. Bye. [Show theme music]