Top ten mistakes companies make in getting started with Azure – BRK3263


A LOT OF THINGS GOING ON. I PROMISE YOU IT WILL BE WORTHWHILE. IF I DON’T COME THROUGH, YOU CAN TALK TO ME. I’M NATHAN LASNOSKI, I’M THE CHIEF FINANCIAL OFFICER. I’VE BEEN WORKING ON AZURE AS LONG AS AZURE HAS BEEN AROUND. AND MY INTENTION TODAY IS TO GIVE YOU TEN THINGS THAT YOU CAN DO WHEN YOU GO BACK TO YOUR BUSINESS AND START USING AZURE OR CONTINUE TO USE IT IF YOU’VE BEEN USING IT TO KEEP YOURSELF OUT OF THE DITCH. NOBODY LIKES BEING IN THE DITCH. MY KIDS AREN’T DRIVING YET, BUT WHEN THEY ARE DRIVING, I DON’T WANT THEM TO BE IN THE DITCH. AND I INTEND TO MAKE SURE YOU GUYS STAY OUT OF THE DITCH. I HAVE TEN THINGS, YOU MAY BE DOING FIVE OF THEM OR SIX OR FOUR OR SEVEN OF THEM. BUT PROBABLY ONE YOU’RE NOT DOING. WHAT I’M GOING TO DO IS GO THROUGH EACH OF THE TEN THINGS. I’LL GIVE YOU SOME BREAKDOWN AS TO WHAT THAT THING IS ABOUT. EXPLAIN IT, GIVE YOU SOME BACKGROUND, AND THEN WE’LL GO ON TO THE NEXT THING. AND HOPEFULLY EACH OF THOSE GIVES YOU THIS CHECK BOX THAT YOU CAN CHECK OFF YOUR LIST AND SAY, YEP, I’VE DONE THAT, YEP, I’VE DONE THAT. LIKE WHOA, I HAVEN’T DONE THAT. AND IT’S PROBABLY A PRETTY GOOD OPPORTUNITY TO MAKE A CHANGE. IF I CAN DO THAT AND YOU GUYS COME OUT WITH AT LEAST ONE GOOD IDEA, WE’VE BEEN SUCCESSFUL TODAY. THAT’S GOING TO BE MY MISSION.

SO LET’S START WITH NUMBER TEN. THE NUMBER TEN WAY TO KEEP YOURSELF OUT OF THE DITCH WITH AZURE IS TO DEFINE AN EXCELLENT COMPANY STRATEGY. IT’S ABOUT DEFINING A CLOUD PROGRAM THAT ORGANIZES YOURSELF TO BE SUCCESSFUL. IT’S ABOUT BEING PRESCRIPTIVE OF HOW YOU APPROACH THE CLOUD. MOST OF US ARE FROM THE CORPORATE IT SIDE, THE CORPORATE IT SIDE HAS TO BE A LITTLE CAREFUL ABOUT OVERREACHING. THEY HAVE TO BE CAREFUL ABOUT OVERREACHING BECAUSE MOST OF THE APP TEAMS ARE ALREADY USING THE CLOUD ON SOME CAPABILITY OR THEY’RE STARTING TO. CORPORATE I.T. 
HAS TO EARN BACK SOME OF THE RIGHT TO BE RESPECTED IN THIS SPACE, BECAUSE SOMETIMES CORPORATE IT CAN BE PERCEIVED AS MOVING SLOWLY AND WE NEED TO RE-EARN THE TRUST OF SOME OF THE APP TEAMS. SO WE HAVE TO BE CAREFUL ABOUT OVERREACHING. BUT WHEN WE EXECUTE ON BUILDING A COMPANY ADOPTION STRATEGY, IT NEEDS TO BE ONE TO BRING ALL OF THE STREAMS TOGETHER. SO LET ME GIVE A LITTLE BIT OF A WALK THROUGH OF WHAT THIS MIGHT LOOK LIKE. THIS IS AN EXAMPLE CLOUD PROGRAM THAT I’VE USED WITH COMPANIES THAT ARE IN THE FORTUNE 50 DOWN TO COMPANIES THAT ARE IN, YOU KNOW, THEY’VE GOT 500 PEOPLE, RIGHT? SO ANYONE KIND OF INSIDE THAT RANGE. SO LET ME BREAK DOWN THE COMPONENTS OF THIS. WE’LL TAKE A LITTLE BIT OF TIME ON THIS. BECAUSE I THINK IT’S IMPORTANT TO UNDERSTAND THE LITTLE BIT OF A ROAD MAP AS TO HOW WE ADDRESS AND THINK ABOUT HOW A COMPANY MIGHT CONSUME THE CLOUD. SO THE FAR LEFT-HAND SIDE OVER HERE, YOU CAN SEE THE IDEA OF A CLOUD ASSESSMENT. AN INTERESTING STAGE IN CLOUD ADOPTION RIGHT NOW. ABOUT TWO YEARS AGO, I FEEL A LOT OF COMPANIES WERE TALKING ABOUT SOMETHING THAT THE CLOUD IS DOWN THE ROAD. SOMETHING THAT, YOU KNOW, FOR CERTAIN WORKLOADS, THINGS THEY WERE JUST INVESTIGATING. LAST YEAR, I HEARD A LOT OF — I AM WANTING TO LOOK AT THE APPLICATIONS TO UNDERSTAND IF THE CLOUD IS FOR ME. I’M GOING TO MAKE A BUSINESS CASE TO START INVESTING IN THE CLOUD. THAT’S SOMETHING LIKE AN INTERNAL ASSESSMENT OF YOUR ORGANIZATION’S ASSETS AND YOUR APPLICATIONS COMES TO PLAY. WHAT I’M SEEING MORE SO NOW IS THAT THE BUSINESS IS STARTING TO SKIP OVER THAT STAGE AND THEY FOUND, YOU KNOW WHAT? WE ARE INVESTING IN THE CLOUD. WE KNOW THAT. IT’S BECOME SOMEWHAT INTUITIVE. WHETHER WE HAVE A HIGH DEGREE OF INVESTMENT ON PREMISE OR WE HAVE THE HIGH DEGREE IN THE CLOUD OR SOME KIND OF MIXTURE OF EITHER, WE KNOW THAT THE CLOUD IS GOING TO BE SOME ASPECT OF THAT. WHAT I’M FINDING IS THAT A LOT ARE STARTING RIGHT HERE. THEY’RE STARTING WITH THE IDEA THAT I NEED TO OPERATIONALIZE THE CLOUD. 
YOU MIGHT CALL IT AN MVP. YOU MIGHT CALL IT AN OPERATIONAL PROGRAM. YOU MIGHT CALL IT A VIRTUAL PRIVATE CLOUD. WHATEVER YOU CALL IT. IT’S ABOUT POSITIONING THE CLOUD TO BE AN OPERATIONAL PLATFORM THAT YOUR GOVERNANCE APPLIES TO, BUT GOVERNANCE IS COMBINED WITH SPEED. ONE OF THE WAYS TO THINK ABOUT THIS IS YOU MAY BE A MULTI-CLOUD ORGANIZATION OR A SINGLE CLOUD ORGANIZATION. MANY BUSINESSES HAVE GONE DOWN THE MULTI-CLOUD ROUTE. THAT MEANS YOU MAY EVEN HAVE TWO CLOUDS OR THREE CLOUDS THAT YOU’RE OPERATIONALIZING TO BRING GOVERNANCE TO. SO THAT’S WHAT THE FIRST WORK STREAM IS ABOUT. IT’S ABOUT POSITIONING FROM A CORPORATE IT DOWN, A BUILDING FOR YOU TO EXECUTE. THE NEXT ONE MAY BE THE DEVOPS AT SCALE WORK STREAM. NOT TO SAY THAT YOUR APPLICATION TEAMS ARE NOT ALREADY THINKING ABOUT THAT. IT’S A WAY TO NORMALIZE THE WAY THE ORGANIZATION EXECUTES ON CENTRALIZED CODE RELEASED DEPLOYMENT, PARTICULARLY IN TERMS OF HOW IT PRESCRIPTIVELY GOVERNS THE CLOUD. SO IT STARTS TO LOOK AT THE CLOUD AS JUST ANOTHER OPPORTUNITY TO USE DEV-OPS. SO THERE’S OPPORTUNITY TO BUILD THAT IN. THE NEXT SECTION IS THE IDEA OF BUILDING AN APP RATIONALIZATION PROGRAM. SOME COMPANIES ARE LOOKING AT HOW THEY — WHETHER OR NOT THE CLOUD IS SOMETHING THEY WANT TO GET INTO. AND THEY’RE LOOKING AT A RATIONALIZATION TO BE ABLE TO DETERMINE IF THEY TAKE THAT STEP, THEY PUT THAT FOOT IN. THAT’S THE FIRST THING. THE PROGRAM ASSUMES THAT THE CLOUD IS SOMETHING THAT YOU WANT TO GO DOWN THE ROAD OF, BUT YOU’RE LOOKING AT YOUR APPLICATIONS AND DISCERNING WHAT ARE THE RIGHT PLACES FOR THEM. SO YOU’RE MAKING A DISCERNMENT OF IS THIS AN IAAS MIGRATION WORK STREAM. IS IT A PAAS MIGRATION OR REFACTOR. YOU SEE THAT IN SLIDE DECKS OR OTHER GUYS. THEN THERE’S THE DO NOTHING AND DECOMMISSION WORK STREAMS WHICH WOULD BE, IT’S NOT GOING ANYWHERE, IT’S MY AS-400, MY OLD PLATFORM. NOT GOING TO LIFT AND SHIFT IT. IT’S NOT SOMETHING THAT’S VALUABLE FOR ME TO MOVE OUT OF MY CENTER. 
THEN THERE’S THE DECOMMISSION WORK STREAM WHICH MEANS YOU GET RID OF IT. AT THE BOTTOM HERE, YOU SEE SOMETHING LIKE THE COST ANALYSIS WORK STREAM. HERE’S HOW IT USUALLY GOES. A COMPANY DECIDES TO START USING A CLOUD AND THREE MONTHS LATER, THEY START GETTING BILLS. AND THE CIO IS LIKE, WHAT THE HECK IS GOING ON AROUND HERE? WHERE DID THIS BILL COME FROM? WHO’S CHARGING IT? WHY DOES IT KEEP GOING UP? EVERYBODY STARTS TO FREAK OUT. AND IT TAKES SEVERAL OTHER MONTHS TO RATIONALIZE WHERE THE COSTS ARE COMING FROM AND YOU GET MOVEMENT AROUND TALKING ABOUT THOSE PEOPLE. AND SIX MONTHS OR A YEAR HAS GONE BY AND YOU’RE TRYING TO GET YOUR ARMS AROUND IT, RIGHT? ONE OF THE KEY SUCCESS FACTORS THAT I’VE SEEN IN BUSINESSES THAT HAVE RUN CLOUDS WELL AND BUSINESSES THAT RUN THEM POORLY IS THEY START IMMEDIATELY THE COST ANALYSIS WORK STREAM. WHATEVER THE WORK STREAM IS, WHATEVER YOU PUT INTO IT NEEDS TO PAY OFF IN A TWO-TO-ONE BASIS. INTERNALLY, YOU ALLOCATE EIGHT HOURS A WEEK, TEN HOURS A WEEK, 16 HOURS A WEEK, OF A PERSON WHO’S ENGAGING IN ANALYZING CLOUD SPEND. ANYTHING YOU INVEST IN THAT PERSON NEEDS TO PAY OFF TWO-TO-ONE. I GUARANTEE YOU IT WILL. WHAT HAPPENS IS PEOPLE LEAVE MACHINES ON. THEY DON’T HAVE COST MANAGEMENT. IT’S LIKE SOMEONE HAS A BAR TAB THAT’S OPEN AND THEY JUST KEEP SPENDING, RIGHT? SO ALL OF THESE STREAMS COMBINED TOGETHER ARE HOW YOU START TO BUILD A MATURE CLOUD PROGRAM. YOU START TO PUT YOURSELF IN A POSITION TO BE SUCCESSFUL BECAUSE YOU’VE BEEN INTENTIONAL ABOUT HOW YOU’RE WALKING DOWN THE ROAD. IS THAT MAKING SENSE SO FAR? YEAH, OKAY.

ALL RIGHT, NUMBER NINE, COMPANIES THAT DON’T BUILD A RETRAINING OR RESTRUCTURING APPROACH FOR EXISTING EMPLOYEES ARE GOING TO HAVE CHALLENGES IN EFFECTIVELY USING THE CLOUD. YOU FIND YOURSELF USING CONSULTANTS, RESISTANCE, APP TEAMS GOING AROUND THEM. IT’S JUST A REALITY. PARTICULARLY PERVASIVE IN LARGE ORGANIZATIONS THAT HAVE EXTREMELY SILOED TEAMS. SO LET ME GIVE YOU A BREAKDOWN OF THIS. 
SO THIS IS A TRADITIONAL ORGANIZATION ON THE LEFT. YOU CAN SEE THAT WE’VE GOT A WHOLE VARIETY OF TEAMS. NOW, YOUR ORGANIZATION MAY NOT HAVE ALL THE SAME TEAMS BUT I KNOW ORGANIZATIONS THAT HAVE MORE TEAMS THAN THAT IN THEIR CENTRAL IT ORGANIZATION, AND NONE OF THEM REALLY TALK REALLY WELL. AND THEY’VE ALL GOT MANAGERS AND THEY’VE ALL GOT SILOS AND THEY’RE ALL FOCUSED ON THEIR THING. YOU MIGHT HAVE, YOU KNOW, MAYBE THESE GROUPS ARE COMBINED — OOPS, MAYBE THESE GROUPS ARE COMBINED OR MAYBE THESE GROUPS ARE COMBINED. YOU KNOW, YOU MIGHT HAVE SOMETHING A LITTLE MORE CONSOLIDATED THAN THAT. BUT WHAT YOU’RE SEEING HERE IS IN A TRADITIONAL I.T. ORGANIZATION, YOU START TO HAVE THE TEAMS THAT DO THEIR THING. WHAT I’M SEEING AS COMPANIES MOVE TO A CLOUD ORGANIZATION IS THAT SOME OF THE RATIONALE START TO DROP OFF. YOU’RE NOT AS CONCERNED ABOUT STORAGE OR NETWORKING OR WINDOWS VERSUS LINUX VERSUS HYPERCONVERGED OR HIGH OR ANY OF THESE THINGS. START TO BLEED BETWEEN EACH OTHER. EVEN IN CONSULTING ORGANIZATIONS LIKE MINE. WHEN I LOOK AT SCALING UP MY TEAM, I LOOK AT HOW DO I COLLAPSE SO MANY OF THESE TEAMS TOGETHER. BECAUSE I FIND THERE’S A LOT OF CROSSOVER. SO WHAT MOST ORGANIZATIONS THAT ARE SUCCESSFUL HERE ARE DOING IS THEY’RE REALIZING THAT THEY’RE MOVING AWAY FROM CLOUD DELIVERY TO CLOUD ENABLEMENT. CLOUD DELIVERY TO CLOUD ENABLEMENT. AND CLOUD ENABLEMENT MEANS SOMETHING VERY DIFFERENT. MULTI-SKILL, IT MEANS GOVERNANCE, BUT NOT CONTROL, NOT BLOCKERS. SO THEY’RE FORMING THESE TEAMS. AND WHAT’S HAPPENING IS THE OPERATIONS SIDE, THE OPERATIONS SIDE, MOVING OVER HERE IN THE APPLICATION GROUPS. I WAS LISTENING TO A TALK BY A MICROSOFT IT GUY, AND ONE OF THE THINGS THAT HE WAS SAYING IS REALLY INTERESTING TO ME. HE SAID EVERY DEVELOPER IN MICROSOFT OPERATES IN SOME CAPACITY. THAT IS A TELLING COMMENT BECAUSE IT GETS TO WE’RE MOVING TO A WORLD WHERE THE IDEA OF OPERATIONS AND APP TEAM BEING SEGMENTED FROM EACH OTHER HAS REALLY DROPPED OFF. 
WE’RE ASSUMING THE PEOPLE BUILDING THE SOFTWARE ARE INVOLVED IN THE PROCESS. SO APPLICATION TEAMS HAVE TAKEN ON MORE OF THAT LOAD AND THEY’RE MORE CLOSELY CONNECTED TO THE CUSTOMER. THE SECURITY TEAM I’M FINDING CONTINUES TO BE SOMEWHAT SEGMENTED FROM THE OTHER TEAMS. THAT’S FOR GOOD REASON. YOU TEND TO HAVE A TEAM THAT NEEDS TO BE AROUND TO AUDIT OTHER TEAMS AND ENSURE THAT THAT CONSISTENCY OF DELIVERY IS SUCCESSFUL AND THE RED TEAM APPROACH STILL EXISTS. SO WHAT I’M FINDING IS THAT INCREASED DEPENDENCY ON MULTI-SKILL FRAMEWORKS, PEOPLE THAT HAVE AN ABILITY TO ENGAGE, THAT KNOW ABOUT STORAGE, NETWORKING, COMPUTE, DEV-OPS, ETC., START TO COMBINE THE SKILLS TOGETHER. NOT THAT YOU HAVE A PRIMARY AND A SECONDARY, BUT THE TEAMS START TO MERGE, DOES THAT MAKE SENSE? YEAH. OKAY.

NUMBER EIGHT, NOT STRUCTURING THE AZURE ENVIRONMENT PROPERLY. BOY, IF I HAD A DOLLAR FOR THIS ONE. THERE’S A LOT OF BADLY STRUCTURED AZURE ENVIRONMENTS OUT THERE. THIS IS PROBABLY ONE OF THEM BECAUSE I KNOW THAT MINE MAY HAVE BEEN ONE OF THEM AS WELL. THE PROBLEM WITH THIS CONSTRUCTION IS THEY’VE CONSOLIDATED EVERYTHING UNDER ONE SUBSCRIPTION. A COUPLE OF PROBLEMS WITH THAT APPROACH. THE FIRST PROBLEM IS THERE ARE SUBSCRIPTION BARRIERS, THERE ARE LIMITS. SO, ESPECIALLY WHEN YOU GET TO SCALED ORGANIZATIONS, YOU SIMPLY CAN’T FUNCTION AT THAT LEVEL. SUBSCRIPTIONS NEED TO SCALE OUT IN ORDER FOR YOU TO HAVE AN EFFECTIVE ORGANIZATION. THE SECOND PROBLEM HERE IS THAT THEY’VE CONSOLIDATED THE PROD, DEV, AND QA ORGANIZATION FUNCTIONS UNDERNEATH ONE SUBSCRIPTION AS WELL. THEY MADE IT COMPLICATED FOR THEM TO BE ABLE TO HAVE ANY LAYER OF REALLY TEST, QA AND PROD BECAUSE THE ENVIRONMENT THAT THE CORP. IT IS SERVICING, LET’S SAY THEY HAVE TO DEPLOY EXPRESSROUTE, ACTIVE DIRECTORY, CORE NETWORKING, EXTERNAL-INTERNAL FIREWALLS, ALL OF THAT STUFF HAS TO EXIST, RIGHT? HOW DO YOU TEST THAT EFFECTIVELY IF IT’S ALL IN ONE SUBSCRIPTION? YOU CAN’T. IT BREAKS DOWN TO THE LEVEL WHERE YOU CAN’T EFFECTIVELY TEST. 
IT PUTS YOU IN A POSITION WHERE ALL OF THE OTHER BUSINESS UNITS ARE DEPENDENT ON THE FUNCTIONS BUT THEY CAN’T EFFECTIVELY TEST. ALSO, BUSINESS UNITS ARE RIGHT INSIDE OF THE SAME SUBSCRIPTION. SO YOUR CORP. I.T. GUY HAS WAY TOO MANY RIGHTS OVER THE BUSINESS UNIT’S FUNCTIONS AND LEADS TO A LOT OF CROSSOVER WHERE THERE SHOULDN’T BE CROSSOVER, PARTICULARLY IN THE SECURITY SPACE. SO THIS IS A VERY INEFFECTIVE STRUCTURE. HERE’S ANOTHER INEFFECTIVE STRUCTURE. IT LOOKS LIKE A LOT OF YOURS. [LAUGHTER] ANYONE STARTED WITH AZURE WHEN I DID BEFORE ARM EXISTED. OKAY, SUBSCRIPTION, SUBSCRIPTION, SUBSCRIPTION. THAT’S THE LIFE. NOT MUCH I CAN DO. THIS IS THE BEST PRACTICE STRUCTURE. THIS MIGHT BE A LITTLE DIFFICULT TO READ. SO I’LL JUST KIND OF EXPLAIN IT. DON’T KILL ME ON THE LACK OF ZOOM. SO, THERE’S A CONCEPT THAT HAS BEEN BUILT OUT CALLED MANAGEMENT GROUPS. HAVE YOU GUYS HEARD OF MANAGEMENT GROUPS BEFORE? IS THAT NEW? YEAH, OKAY. COOL. SO THIS IS REALLY RECENT. THIS IS A VERY, A VERY RECENTLY GA SERVICE. THIS IS A LAYER ON TOP OF YOUR SUBSCRIPTIONS. SO YOUR SUBSCRIPTIONS EXIST AS BUCKETS AND MANAGEMENT GROUPS EXIST TO PROVIDE ORGANIZATIONAL STRUCTURE AND SECURITY AS WELL AS POLICY APPLICATION ABOVE THE SUBSCRIPTION LAYER. WHICH IS WHAT I’VE BEEN DESPERATE FOR FOREVER SO I’M SO GLAD THEY BUILT IT. SO SUBSCRIPTIONS CAN GO SIX DEEP. THAT’S IN ADDITION TO THE ROOT SO YOU GET A ROOT MANAGEMENT GROUP. UNDERNEATH THAT, SIX DEEP, THEN YOU CAN GO 10,000 OF THEM. OH, SOUNDS LIKE A LOT. IT IS. YOU CAN DO 10,000 MANAGEMENT GROUPS. SO YOU GET TO A POINT THERE WHERE IT’S LIKE, WOW, OKAY, I CAN START TO ACTUALLY SCALE THIS. YOU START WITH THE ROOT MANAGEMENT GROUP AND A CORP. I.T. MANAGEMENT GROUP WHICH SHOULD BE SUPPORT FUNCTIONS. THIS IS NOT LIKE APPLICATIONS LIKE CENTRAL APPS. IT’S LIKE YOUR CENTRAL EXPRESSROUTE CONFIGURATION, THE NETWORKING, THINGS OF THIS NATURE. AND UNDERNEATH THERE, YOU HAVE PROD, DEV, AND QA MANAGEMENT GROUPS. NOTE THAT IT’S UNDERNEATH SUBSCRIPTIONS. 
SO I’M PUTTING SUBSCRIPTIONS WITHIN THE MANAGEMENT GROUP. SO AS I TEST THE CONFIGURATION, I CAN DEPLOY A WHOLE NEW CORP. IT CONFIGURATION TO TEST THE [UNINTELLIGIBLE] AND MAKE SURE I GET WHAT I EXPECT. WHY DEV AND QA? YOU NEED TO BE ABLE TO EVALUATE WHAT YOU’RE DOING IN QA, IN TEST — YOU NEED TO BUILD STUFF, TEST IT OUT, MAKE SURE IT’S WORKING PROPERLY. AND YOU DEPLOYED A QA WHICH IS AN EXACT COPY OF PROD. THEN YOU GO TO PROD, RIGHT? SO THIS IS BUILDING OUT YOUR CORP. IT ENVIRONMENT AS CODE. YOU HAVE THE APPLICATION TEAMS UNDERNEATH IT. THE APPLICATION TEAMS MEANING GROUPS OF TEAMS LIKE NOT EVERY SINGLE APPLICATION GETS THE MANAGEMENT GROUP, 10,000 MIGHT NOT BE ENOUGH FOR THE ORGANIZATION. UNDERNEATH APPLICATION TEAMS, LET’S SAY YOU BUILD AIR CONDITIONERS AND YOU HAVE AN AIR CONDITIONER GROUP THAT BUILDS DIFFERENT APPLICATIONS FOR THE AIR CONDITIONER SERVICE, THEY WOULD THEN POTENTIALLY HAVE A SINGLE OR MULTIPLE SUBSCRIPTIONS AND RESOURCE GROUPS UNDERNEATH THAT. THE COOL THING IS UP HERE AND HERE, I COULD START TO ATTACH POLICY. SO AT THE MANAGEMENT GROUP LEVEL, I’M ATTACHING POLICY THAT CASCADES, SO I SPIN UP A NEW SUBSCRIPTION, IT GETS THE POLICY ATTACHED TO IT. INSTEAD OF THE WAY IT WORKS RIGHT NOW, WHEN SOMEONE SPINS UP A SUBSCRIPTION AND I’VE GOT TO FIND I WANT, I’M LIKE, HEY, YOU OVER THERE WITH THE SUBSCRIPTION, JUST SO YOU KNOW, I’M CORPORATE I.T. AND I WANT TO MAKE SURE YOU DO STUFF RIGHT. THAT’S HOW IT WORKS NOW. THE WAY YOU WANT TO WORK IT IS WE ACTUALLY HAVE A POLICY APPLIED TO THE OVERALL STRUCTURE. COOL? ALL RIGHT. SO YOU CAN TUNE THIS A LITTLE BIT IF YOU’RE LIKE, HOLY COW, THAT SEEMS A LITTLE BIG FOR ME. 500 PEOPLE. THAT MIGHT NOT BE WHAT I NEED. YOU CAN — YOU CAN REMOVE ONE OF THE MANAGEMENT GROUP LAYERS AND YOU CAN GO STRAIGHT FROM THE — LIKE THE CORP. I.T. MANAGEMENT GROUP AND THE BUSINESS MANAGEMENT GROUP DOWN A SUBSCRIPTION LEVEL. SO THE ONE THING I WOULD SAY, THOUGH, IS MANAGEMENT GROUPS ARE PRETTY FLEXIBLE AND EASY TO IMPLEMENT. 
I WOULD SIDE TOWARD THE FIRST ONE SIMPLY BECAUSE IT’S A LOT MORE — IT’S LIKE CLICK, CLICK — HERE’S MY MANAGEMENT GROUP, RIGHT? SO IT’S PRETTY STRAIGHTFORWARD IN THAT SENSE, SO I WOULD SIDE TOWARD THAT, EVEN IF IT IS A BIT MORE COMPLICATED.

OKAY, NUMBER SEVEN — IGNORING IDENTITY, RBAC AND CONDITIONAL ACCESS. EARLIER THIS WEEK, I DID A TALK ON TOP TEN WAYS TO SECURE THE AZURE ENVIRONMENT. AND THIS IS BROKEN OUT TO FIVE DIFFERENT THINGS. SO THIS IS LIKE ONE BIG SHOTGUN BLAST AT ONCE. BUT THE IDEA HERE IS YOU NEED TO SECURE THE AZURE ENVIRONMENT AND YOU CAN’T JUST SAY, OH, I’VE GOT TO BE IN THE BUILDING AND I HAVE TO HAVE THE KEY CODE TO GET TO THE DATA CENTER AND IT’S GOT TO BE ME AND I’VE GOT TO BE PHYSICALLY THERE. THAT DOESN’T EXIST ANYMORE. IDENTITY IS YOUR FIREWALL. SO LET ME GIVE YOU A COUPLE OF THINGS YOU GOT TO MAKE SURE YOU DO. THE FIRST IS, PLEASE ENABLE MULTIFACTOR AUTHENTICATION IN AZURE FOR YOUR ADMINS AS THEY GET TO YOUR AZURE SUBSCRIPTION. IF YOU HAVE NOT DONE THAT, THAT’S THE ONE THING I WOULD WALK OUT OF HERE AND DO. SO IF YOU HAVE NOT DONE THAT TODAY, THAT’S THE ONE THING OUT OF EVERYTHING ELSE I’M TALKING ABOUT, ENABLE, PLEASE, PLEASE, PLEASE. AUTHENTICATION PREVENTS YOUR PASSWORD BEING THE ONLY THING THAT PREVENTS SOMEONE FROM TAKING YOUR AZURE ENVIRONMENT. PRETTY SIMPLE. USE THAT AZURE BUSINESS MANAGEMENT AS AN EXTRA STEP. SO THE BEST PRACTICE FOR ACCOUNTS LOOKS LIKE IS, YOU HAVE YOUR E-MAIL ACCOUNT THAT IS HOW YOU LOG IN AND USE YOUR E-MAIL AND, YOU KNOW, EXPERIENCE NORMAL LIFE. THEN YOU HAVE THE A ACCOUNT, WHICH SEEMS PRETTY INTUITIVE, MOST OF US HAVE THAT. AND THEN WHEN YOU LOG IN WITH YOUR A ACCOUNT, YOU ACTUALLY REQUEST ACCESS WITH AZURE PRIVILEGED ACCESS MANAGEMENT. SO LET’S SAY I WANT TO DO A THING — I REQUEST ACCESS TO THE OWNER FUNCTION USING AZURE PRIVILEGED ACCESS MANAGEMENT. THAT’S REALLY EASY TO CONFIGURE. IT’S NOT LIKE THIS OH, MY GOSH, I HAVE TO IMPLEMENT G AND I HAVE TO GO AND SYNC. THIS IS REALLY SIMPLE. 
SO THIS STEP IS THAT EVEN IF I’M LOGGED IN AS AN ADMIN, I HAVE TO DO SOMETHING TO USE ADMIN RIGHTS. AND I’M ASKING FOR SPECIFIC ADMIN RIGHTS, NOT ALL OF THEM. IT LEADS TO A MORE SECURE APPROACH. THE SECOND THING IS I ENABLE CONDITIONAL ACCESS. CONDITIONAL ACCESS SAYS NOT ONLY DO YOU HAVE TO BE LOGGING IN AS A PERSON WHO HAS THE RIGHT RIGHTS, AND MAYBE YOUR MULTIFACTOR AUTHENTICATION, BUT YOU HAVE TO HAVE A HEALTHY DEVICE. SO IF YOU’RE USING SCCM, ENABLE CO-MANAGEMENT USING INTUNE OR GO TO MODERN DEVICE MANAGEMENT WITH INTUNE, THAT WILL DO THE SAME THING, SO EITHER ONE OF THOSE, YOU CAN TIE TO CONDITIONAL ACCESS AND SAY AM I ON A HEALTHY DEVICE THAT I OWN. SO HERE’S THE SCENARIO. SO SOMEONE GETS AHOLD OF ADMIN CREDENTIALS HALFWAY ACROSS THE WORLD FROM YOU. WHAT STOPS THEM FROM GETTING IN THE AZURE SUBSCRIPTION? NOTHING, UNLESS YOU HAVE MULTIFACTOR AUTHENTICATION OR ENABLED DEVICE COMPLIANCE AND YOU’RE ON A CORPORATE DEVICE. SO THINK ABOUT THOSE TWO THINGS. THAT’S GOING TO BE A MUCH MORE SECURE ENVIRONMENT. THERE ARE MANY MORE STEPS THAT A PERSON HAS TO GO THROUGH TO BE IN YOUR ENVIRONMENT IF YOU HAVE THAT ENABLED. AND THEN THE THIRD HERE IS MAKE SURE THE APPLICATIONS HAVE CONSISTENT RBAC APPLIED. YOU CAN FORCE THAT WITH BLUEPRINTS AND POLICIES. SO SORT OF THE BLUEPRINTS FEATURE. SUPER COOL FEATURE, YEAH? THAT FEATURE CAN FORCE POLICY TO ENSURE THAT YOU HAVE RBAC APPLIED ON THE APPLICATION GROUPS SO THE RIGHT PEOPLE TALK TO THE RIGHT PEOPLE, RIGHT? SO THE RIGHT APPLICATION OWNERS GET TO THE RESOURCE GROUPS AND CAN USE THEM BUT THEY CAN’T GO TO SOMEONE ELSE’S AND START USING THEIRS. SO WE — THE MAIN GOAL THERE IS YOU SHOULD ALMOST NEVER NEED TO BE AN OWNER OF THE SUBSCRIPTION. ALMOST NEVER. SUBSCRIPTION OWNERS ONLY NEED TO EXIST TO DO REALLY HIGH LEVEL SUBSCRIPTION THINGS. THAT’S NOT SOMETHING WE NEED TO HAVE. AND THEY’RE WAY TOO OFTEN, I SEE THAT DEPLOYED THAT WAY. ALL RIGHT?

NUMBER SIX. THIS IS — THIS ONE DRIVES ME CRAZY. 
SO LET’S TALK ABOUT THIS AND TRY NOT TO DRIVE OURSELVES CRAZY. TRYING TO INTERMEDIATE THE CLOUD UX TO CONTROL THE DEPLOYMENT. NO ONE LIKES TO GO THROUGH LINES. I HATE LINES, EVERYBODY HATES LINES. MY WIFE TELLS ME IT’S AN OPPORTUNITY IN SACRIFICE, TOTALLY RIGHT. MY KIDS MADE A SACRIFICE BEAD FOR ME. I’M IN A LINE, I’M MOVING THE BEAD — I’VE BEEN MOVING THIS TOO OFTEN, TOO MANY LINES. SO WHAT PEOPLE TRY TO DO, THEY TRY TO DO THIS. THEY TAKE WHAT THEY DO AND SAY I’M GOING TO DO IT IN THE CLOUD. I WANT TO BE ABSTRACTED FROM THE AZURE ENVIRONMENT. I DON’T WANT TO BE LIKE STUCK. SO THEY SAY, YOU KNOW WHAT I’M GOING TO DO, I’M GOING TO BUILD A PORTAL. I’M GOING TO BUILD A PORTAL THAT EXISTS BETWEEN ME AND AZURE. I’M GOING TO BUILD IT IN SERVICENOW OR WHATEVER, OR I BUILD MY CUSTOM ONE. I SEE PEOPLE POUR MILLIONS OF DOLLARS INTO CUSTOM PORTALS IN FRONT OF AZURE. YOU MAY HAVE ONE, YOU MAY HAVE DONE THIS. THIS PROCESS IS A TERRIBLE ASSUMPTION. IT SLOWS YOU DOWN. AND YOUR USERS WILL NOT USE IT. YOUR CUSTOMERS WILL NOT USE IT. THEY WILL JUST CONTINUE TO GO AROUND YOU. SO THE GOAL DESTINATION, AND THIS MAY SEEM — THIS MAY SEEM LIKE SHOOTING FOR THE MOON, I MIGHT GIVE YOU A STEPPINGSTONE TO GET THERE. THE GOAL DESTINATION SHOULD BE THE AZURE ENVIRONMENT IS LARGELY THE — THE AZURE PORTAL IS LARGELY READ ONLY. LARGELY READ ONLY. YOU HAVE A LITTLE BIT. IT’S LARGELY READ ONLY. YOU CAN TROUBLESHOOT, YOU CAN VIEW THE ANALYTICS, YOU CAN MOVE STUFF AROUND, YOU CAN SEE STUFF, MAYBE THE QA ENVIRONMENT ISN’T, BUT THE AZURE PORTAL IS READ ONLY. THE WAY YOU DEPLOY TO THE AZURE ENVIRONMENT IS WITH CODE. AND YOU TEACH THE APPLICATION TEAMS TO USE TEMPLATES, ARM TEMPLATES, OR RELEASE MANAGEMENT PIPELINE, WHATEVER YOU’RE USING, YOU MIGHT HAVE SALT, PUPPET, WHATEVER IN THERE. AND YOU’RE TEACHING THEM TO USE CODE TO DO THE DEPLOYMENT OF THE SERVERS, THE DEPLOYMENT OF THE APPLICATION, AND HOW TO RELEASE MANAGEMENT PIPELINE. I’VE SEEN FORTUNE 50 COMPANIES FORCE THIS ON THEIR USERS. 
AND WHAT THEY’VE GOTTEN OUT OF IT IS THEY’VE GOTTEN THE — THE OPPORTUNITY FOR THEM TO BE ABLE TO ENSURE THAT THE APPLICATIONS THAT ARE BUILT ARE BUILT IN A CONTINUOUS DEPLOYMENT CYCLE. YOU MIGHT BE LIKE, LIKE MY USERS ARE TOTALLY NEVER GOING TO BE ABLE TO DO THIS. LIKE I GOT — I NEED TO DO A SELF-SERVICE REQUEST AND THEY NEED TO BE ABLE TO DO IT — YOU CAN DO IT FOR THEM AND TEACH THEM. WAY TWO, YOU CAN DO IT AND YOU CAN USE A STEPPINGSTONE. SO A STEPPINGSTONE IS APPROPRIATE IN CERTAIN CIRCUMSTANCES. SO, A STEPPINGSTONE ON THE AZURE PORTAL SIDE IS STILL VIEW ONLY LARGELY, BUT YOU’RE GIVING THEM WRITE ACCESS IN QA AND DEV ENVIRONMENTS TO — ACTUALLY THE DEV ENVIRONMENT TO PLAY AROUND. SO YOU’RE SAYING LIKE OKAY, I REALIZE THAT YOU NEED TO PLAY AROUND, SO IN THE DEV ENVIRONMENT, I’LL LET YOU PLAY AROUND. YOU CAN PROVISION STUFF, YOU CAN EXPORT THE ARM TEMPLATE AND BUILD THAT IN YOUR RELEASE MANAGEMENT PIPELINE AND DO IT THAT WAY. I ALSO MIGHT GIVE YOU A CUSTOM PORTAL. GASP — A CUSTOM PORTAL — THAT LETS YOU PROVISION SETS OF THINGS AS A LEARNING PROCESS FOR YOU, BUT THAT’S ALL IT DOES. IT PROVISIONS A SET OF SOMETHING WITH THE RESOURCE GROUP AND THEN AFTER THAT PROVISION, EVERYTHING ELSE HAS TO BE DEPLOYED AS CODE. YOU GET THE CODE I USED SO THE JOB IS TO BE A LEARNING TOOL. EVEN THEN, I’M A LITTLE BIT SKEPTICAL ON IT. BUT THAT’S A STEPPINGSTONE THAT YOU CAN USE. BUT ABSOLUTELY DO NOT BUILD A CUSTOM PORTAL TO DO PROVISIONING MOVE/ADD/CHANGES AGAINST YOUR ENVIRONMENT. YOU’RE GOING TO REGRET IT LATER. I PROMISE YOU, I’VE SEEN IT OVER AND OVER. I PROMISE YOU THIS. IF YOU DO IT, COME BACK NEXT YEAR AND WE CAN TALK ABOUT IT AND HOW BAD OR WONDERFUL THE EXPERIENCE WAS.

NUMBER FIVE, IGNORING THE RECOVERY FOR THE SERVERS. RECOVERY IN PARTICULAR. SO LET’S BREAK IT DOWN TO PIECES. ASSUME REDEPLOYABILITY, DEV-OPS AT EVERY LEVEL. WE TALK ABOUT DEV-OPS AS IT RELATES TO APPLICATIONS. WE HEAR THEM SAY I’M GOING TO DO CONTINUOUS DEPLOYMENTS, EVERY TIME THIS IS DEPLOYED. 
EVERY SINGLE TIME, THE MOST RECENT COPY, RIGHT? I HEARD ABOUT THAT A MILLION TIMES. BUT WHAT WE DON’T DO IS WE DON’T DO THAT FOR CORP. IT. WE DO CLICK CLICK FOR CORP. IT. I SEE IT ALL THE TIME. CLICK, CLICK, NEW THIS, THIS, THIS, NEW SERVER, LOG INTO IT, CONFIGURE, CONFIGURE, THAT’S MY CONFIGURATION. SO WHAT HAPPENS IS CORP. IT ISN’T FOLLOWING INFRASTRUCTURE AS CODE TECHNIQUES SO IT GETS TO THE POSITION WHERE IT CAN’T REDEPLOY. THE BEST ENVIRONMENTS I’VE SEEN ARE ONES WHERE CORP. IT’S CONFIGURATION IS COMPLETELY REDEPLOYABLE AS CODE. THEY CAN WIPE IT OUT AND REDEPLOY THE THING FROM SOURCE CODE. YOU’RE TEACHING THE CORP. IT TO DO THE SAME THING AS THE DEVELOPERS DO. THAT’S A HUGE SECURITY BENEFIT AND RECOVERY BENEFIT. IF SOMEONE MESSES SOMETHING UP, WHICH THEY WILL, PARTICULARLY IF THEY HAVE WRITE ACCESS TO THE CORPORATE PORTAL YOU’RE GOING TO HAVE TO REDEPLOY. IF YOU DON’T, THE BETTER. BECAUSE YOU CAN SEND THE CODE THROUGH DEV-QA PROD AND TEST IT. SO, CORP. IT BEING BUILT INTO RELEASE MANAGEMENT PIPELINE BOTH ENSURES THAT YOU HAVE THE PREVIOUS VERSIONS OF THINGS AS WELL AS ALLOWS YOU TO REDEPLOY THE ENVIRONMENT EFFECTIVELY. THAT’S STEP ONE. STEP TWO, LEVERAGING THE AZURE BACKUP FOR ALL RESOURCE GROUPS. THE WAY YOU BACK UP IN THE CLOUD IS NOT THE WAY YOU’RE GOING TO BACK UP ON PREMISE. AND THAT’S SOMETHING THAT WE INTUITIVELY GET, BUT SOMETIMES WE FORGET TO ACTUALLY CONFIGURE IT. WE HAVE THE BACKUP SYSTEM. BACKUP SYSTEMS CON YOU TO BACK UP STUFF. WE ONLY HELP THEM GET THERE. SO ONE OF THE THINGS YOU CAN DO FROM AN OVERALL AZURE EXPERIENCE IS MAKE SURE THAT THE BACKUP CONFIGURATION IS SOMETHING THAT IS BUILT INTO THE WAY YOU PROVISION. YOU TEACH THEM HOW TO DO IT, YOU ALSO TEACH THEM HOW TO ENSURE THAT THE PROVISIONING PROCESS INCLUDES BACKUP AND THEY HAVE A WAY TO MONITOR IT, MANAGE IT, AND MAINTAIN IT. THAT’S AN IMPORTANT STEP. YOU CAN FORCE THAT WITH AZURE POLICY OR YOU CAN BUILD IT WITH SOME SORT OF SCRIPTING IDEA. ALSO, LEVERAGE SOME CROSS REGIONAL BACKUP. 
SOMETHING YOU NEED TO DO WITH CROSS REGIONAL. THAT’S SOMETHING YOU NEED TO MAKE SOME ASSUMPTIONS AROUND AS WELL.

NUMBER FOUR, NOT FOLLOWING NAMING CONVENTIONS FOR RESOURCES. YOU SEE THIS IN THE DEMOS AT IGNITE, DON’T YOU? PEOPLE LOG IN TO THE EXPERIENCES AT IGNITE AND THEY’RE LIKE, BOB’S SYSTEM, JOE’S TEST. AND NATHAN’S SUCH AND SUCH. AND LIKE, DON’T YOU GUYS USE NAMING CONVENTIONS? COME ON, MAN? LIKE THIS IS A REALLY IMPORTANT STEP BECAUSE IT ALLOWS US TO KNOW WHAT’S GOING ON, ALLOWS US TO FIND THINGS, UNDERSTAND THINGS, AND MANAGE THEM. THIS HAS PROVEN ITSELF IN OPERATION. OBJECT NAME, BUSINESS UNIT, DESCRIPTOR, PROD OR NONPROD QA AND THEN THE AZURE REGION AND THE 0122 DEPENDING ON THE THING YOU GOT. SUPER, SUPER USEFUL. IT TOOK ME A LOT OF TRIAL AND ERROR TO COME UP WITH THAT ONE. OUR TEAMS HAVE BEEN USING IT PRETTY CONSISTENTLY. IT’S WORKED IN ENTERPRISE SPACE. YOU CAN ADJUST IT, GO FOR IT, MAKE SOME MODIFICATIONS, THAT WILL BE CERTAINLY FINE, IF YOU FIND YOU NEED SOMETHING THERE. SO THERE’S THE EXAMPLE, RIGHT? AT THE BOTTOM YOU HAVE RESOURCE GROUP, INFRASTRUCTURE, DOMAIN CONTROLLER, PRODUCTION, AND THEN THE REGION. VERY HELPFUL. NOW, I HAVE HEARD SECURITY GUYS SAY, LOOK, IF YOU NAME THESE THINGS, SOMEONE CAN EASILY FIGURE OUT WHAT STUFF IS INSIDE OF YOUR ENVIRONMENT. IF YOU DON’T WANT TO INDICATE WHAT THINGS ARE AND THAT’S A SECURITY BENEFIT THAT YOU WANT TO IMPLY, THEN YOU HAVE TO HAVE A WAY TO FIND STUFF. BUT STILL DON’T CALL IT NATE’S DOMAIN CONTROLLER, OKAY? SO NAMING CONVENTIONS ARE PRETTY DARN IMPORTANT AND IT’S SOMETHING THAT IT’S JUST LIKE ALMOST EVERY SINGLE AZURE ENVIRONMENT I’VE SEEN THAT THE NAMING CONVENTIONS ARE TERRIBLE. SO THIS IS REALLY HELPFUL. YOU CAN FORCE THIS WITH POLICY. THIS IS ANOTHER GOOD REASON TO USE POLICY IS YOU CAN FORCE NAMING CONVENTIONS, RIGHT? SO YOU’RE NOT TELLING THEM WHAT THEY HAVE TO NAME IT. BUT YOU ARE TELLING THEM THAT THEY HAVE TO NAME IT SOMETHING. THAT IT HAS TO FIT YOUR CRITERIA.

ALL RIGHT, NUMBER THREE. 
ASSUMING THAT YOUR CLOUD ENVIRONMENT NEEDS TO FUNCTION LIKE THE ON PREMISE ENVIRONMENT. A LOT OF COMPANIES HAVE ON PREMISE ORGANIZATIONS, DON’T THEY? AND THE COMPANIES THEY HAVE ON THE PREMISE ORGANIZATION TEND TO WANT THEIR TOOLS TO WORK THE SAME WAY IN THE PUBLIC CLOUD AS THEY DO IN THE PRIVATE CLOUD. TO A CERTAIN EXTENT, IT’S OKAY. TO A LOT OF EXTENT, IT’S NOT OKAY. THE CLOUD FUNCTIONS DIFFERENTLY. A COUPLE OF THINGS TO KEEP IN MIND HERE, DON’T ASSUME THE CURRENT TOOLS ARE MOVED TO THE CLOUD. USE IT AS A CATALYST TO RE-EXAMINE THIS. SOMETIMES THEY DO. SO, FOR EXAMPLE, I’M WORKING WITH A CUSTOMER RIGHT NOW. THEY HAVE AN SCCM ENVIRONMENT. THE AZURE SOLUTION IS NOT AS FEATURE RICH AS SCCM. IT’S NOT. LET’S SAY IT LIKE IT IS. WE DECIDED FOR THE TIME BEING WE’RE GOING TO PATCH THE MACHINES ON AZURE THE WAY THEY PATCHED THEM ON PREMISE. WE’RE GOING TO GO TO THE AZURE PATCH MANAGEMENT SOLUTION BECAUSE IT’S BUILT INTO THE PLATFORM. I DON’T NEED THEM TO DO THAT. THEY WERE NOT PATCHING THEIR LINUX SYSTEMS WITH SCCM AND THEY DIDN’T HAVE A GOOD SOLUTION TO PATCH THEM WHICH IS BEYOND THE POINT. THAT’S THE STATE THEY WERE IN. SO WE DECIDED TO USE THE AZURE PATCH MANAGEMENT SOLUTION FOR THOSE SYSTEMS BECAUSE THEY DIDN’T HAVE ANYTHING IN THE FIRST PLACE. SO PUT THEM IN A POSITION TO BE ABLE TO START USING THE TECHNOLOGY, GET COMFORTABLE WITH IT, AND START MOVING DOWN THE ROAD. THE POINT OF THE MATTER IS THAT THAT TOOL WE DECIDED TO USE IN THE CLOUD, BUT IT DIDN’T MEAN THAT EVERYTHING CAME ALONG WITH IT, RIGHT? SO WE DIDN’T BRING BACKUP. WE USED AZURE BACKUP, WE DIDN’T BRING MONITORING, WE USED AZURE MONITOR. AND APPLICATION INSIGHTS. SO WE STARTED TO CONVERT THEM OVER TO USING PUBLIC CLOUD SERVICES THAT ARE ALREADY THERE IN THE CLOUD TO MANAGE THE CLOUD RATHER THAN MOVING THEIR CURRENT ON PREMISES SERVICES UP IN TO THE CLOUD WITH IT. ALSO, DON’T ASSUME THAT CORP. NET NEEDS TO BE THE HUB. THE CLOUD IS NOW STARTING TO BE THE NEW SOURCE OF THE DISTRIBUTED NETWORK. 
SO, ON PREM OUT TECHNIQUES TEND TO THINK OF CORP. NET LIKE ON PREM CORP. NET AS THE PLACE WHERE EVERYTHING NEEDS TO TALK TO. EVENTUALLY CORP. NET WILL BE ANOTHER BRANCH AND THEN EVEN MORE SO, CORP. NET WON’T EVEN NECESSARILY FUNCTION LIKE A BRANCH BECAUSE A DESKTOP COMPUTER IS NOT PART OF CORP. NET IN THE FIRST PLACE. IT’S A GUEST NETWORK. MOVING TO A STAGE THAT MAYBE A COUPLE THREE YEARS DOWN THE ROAD, MANY OF YOUR SYSTEMS WON’T BE ON CORP. NET AND YOUR SERVERS, A GOOD CHUNK OF THEM, WILL EXIST IN THE CLOUD AND YOU’LL HAVE A DIFFERENT IDEA AROUND WHAT CORP. NET EVEN IS. SO THINK ABOUT THIS AS A REPOSITIONING OF THE HUB IN THE BUSINESS COULD BE. AND THAT SECURED APPLICATION TRAFFIC DOESN’T NEED TO RIDE IN CORP. NET. THAT’S AN IMPORTANT POINT BECAUSE SOMETIMES PEOPLE ARE CONCERNED THAT LIKE I HAVE A SECURE APPLICATION THAT NEEDS TO BE ON THE CORP. NET ITSELF. ALSO, PEOPLE AREN’T BUILDING NEW APPS ON THE DM ANYWAY. I DON’T KNOW HOW MANY OF YOUR CONTAINER THINGS YOU’VE GONE, NONE OF IT RIDES ON CORP. NET. IT RIDES ON AN AZURE NETWORK AND MAYBE AZURE AND THE SEGMENT OF THE AZURE ENVIRONMENT FOR THE APPLICATION, BUT IT’S SOMETHING THAT YOU NEED TO THINK ABOUT. KIND OF REINFORCE THIS POINT, THERE’S A MOVEMENT TO A VERTICAL NETWORKING DESIGN, SO ONE OF THE BIGGEST — AND I COVERED THIS IN THE SECURITY THING, BUT I THINK THIS IS ONE OF THE BIGGEST BENEFITS OF MOVING TO THE CLOUD AND IT’S TOTALLY UNDERSERVED. PEOPLE SAY, HEY, I SHOULDN’T MOVE TO THE CLOUD, I’M STRUGGLING TO MOVE TO THE CLOUD, THIS IS BY FAR ONE OF THE BIGGEST REASONS TO MOVE TO THE CLOUD, TO IMPLEMENT MICRONETWORK SEGMENTATION IN THE ENVIRONMENT. SO MOST NETWORKS LOOK LIKE THIS DESIGN ON THE LEFT. SEE HOW EVERYTHING TALKS TO EACH OTHER LIKE THAT. THAT IS HOW MOST OF THE CORPORATE NETWORKS LOOK LIKE TODAY. NOW, I WAS TALKING TO A SECURITY GUY THE OTHER DAY, I WAS LIKE, YEAH, MAN, WE IMPLEMENTED ALL OF THE STUFF ON PREMISE, YEAH, SURE, SURE YOU HAVE. LIKE OKAY, MAYBE HE’S LIKE 10 OR 50 OR 60 OF THE WAY THERE. 
BUT HE’S NOT ALL THE WAY THERE, RIGHT? SO A LOT OF CORPORATE ENVIRONMENTS HAVE WAY — WAY TOO MUCH LATERAL MOVEMENT, WHICH IS WHEN YOU START LOOKING INTO HOW PEOPLE ARE TAKEN ADVANTAGE OF, THAT USUALLY IS HOW YOU’RE TAKEN ADVANTAGE OF, RIGHT? SOMEONE TAKES — SOMEONE GETS INTO A LAPTOP, MAYBE A PARTNER, AN END USER, THEY MOVE FROM THE LAPTOP TO A SYSTEM, TO ANOTHER SYSTEM, TO A CORPORATE SERVER, TO ANOTHER CORPORATE SERVER AND THEY GET ON YOUR DOMAIN CONTROLLER AND TAKE YOUR FILE AND THEY’RE OFF TO THE RACES BECAUSE LATERAL MOVEMENT IS EASY ONCE YOU’RE IN IT. IT’S LIKE A THIN CANDY SHELL AROUND A CHOCOLATE INSIDE. SO VERTICAL NETWORKS ARE DIFFERENT, RIGHT? SO IF YOU PROVISION A SERVER IN AZURE, YOU GET THIS SEGMENTATION, YOU GET A RESOURCE GROUP INTO WHICH THE SERVER LIVES. AND THE APPLICATIONS WITHIN THAT RESOURCE GROUP CAN TALK TO EACH OTHER. YOU MAY APPLY ADDITIONAL CONTROLS EVEN THERE. BUT I’M SAYING BLOCKING AND TACKLING, USE THE CATALYST IN MOVING THE SERVER TO THE CLOUD TO IMPLEMENT MICRONETWORK SEGMENTATION WHERE EACH OF THOSE RESOURCE GROUPS USES THE NETWORK SECURITY GROUP TO SAY, NO, YOU CAN’T ACTUALLY TALK BETWEEN THOSE TWO APPLICATIONS BECAUSE YOU HAVE NO REASON TO. THERE’S NO VALUE IN THOSE TWO APPLICATIONS TALKING. SO WHY AM I LETTING THEM? THIS IS THE OPPORTUNITY TO BE ABLE TO DO THAT. AS YOU MOVE EACH APP, YOU CAN APPLY THE NETWORK SEGMENTATION RULES AROUND THE APPLICATION AND DRASTICALLY IMPROVE INTERAPPLICATION SECURITY AND MINIMIZE LATERAL MOVEMENT. THINK HOW COOL IT IS. LIKE, WOW, MY SERVERS CAN’T TALK TO EACH OTHER IN THE SENSE IN WHICH THEY COULDN’T BEFORE? WHAT A BEAUTIFUL THING. SO THAT OPPORTUNITY ALLOWS US TO BE ABLE TO BUILD ON A NETWORK THAT LOOKS LIKE THIS. SO YOU CAN SEE EACH APPLICATION IS IN ITS ONE, TWO, THREE, RIGHT? SO EACH APPLICATION IS IN ITS OWN RESOURCE GROUP. BUT I CAN’T TALK TO YOU — MAYBE I CAN TALK TO THESE, BUT I CAN’T TALK HERE, BECAUSE I HAVE NO REASON TO. 
SO I’M BUILDING IN THAT NETWORK SEGMENTATION WITHIN THE AZURE ENVIRONMENT. AND THIS IS JUST HOW YOU DEPLOY AZURE. YOU CAN’T REALLY DO THIS REALLY WELL BECAUSE BACK TO HOW THE ORGANIZATIONAL DESIGN SITUATION, THE NETWORK TEAM IS OVER HERE. THE APP TEAM IS OVER HERE, THE WINDOWS TEAM IS OVER HERE. WHO WILL TALK TO EACH OTHER TO BUILD A SEGMENTATION THAT WAS WORTH ANYTHING? NOT TO THE EXTENT TO WHICH YOU WANTED. NOW, THE APPLICATION IS WRAPPED, IT’S BUILT IN CODE. I CAN BUILD THIS AS PART OF HOW I DEPLOY. AND THE AZURE FIREWALL MAKES IT BETTER. SO THIS IS SOMETHING THAT I WOULD URGE YOU TO LOOK INTO AND USE THE — DEPLOY THE APPLICATIONS, PLEASE, USE THIS AS AN OPPORTUNITY TO IMPROVE SECURITY.

ALL RIGHT, NUMBER TWO, BUILDING THE GOLDBERG MACHINE ARCHITECTURE. I THINK RUBE GOLDBERG MACHINES ARE PRETTY COOL. JUST NOT IN AZURE. SOMETIMES COMPANIES JUST TAKE THIS IDEA THAT MAN, LIKE LET’S MAKE THIS DO THIS THING AND THIS GROUP DO THIS THING AND THEN LIKE — [HUMMING THE CIRCUS THEME] OKAY, HERE’S THE AZURE ENVIRONMENT. IT’S TOO MUCH. SIMPLE WINNINGS, SIMPLE ENVIRONMENTS ARE GOOD. YOU WANT A SIMPLE ARCHITECTURE, YOU WANT IT TO FOLLOW A NORMAL PATTERN THAT YOU CAN MANAGE, THAT DOESN’T MEAN YOU’RE USING THE INFRASTRUCTURE AS CODE. THE PROBLEM IS WHEN YOU USE IT AS CODE, I GO TO THE SERVICE PORTAL, I CLICK, I TYPE IN THINGS, I CLICK NEXT, I SUBMIT, SOMEONE HAS TO APPROVE IT. I SUBMIT IT HERE. THIS HAPPENS, THIS HAPPENS, I FINALLY GET A MACHINE. PEOPLE HATE IT. THEY DON’T WANT YOU TO DO THAT. IF THEY FIND OUT, THEY’LL START SPINNING UP THEIR OWN SUBSCRIPTIONS WITH THEIR CREDIT CARD AND DOING THEIR OWN STUFF. THEY DON’T WANT THE CORPORATE ROUTINE. THEY DON’T WANT THE RUBE GOLDBERG MACHINE. IT’S COOL. A LOT OF PEOPLE TRY TO CONVINCE YOU TO HAVE THIS STEP AND THIS STEP, TRY TO SIMPLIFY IT. SO SIMPLE IS NICE.

ALL RIGHT, NUMBER ONE. TABLE STAKES, COST MANAGEMENT AND TAGGING. COST MANAGEMENT AND TAGGING. 
IF YOU DO NOT DO TAGGING AND EFFECTIVE COST MANAGEMENT, YOU WILL HAVE DRASTIC PROBLEMS IN MANAGING YOUR AZURE ENVIRONMENT. IT WILL BE INCREDIBLY DIFFICULT AND YOUR FINANCE DEPARTMENT WILL HATE YOU. AND I.T. IS GOING TO LOOK LIKE ITS COSTS ARE OUT OF CONTROL. THE BEST COMPANIES ARE TAKING THE PROVISIONING PROCESS AND BUILDING TAGGING AROUND THE THINGS THEY NEED TO TRACK, SHIFTING THE COSTS TO THE BUSINESS. THE BEST ONES ARE SHIFTING IT TO THE BUSINESS BECAUSE THEY’RE MAKING THE IT COSTS JUST OPERATIONAL AND THEY’RE MOVING EVERYTHING ELSE TO THE BUSINESS WHERE IT BELONGS BECAUSE THE BUSINESS IS WHAT NEEDS IT. SO, HERE’S THE CRITICAL TAG EVERY ENVIRONMENT SHOULD HAVE. OWNER, THE BUSINESS UNIT THAT’S USING IT, THAT COULD BE APPLICATION GROUP, IF YOU DON’T HAVE BUSINESS UNITS, THE COST CENTER, EVEN IF THIS IS LIKE AN IT COST CENTER, BREAK IT OUT. YOU’LL THANK ME LATER. DECOMMISSION DATE. THIS IS FOR ANYTHING THAT’S GOING TO BE DECOMMISSIONED. YOU KNOW, SAYING, YEAH, I DON’T NEED THAT ANYMORE. OR WE’RE NOT GOING TO USE IT. WHEN YOU’RE PAYING FOR IT AND IT COSTS YOU $153 A MONTH, YOU WANT TO KNOW THAT YOU’RE GOING TO GET RID OF IT AT SOME POINT, RIGHT? ESPECIALLY IF IT’S SOMETHING THAT YOU’RE NOT GOING TO BE USING. DECOMMISSION DATE, REALLY IMPORTANT. PRODUCTION, NONPROD, QA, STAGE. WHERE IT LIVES IN THE ENVIRONMENT, WHAT THE PURPOSE IS, TAG IT. ANOTHER ONE IS A TAG AROUND WHAT LEVEL OF SECURITY IS APPLIED OR NECESSARY FOR THIS PARTICULAR ROLE. AND ALSO, YOU KNOW, IS THIS — IS THIS A — YOU KNOW, DOES THIS HAVE THIS PARTICULAR APPLICATION HAVE A SECURITY CLASSIFICATION THAT REQUIRES US TO APPLY DIFFERENT POLICIES TO IT. NOW, WHAT’S COOL ABOUT THIS IS AS YOU TAG SOMETHING IN AZURE, I CAN THEN APPLY POLICY RULES THAT THEN GOVERN DIFFERENTLY. SO, FOR EXAMPLE, IF SOMETHING HAS TO HAVE A CERTAIN LEVEL OF COMPLIANCE OR SECURITY, I CAN HAVE THAT LOOK DIFFERENT WAYS IN AZURE SECURITY CENTER. OR I COULD APPLY DIFFERENT PATCHING RIGHTS TO IT OR RULES TO IT. 
I CAN APPLY DIFFERENT AUTOMATIONS TO IT OR LET CERTAIN PEOPLE MANAGE IT BASED UPON THE WAY I’VE CLASSIFIED THE PROVISION RESOURCE GROUP OR THE APPLICATIONS WITHIN THE RESOURCE GROUP. SO TAGGING IS ABSOLUTELY CRITICAL. AND WHEN I FIND ENVIRONMENTS THAT HAVEN’T BEEN PROPERLY TAGGED, IT’S SO HARD TO GO BACK AND FIX IT. IT’S REALLY, REALLY DIFFICULT. BECAUSE YOU END UP HAVING TO GO BACK AND FIND THE APPLICATION GROUPS BUT THE PROBLEM IS YOU DON’T KNOW WHO IT IS, RIGHT? BECAUSE IT WASN’T TAGGED WITH THE PERSON WHO PROVISIONED IT AND WHO THE OWNER IS. AND THE PERSON WHO PROVISIONED IT DOESN’T WORK HERE ANYMORE. SO YOU GO THROUGH THIS LIKE SLEUTHING PROCESS AROUND THE ORGANIZATION TRYING TO FIND WHO’S WHO AND WHO PROVISIONED WHAT. AND IT’S SO MUCH TROUBLE. IT MAKES THE WHOLE COST MANAGEMENT WORK STREAM NEXT TO IMPOSSIBLE. I WOULD URGE YOU TO START USING THE AZURE COST MANAGEMENT FEATURE. YOU DON’T HAVE TO GO OUT AND BUY SOMETHING, GUYS. YOU DON’T HAVE TO DO A CUSTOM POWER BI. I BUILT THOSE BECAUSE BEFORE CLOUD EXISTED I HAD TO HAVE THEM. YOU HAVE STRONG STUFF WITHIN AZURE RIGHT NOW AND IT CAN DO AWUS COST MANAGEMENT. SO I WOULD STOP WITH THAT AND IF YOU NEED — START WITH THAT. IF YOU NEED MORE, EXPORT THAT TO POWER BI, DO SOME COOL WHIZBANG STUFF. YOU DON’T NEED A CUSTOM APP, YOU DON’T NEED SERVICENOW. I’M NOT HITTING ON IT IN A NEGATIVE WAY. I USE SERVICENOW, WE IMPLEMENT IT. BUT I’M SAYING IF SOMETHING IS IN THE PLATFORM, LEVERAGE WHAT’S IN THE PLATFORM FOR FREE BEFORE YOU BUY SOMETHING ELSE. THAT’S AN EXTRA TIP. MAKE SURE YOU GO DOWN THAT ROUTE.

AWESOME. ALL RIGHT, WELL, I HOPE AT LEAST ONE OF THESE WAS NEW FOR YOU. AGAIN, THIS IS MY TWITTER. YOU GUYS CAN CATCH UP WITH ME. THESE DECKS WILL BE AVAILABLE AT LEAST WITHIN TWO DAYS. I DID CHECK WITH THEM. IT SEEMS LIKE A LOT OF DECKS ARE AVAILABLE. IT SAYS AT LEAST WITHIN TWO DAYS IT WILL BE AROUND, SO YOU CAN DOWNLOAD THEM. I HOPE YOU HAD A GREAT TIME. I HAD A GREAT TIME TALKING TO YOU.
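
Added example, not part of the talk: a small audit of the per-application segmentation the speaker describes, evaluating simplified NSG inbound rules (lowest priority number first, first match decides) and listing inter-app flows that are permitted although no owner declared a need for them. The app names, subnets, ports, rule sets and the `REQUIRED` list are constructed assumptions; the two default rules are simplified stand-ins for the platform's intra-VNet allow and final deny.

```python
import ipaddress
from itertools import permutations

# Constructed sample: three apps, each in its own resource group and subnet.
APPS = {
    "payroll":   "10.1.1.0/24",
    "web-shop":  "10.1.2.0/24",
    "reporting": "10.1.3.0/24",
}
VNET = "10.1.0.0/16"
PORTS = (22, 443, 3389)

# Flows the app owners declared they need: (source app, destination app, port).
REQUIRED = {("web-shop", "reporting", 443)}

# Stand-ins for the default rules: allow anything inside the VNet, then deny all.
DEFAULTS = [(65000, VNET, "*", "Allow"), (65500, "*", "*", "Deny")]

# Inbound rules per app: (priority, source CIDR or "*", port or "*", access).
NSG = {
    "payroll":   [(100, VNET, "*", "Deny")],
    "web-shop":  [],  # no custom rules, so only the defaults apply
    "reporting": [(100, "10.1.2.0/24", 443, "Allow"), (200, VNET, "*", "Deny")],
}

def allowed(src_cidr, dst_app, port):
    """Return True if the first matching rule, in priority order, is Allow."""
    src = ipaddress.ip_network(src_cidr)
    rules = sorted(NSG[dst_app] + DEFAULTS, key=lambda r: r[0])
    for _prio, rule_src, rule_port, access in rules:
        src_ok = rule_src == "*" or src.subnet_of(ipaddress.ip_network(rule_src))
        port_ok = rule_port == "*" or rule_port == port
        if src_ok and port_ok:
            return access == "Allow"
    return False

def unneeded_flows():
    """Inter-app flows the rules permit that nobody declared a need for."""
    return sorted(
        (s, d, p)
        for s, d in permutations(APPS, 2)
        for p in PORTS
        if allowed(APPS[s], d, p) and (s, d, p) not in REQUIRED
    )

if __name__ == "__main__":
    for flow in unneeded_flows():
        print("allowed but not required:", flow)
```

Every finding in this sample points at `web-shop`, the one app left on default rules, which is the flat, everything-talks-to-everything case the talk warns about.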
