
Workload Identities
The Azure Security Podcast
Introduction
Episode 66 of the Azure Security Podcast is here. This week, we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. We have a guest this week, Joey Snow, who's here to talk about some identity stuff.
Transcript
Speaker 5
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform.
Speaker 2
Hey everybody, welcome to Episode 66. This week, it's myself Michael, Sarah, and Mark. Gladys has taken a little bit of a break. We have a guest this week, Joey Snow, who's here to talk to us about some identity stuff. Rather than talking about identity in terms of people, we're talking about workload identities. So with that, let's take a little lap around the news first. Mike, why don't you kick things off?
Speaker 3
So a couple interesting things that we released recently. For those of you that are kind of ancient, like Michael and myself, you may remember something called the immutable laws of security. And in the process of switching over from TechNet to the modern docs, now Learn, site, some of that stuff was sort of like dropped into an archive and really hard to find. So as we were in the process of resurrecting it, we kind of brought it back. But we also realized that there was this need for a new layer or a new altitude of them around cybersecurity risk because we saw some really key sort of truths and that needed to be sort of understood, that kind of debunk some myths. And so we put those up there. And so just the aka.ms/securitylaws, of course, the links will be in the show notes. And we kind of cover a lot of things like not keeping up is falling behind. Disrupting attacker ROI is really kind of the goal of security. Don't solve a technology problem. Excuse me. Don't solve a people or process problem with a technology solution because it won't work. Things like that. So that's out there. Really love to get some feedback on that. And see what you all think. Another thing that we're working on is sort of the opposite. So the opposite of the best practice is anti-patterns because sometimes those are really illuminating. Like, hey, I didn't realize we were doing it wrong. But now that you describe it that way, that does sound kind of dumb. And so we've been really kind of collecting some of those. I've got a little LinkedIn post going on. So I'll send that out for the folks that are interested and have some to contribute. Some of my favorites are collection is not detection. And we've got a whole slew of them for patching there. And then, compliant is not secure. I can't tell you how many people I've met that think that, hey, we're compliant. So therefore, we're secure. Gotcha. Not really. But just all sorts of things.
There's also the user world of using the same password. You know, throughout the SOC and identity world and all that. So we've heard there's a lot of good ones out there. And we'd love to get your thoughts on ideas on that. And then the last one I just wanted to highlight real quick is around the CISO workshop. So that is something that we've had the videos posted for a couple of months now. And we've been training some folks internally, getting them all ready to deliver. And so, yeah, this is something that we actually do deliver, not just, you know, set one recorded time on the internet that you can enjoy in perpetuity. But also, we do that delivery with customers, you know, for with CISOs, CIOs, security directors, IT directors. You know, oftentimes bringing teams together, helping them sort of connect and build a common strategy. You know, understand the latest trends in zero trust and how do you actually apply that? What does it really mean to a program, to a strategy, to all those kind of elements? So that one as well as our end-to-end security architecture, the architecture design session one, are actually something that we're starting to do deliveries on. And, you know, shadowing and reverse shadowing and leading a couple of those.
In this episode Michael, Sarah and Mark talk with guest Joey Snow about Workload Identities in Azure. We also chat about least privilege and privileged accounts in general. Finally, the latest Azure Security news about: Azure Front Door, Log Analytics, Web Application Firewall and AKS SSH keys.