Episodes

  • Asymmetric Encryption with Eli Holderness
    Sep 18 2024

    Do you know how asymmetric encryption works? While at the Kansas City Developers Conference, Richard sat down with Eli Holderness to discuss many of the encryption technologies being used today—and the new options coming in the future! Eli talks about how symmetrical encryption and public key encryption have been the focus of modern encryption, especially on the web. But the ongoing security arms race means we have to keep tweaking encryption—what if we made a bigger leap? Asymmetric encryption offers huge potential - but there's still a long way to go!

    Links

    • Passwordless Identity with Eli Holderness
    • Elliptic-Curve Cryptography
    • Shor's Algorithm
    • Isogeny Key Exchange
    • Learning with Errors
    • Chrome and Hybrid Kyber KEM
    • liboqs
    • Let's Encrypt

    Recorded June 27, 2024

    39 mins
  • Microsoft 365 and PowerShell with Tony Redmond
    Sep 11 2024

    What can you do to Microsoft 365 with PowerShell? Turns out - almost anything! Richard talks to Tony Redmond about his ongoing efforts to educate sysadmins about the vast array of capabilities in M365, including all the PowerShell cmdlets that can let you retrieve and control everything in M365. There's now so much information that Tony and his team have created a separate book explicitly focused on automating M365 with PowerShell. The conversation also turns to the role of Copilot - GitHub Copilot - in helping you write better PowerShell and the challenges around M365 Copilot. The goal is to take advantage of the Microsoft Graph - all that information about your M365 Tenant and what is happening inside it.

    Links

    • Office 365 for IT Pros
    • Practical 365 Blog
    • Automating Microsoft 365 with PowerShell
    • Microsoft Graph SDK
    • Copilot for Microsoft 365
    • Microsoft Entra PowerShell
    • GitHub Copilot
    • Overview of Microsoft Graph

    Recorded August 8, 2024

    38 mins
  • Evolving Generative AI with Alison Cossette
    Sep 4 2024

    How is generative AI evolving, and what can we do about it? While at NDC in Oslo, Richard chatted with Alison Cossette about her work as a data scientist before the ChatGPT explosion in November 2022 and what life has been like since the LLM came to town. Alison talks about the rigor of building AI models using generative AI before ChatGPT and how many of those efforts have diminished when confronted with a friendly, confident language model. Eventually, this rigor will be needed - as the dangers of not managing language models cause problems, and the need for rigor will re-appear. Alison describes steps you can take today to understand how the LLMs you are using are trained and how they are tested. Generative AI is evolving, and you can be part of making it better!

    Links

    • GitHub Copilot
    • Fairly Trained

    Recorded June 12, 2024

    38 mins
  • The Security Risks of AI with Steve Poole
    Aug 28 2024

    Leadership wants to get on the AI bandwagon - what are the security risks? While at the Kansas City Developers Conference, Richard sat down with Steve Poole to talk about his experiences helping companies manage the risk of bringing AI into the company. Steve talks about the impact of introducing a new development stack, especially open-source stacks where you aren't sure of the provenance of the code - sometimes there's malware in there! The conversation also moves to the various sources of language models and the potential risks. There's an urgency to move quickly on this technology, but don't allow that urgency to shortcut the safety your company will need - you can do this properly!

    Links

    • Hugging Face

    Recorded June 27, 2024

    34 mins
  • Threat Modeling in the Cloud with Romina Druta & Daniela Cruzes
    Aug 21 2024

    What are the threats your cloud application and infrastructure are facing? While at NDC Oslo, Richard chatted with Daniela Cruzes and Romina Druta about their work building threat models for cloud-based applications. Daniela discusses how modeling helps to understand security concerns before applications are deployed and attacked - often, security retrofits are time-consuming and expensive, so thinking them through beforehand has enormous benefits. Romina dives into the supply chain side of threats - open-source libraries with backdoors, even down to development tools with malware. There are a lot of threats - but when you look, there are often great solutions as well. You'll need to collaborate with development to secure things, but security isn't optional and is worth fighting for.

    Links

    • Cloud-Native Application Protection Platform
    • Argo
    • VSCode Malicious Extension Threats

    Recorded June 12, 2024

    36 mins
  • Implementing Passkeys with Tarek Dawoud
    Aug 14 2024

    Are you ready for passkeys? Richard talks to Tarek Dawoud from Microsoft about the evolution of passwordless access with passkeys. Tarek talks about the FIDO alliance and the ongoing effort to create authentication strategies that are mathematically impossible to phish - no password stuffing under the covers that might get exploited by a man-in-the-middle attack. The conversation also dives into the passkeys name and how it's a rebranding of passwordless authentication to make it easier for everyone to understand that you'd rather have a passkey than a password. The products involved are still evolving, but there's plenty you can take advantage of today and make your organization more phishing-resistant than ever!

    Links

    • FIDO Alliance
    • Yubico
    • Windows Hello for Business
    • Microsoft Digital Defense Report 2023
    • Accenture Passwordless Journey
    • Conditional Access
    • Temporary Access Pass
    • Enable Passkeys For Your Organization
    • Web Authen
    • CTAP
    • Microsoft Password Guidance

    Recorded June 3, 2024

    39 mins
  • Optimizing Cloud Recovery Costs with Natalie Serebryakova
    Aug 7 2024

    What does it cost to recover from a disaster? While at NDC Oslo, Richard chatted with Natalie Serebryakova about her work helping companies understand their disaster recovery costs and what that process can teach you about your infrastructure. Natalie talks about different types of disasters, from the deletion of a production server to a major outage caused by a fire at a data center - and the power of working through the scenario to determine what needs to be backed up and what it takes to recover. The conversation also dives into the scrutiny of implementation - often, decisions are made that are no longer understood, or systems have changed enough that they could be improved. The result can be lowering DR costs, improving performance, and reducing operating overhead!

    Links

    • SOC2
    • DataDog

    Recorded June 12, 2024

    39 mins
  • Microsoft Cloud PKI with Richard Hicks
    Jul 31 2024

    Ready to move your device certificate authority to the cloud? Richard chats with Richard Hicks about Microsoft Cloud PKI - certificate management for devices and people as part of the Intune Suite. Richard talks about it being early days for Cloud PKI, so not everything you want is there yet. The only way to get a certificate onto a device is through Intune, so some devices, like servers, don't have a way to play yet. However, there is a bridge between Active Directory certificates and Cloud PKI, so you can bring your new devices in through Intune and ultimately unload a lot of your on-premises certificate infrastructure. And that will make everyone's lives easier and more secure!

    Links

    • Conditional Access
    • Active Directory Certificate Services
    • Microsoft Cloud PKI
    • Microsoft Intune
    • Intune and SCEP
    • Certificate Connector for Microsoft Intune
    • Bring Your Own CA in Cloud PKI
    • SCEPman
    • Keytos
    • Microsoft Entra Certificate-Based Authentication
    • PKINIT in Kerberos
    • mimikatz
    • Network Policy Server

    Recorded June 3, 2024

    45 mins