Break Glass Account using FEITIAN FIDO2 Key

I was invited by Della (FEITIAN Technologies) to review one of their FIDO2 products. Out of their range of products I chose the K50: USB A-Type with Fingerprint.

There is one particular use case for using a FIDO2 Fingerprint Key I’d like to examine. The Break Glass (Global Admin) Account. By now, in 2023, we all agree on Multi Factor Authentication for ALL Users and we’re moving fast forward to Passwordless Authentication. In the Trainings I deliver and in conversations with my Customers we always discuss the “Break Glass Account” for emergencies. Shouldn’t we have a non-MFA-enabled Account for that? Write a very complex password on a piece of paper and put it in a safe?

No more. For daily use by both normal users and privileged users the Authenticator App works just fine. I’m not so much in favor of adding another device. For privileged accounts we should add Conditional Access policies like Device Compliance (Windows 11 Enterprise with all Security Features enabled), location and such. And Privileged Identity Management to harden access security (Principle of Least Privilege and Just-in-Time Access).

And then we run into an emergency situation… the hardened workstations become inaccessible, or cellular/Wi-Fi services become unavailable (no push notification to the Authenticator app), or whatever trouble.

In situations like that, having some FIDO2 Keys on some Break Glass Accounts can be a very good solution. Restrict these accounts to authenticating ONLY with a Security Key. Have 3-5 Accounts and a couple of these Keys (you can add up to 128 accounts on 1 Key). Enroll all 3-5 accounts on all Keys and keep the Keys in separate places for redundancy. Don’t forget to put PIM on these Accounts!
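One way to enforce the “Security Key only” restriction on these accounts, as an added example that is not part of the original post: a Microsoft Graph PowerShell script that creates a custom authentication strength allowing only the FIDO2 combination and a Conditional Access policy binding it to the Break Glass group. The group object ID is a placeholder you must replace.

```powershell
# Added example (not from the original post): restrict a group of Break Glass
# accounts to signing in ONLY with a FIDO2 security key, via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest).
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the Break Glass group

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# 1. Custom authentication strength that allows exactly one combination: FIDO2.
#    The built-in "Phishing-resistant MFA" strength would also accept Windows
#    Hello for Business and certificate-based auth, which we do not want here.
$strengthBody = @{
    displayName         = 'Break Glass - FIDO2 security key only'
    description         = 'Only a FIDO2 security key satisfies this requirement'
    allowedCombinations = @('fido2')
}
$strength = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies' `
    -Body ($strengthBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 2. Conditional Access policy: for the Break Glass group, on all cloud apps and
#    all client app types, grant access only when that strength is met.
#    Created in report-only mode first so the effect can be checked in the
#    sign-in logs before it is enforced.
$policyBody = @{
    displayName = 'Break Glass - require FIDO2 security key'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.id }
    }
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policyBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created policy '$($policy.displayName)' (id $($policy.id)) in report-only mode"
```

Switch the policy state to `enabled` only after every Break Glass account has a key registered and the report-only results show what you expect; otherwise you lock out the very accounts meant for emergencies.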

Et voilà! We have a very decent solution in place, compliant with the MFA Policy for ALL users and also Passwordless.


Break the Glass safely!

Microsoft Operating Systems and Me

People who know me know that one of my slogans is “Who needs an Operating System”. Through some mysterious pathway I am currently taking some Operating System exams… (MD-100 = Windows Client, AZ-800 and AZ-801 = Windows Server) Huh??

Organizations and their way of thinking about IT only move so fast (actually real slow). Clinging to the Desktop, be it physical or virtual, and clinging to Servers, be it on-prem or in the Cloud. While the technology to get rid of that ancient stuff has been out there for a while now. Who would need a full Desktop OS if all Applications were Web Apps? Why deploy IaaS solutions while PaaS and SaaS solutions are real?

So anyway, apparently, we live in a Hybrid IT world, in this context meaning that we are mixing and mingling traditional deployments with all the Cloud goodies. Which does not make it easier to use these goodies. And there pops up my reason to take another round (#8) at Microsoft Operating Systems Certifications. To oblige as Trainer, Consultant and Advisor. Reality sucks, doesn’t it?

Happy Learning!


MCT: Delivering AZ-305, notes from the field

This week I did a first-time delivery of MOC AZ-305, Designing Microsoft Azure Infrastructure Solutions, towards the Microsoft Certified Azure Solutions Architect Expert Certification. The Exam is still in beta; I took it a week before delivering the training, making the time investment count double, preparing for both my Exam and delivering the training.

I consider this training and this exam (topics, depth, and breadth) one of the better ones out of the whole Curriculum. The real “Expert level” deal. The 4-day training can be delivered without Labs; the GoDeploy Labs have no direct link with the course content but offer some great deep dives in specific technologies should they fall outside the knowledge scope of the participants. Long Labs, up to 3-4 hours. Each Module ends with one or more Case Studies, plenty of room to discuss various options.

After my preparation I had some concerns about the knowledge level of the participants; it happens too often that people over-estimate themselves, in which case they might get lost on day 2 or so. The course really covers a lot of Cloud in just 4 days; the more knowledge the participants already have, the higher the value of this course gets. I would suggest to Microsoft Learning that the prerequisites (also for Certification) should be not just the AZ-104 Azure Administrator. Add 1 or 2 “electives” (as in the old days of MCSE Certifications). Electives can be almost any “Associate level” Certification (AZ-500, AZ-700, SC-300, AZ-204, etc.).

Luckily, the 6 participants in this group selected the right course; they were all very seasoned senior Azure Admins/Engineers and there was plenty of expertise in the (virtual) room on specific technologies like SQL and Kubernetes. But anyhow, take care with the intake of participants for this course.

I started off with a whiteboard session on the “Well-Architected Framework”, to give some context on how to approach the content. So, in the discussions on the Case Studies, we could discuss possible solutions based on these principles. In the Exam as well, references are made to these principles. Maybe a module on this could be added to the course. On day 1 and 2 (and planned for day 3 and 4) I allocated some 2-3 hours for them to work on the Labs. On day 3 however a request was made to not use course time for Labs and rather spend it on discussing the topics and the case studies. The vote on that was unanimous. Wonderful! We ended up in vivid discussions and we all learned a lot from each other. I invited them to look at becoming MCT! And I think some of them will take that path. As we all agreed that the Knowledge and Skills Gaps are a big showstopper for leveraging Cloud technologies. Do something about it instead of complaining about it.

Overall, I am very satisfied with this course and I’m looking forward to delivering it again (scheduled for March).


Happy Learning!

WVD Notes from a NO-SBC fan

People who know me also know that I am no fan at all of Server Based Computing (SBC). Remote Desktop Services, Citrix, VMware, VDI, WVD, it is all the same complex and expensive misery to allow Organizations to keep on running their legacy Win32 Line of Business Applications.

This rant of mine is not new. Back in 2007 I joined a Dutch company called Qwise, and Qwise was one of the major players in The Netherlands on Citrix and App Packaging and deployment. I asked myself and my colleagues: Why do we do this? Why don’t we make all applications web-based? Who needs a Desktop, who needs an OS? Because Organizations run shitty Line of Business Applications.

Now it is 2020 and nothing has changed. SBC is still expensive and it is still very complex (also in the Cloud) because Organizations still run shitty applications…

Okay, anyways, I have been doing some playing around with Windows Virtual Desktop as a Pilot in our production environment. It took me like a day or two to get it all up and running thanks to this article by Christiaan Brinkhoff. It is great that Microsoft will now manage the RDS Roles in the background. That surely takes away some headaches. And of course, provisioning on Azure is fast. Currently I do all of my daily job in a Virtual Desktop except for Teams Meetings. Pretty happy with the fluency and the performance. I oversized the VMs a bit, I have to admit, but no fancy GPU stuff. I am waiting for the A/V Redirect to make Teams Meetings work.

There are quite a few hoops to jump through setting this all up. I wonder how that is for less experienced people; there is much to deal with. My 70+ Microsoft Certs are well spent on this endeavor. Inova Solutions, the Company I work for, is a “Cloud Only” Company. I abolished all on-prem stuff, got rid of Active Directory; all happens from the Cloud and in the Cloud. The biggest “bummer” of WVD is that it relies on Active Directory. So, either put up some DCs in Azure or deploy Azure Active Directory Domain Services. Back to Active Directory feels like “legacy” after doing only Azure AD and Intune for the last 6 years. Back to NTLM Authentication and GPOs. I consider that a huge step back.

We also need to manage, one way or another, the end user device to enable these users to connect to their WVD environment, including local printers, scanners and other devices, securing Corporate data, etc. WVD is not replacing those devices; WVD adds another Device per user, adding work for IT Staff to manage and maintain the complete environment.

In my previous Blog I wrote about connecting to (legacy) Line of Business applications for Remote Work. Not much to be found on “best practices” for WVD and those LOB Apps availability.

I can see valid use cases for WVD but maybe not so much for SMB unless they are served by a Managed Service Provider; the SMBs in my customer base simply do not have the Knowledge for WVD. The Total Cost of Ownership for WVD, as it becomes so clear with the monthly bill from Microsoft for Azure consumption, may be considered high. I tend to look at the Value more than at the Cost. Valid Business cases can be written for deployment of WVD.

Anyways, I’ll keep on experimenting, trying to find valid scenarios for #WVD.

The Big Underrated Issue in Working from Home

Although the initial anxiety on COVID-19 has dropped by now, lots of Organizations are aware that Remote Work is here to stay. And we see lots of applicable Technologies that can facilitate that. But mostly just up to the point where we come to “Line of Business Applications” (LOBs).

Most of my Customers have a pretty traditional setup of their IT Infrastructure in an on-premises data center. Active Directory, member Servers running (legacy) client/server applications, sometimes in a 2-tier infrastructure. The Local Area Network (LAN) sits in the Corporate Building and all Desktops have connectivity to the local data center. Some of these Customers started with moving some workloads to the Cloud, mainly email that goes to Office 365. Adoption and moving more workloads or starting to use new things in the Office 365 platform is going very slowly.

And now we need to work remotely. Outside of the Corporate LAN. That poses several challenges. For the sake of the topic I refrain from looking at processes relying on physical paper, although a lot of my Customers still do so. Of course, that makes the challenge of working remotely even more complex.

The Devices

In most Office buildings people have a Desktop, and I think in most cases, even in this COVID-19 situation, people are not allowed to take that one home. And even if they are allowed, it will not be connected to the Corporate LAN, so work as usual is not an option. Also, things like Group Policies (including Security settings) will not be applied to those Desktops. Corporate laptops suffer the same unless they are decently prepared for remote work. Lots of people will work on their personal device from home, or even their family device; Organizations have to realize that those devices are totally out of control. Then, users will use anything trying to accomplish their tasks, using any application they can find. That list is endless by now and 99% of it fits in the category of “Shadow IT”; corporate data can and will flow anywhere.

Business Applications

Organizations can use a lot of different applications throughout their companies, per department or division. Some of them will just be a standalone application, a lot of them will tie back into a backend in the datacenter. Are these Line of Business Applications accessible for Remote Workers? Can they be made accessible, in a secure and user-friendly way? Some protocols to connect to these backends are not that suitable to traverse Wide Area Network (WAN) connections, resulting in a bad user experience or very limited functionality. Some Organizations already have some of their Applications accessible from outside the Corporate LAN; email is probably the most common one.

In general, a Client device must be fully managed and sit as close to the Data Centre as possible, preferably over Corporate LAN Connections. Add to that, a decent Data Protection configuration. That is the ideal situation. Or is it?

There are numerous options to make LOB Applications accessible for use outside of the Corporate LAN, and they all have their pros and cons.

  • VPN into the Corporate LAN; applications may seem very unresponsive/low performance, a simple thing like browsing a File Server is hard over a VPN connection. Can the VPN-appliance on the Corporate LAN side and the Internet connection handle the load? Are the remote devices secure? Can the “client” side of the LOB Application be installed on the Remote Device?
  • DirectAccess. Only available for Windows 10 Enterprise domain member PCs. Transparent end-user experience (Always On), very secure (IPsec), Certificate based authentication, fully managed PC through GPO. Can the Corporate LAN side appliance and the Internet connection handle the load?
  • Web-based applications. These are relatively easy to expose and authenticate to. The http(s) protocol is designed for WAN Connections.
  • Re-architect applications into Web-based applications.
  • Remote Desktop Services. The actual (virtual) Desktop runs within the Corporate LAN. Modern RDP Protocols (or the proprietary Citrix and VMware ones) are designed for WAN Connections. RDS or VDI Services are expensive, they require large amounts of resources: CPU, RAM, Storage, Networking. It also requires Infrastructure specialists and Application packaging specialists. Managing and maintaining a SBC environment requires a lot of IT Staff resources.
  • Move LOB Applications to the Cloud. Make them available and accessible from anywhere. For “legacy” applications there is still the issue about the distance between the client and the server though.
  • Move LOB Applications to the Cloud AND build SBC in the Cloud like Windows Virtual Desktop (WVD). WVD is not cheap (resource intensive) and almost just as hard to manage and maintain as an on-premises SBC Solution.
  • All the above scenarios leave the end user device as is, unmanaged and not secure (except for DirectAccess). With Microsoft 365 (Office 365, EMS, Intune) we can manage any device (Windows, macOS, iOS, Android), implement things like Multi Factor Authentication, Conditional Access, Information Protection, Threat Protection, and lots of telemetry to analyze all of that. The Office 365 portion allows for Communication and Collaboration (Email, Teams, SharePoint). Implementing Microsoft 365 will make all of the above scenarios easier and more secure.

What we can see happening right now is a myriad of all these options, which is fine as long as there is a Strategy or Vision stating where it leads to. If a Strategy is lacking all we are left with is a pile of unmanageable “spaghetti”. In the meantime, all scenarios could be valid under some specific circumstances. There is not one right way of doing it.

My “perfect picture” would look like “All Applications deployed in the Cloud, preferably as SaaS or PaaS Solutions. All Devices managed through M365”.

Integrated Solutions for #WFH

Now that the initial smoke has cleared a bit on the COVID-19 situation, the time seems right to think ahead when it comes to “Working from Home”.

We have seen all the “ad hoc”, almost panic-like, trials and errors in facilitating our employees to enable them to stay somehow productive. I believe it is chaos out there. The list of communication and collaboration tools is endless. And some truly relevant ingredients are totally lacking: integration, security and governance. A lot of these tools could be set up for integration (through APIs for example) but that requires time and expertise. On the security and governance level I seriously have my doubts on most of them. Mainly because they are more “consumer based” than “enterprise grade”.

I have been “preaching” Office 365/Microsoft 365 for years now, and for the last 2 years or so, focused a lot on security and governance. Integration, security and governance are right there, out of the box, Built-in instead of Bolt-on. We should be starting to deploy that in a controlled environment, enabling our workforces to work from home effectively, safely and securely. While the Organization stays in control. It may take a couple of weeks to get it up and running, true. But if we don’t, the chaos and spaghetti that is being created right now will only become bigger and bigger. No control, bad actors out there, no clue on who is doing what and how and where and when.

We should not forget that most organizations have their Line of Business applications and their File repositories in their local Data Centers without having proper remote access facilities configured. There are plenty of solutions out there to enable access to those resources remotely. We need to look at short term solutions and plan for long term solutions in parallel. The times of “ad hoc” and “panic” are over.

Now is the time to sit down and make a plan that enables Organizations and individuals to achieve more, even in these weird times.

Security: get the whole deal

By now we all know Microsoft has become a “Security Company”. Their current portfolio on Security, Compliance and Governance is unmatched. By now most Organizations realize their Security posture is not what it should be. Not to mention their Compliance and Governance posture.

Plenty of Office 365 customers come to me for a Solution for a specific issue they encounter. Ransomware, spoofing, account breaches, compliance requirements, you name it. They perform some searches on the Internet and find an Add-On Subscription to remediate their issue. That is reactive. Out of my experience I know for sure they’ll be back before long with another issue and another Add-On to remediate. Reactive once more.

Let’s stop doing that. Let’s start being pro-active. Digital transformation is nothing more than “losing old habits and creating new habits”. How do we get there? Not by enumerating factsheets of the capabilities of the products. We get there by showing Business Decision Makers what the threats are from the Business and User perspective. Then we show them how to remediate those threats and what that looks like from the Business and User perspective. Loved by Users, trusted by IT. Pro-active. Let the always present Mr. Murphy die a slow but certain death.

Having these presentations and conversations with customers creates instant transformation: Value is more relevant than Cost. So, we can stop talking about Add-Ons and we can start talking about the complete packages. They bring Value.

Oops, is this a Sales pitch?

Happy protecting!


Training means Train!

Digital Transformation, Adoption, learning methods, Adoption Specialists, Onboarding specialists, migration specialists. We can do it cheap and fast. Ouch. There is no cheap and fast when looking at Value.

We, as in the “communities”, are making mistakes. We must distinguish between knowing how to do something and understanding why it must be done in a certain way. Sometimes knowing the how-to is good enough. But when we look at Digital Transformation and Adoption, the real Value comes from a thorough understanding by all involved on the WHY.

Why is a business process structured like it is? Only when we understand that can we find new ways of getting the same results by effectively using the right tools in the right way. Efficiency is about “Doing things the right way”. Effectiveness is about “Doing the right things”.

Basically, we need to do 2 things during the Journey of Adoption/Digital Transformation:

  1. Inclusion. From C-level Management to frontline workers, all need to be involved. Involved, get that?
  2. Training. It means Train!

Training is not the same as watching a “how-do-I-…” video on YouTube or attending a Webinar/Seminar. Training means practice, repetition, endurance, discipline, making mistakes, learning to understand why it is as it is. Training is an action; one needs to allocate time for it. Results will take a while.

A year ago, I bought myself a new Rickenbacker bass-guitar. I dream of being on stage, playing like Paul Grey or Bruce Foxton. Keep on dreaming, I pick up the instrument no more than 30 minutes a week. It makes no sense to go to the gym for 8 hours straight. When you look in the mirror the next day, you’ll see no difference.

As a Microsoft Certified Trainer, I tell my students that the Labs are not about getting them done successfully. The Labs are about spending time, practicing, learning to understand the why of the technology. The students train!

A new insight is not good enough if you do not practice the actions that come out of the new insight. The insight gives a moment of “aha”. After practicing it becomes obvious. You cannot learn how to ride a bicycle from a book.


Just saying: don’t go for cheap and fast! No such thing…


Happy Training!


VDI – Will it ever end?

There is a lot of buzz about Microsoft’s Windows Virtual Desktop, a VDI Solution running on Azure. Let me tell you this: VDI should not be around anymore, it should be buried, and the epitaph should read something like “Promising but never delivered”.

It’s not that I see no use cases for VDI Solutions; unfortunately we, as an IT Community, have allowed those use cases to still be out there. In 2007 I joined Qwise, a major multiple award-winning Citrix Partner in The Netherlands. I was a stranger there; I do Microsoft only. And seeing all the struggling, the complexity, the money-absorbing craziness of all those efforts to give users access to their applications, it made me wonder if there was no better solution. And there was, and that solution is a valid one still in 2018. And I even think that a lot of people would agree with me, and yet, we did nothing about it.

Already back then, in 2007, web applications were mature enough to regard them as a serious solution for the growing complexity of managing and maintaining the application landscape, both on local desktops and centralized desktops. My “SBC/VDI” colleagues agreed, but, they argued, we must also support the legacy and the traditional client-server applications. And now, almost 12 years later, I still hear that same argument. And so, we still need desktops and full-blown operating systems. To run legacy applications. And we did nothing about it: no vision, no strategy. Software vendors, software buyers, consultants.

Of course, that is not completely true; I really love the Office Web Apps and plenty of legacy apps are now Web Apps. They offer a good portion of functionality for most users. But still, the battle on the VDI market continues, where we now do “serverless” in the cloud, doing “who needs a server OS”. We are afraid Windows 7 becomes the new Windows XP, but Microsoft’s WVD allows for Windows 7, even offering 2 years of extended support. Allowing us all to not move forward. Keeping the 2007 eco-system alive, making some bucks. But keep in mind, we are probably end customers of our professional customers, so who are we kidding?

Just saying…

Cloud Adoption, where to start: CEO

This is the third blog in a series on Cloud Adoption and Cloud Migration. Previously I wrote “The GAP between Cloud Migration and Cloud Adoption” and “Office 365 and Bandwidth – Adoption to Cloud Computing”. This one is on Ownership of Cloud Adoption and Ownership of Cloud Migration. As explained in the previously mentioned posts, Adoption and Migration are two totally different things.

IT Departments are responsible for Cloud Migration(s). It’s about the technical challenges of moving workloads to the Cloud. Ownership of Migration lies with the IT Department, somewhat automatically delegated by the Organization. Not much to discuss here.

Now Cloud Adoption, who has Ownership of that? I have seen a lot of Migrations not yielding the expected results, not because it was a bad Migration but because the Organization did not benefit from it, or even worse, continued “business as usual”. It didn’t even have to do with Cloud Migrations; it could be on-prem Exchange, SharePoint, Desktop OS or Office migrations as well. A lot of Organizations run the latest versions of those but still live in the dark ages when it comes to using them. Because nobody in the Organization took Ownership of the Adoption. Mostly that was left to IT Managers. But who listens to IT Managers? Not the Sales and Marketing Managers, for sure. They are busy. And so any free 1996 Pegasus mail server and mail client could actually do the job. IT should not be owner of the Adoption of features made possible by the Migration. It should work the other way around. First there is a Feature Requirement list made by the Business. Out of that an IT Project/Migration may get started.

That being said, with Adoption first, the question remains who must be the Owner if not IT. The answer to that is very simple: the CEO. If the CEO is not the Owner of Adoption, every IT Manager will set himself up for failure when engaging in whatever Migration. Adoption touches the very heart and nature of the way people work and thus the Organization. If that is not endorsed, empowered and owned by the CEO, well, good luck. All will trickle down into the Organization from the highest management, making sure all is in place when the stages of Migration arrive. I have very good experiences with Migrating higher Management first. Let them “Walk the Talk” and show that “all is well”.

Also, when progress stops because CEOs are not taking Ownership, Shadow-IT becomes a painful reality. Percentages of users finding their own way to do their job are rising; IT loses yet more control, as will the Organization itself. Mobile Devices, Tablets, Notebooks, Dropbox, Skype, OneDrive, unmanaged devices, unmanaged storage: where is the corporate content going? That makes any Organization’s fear of safety in the Cloud a bit ridiculous, doesn’t it?

To get CEOs back in control, IT Management needs to have good connections with the higher Management. As a Consultant I can’t do much if I’m stuck on the level of IT. IT may understand what direction to go or not, but if higher management speaks a different language then IT is also stuck. This morning I had a one hour conversation on this with the IT Manager of one of my customers. He’s stuck in that exact situation. I could only listen to him and coach him on how to repair the damages of the past in those lines of communication in order for his CEO to get aligned again and put his fist on the table to move forward. I asked him to keep me posted on how that will go.

Another Customer sits at the other side of this. His CEO is enrolled in Azure and they are really moving forward FAST now. The CEO knows nothing about Technology, but he was informed in such a way that he could endorse and empower the Organization to move in that direction.

Conclusion: Cloud Adoption starts at the CEO!


CEOs, Happy Adopting!!! You really should!