
1
00:00:00,000 –> 00:00:01,560
Administrator, do you hear that?
2
00:00:01,560 –> 00:00:03,280
The silence is lying to you.
3
00:00:03,280 –> 00:00:05,280
Backups you trust can vanish in seconds
4
00:00:05,280 –> 00:00:07,200
when one shadowed identity twitches.
5
00:00:07,200 –> 00:00:08,240
And here’s what actually happens
6
00:00:08,240 –> 00:00:09,800
when Azure Backups sits on defaults.
7
00:00:09,800 –> 00:00:11,440
Meet the backup operator from hell,
8
00:00:11,440 –> 00:00:14,560
rogue admin, stolen automation, careless consultant.
9
00:00:14,560 –> 00:00:16,560
You’ll watch soft delete fail to comfort,
10
00:00:16,560 –> 00:00:18,440
the purge attempt, the undead return,
11
00:00:18,440 –> 00:00:20,480
and the vault that locks even you out.
12
00:00:20,480 –> 00:00:22,400
Then the cure, vault protections,
13
00:00:22,400 –> 00:00:24,880
clean identity lines and eyes that don’t sleep.
14
00:00:24,880 –> 00:00:26,320
One rule to hold in the dark,
15
00:00:26,320 –> 00:00:28,320
if one person can kill your backups,
16
00:00:28,320 –> 00:00:29,520
you don’t have backups.
17
00:00:29,520 –> 00:00:31,880
Stay with me, the creature is already inside.
18
00:00:31,880 –> 00:00:34,920
Backups, the most dangerous false sense of security.
19
00:00:34,920 –> 00:00:37,640
Administrator, let’s start with the lie you love,
20
00:00:37,640 –> 00:00:39,760
the quiet one, nothing screams.
21
00:00:39,760 –> 00:00:41,000
The blade is green.
22
00:00:41,000 –> 00:00:43,120
Jobs say completed in a soft, friendly font,
23
00:00:43,120 –> 00:00:44,400
no pages, no smoke.
24
00:00:44,400 –> 00:00:47,680
So you file backups under: done, safe, routine, background.
25
00:00:47,680 –> 00:00:48,840
That’s where the rot starts.
26
00:00:48,840 –> 00:00:50,840
Backups are the last line, because they’re last,
27
00:00:50,840 –> 00:00:53,760
they decay first, they don’t shout when you overscope a role.
28
00:00:53,760 –> 00:00:55,880
They don’t groan when retention gets trimmed,
29
00:00:55,880 –> 00:00:57,480
they just keep producing points.
30
00:00:57,480 –> 00:00:59,120
Until the night you need to breathe life back
31
00:00:59,120 –> 00:01:01,480
into a dead system. Then you learn what you really built.
32
00:01:01,480 –> 00:01:04,960
Name the villain: not ransomware, not fate, not oops.
33
00:01:04,960 –> 00:01:06,760
The backup operator from hell.
34
00:01:06,760 –> 00:01:10,400
It wears many faces, a long-lived owner at subscription scope
35
00:01:10,400 –> 00:01:13,560
kept for convenience, a token stolen from a build agent,
36
00:01:13,560 –> 00:01:16,320
steady and loyal to a pipeline that now serves someone else,
37
00:01:16,320 –> 00:01:18,600
an automation account with contributor on vaults,
38
00:01:18,600 –> 00:01:20,120
just to get it working.
39
00:01:20,120 –> 00:01:22,880
A consultant with a fast hand who left before the dust settled,
40
00:01:22,880 –> 00:01:24,280
malware that doesn’t encrypt
41
00:01:24,280 –> 00:01:26,640
it zeros your retention and smiles.
42
00:01:26,640 –> 00:01:29,560
They share one hunger: enough rights to end recovery.
43
00:01:29,560 –> 00:01:32,680
Azure loves you, built in, official default.
44
00:01:32,680 –> 00:01:35,320
You enable protection, recovery points bloom.
45
00:01:35,320 –> 00:01:38,200
It feels sanctioned, your mind relaxes.
46
00:01:38,200 –> 00:01:41,000
Defaults promise safety in a world where nobody panics,
47
00:01:41,000 –> 00:01:44,360
nobody gets phished and nobody clicks cleanup at 3am.
48
00:01:44,360 –> 00:01:46,520
Mm, but people panic.
49
00:01:46,520 –> 00:01:50,400
An incident hits, noise, heat, someone barks, shut it down.
50
00:01:50,400 –> 00:01:51,280
Fingers start cutting.
51
00:01:51,280 –> 00:01:52,920
No one is mapping effective permissions.
52
00:01:52,920 –> 00:01:54,960
They’re hunting for buttons that stop the pain
53
00:01:54,960 –> 00:01:57,080
In that storm, convenience turns lethal.
54
00:01:57,080 –> 00:01:58,960
That’s the failure, speed over structure.
55
00:01:58,960 –> 00:02:01,720
You architect a path where speed can walk around safety.
56
00:02:01,720 –> 00:02:05,120
Then you praise the speed. In that world, backups are not a net.
57
00:02:05,120 –> 00:02:05,960
They’re tinder.
58
00:02:05,960 –> 00:02:08,680
One identity with the wrong shape can delete backup items,
59
00:02:08,680 –> 00:02:11,000
slash retention to zero, so time runs out,
60
00:02:11,000 –> 00:02:12,960
disable protection so no new points form.
61
00:02:12,960 –> 00:02:16,000
Purge soft-deleted recovery points if the vault isn’t locked.
62
00:02:16,000 –> 00:02:18,560
The portal whispers: delete, update,
63
00:02:18,560 –> 00:02:22,160
change policy. Harmless verbs, final consequences.
64
00:02:22,160 –> 00:02:24,560
You tell yourself backups are immutable.
65
00:02:24,560 –> 00:02:26,120
But immutability is not a word.
66
00:02:26,120 –> 00:02:27,240
It’s a set of teeth.
67
00:02:27,240 –> 00:02:29,120
Soft delete to force delay.
68
00:02:29,120 –> 00:02:32,240
Multi-user authorization, so one hand can’t pull both levers.
69
00:02:32,240 –> 00:02:33,720
Vault lock to weld the door shut.
70
00:02:33,720 –> 00:02:35,680
Without them, your backups aren’t immutable.
71
00:02:35,680 –> 00:02:37,320
They’re dry wood stacked high.
72
00:02:37,320 –> 00:02:38,920
And the creature, it’s patient.
73
00:02:38,920 –> 00:02:40,440
It lives in permissions.
74
00:02:40,440 –> 00:02:42,400
In nested groups, in old custom roles,
75
00:02:42,400 –> 00:02:44,440
in inherited scopes, no one maps end to end.
76
00:02:44,440 –> 00:02:45,880
It waits in your CI secrets.
77
00:02:45,880 –> 00:02:48,120
It waits in a service principal with a guessable name
78
00:02:48,120 –> 00:02:49,600
and a stale certificate.
79
00:02:49,600 –> 00:02:52,200
It waits in a spreadsheet that lists reader
80
00:02:52,200 –> 00:02:54,400
while data actions whisper a different story.
81
00:02:54,400 –> 00:02:56,440
Quiet dashboards breed this.
82
00:02:56,440 –> 00:02:59,080
Completed blinds you to the crack where it breathes.
83
00:02:59,080 –> 00:03:01,920
So hear this, administrator: the silence is not proof.
84
00:03:01,920 –> 00:03:02,760
It’s camouflage.
85
00:03:02,760 –> 00:03:04,280
The monster hasn’t moved yet.
86
00:03:04,280 –> 00:03:05,120
You want truth?
87
00:03:05,120 –> 00:03:06,520
Look at effective permissions.
88
00:03:06,520 –> 00:03:07,600
Not titles.
89
00:03:07,600 –> 00:03:09,400
Look at activity logs that say backup item delete,
90
00:03:09,400 –> 00:03:11,960
retention policy change, recovery point purge.
91
00:03:11,960 –> 00:03:13,160
Look for the pattern.
92
00:03:13,160 –> 00:03:16,000
One identity touching deploy and purge.
93
00:03:16,000 –> 00:03:17,120
Look for the smell.
94
00:03:17,120 –> 00:03:19,240
Contributor on a vault, owner on a scope,
95
00:03:19,240 –> 00:03:21,840
custom roles with sharp data actions buried deep.
96
00:03:21,840 –> 00:03:23,240
Most people think they have backups.
97
00:03:23,240 –> 00:03:26,720
But what they have is time until the wrong identity twitches.
98
00:03:26,720 –> 00:03:30,600
You think immutable, it isn’t, unless you make it bleed to live.
99
00:03:30,600 –> 00:03:33,360
Why Azure Backup is not automatically secure.
100
00:03:33,360 –> 00:03:35,920
You think Azure wears a halo built in.
101
00:03:35,920 –> 00:03:37,360
Trusted, safe by default.
102
00:03:37,360 –> 00:03:38,720
But here’s what actually happens.
103
00:03:38,720 –> 00:03:40,680
Myth one, immutable by default.
104
00:03:40,680 –> 00:03:42,720
No, not until you chain the creature.
105
00:03:42,720 –> 00:03:43,960
Soft delete is the first chain.
106
00:03:43,960 –> 00:03:44,960
It forces delay.
107
00:03:44,960 –> 00:03:47,680
You strike delete and the item falls but not far.
108
00:03:47,680 –> 00:03:49,720
It lingers in a soft deleted state.
109
00:03:49,720 –> 00:03:51,160
Time buys you breath.
110
00:03:51,160 –> 00:03:53,280
And multi-user authorization steps in.
111
00:03:53,280 –> 00:03:56,320
Two hands, two humans, one cannot pull both levers.
112
00:03:56,320 –> 00:03:58,480
And last, the weld, vault lock, irreversible.
113
00:03:58,480 –> 00:03:59,600
You can’t lower retention.
114
00:03:59,600 –> 00:04:00,920
You can’t turn off soft delete.
115
00:04:00,920 –> 00:04:01,920
You can’t purge.
116
00:04:01,920 –> 00:04:03,920
Without all three, the door is open.
117
00:04:03,920 –> 00:04:05,280
Soft delete slows the blade.
118
00:04:05,280 –> 00:04:06,840
MUA blocks the single hand.
119
00:04:06,840 –> 00:04:08,560
Vault lock takes the blade away.
120
00:04:08,560 –> 00:04:09,560
Myth two.
121
00:04:09,560 –> 00:04:11,400
Only backup admins can delete.
122
00:04:11,400 –> 00:04:12,400
Contributor smiles at that.
123
00:04:12,400 –> 00:04:14,040
Contributor can delete backup items.
124
00:04:14,040 –> 00:04:15,840
Owner can purge soft deleted points.
125
00:04:15,840 –> 00:04:20,400
Operators with just the right data actions can neuter policies, shorten retention, and
126
00:04:20,400 –> 00:04:21,960
stage a delayed death.
127
00:04:21,960 –> 00:04:23,320
And there are side doors.
128
00:04:23,320 –> 00:04:25,000
Set retention to near zero.
129
00:04:25,000 –> 00:04:26,240
Wait enough days.
130
00:04:26,240 –> 00:04:27,880
Watch time erase recovery points.
131
00:04:27,880 –> 00:04:28,880
Naturally.
132
00:04:28,880 –> 00:04:31,240
Edit a policy so backups stop forming.
133
00:04:31,240 –> 00:04:33,080
Change protection from daily to never.
134
00:04:33,080 –> 00:04:36,160
No delete button pressed yet the patient still dies.
135
00:04:36,160 –> 00:04:38,360
That’s how the parasite pretends to be trusted.
136
00:04:38,360 –> 00:04:39,360
Myth three.
137
00:04:39,360 –> 00:04:41,200
More subscriptions make me safer.
138
00:04:41,200 –> 00:04:44,840
If the same identities span them, you just gave one key to every door.
139
00:04:44,840 –> 00:04:48,000
Cross subscription trust becomes a dark corridor.
140
00:04:48,000 –> 00:04:51,240
A group assigned at a management group leaks into child subscriptions.
141
00:04:51,240 –> 00:04:55,600
A service principal scoped wide for flexibility now walks wherever it pleases.
142
00:04:55,600 –> 00:04:59,040
Separation without identity separation is a stage set, not a wall.
143
00:04:59,040 –> 00:05:00,040
Myth four.
144
00:05:00,040 –> 00:05:01,640
MFA stops insiders.
145
00:05:01,640 –> 00:05:03,320
MFA stops the stranger at the glass.
146
00:05:03,320 –> 00:05:05,040
It does nothing when the face belongs.
147
00:05:05,040 –> 00:05:07,040
Privileged intent walks straight through.
148
00:05:07,040 –> 00:05:11,000
If the role allows harm and the person or process is approved, the system nods.
149
00:05:11,000 –> 00:05:12,640
The horror isn’t bypassing MFA.
150
00:05:12,640 –> 00:05:14,080
It’s using it. Workload truth.
151
00:05:14,080 –> 00:05:18,520
Each prey bleeds differently. VM backups suffer from item deletions and policy edits.
152
00:05:18,520 –> 00:05:20,600
Azure SQL has two throats.
153
00:05:20,600 –> 00:05:24,560
PITR and LTR. Shorten either, and history drains out.
154
00:05:24,560 –> 00:05:30,320
Azure Files mixes snapshots with vault recovery; trim retention and both collapse together.
155
00:05:30,320 –> 00:05:31,320
Different cracks.
156
00:05:31,320 –> 00:05:32,320
Same bone underneath.
157
00:05:32,320 –> 00:05:33,320
IAM.
158
00:05:33,320 –> 00:05:35,400
And that’s why defaults are a lullaby.
159
00:05:35,400 –> 00:05:39,200
Azure Backup will happily protect what you tell it, with the rules you chose, enforced
160
00:05:39,200 –> 00:05:40,440
by roles you assigned.
161
00:05:40,440 –> 00:05:41,440
It will do it fast.
162
00:05:41,440 –> 00:05:42,440
It will do it quietly.
163
00:05:42,440 –> 00:05:45,000
It will do it for the wrong hands with the same care it gives you.
164
00:05:45,000 –> 00:05:46,720
So what does secure actually look like?
165
00:05:46,720 –> 00:05:49,040
Soft delete on every vault, not optional.
166
00:05:49,040 –> 00:05:53,040
A forced delay, so accidents, panic, or malice can’t end you in one motion.
167
00:05:53,040 –> 00:05:55,800
Multi-user authorization on destructive operations.
168
00:05:55,800 –> 00:06:01,000
Deletion, disabling protection, retention changes that lower safety require a second
169
00:06:01,000 –> 00:06:04,280
human from a different line, separation by design.
170
00:06:04,280 –> 00:06:06,520
Vault lock after you test resurrection.
171
00:06:06,520 –> 00:06:10,480
Prove the undead returns, delete restore, breathe, then weld the door.
172
00:06:10,480 –> 00:06:13,920
Start the pain: you won’t be able to lower retention later to save cost.
173
00:06:13,920 –> 00:06:17,240
That pain is your guardrail. Identity scoped like a narrow keyway:
174
00:06:17,240 –> 00:06:23,600
no god mode, no shared service principals, no inherited owner at wide scopes for convenience.
175
00:06:23,600 –> 00:06:26,160
Permissions that deploy are not the permissions that purge.
176
00:06:26,160 –> 00:06:29,080
Break the hands apart, because here’s the truth you can’t bargain with:
177
00:06:29,080 –> 00:06:31,080
Azure will not save you from yourself.
178
00:06:31,080 –> 00:06:32,280
It will mirror you.
179
00:06:32,280 –> 00:06:37,240
If your model allows a single identity to end backups, the platform will oblige, politely,
180
00:06:37,240 –> 00:06:39,800
instantly, and with logs that read like a grocery list.
181
00:06:39,800 –> 00:06:45,120
You want it immutable, you want it safe? You get what you bind, lock, and split.
182
00:06:45,120 –> 00:06:49,360
Everything else is theatre. Common attack paths that kill backups.
183
00:06:49,360 –> 00:06:53,320
You ask how the creature moves. It favors three corridors; each looks normal, each ends
184
00:06:53,320 –> 00:06:54,560
in silence.
185
00:06:54,560 –> 00:06:59,560
Path one: compromised automation. Terraform with a slow leak, an innocuous repo, a pipeline
186
00:06:59,560 –> 00:07:04,240
file that once held a secret, a service principal with a neat, predictable name, contributor
187
00:07:04,240 –> 00:07:06,680
on vaults for deploy speed.
188
00:07:06,680 –> 00:07:11,240
No rotation, no conditional access. It wakes at 03:12. It doesn’t need coffee, it doesn’t
189
00:07:11,240 –> 00:07:13,080
need approval, it runs.
190
00:07:13,080 –> 00:07:14,920
Cleanup is the first cut.
191
00:07:14,920 –> 00:07:17,600
Policies are reconciled to the new module defaults.
192
00:07:17,600 –> 00:07:21,480
Your custom retention vanishes under a tidy plan, daily protection becomes never.
193
00:07:21,480 –> 00:07:23,240
Weekly and monthly drops go missing.
194
00:07:23,240 –> 00:07:26,120
Then the knife turns, retention is written down to zero.
195
00:07:26,120 –> 00:07:29,680
Points now expire by the clock; the purge job strolls in a day later.
196
00:07:29,680 –> 00:07:31,560
Recovery points fade like breath on glass.
197
00:07:31,560 –> 00:07:36,640
Why it works: automation has steady credentials, it never argues, it moves at night and on holidays.
198
00:07:36,640 –> 00:07:39,600
Logs show routine operations by a trusted actor.
199
00:07:39,600 –> 00:07:44,160
Put policy, delete item, update vault. The parasite loves routine, it hides in it, and
200
00:07:44,160 –> 00:07:48,120
if the service principal is scoped at subscription, it reaches every vault you own.
201
00:07:48,120 –> 00:07:49,600
One leak, all doors.
202
00:07:49,600 –> 00:07:53,960
Path two: overprivileged roles in the vault. Contributor, everyone’s favorite blunt tool,
203
00:07:53,960 –> 00:07:55,600
it can delete backup items.
204
00:07:55,600 –> 00:08:00,480
Owner, the smiling executioner: it can purge soft-deleted points, and since project ops
205
00:08:00,480 –> 00:08:02,800
touched the vault once, they still can.
206
00:08:02,800 –> 00:08:07,240
That keys shared doom. Blurry boundaries do the rest: an engineer who deploys VMs also
207
00:08:07,240 –> 00:08:10,520
needs to check backups sometimes, so they get contributor on the vault.
208
00:08:10,520 –> 00:08:13,920
Another team handles billing and troubleshoots retention, so they get owner on the resource
209
00:08:13,920 –> 00:08:14,920
group.
210
00:08:14,920 –> 00:08:19,040
Combine them in one shift: one person, one click path from deploy to purge.
211
00:08:19,040 –> 00:08:22,520
God mode in the dark. And remember the side doors: you don’t have to press delete to
212
00:08:22,520 –> 00:08:23,520
kill a backup.
213
00:08:23,520 –> 00:08:26,800
Lower retention beneath the age of your oldest point.
214
00:08:26,800 –> 00:08:28,040
Wait.
215
00:08:28,040 –> 00:08:30,720
The system erases history as configured.
216
00:08:30,720 –> 00:08:34,240
Disable protection for an item, temporarily, during maintenance.
217
00:08:34,240 –> 00:08:37,640
Forget to re-enable; no alarms that wake the non-initiator.
218
00:08:37,640 –> 00:08:42,520
The patient dies of natural causes. Path three: shadow admins. Inherited groups nested
219
00:08:42,520 –> 00:08:46,560
inside nested, custom roles with data actions sharpened like hidden blades.
220
00:08:46,560 –> 00:08:51,040
Old grants at management group scope that nobody audits because we never change those.
221
00:08:51,040 –> 00:08:55,000
Reader on the surface, but with backup center data plane permissions tucked inside.
222
00:08:55,000 –> 00:08:56,600
And a forgotten scope boundary.
223
00:08:56,600 –> 00:08:59,760
Someone gave rights on the vault’s storage account so the creature crawls through the
224
00:08:59,760 –> 00:09:00,760
side.
225
00:09:00,760 –> 00:09:01,760
It looks like this.
226
00:09:01,760 –> 00:09:03,560
A user with reader on subscription.
227
00:09:03,560 –> 00:09:06,880
A custom role with backup policies write, bound at the vault.
228
00:09:06,880 –> 00:09:10,600
The user sits in a group that sits in a group that holds that custom role.
229
00:09:10,600 –> 00:09:11,840
No one maps it end to end.
230
00:09:11,840 –> 00:09:15,440
They adjust retention by mistake at 2 a.m. or on purpose.
231
00:09:15,440 –> 00:09:19,600
The logs show a person with no obvious power doing very specific harm.
232
00:09:19,600 –> 00:09:23,000
Spreadsheet illusions versus effective permissions reality.
233
00:09:23,000 –> 00:09:25,080
Here’s the strike you remember, administrator.
234
00:09:25,080 –> 00:09:27,320
The biggest threat is not ransomware.
235
00:09:27,320 –> 00:09:29,320
It’s not. Ransomware is loud; backup killers are quiet.
236
00:09:29,320 –> 00:09:30,320
It’s your IAM design.
237
00:09:30,320 –> 00:09:32,000
Your hand gave the creature its teeth.
238
00:09:32,000 –> 00:09:36,080
So what are the tells? Automation that can deploy and also modify backup policies.
239
00:09:36,080 –> 00:09:40,440
People who can purge and also approve their own access. Service principals with wide scopes
240
00:09:40,440 –> 00:09:45,400
for future projects. And vaults where no one can answer in one breath who can delete,
241
00:09:45,400 –> 00:09:49,080
who can purge, who can change retention, and who can approve those changes.
242
00:09:49,080 –> 00:09:53,560
You want a quick test? Ask for the identity that can deploy a VM, register it to backup,
243
00:09:53,560 –> 00:09:56,400
delete its backup item, and purge the recovery point.
244
00:09:56,400 –> 00:09:58,960
If one name appears, you found the mouth.
245
00:09:58,960 –> 00:10:00,720
But here’s where it gets interesting.
246
00:10:00,720 –> 00:10:02,080
These paths aren’t independent.
247
00:10:02,080 –> 00:10:03,080
They braid.
248
00:10:03,080 –> 00:10:05,760
A leaked pipeline calls a role assignment template.
249
00:10:05,760 –> 00:10:08,560
The template upgrades a person to owner temporarily.
250
00:10:08,560 –> 00:10:11,320
The person lowers retention to trim cost.
251
00:10:11,320 –> 00:10:13,680
The pipeline then runs cleanup to align state.
252
00:10:13,680 –> 00:10:15,680
The creature uses your tools against you.
253
00:10:15,680 –> 00:10:18,000
CI, IaC, FinOps: it mimics your posture.
254
00:10:18,000 –> 00:10:21,600
It smiles in your change log, and through that gap even good intentions cause harm.
255
00:10:21,600 –> 00:10:23,160
A consultant rotates modules.
256
00:10:23,160 –> 00:10:27,360
A default flips soft delete off in dev for speed, later copied to prod.
257
00:10:27,360 –> 00:10:31,040
A junior engineer removes an assignment to reduce risk, accidentally replacing it with
258
00:10:31,040 –> 00:10:32,240
a broader built-in role.
259
00:10:32,240 –> 00:10:34,720
You don’t see the fangs until the restore request fails.
260
00:10:34,720 –> 00:10:36,520
You asked how it moves. Now you know.
261
00:10:36,520 –> 00:10:41,360
Compromised automation, overprivileged vaults, shadow admins: three corridors, one hunger.
262
00:10:41,360 –> 00:10:43,560
Everything changes when you refuse it a straight line.
263
00:10:43,560 –> 00:10:46,080
Two hands for deletion. Split deploy from purge.
264
00:10:46,080 –> 00:10:48,080
Managed identities scoped like pinholes.
265
00:10:48,080 –> 00:10:50,120
Audit nested groups until the tree ends.
266
00:10:50,120 –> 00:10:54,520
Use soft delete to drag time through every attempt, because until you break these paths
267
00:10:54,520 –> 00:10:58,720
you’re not defending backups, you’re feeding the creature. The three-step hardening strategy.
268
00:10:58,720 –> 00:11:03,080
Administrator, you want the cure? Three cuts, good friction only.
269
00:11:03,080 –> 00:11:08,800
Step one: lock the vault. Start with soft delete. It’s the forced delay, the stumble. You press
270
00:11:08,800 –> 00:11:14,360
delete, the item falls but not far. It lingers in the soft-deleted state, half a life, half
271
00:11:14,360 –> 00:11:19,160
gone, like an undead thing you keep on purpose. That delay buys you breath. It buys you time
272
00:11:19,160 –> 00:11:23,440
for a mind to cool, and that time breaks the single-click kill. Turn it on for every vault,
273
00:11:23,440 –> 00:11:27,640
not later, not when budgets improve, now. Then prove it: delete one test item, watch it sink to
274
00:11:27,640 –> 00:11:31,480
the soft layer, restore it, make the undead rise under your command. If it doesn’t come
275
00:11:31,480 –> 00:11:36,040
back, your safety window is a painting, not a door. But here’s where it gets interesting:
276
00:11:36,040 –> 00:11:40,080
you can still stab at the corpse, which is why you add multi-user authorization, and
277
00:11:40,080 –> 00:11:44,400
MUA is the second hand, the second human. One cannot pull both levers. Wire it for destructive
278
00:11:44,400 –> 00:11:49,280
changes: deletion, disabling protection, retention reduction below a known floor. The system should
279
00:11:49,280 –> 00:11:54,140
whisper denied unless a second, separate operator blesses the act. Not a group alias, not a
280
00:11:54,140 –> 00:11:59,960
bot: a different line, a different soul. Two keys turned; one cannot pretend to be two. And
281
00:11:59,960 –> 00:12:05,000
then the weld, the vault lock. This is the door you close and agree never to open. Irreversible
282
00:12:05,000 –> 00:12:09,680
configuration: you accept future pain to prevent present death. With vault lock you cannot lower
283
00:12:09,680 –> 00:12:14,280
retention, you cannot switch off soft delete, you cannot purge soft-deleted points, even as
284
00:12:14,280 –> 00:12:19,300
owner. The platform itself becomes your stubborn friend. You scream cost, it refuses. You plead
285
00:12:19,300 –> 00:12:23,600
cleanup, it refuses. You bring your highest token, it refuses. Treat it like a one-way fire
286
00:12:23,600 –> 00:12:30,080
door. Before you lock, test resurrection, verify alarms, name your flaws. Only then weld it shut.
287
00:12:30,080 –> 00:12:34,240
Order matters. Chain the creature in the right sequence: first, enable soft delete, prove the
288
00:12:34,240 –> 00:12:39,560
rise; second, enforce MUA on the cuts that bleed; third, vault lock to seal. The ritual backwards,
289
00:12:39,560 –> 00:12:47,520
you trap yourself. Out of order, you leave a gap. Step two: identity separation. Kill god mode. Split
290
00:12:47,520 –> 00:12:51,600
the hands: backups are not built by the same fingers that can bury them. Create roles like
291
00:12:51,600 –> 00:12:57,000
prison wings. Backup admin: they can configure protection, assign policies, trigger restores;
292
00:12:57,000 –> 00:13:01,120
they cannot purge, they cannot change retention below the floor, they do not approve their own
293
00:13:01,120 –> 00:13:06,040
MUA. Security reader: eyes that don’t sleep. They see the vault, the policies, the activity log;
294
00:13:06,040 –> 00:13:10,520
they cannot touch a single setting. Their power is sight; their duty is alarm. Vault purge
295
00:13:10,520 –> 00:13:15,400
admin: rare, isolated, never the same person as backup admin, bound to MUA, time-bound by
296
00:13:15,400 –> 00:13:20,680
PIM, used only when a soft-deleted item must truly die. Their footsteps are loud on purpose.
297
00:13:20,680 –> 00:13:26,480
Automation: managed identity, scoped to inches, not miles. It deploys, it registers items to
298
00:13:26,480 –> 00:13:31,040
protection; it cannot delete, it cannot reduce retention, it cannot approve MUA. It does one
299
00:13:31,040 –> 00:13:35,600
thing, it does it well, it does nothing else. Use PIM like snow underfoot: just-in-time elevation,
300
00:13:35,600 –> 00:13:39,760
approval required, reason enforced, duration short. Every step leaves a print. No standing
301
00:13:39,760 –> 00:13:44,520
owners, no sleeping contributors with forever teeth. Make access melt when the hour ends. If
302
00:13:44,520 –> 00:13:49,360
someone needs it again, they ask again. Fatigue is the feature, friction is the guard. Hunt inheritance
303
00:13:49,360 –> 00:13:54,400
creep. Deny the shadow at the management group: place a deny assignment for dangerous combinations,
304
00:13:54,400 –> 00:13:59,520
no contributor on vaults, no owner on backup resource groups. Use Azure Policy to block unsafe
305
00:13:59,520 –> 00:14:05,160
states: deny if soft delete is false, deny if retention is below your minimum, deny if MUA
306
00:14:05,160 –> 00:14:10,320
isn’t configured for deletes. Make the platform say no before a human gets the chance to regret
307
00:14:10,320 –> 00:14:15,840
yes. Step three: isolation and monitoring. Give backups their own land: a separate subscription
308
00:14:15,840 –> 00:14:20,400
for vaults, one-way trust from prod to backup. Production identities can register items; they
309
00:14:20,400 –> 00:14:25,440
cannot purge, they cannot reduce retention. The purge lives elsewhere, behind MUA, behind PIM,
310
00:14:25,440 –> 00:14:29,920
behind a different admin line. Cross-subscription boundaries become real when identity is not
311
00:14:29,920 –> 00:14:34,800
shared. If the same service principal spans both, you built a door, not a wall. Close it. Issue
312
00:14:34,800 –> 00:14:39,600
distinct managed identities per workload, scope them to resource group, never subscription,
313
00:14:39,600 –> 00:14:45,320
never management group. Now eyes: watch the scratch marks. Stream activity logs, alert on backup
314
00:14:45,320 –> 00:14:50,480
item delete, retention policy change, recovery point purge. Treat each like glass breaking at
315
00:14:50,480 –> 00:14:54,960
night. Pair them with who and where: was it a human, was it automation, was it off hours, did
316
00:14:54,960 –> 00:14:59,720
PIM grant rights minutes before, did the same identity touch deploy and purge within the same
317
00:14:59,720 –> 00:15:04,160
window? Stitch the story with Sentinel: write analytics that call out impossible travel,
318
00:15:04,160 –> 00:15:08,600
sudden role assignment spikes, and destructive actions outside maintenance windows.
319
00:15:08,600 –> 00:15:13,320
Tag your vaults with a temper profile: if cost pressure lowers retention, demand a change record,
320
00:15:13,320 –> 00:15:19,320
demand MUA, demand a second person from a different team. If no record, alarms; if alarms, eyes;
321
00:15:19,320 –> 00:15:25,040
if eyes, action. And for the final layer, train your nerves: run a drill. Simulate deletion, confirm
322
00:15:25,040 –> 00:15:29,960
soft delete holds; simulate purge, confirm MUA blocks; simulate configuration edits under
323
00:15:29,960 –> 00:15:34,760
a vault lock, confirm refusal. The first time you feel the system say no to you, you’ll sleep
324
00:15:34,760 –> 00:15:39,640
better, because that’s the cure, administrator: chains, separate hands, walls that don’t pretend,
325
00:15:39,640 –> 00:15:45,080
eyes that don’t blink, and friction, good friction, that keeps the monster hungry and outside.
326
00:15:45,080 –> 00:15:50,840
The prey: VM backup, Azure SQL, Azure Files. Administrator, now we study the bite marks.
327
00:15:50,840 –> 00:15:57,160
Virtual machines first, the favorite meal. When ransomware hits, it hits the VM. Noise, panic,
328
00:15:57,160 –> 00:16:01,240
someone scrambles into the portal, hands shaking, eyes hunting for relief. Backups look like relief,
329
00:16:01,240 –> 00:16:05,320
but if contributor sits on the vault, one panic click can delete the backup item. If the
330
00:16:05,320 –> 00:16:09,720
vault isn’t locked, owner can finish the job: purge the soft-deleted point and salt the earth.
331
00:16:09,720 –> 00:16:15,000
File recovery, full restore: both starve when recovery points are gone. And that’s the trick:
332
00:16:15,000 –> 00:16:18,920
you don’t have to smash the glass to ruin the room. Shorten retention beneath the age of your
333
00:16:18,920 –> 00:16:25,400
last good point, then wait. Time kills quietly. The next morning, restore opens to a desert. VM
334
00:16:25,400 –> 00:16:31,000
backups bleed fast because stress drives bad clicks and the path to delete is short, if you let it be.
335
00:16:31,000 –> 00:16:35,320
That’s why the weld matters: soft delete slows the blade, vault lock takes it away.
336
00:16:35,320 –> 00:16:40,360
Azure SQL is older blood, rich. Long-term retention sings to auditors, yes, sometimes,
337
00:16:40,360 –> 00:16:45,880
but a single mis-set can drain it dry. Point-in-time restore keeps the recent past; long-term retention
338
00:16:45,880 –> 00:16:51,960
keeps the distant. Lower PITR days to the bone and history narrows. Turn off or shorten LTR and
339
00:16:51,960 –> 00:16:57,480
whole seasons vanish. At the server, roles sprawl, too many hands with too much reach, and the feast begins.
340
00:16:57,480 –> 00:17:03,720
The creature loves cleanup. It frames it as cost control. It smiles while months of restore points
341
00:17:03,720 –> 00:17:09,000
slip under the floor you never fixed. Guardrails that save here: enforce policy that denies low retention,
342
00:17:09,000 –> 00:17:13,480
bind MUA to any change that reduces time, split DB operators from vault power so the one who
343
00:17:13,480 –> 00:17:19,240
tunes performance cannot erase the past, and lock after you test resurrection. Azure SQL’s dignity
344
00:17:19,240 –> 00:17:24,200
is its history. Protect the calendar, or the calendar turns on you. Azure Files is shared memory:
345
00:17:24,200 –> 00:17:28,760
departments live there, old projects, quiet folders no one wants to name but everyone needs at
346
00:17:28,760 –> 00:17:34,120
audit time. One careless admin with vault access can wipe an era. Snapshots help, but if retention is
347
00:17:34,120 –> 00:17:39,960
cut or backups disabled, both fall together. The parasite thrives in shared responsibility: a storage
348
00:17:39,960 –> 00:17:44,200
admin who’s also a backup operator becomes a single point of erasure. Least privilege is the only
349
00:17:44,200 –> 00:17:49,800
antidote: shares and vaults split across roles, no shared keys, no just-this-once elevation without
350
00:17:49,800 –> 00:17:55,000
PIM, reason and a timer ticking loud, and eyes on deletions like fresh tracks in snow: backup item
351
00:17:55,000 –> 00:17:59,160
delete, retention policy change, recovery point purge, tied to alerts that wake a second team. You
352
00:17:59,160 –> 00:18:06,840
notice the pattern: different prey, same fangs. VM, SQL, Files: three bodies, one skeleton beneath,
353
00:18:06,840 –> 00:18:12,840
IAM and friction. When deletion takes two humans, panic slows. When retention floors are policy
354
00:18:12,840 –> 00:18:19,080
enforced, cost cuts bounce. When the vault is welded, even owner is forced to wait, to think, to prove intent.
355
00:18:19,080 –> 00:18:23,720
Now you felt the teeth, you saw the blood. Next we show the attempt and the resurrection. You will
356
00:18:23,720 –> 00:18:28,280
press delete, you will watch the fall, then you will make the undead rise because you planned for it,
357
00:18:28,280 –> 00:18:32,600
and when the vault refuses even you, you’ll understand what safety sounds like: silence
358
00:18:32,600 –> 00:18:39,640
that isn’t lying. The demo: show the monster, then seal the door. Administrator, watch closely. We
359
00:18:39,640 –> 00:18:45,320
enable soft delete, a quiet checkbox, safe, nothing dramatic. The delay is now a wall of time. We attempt
360
00:18:45,320 –> 00:18:51,320
to delete a backup item, click confirm. The activity log reads Backup Item Delete. The item falls, but not
361
00:18:51,320 –> 00:18:59,080
far. It lingers, soft deleted, half gone, half yours. We restore: select the fallen thing, recover. It rises on
362
00:18:59,080 –> 00:19:04,520
purpose. The undead returns when you call. Now friction: we enable multi-user authorization. Destructive
363
00:19:04,520 –> 00:19:10,120
acts demand two humans. I try the same deletion: denied, the second hand is missing. Good. We apply vault
364
00:19:10,120 –> 00:19:16,040
lock, the weld. I lower retention: refused. I try to switch off soft delete: refused. I attempt a purge
365
00:19:16,040 –> 00:19:21,480
of the soft deleted point, Owner token: still refused. Your keys don’t matter here, only the weld does.
366
00:19:21,480 –> 00:19:30,200
Lesson: defaults trust, enforced friction survives. Enterprise scenarios, evidence the horror is real. Day
367
00:19:30,200 –> 00:19:36,680
03 12, an automation secret leaks, pipeline wakes Contributor across vaults, cleanup rewrites policy,
368
00:19:36,680 –> 00:19:43,240
retention to zero, points age out. Activity log trails: retention policy change, backup item delete.
369
00:19:43,240 –> 00:19:48,600
Sentinel whispers anomaly. Soft delete holds. Vault lock would have ended it sooner. Another shop: Terraform
370
00:19:48,600 –> 00:19:53,720
module drift, dev copied to prod, soft delete off, weekly gone, cost optimized. A midnight incident,
371
00:19:53,720 –> 00:20:00,840
deletes fly, no time window, nothing returns. A third: DevOps with vault Owner temporarily, PIM left open,
372
00:20:00,840 –> 00:20:06,600
weekend maintenance, one person deploys, deletes, purges. Recovery point purge at 02:41. I sleep.
373
00:20:06,600 –> 00:20:12,120
Monday, nothing restores. Tools didn’t fail, identity did. Chains were missing, friction absent. The creature
374
00:20:12,120 –> 00:20:17,640
walked straight through. Tools you will use to survive. Administrator, gather your wards. Recovery
375
00:20:17,640 –> 00:20:21,560
Services vault, Azure Backup vault: this is the center of gravity. This is where you enforce
376
00:20:21,560 –> 00:20:26,840
soft delete, where you require multi-user authorization, where you apply a vault lock and accept the weld.
377
00:20:26,840 –> 00:20:32,520
Every prey you protect must answer to this vault first. Azure Policy: carve the rules in stone. Deny
378
00:20:32,520 –> 00:20:37,320
if soft delete is false, deny if retention dips below your floor, deny if MUA isn’t bound to
379
00:20:37,320 –> 00:20:43,080
destructive acts. At deploy time, for safety, no exceptions, no polite warnings: deny. And Azure
380
00:20:43,080 –> 00:20:48,520
Monitor and activity logs: wire the glass-break sensors, alerts for backup item delete, retention
381
00:20:48,520 –> 00:20:55,480
policy change, recovery point purge. Tie each event to identity, scope and time. Off hours louder, non
382
00:20:55,480 –> 00:21:02,600
initiator louder, automation louder still. Microsoft Sentinel analytics stitch the tale: impossible
383
00:21:02,600 –> 00:21:07,560
travel coupled with a role assignment spike, PIM elevation minutes before a destructive action,
384
00:21:07,560 –> 00:21:12,840
a vault touched by the same hands that deployed the workload. Correlate, rank, wake the right people.
385
00:21:12,840 –> 00:21:18,840
Terraform and Azure CLI codify your safety: managed identities, not secrets, scopes as narrow as a
386
00:21:18,840 –> 00:21:25,000
keyhole, modules that set soft delete on, MUA required, vault lock staged behind manual approval, no
387
00:21:25,000 –> 00:21:31,000
variable that lets a junior flip off the world. Entra roles with PIM: split duties clean, backup admin,
388
00:21:31,000 –> 00:21:36,200
security reader, vault purge admin, approval chains that cross teams, just-in-time elevation with
389
00:21:36,200 –> 00:21:41,560
reason required, timers loud and audit trails that never age out. Break-glass accounts locked in a vault,
390
00:21:41,560 –> 00:21:46,760
tested in drills, never left warm. Cross-tenant subscription design: put backups on their own land,
391
00:21:46,760 –> 00:21:51,800
one-way trust inbound for registration, no shared keys, no wide service principals drifting
392
00:21:51,800 –> 00:21:57,160
across subscriptions for flexibility, every boundary backed by identity that cannot leak. These are not
393
00:21:57,160 –> 00:22:02,760
props, these are bars, chains, alarms. Use them together or the creature finds the gap, and when you feel
394
00:22:02,760 –> 00:22:08,440
the system refuse you, that’s not friction, that’s safety breathing. One truth remains: if one person
395
00:22:08,440 –> 00:22:14,760
can end your backups, you don’t have backups, only quiet dry wood waiting for a spark. If this pulled the
396
00:22:14,760 –> 00:22:20,600
mask off the monster, subscribe, then go watch the deep dive on our back traps and Sentinel detections.
397
00:22:20,600 –> 00:22:25,400
Set the alerts, split the hands and lock the vault before midnight. Stop the creature at the door.