CCT 040: Manage identification and authentication (CISSP Domain 5.2)

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all this is Sean Gerber, with CISSP Cyber Training. How is everyone doing today? Today is another gorgeous day and we are going to talk about cybersecurity and we get to enjoy the beautiful summer weather. Actually, it's not quite summer yet, but it's getting there. I am in Wichita Kansas, if you don't know, if you're just listening. That's pretty much the middle of the United States and it's a really pretty nice area right now. I'm very, very happy It hasn't hit July. So once July hits, then everything here turns dry and it dries up and you basically have scorched earth policy as it relates to Wichita Kansas, but before then it's very nice, it's raining and it's got a very pleasant temperature outside. I've got a couple of kids that are graduating I actually have one child graduate high school, so we're working through that today and we have a couple more. I have a wedding coming up in about a week and a half, so my life is extremely busy at this point. I am recording this podcast to get this out there. Guys. I actually recorded this a little bit early just to make sure that I have time to spend some time with my grandchild and with my children. Grandchild's much more fun than the children, that's for sure. If anybody out there's listening and has grandchildren which you probably don't, because you're all super young, i'm sure But if you have grandkids, grandkids are awesome. Children, yeah, they're interesting, they're very interesting, but we're not here to talk about kids. This is an parenting podcast. This is a podcast on cybersecurity And we're going to get into identity and access management. Yes, a very riveting topic, one that will keep you awake all day, so no reason for having any energy, drinks or coffee, because just listening to my sultry voice and listening about identity and access management is enough to keep you going. Yeah, right, no, not really, but we'll talk about it anyway, because you all want to pass your CISSP exam, and this is domain five. It's pulled into domain five of the CISSP domain, so let us go into and begin this process. So what is identity and access management? We talk about it in domain five of the CISSP And really what it comes into is it comes down to what are the ultimate authentication aspects that you can use to gain access to data within your network. Now, depending upon the size of the company that you go work for, that will determine a lot about what is configured for your environment. So, when we talk about authentication methods, there's various methods available to you, such as passwords, tokens, biometrics, multi-factor authentication those are just to name a few. Now, obviously, passwords is one of those that it was developed. This whole password concept was developed back in the 70s, 1970s, when not 1870s, 1970s years when computers brought or came into being, and because of that, we unfortunately are stuck with this legacy of just painful passwords forever. And this is. Everybody knows that we need to get away from passwords. However, it's a very hard process, especially since the momentum has taken. Computers have taken over, so there's always a password associated with it. So, yes, that's one of the authentication methods. Also, when you're studying for this test, besides understanding the authentication methods, you're going to really need to understand some of the strengths and vulnerabilities around each of those. That's an important factor, because they want to know that you don't just understand what is a password, what is biometrics, that you understand some of the challenges that go with each of those. Now, as you're going through this process, you'll know. The thing you're going to have to understand as we're looking at the CISSP is you're going to have to understand how is authorization of granting and denying access to these resources are set up based on the privileges that you have configured. Now I will tell you I've run into this time and again and if you all are starting in the CISSP or you've been doing this for a while, you can understand this. So if you're going to college, you understand that if you've been given access to certain data at your local college, then you probably, as you go from freshman on up to senior, they probably don't remove that access A lot of times. Whatever access you had, you pretty much carry with you And we call that credential creeping. And it's the same thing when you get into corporate America is you run into credential creeping because people gain access to certain data. Then what ends up happening is they keep it as they move throughout the organization into new roles. So you're going to have to understand how to combat that, especially when you look at the CISSP and the importance of that. So you also need to understand, as we're looking for, the importance around cybersecurity and the CISSP and identity and access management. We're going to get into some key, important factors that you're going to have to understand Now. We talked about preventing unauthorized access. That is an aspect that you're going to have to deal with through passwords, multi-factor, whatever that might be, and what unauthorized access means. It means a way of preventing people that have potential legitimate access from accessing data that they don't necessarily need, and so you're going to that's the hard rub. Now. You're going to go to an organization that maybe doesn't think of identity and access management as something to be too concerned about will grant access to everything for people, and that's just because they don't want to have to deal with the IT ticketing system. And you know what? Bill doesn't have access to this SharePoint site and Fred doesn't have access, but they're supposed to because of this project. Well, let's just grant them access, it's not a problem. Well, when the process of granting Bill and Fred access to the SharePoint site, you realize that there's a lot more people that are coming to need access here in the near future. So what do you do? Well, let's just grant the entire organization access. So you're going to have to work on preventing these unauthorized access areas. You're also going to have to help safeguard sensitive data. Now what? when you're dealing with identity and access management, it does allow organizations to control the access of this data. Now consider sensitive data is not just the secret sauce of Coca-Cola. Sensitive data is anything that's related to business confidential information. It is an important factor that if it's important to the business and they don't want it exposed on Twitter, then guess what It's sensitive. And that's something that you'll want to make sure that you work with your people in your organization to help you understand that When you're having, when you're safeguarding this sensitive information, you want to ensure that only authorized individuals can view, modify or share this sensitive information. Now, this comes down to what we call granular access controls, and your organization should have this put in place. Now, here's the here's the rub. If you go, depending on the size of the company you go work for, you may not have people that are dedicated specifically for identity and access management. It may be you. You might be the person. You might be the person that grants access, removes access and then also, in turn, does an audit or security review of this same access. Now we want to understand we talked about in previous podcasts the separation of duties You do not want you to have that ability to that you grant access and then turn around and remove the access. However, that is a potential possibility. So you'll, once you, if that does happen within your organization, you will need to work about how to get that, that capability of creating access to someone else or you have an outside third party, whether it could be a different colleague or it could be an actual company. Come and do an assessment of the accounts that you have access to, because what you don't want is somebody that can provide, give, remove and basically then also is the overseer, because that things can go bad very quickly. The other part of route why we want to do IDM, or would you? when I'll talk about identity and access management, we'll talk about IDM, that's India Delta Mike and you may see this on your test. They may talk to you, as you'll see it, in a couple different ways. You may see India Delta Mike, idm. You may see India Delta Alpha Mike, which would be your identity and access management, but they use them synonymously in many cases just because it's funny, because AWS I was talking to an individual yesterday about AWS and the term IDAM India, delta, alpha Mike is one of those. That is a, i guess, a bad word in the AWS community. I don't quite understand it why that is, but if you live in that world it's something that they don't like to use. So there has been a push to change IDAM to IDM. I don't quite understand it, but hey, whatever, if you see it on the test, know that they work synonymously. As well as you're dealing with enhancing compliance, regulatory requirements, i talked about, identity and access management is an important factor when you're dealing with compliance and regulatory requirements. This comes into GDPR. It also comes into HIPAA. There are requirements in each of those legal ramifications or legal documents or legal standings that require you to have some sort of identity and access management in place. Now it's not just GDPR in HIPAA. I've seen it with CMMC, which is Charlie, mike, mike, charlie. I see it with the Chinese cyber laws. Pretty much any organization out there or any country that is requiring some sort of regulatory requirement on how you protect your data is going to want a way that you can differentiate access to this data. Now we talk about, identity and access management could be as simple as a username and password. As much as that's not recommended, that could be it. So as long as you meet those requirements, then you should be fine. The challenge is that don't just assume that, because, well, i have username and password on all of my equipment, that you are going to be in compliance with those regulations. That may not be the case, because guess what, if you don't have a full active directory structure, you just use username and password, and your username and password is the same and everybody shares it. It's pretty much a useless control. So you want to make sure that you have those types of things in place. But again, when you do have IDM in your environment, it does help in just demonstrating to the inspectors or to the people that have that legal requirement that you have a mechanism for authentication, access controls and the various audit trails to ensure that track you, that you can track user activities with it. Now, another thing to think about is is, as relates to identity and access management, is streamlining user management. Now, what does exactly that mean? Well, like we kind of hinted to it when I talked about it earlier, is about the provisioning and deprovisioning and then the access revocation that you may need as it relates to identity and access management. That streamlines that overall process. So you want to make sure that you have that in place and it does help minimize the administrative overhead. It does reduce risk of errors and ensures consistency across user accounts, and I'll give you an example of how this is important. Most organizations do not have good automation as it relates to accounts, so an account will be created. As that account is created, it's never removed. So this happens frequently when it comes to the relationship of service accounts. So we talk about different accounts and you have your administrative type accounts local admin, you have your domain admin, you have maybe a group admin and then you have service accounts. Now, the admins typically are tied to individuals At least they should. Then you have service accounts, which are usually automated accounts 24 by seven type accounts that you put in place for a process. So you have a machine that maybe makes, that does manufacturing, or maybe a sewing machine. Let's just say it's a sewing machine that makes the covers for vehicle seats And so, as a sewing machine is works its process for it to adequately work, rather than having a person doing the sewing, this robot does it Well. It needs a service account to be able to one get the orders that come in, be able to tell the the brain if it's SAP or some type of other maybe Salesforce that it is complete. So a service account is a 24 by seven type account that will give allow access to these devices, and it's typically tied to a machine or some sort of automated process. Well, what problem is is when people create service accounts, one a lot of times they don't do them well And so, from a hacker standpoint, i would leverage service accounts. So if you get in with an organization, you want to make sure that you clean up as many service accounts as you possibly can. You need those for your organization, but you want to make sure that you do. You have a good process, like what I'm talking about here, for streamlining that when an account gets created, it is that kind of created specifically for that one task that it's meant to do, and then if, for some reason, that machine, that process, goes away, you now should go in and remove that service account, because what'll happen is an organization, very quickly, over a period of a few years, can go from maybe 2030, 50, 100 service accounts to 1000s And it can get out of hand very quickly. So that's why streamlining your machine user management is so important. You want to facilitate business collaboration. These things also help when you have IDM allows you to work between organizations And it's basically you now don't have to have the ability to share passwords, like we'll use single sign on. You can log into one company And it carries with you to another. So it's there's lots of great capabilities when it comes to identity and access management. So, as we're looking at IDM, the definition of it is it's basically a process for managing and controlling user access to a system or a network We talked about before. It is critical that you have this in place to protect your sensitive data, and it does. The key around it is it allows only authorized individuals to have access to it. Now, there's three main components of IDM. There's identification, authentication and authorization. Okay, so when you're dealing with the process of users, you want to have a unique way of identifying them. Now, that could be through username, could be through email address, could be through I like. When I worked at Wichita State College, it had a different username that wasn't even tied to my name through the email, or even like Gerber S Y Z Z. It was like a very weird name. It was just a bunch of letters and a bunch of numbers. Now, authentication involves verifying your identity by validating other credentials, and we talk about that with passwords, smart cards, biometrics one of the things that you see like if you have an Apple, you have biometrics with your finger scan Now that I know Windows does a face scan to allow you in. So there's different ways to get the authentication that you need. It could be out of band type things like Google Authenticator, but they're out there. There's various aspects you can do. Now, authorization does involve determining what the user is authorized based on their role or level of access, and it's important that you do understand that before you even start granting access, you need to make sure that you have a good strategy in place, otherwise, real quickly, your identity controls will just pretty much go out the window. Now we talk about the importance of having IDM within your organization. You need to have it. It's basically protects against unauthorized access. Right, you have individuals who don't need access And this could come from both a non malicious and a malicious standpoint And it ensures that these people have the access to the resources they need, but it also ensures they do not have access to the resource they don't need. So you want to. You want to give as much access to for individuals to be successful, but not anymore than they actually need to do their job. Now the other part. We talked about compliance already. There are various requirements around having identity and tying it back to an individual When you get into GDPR. The main thing around that obviously is you want to have some sort of anonymization. Yeah, i can't say it And I'm in a bit D, that's a big $10 word. I can't say it. You want to be not known. Anonymize, that's it. Yeah, okay, you guys are just laughing at me right now because I can't even say that word, but you know what I'm talking about. It's anonymizing, but with a different flair at the end that I just can't say. So, yeah, it must be an old senior moment, it must be gosh, i'm getting old, but that's it. So you know what I mean. Simple management of, also user accounts. This helps you reduce the complexity of managing gobs and gobs of accounts across multiple systems, you don't? one of the big issues that we've had with usernames and passwords is you got to remember all these passwords. Well, what do people do? They keep it the same one And then they probably have password like monkey butt or something along those lines or something maybe a little bit more risque, but at the end of it, they have the same password that they share across multiple computers. So it's important that you have something in place to monitor, manage that. The other thing is increased accountability. You want to make sure that you have accountability to people. So, as an example, with that, if you have an individual who's working on a highly sensitive information situation or classification project, you name it. So you have an individual doing that. All of a sudden, the information goes missing. Well, if you don't have good accountability where it's tied to a person's name let's say it's Sean, right, so Sean is shipping data out of the internet through his private Gmail And you don't have usernames that are tied to Sean is pretty much all open You have no idea if Sean did it, bill did it, fred did it. You have no idea who shipped that information out of your organization, and so therefore, you need that accountability to make sure that you can track it. It also helps with cost savings to. It does reduce the risk of security incidents. It will not limit or stop them completely, but it will reduce them dramatically within your organization by having an identity and access management program in place. So you want to make sure that you have that as to help resources within your organization. When you're going and say you are now proposing a good identity and access management solution to your company, you can tell them it's going to be saving you money, and you could. Why is it going to save them money? Less investigations, you have less people that are managing this information. You have opportunity costs. There's all kinds of things that you can build into the proposal that you're going to give to your senior leaders on why identity and access management is important. So now I'm going to kind of go over to some best practices when it comes to dealing with identity and access management. One of the best practices clear and comprehensive policies. So you want to have good policies in place around identity. Take out the ambiguity it does. By having ambiguity and not having it well defined, now there's a problem. I'm really quickly backtracking on what I just said. Having defined policies are important. Having them defined in a way that is logical, understandable and, in some case, educational for people is important. The problem, though, is is you can go off the rails real quickly on this whole process by making your policies extremely complex or extremely detailed. If you make them too detailed, it can cause lots of drama, because now, if it doesn't meet a certain criteria, it now forces you in a certain manner, and I'm just going to say you must log in using a username and password that has a 26 character password, and all applications are required to have a 26 character password. That would be a policy that you would put out around identity and access management. Now, the problem with that is is if, depending on where you work and what type of systems you work on, these older systems can't do passwords like that. So now you're in a situation where you're already violating your policy. So you need to be very careful on how you craft those, be very thoughtful and plan those out well, because if you don't, it will cause you more problems in the future. You also another best practice is strong authentication and authorization framework. You want to develop one Now. That could be through multi-factor authentication, password policies, role-based access controls, which is RBAC, romeo, romeo, bravo, alpha, charlie man it's been a long time I forgot my phonetic, but that's role-based access controls. Those are a very strong thing that you need. So if Joe is in this role, he has this access. If Fred is in this role, he has this access. So role-based access controls Counts need to be created and managed efficiently and effectively in this, by basically the adding and modifying of individuals. You also need to look at automated identity tools, such as governance administration tools. Governance is an important factor. How do you automate and govern these accounts? We talk about governance a lot in the CISSP and that is just overall management of it. How are you going to manage these accounts? How do you manage these passwords? How do you maintain control of these? You also want to look at privileged access management solutions and what is a PAM? A PAM is it's not the spray you put on a dish or on a skillet that you're trying to fry up. Now you do have PAM for that, but this PAM is something like what we call cyber arc is one of them. There's multiple ones out there, but basically it's a credential keeper. You could look at what do you call it? The last pass as a PAM? Now, do not use last pass as a PAM. I would highly recommend that you do not use that Now just because of the recent breaches they had. I used last pass for years but moved away from it right before the breach that occurred, just because I didn't like where things were going. That's an option. It can be dependent upon your organization and how much you're willing to spend. Cyber arc, as an example, is extremely expensive. Other PAMs keeper, security, dash lane. There's other ones out there that you can use. They are less expensive. You lose a lot of the bells and whistles with these cheaper solutions but, depending on the size of your organization, those smaller PAMs might be useful for you. You want to review access controls. Again, that is important, but you need to determine how much and how often do you do that. Some organizations do it. They're regulated to do it every quarter. Some are regulated every year. I would recommend that you do look at your accounts, probably at least once a year, just to verify. If you can get into a good habit of doing that, then it will help keep the credential creep from growing beyond something you can actually manage. You want to establish policies for monitoring and logging user activities. Again, that is an important factor. You now have the individuals that are logging into your environment and you have their usernames, but if you never go and look at one, if you don't collect logs, and two if you don't ever go look at them, it is just pretty much a placebo. It's not doing you much good. You need to make sure that you have some level of automation around your folks and that they're monitoring their activity but then at the same time they have a way to alert you in the event that something is not correct. You also need just helps to train employees about proper password management. That is a big factor, right, we talked about earlier monkey butt is not a good password. You can crack that password. Now you can put in multi-factor authentication to help avoid the monkey butt syndrome. But you need to make sure that you do teach your employees positive aspects around passwords and password management. Then again, lastly, you need to continually evaluate and improve your processes around IDM. Okay, so I have been a little long winded, so we're going to kind of roll through a couple more here real quick. The bottom line is we're going to get into accountability, session management, federated identity management and then single sign on. So those are some key points we're just going to quickly go over. We talked about accountability already and the individuals, how their actions, decisions, will impact others, and that's the part that you're going to have. The great part about identity and access management is it does give you a level of accountability and ensures that you have the appropriate actions are taken and the appropriate ability for them to be able to gain access is there. Now, as it relates to IDM, this is designed to it maintaining accurate records and basically who has access to what, and tracking their activities. We've talked about it earlier is having accountability around these accounts is extremely important, but then the flip side is you need to have the ability to enforce that's that's a tough word appropriate consequences for misuse or unauthorized access. If you don't have an enforcement policy basically a stick to slap people over the hand, saying don't do that then it comes down to is you really don't have much of a policy. So you need to have some level of enforcement. Now you may not define what that enforcement is, but you need to work with your leaders to come up with what that could be. So, as an example, i have individuals that have sent data outside the organization. We have a policy internally amongst ourselves that we will contact the individual. Depending on the, the nature of the data leaving. We'll contact the individual and say, hey, what's up, what are you doing? And we'll talk to their supervisor. Now, depending upon the data and depending upon the number of times this individual does it, if we have to constantly keep talking to them about shipping data out, they will be fired. Period If they are sent out to sensitive data and they did it in a way that is not following our code of conduct, they'll be fired. Those are pieces around that. Do we have that defined already? Now, it's very squishy. It's not something that you just come out and say, yeah, based on this, if you don't do it, we're going to fire you. No, that's not that aspect. But the bottom line is you need to be talking about this before it comes up, because it will come up guaranteed And you'll want to have that kind of defined and worked out with your senior leaders. The importance of accountability, also within your organization, is it helps identify responsible parties. So when it comes to specific actions, decisions or access to resources, if you define who's responsible, who's accountable for approving or removing this access, this is extremely important. I deal with this currently with my organization. I have very clear definition of who can allow access. Now, in some cases I don't, and so therefore we have to work through it. There's been cases where you will find a gap and you go wait a minute, who is the approving authority for this? I don't know, we don't know. So then you have to take the time, step back and define who those people are, tell them what the expectations are and ensure that they know what the expectations are for their role, because it can come go sideways real quick because they start all of a sudden just approving everything. It acts as a deterrence. Knowing the actions are being monitored And this works really well. Knowing the actions are being monitored, people will act differently, and if you can have that traced back to them that we are watching, then they will act differently. I see this time and again. Have people say this to me going yeah, i didn't know you guys were watching. Yeah, well, it's in our policy that we're watching. Now we don't physically watch you, and that's the other part you'll want to work through is we don't physically watch them. We have robots that do that And that's one way for you to get around And I said getting around is not the right word To work with regulations in various countries is I don't have human eyeballs necessarily looking on these. We have robots that do that And then, once they go to a certain level, then you triage that and you have individuals with eyeballs looking at that. Unless you have one eyeball, then you have one eyeball looking at it. But, bottom line, we have people looking at it When you. Also, it's helpful in detecting and investigating incidents. The accountability mechanisms enable organizations to detect security incidents quickly and effectively, and it does help you identify suspicious or abnormal behavior. This works very well And now you will find gaps, but it does help you determine if there's issues going on within your organization. I already talked about regulatory and compliance requirements. That's that's a given. Now, when we're talking about session management, this refers to the process of a mechanism used to control and monitor user sessions. Now, what a session is? it's a period of interaction between a user and a system. Now this this starts when a person logs on and then it ends when they log out. The problem is in many cases is people will log on and never log out, right? So there's tools to help you disconnect that session And that's something you may want to add into your identity and access management plan is something that can control the session management. This will ensure one, it's secure. So do you have the right controls for the session to be in a secure communication path? Two, do you have it where that it will time out and run its course if it's left logged in? Because, again, many of this is browser based, as you all know. You log in through your browser, you type in your credentials and then you get on with your business, but you forget about it because you're like my wife, with eight gazillion browser aspects open, you will forget. And if you forget now, the session stays open and potentially could be intercepted by an attacker. So you need to have some level of aspects around your session termination. Now, when we talk about I'm going to kind of talk about some key important aspects around session management in preventing unauthorized access. So there's basically four. You have user authentication. Now this is again this is where users are properly authenticated to access the data which we've been talking about for the past 25 minutes. Right, obviously, passwords, biometrics, all of that. The session tracking this keeps track of all user activities and their interactions within the system. Now, the one thing if you're going to do that, you need to have a good logging and monitoring solution. One bad thing with logging and monitoring which you've probably heard me talk about on the podcast a few times is the cost. It can get very expensive. So you want to make sure that you have the logs and you do have a good method to manage those logs. Timeout we talked about timeout periods and inactivity. That's an important factor. You want to ensure that you have that so that someone else doesn't gain access to the system. And then termination you want to have a ability for them to close any active communications that are operating. So again, session management in preventing authorized access, there's four areas user authentication, session tracking, session timeout and session termination. So, when you're doing the best practices around session management, one of the key ones to think about is your, obviously, your transmission. You want to ensure that it is in an encrypted format, such as HTTPS, if you're using a web browser, and that's an important factor, because these different sessions, especially as you're operating within web browsers, if they're operating in a fact that is not encrypted, they are subject to being sniffed And that therefore and I've did that in the past we would watch what people would look at online And therefore you because I just didn't have good encryption in place You also need to have session validation and reauthentication. So basically kicks people out and puts them back in. Depending upon how often you do that, you may allow them to store their credentials for a period of time, but at the end of it, you need to be able to reauthenticate people talked about logging and monitoring is another best practice, and then user awareness and education is one that I'd say we probably don't do enough of, and it's an, in fact, a very important factor to ensure your people do understand need to understand how to handle their overall identity and access within their organization. Now a quick talk about some key points around federated identity management. So what is federated identity management? It's like the magic passport. It's like a magic button where you go in and allows you to go multiple places without needing separate IDs. So you go to your Google login or Facebook. You'll go to a website. It will have federated identity management, which basically is a big $10 term for saying you can use Google to log in. It takes the identity from those various applications Facebook, google, whatever it might be and then it allows it to provide you access into that environment. So we talked basically, if you got I've got different accounts that I use to make this podcast. Well, rather than using my username and password which they do have, which is complex, by the way, so nobody try anything by using a SSO, or, i should say, using a federated identity management solution, i'm able to log in using Google or Facebook or something like that. So, again, it's a really great way of allowing you to go from one website to another and without having to remember all these different passwords, but it basically it works like a single identity and your website will recognize this button, this magic passport, and it will consider from a trusted party and consider it as you. Now, sometimes you may have an out of ban request where, like in Google, it will actually say put in a number that your Google authenticator is set up with. But at the end of the day, it's allowing you to be trusted across multiple websites and services, and so it does help a lot from having the multiple usernames and passwords. The other part about that is, if you have one, like your Google account, that is super complex. Then now you run the, you reduce the risk of people buying or buying of using more or different passwords that are reused against multiple different applications. So, again, that's federated identity management. It's just one thing is where is your stuff federated across multiple parties? Single sign on is that also a mechanism allows users to access multiple systems as well using various one set of credentials. Now, single sign on sign on will allow you to reenter your credentials, but it's based on just who you are. A lot of organizations will use a single sign on so you may use the federated identity through Google, but in your organization you may have a single sign on option where maybe it's ping ID or whatever that might be, that it federates you. So you have the external federation, which is your Google and your Facebook, and you may have an internal federation, which is your own identity access provider, and so it works. The same, very similar, very same concept, but instead of having and you can use internally to your organization I'll just take one step back an organization can use Google as their federated identity management solution within their company. Now, depending on the size of your company, i would recommend that's probably not a bad idea for a smaller company. For a larger company, usually an identity and access provider outside of the Google and Facebook is probably a good idea, just because you can't really control the username and password that are associated with your Google accounts, but I can control it if it's set up internally. So if I, if I say Sean's Google account is meeting Google's requirements for passwords and monkey, but 25, 36, 22, with an exclamation point meets that criteria, great, well, i could set up something very different within my organization that doesn't allow monkey, but it basically says there's no words, it has to be all complex, upper, lowercase, 26 characters, yada, yada, yada. So I could force that within my organization, whereas if I allowed Google into my company to be my federated environment, then our federated identity provider, i couldn't necessarily control if monkey butts involved or not. So I kind of like monkey but yeah. So one of my ops is a different. On a quick digression, one of my operations I did as a red team was we had an operation called voodoo monkey And yeah, that was pretty cool. I got a cool patch. If you guys, i see my videos that I have on my on reduce cyber, on CISP cyber training, you'll see my patch. It's got a voodoo monkey patch is pretty cool, it's pretty awesome. But bottom line is a single sign all works really good within an organization, all right, that is all I've got today about identity and access management. It is a lot. I threw a lot at you. If you want more information, go to CISP, cyber training. I've got lots of information out there, including the patch. You can see a voodoo monkey And well, actually it's not on the site, but if you see my videos you'll see it, i guarantee you. And try, i dare you try to look for it. But short of that, i hope you all have a beautiful, wonderful day and we'll catch you on the flip side, see ya.