CCT 058: Identity Unlocked: Unraveling Identity Management (CISSP Domain 5)

Ever get tangled up in the complexities of identity and access management? Tired of letting confusion rob you of effective cybersecurity strategies? Well, it's time to tune in and simplify it all! As your resident cybersecurity expert, Sean Gerber, I'll be taking the reins in this exciting journey into the heart of identity and access management. We'll tackle the big three – identity management, federated identity management, and credential management systems. Believe me when I say, by the end, you'll be navigating these concepts like a pro!

Are you ready to discover the true value of identity and access management? We all know security is paramount, but have you considered the benefits to productivity, user experience, and cost savings? Let's uncover these hidden perks together! The aim isn't just to understand but to utilize this knowledge effectively. We'll discuss the crucial importance of timely user removal and how to tackle challenges head-on when the system breaks. The big bonus? We'll also dig into how IAM aids in meeting those pesky compliance requirements and how automating processes can really save you a penny or two.

No cybersecurity journey would be complete without a deep dive into SAML, OAuth2, and OpenID Connect. Sounds complicated? Not for long! I'll be your guide as we examine these protocols and their roles in transferring authentication and authorization data. By the end, you'll understand SAML assertions, OAuth2's tokens, and how OpenID Connect is built on top of OAuth2. And, because we believe in value beyond theory, we'll explore real-world examples too. But that's not all! Stick around as I share how you can access free CISSP questions online and why joining the CISSP cyber training community is a game-changer. So, are you ready to revolutionize your understanding of identity and access management? Let's rock and roll!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey all, it's Sean Gerber with CISSP Cyber Training, and today is a beautiful day here in Wichita, kansas. Hope you all are having a wonderful day, wherever you might be around the globe. I know there's a lot of crazy things going on around the world, especially as it relates to these fires that have been hitting Enoghri. So hopefully you all, if you're in that area, you are safe, because it's crazy how hot it is this summer. It's just been a very, very warm summer. Well, today we are going to be talking about identity and access management. This can get a bit crazy and a bit confusing, so we're going to try to break it down into a way that is hopefully digestible and understandable by you all, because it can be a bit challenging at times. I know I even get confused when I start walking through these. What does each of these things mean, and so, therefore, we're just going to kind of go through and see how it relates to the CISSP. There's some key concepts you're going to have to know for the CISSP around identity and access management. Now you can dive deep into this and it gets extremely technical, which can be problematic as it relates to the CISSP. Again, as we talk about that exam, one thing you want to keep in mind is that this is designed for managers or senior level people within an organization. So like people like me, right. So I'm right now I'm a Chief Information Security Officer with a large company. As a Chief Information Security Officer, I deal with the high level aspects of it. I don't necessarily get down in the weeds. I do have to understand those specific topics, but I do not understand the real high technical pieces of this. So that's a bit of a challenge that people have to work through, and so we're going to try to get into that. We're not going to try. We are going to get into those concepts, but we're going to get into it in a way, hopefully, that you will be able to understand it and then utilize it on the exam that you'll be taking the soon. So that is the ultimate goal. Okay, so today we're going to talk about some three main topics identity management, federated identity management and then the credential management system. Now you might have been seeing stuff about a credential management system in the news recently with Microsoft and that the compromise of their CMS to gain access to various pieces within Microsoft 365. It looks pretty interesting to see how that's going to play out. That's a pretty big deal if their CMS was compromised. So, and also keep in mind, a CMS is used in many different ways. You'll use it in AWS. Use it in this case, as it relates to identity and access management. It's just a term that deals with storing of the credentials. So don't glob on to the fact that if you have a CMS in AWS, well, there, it's the exact same CMS that's used within your identity provider. They are not there. The terms are used interchangeably, but the systems are different. Okay, so let's get into what is identity management Now, as it relates to identity management, it is known to basically as identity and access management, depending upon where you go and depending on. I hear people talking. They mentioned AWS and I am, and they go. That's like a dirty word. I don't quite totally understand that, but I basically know that I am is used primarily throughout the environment or involved throughout the security space as identity and access management, and you will see that on the exam. That that's what they're going to be referring to. Now it's a process of identifying, authenticating and authorizing individuals, or potentially even groups of people, to have access to applications, systems or even networks. So it's the way that this the keys that allow people into an environment. Now these can be associated with user rights or they can be established identities that have were created through another method or means. So it's the ultimate goal is just identity, to prove who you are, to get allow you in and access to these systems. Now, identity management does include a lot of processes and technologies to make this happen, and the processes are designed, and the technologies as well, to help make your overall experience much easier, much better. But right one of the things that you don't want to run into you it's awesome where you can have the least amount of barriers when you go and you log into a system. You log in one time and then it carries those tokens, it carries that knowledge of you into other applications. That is the seamless experience that people want. They don't want to go okay, I log into my application a, great takes my password. Then I log into application B takes my password, application C and so on and so forth. They don't want that. They want to have the ability to log into one system and then that information is stored and then carries with you as you log into various other applications throughout the internet, and that is the new identity and access piece that has come up and it's now. You'll see, we'll talk about some of the technologies that allow that to occur, but that is what people expect to have happen. So, as you're looking from a CISP standpoint, know that your customers, that is what they're going to want, and so, therefore, you need to understand how do those various technologies work, because you need to educate leaders on putting those technologies within your company. As an example, I've worked with a small company in the past and this company had a situation where they didn't have any sort of multi factor or single sign on put in place, and it was the CISO's responsibility to help educate them in a way that would benefit them one from a security standpoint, but also from a point of view where the employees would enjoy something like that Right. They don't have to have those various barriers to gain access. So that's the security person's responsibility and we talk about it in the CISP. It's not just taking a test, it's about influencing people and helping them understand the security mechanisms, but also ways to help them understand the technology in a way that can make their lives better and easier. Now there's some primary components as it relates to identity management. One you have users, systems, policies and procedures. These are the primary components that are tied to this. Now, users these are individuals who need to access the network or their applications or the data. These are the individuals that getting access to this could be an employee, could be contractors, could be partners, could be just pretty much anybody and they have been given a unique user ID that allows them specific rights and privileges within your environment. So this can be set up, automated. It can be you have a person that just automatically, or that puts, creates an account for each person when they start. It can be done different ways, but the user is the person who gains access to the data. Then you have systems. Now this includes your hardware, your software, even your network infrastructure that needs some level authentication and access control to gain access to these same very applications that the users are using. Now it can include databases, applications, file servers, cloud services, you name it. They can pretty much have anything, and you're gonna wanna understand that users and systems they do work they do need the same types of accounts. Now, as you get down the path of allowing them access, you understand that systems and users may have very different needs, but they both are gonna need some level of access inside your environment. Now, policies policies are the rules. Do we talk about what is a policy? When I first started working on my CISP, I didn't understand what a policy was. I thought it was a bunch of politicians putting together some draft documentation and these are the policies that you followed. And in reality, those are the same, but in the security world they're a little bit different. Then the fact that these are the rules that help dictate who can access the resources and when. So, as an example say, you have a policy around an administrator, so you have people that have administrator access, and I have a policy that says if you have local admin, you are allowed only access to the device than which you are logging into. Now, if I say that, then those are the rules in which I have to operate, which then, in turn, works with the network people to ensure that these accounts have access only to the system that I'm working on, versus. If I have local admin and I just make it a wide group, I could have be local admin on every device, and that would be a very different policy than if I said I need to have local admin on only the device I'm logged into. So those are key pieces to keep in mind. Now, again, these can include password complexity, frequency of password changes. They can also be basically for granting, modifying and revoking access. So all of those are tied to policies. Now, procedures these are the steps that are taken to enforce these policies. So these are the steps you must go through to gain access. So this could be a user access capability, it could be the monitoring aspects of it, it could be the auditing piece of this or the assessment piece. It could be the procedures in dealing with an overall incident. How would you handle those? So, again, the primary components are users, systems, policies and procedures, and if you keep those in mind and try to keep it as simple as you possibly can as it relates to identity and access management, if you do that, it'll make your life a whole lot easier, and it will also make it easy to communicate with others around. What you're actually asking for Now what are some of the benefits of implementing identity and access management within your organization? So we've got really six areas that we're gonna kind of roll through, and each of these are a very important factor of why you should implement IDM within an organization. Now also, when you're deploying identity and access management within your company, keep in mind that you don't have to necessarily go to the largest possible deployment you can. Where you all have Ping Identity, there is limited logging capability. If that is where your goal is, how do you then migrate to get to that position? And so don't just think well, I've got to do all of these things between multi-factor and single sign-on. I just I got to put it all in place and you do. It's a highly recommended that you do implement these, and they have a lot of really easy tools to help you do this within a small company or within even medium-sized companies. But there's a lot of great tools to help you integrate that within your environment. But don't get so focused on how big this is and how hard it is. You need to just focus on what is one step I can do this year or the next six months that can move me down this identity and access management path. That it's the important thing to keep in mind around security is. If you try to look at this from a holistic standpoint, it can become very overwhelming. So it is important that you take this in a step-by-step approach. Okay, so some of the benefits of implementing this within your company is security, right? So we just talked about that and you're listening to the CISSP Cyber Training Podcast, and so you are trying to study for your CISSP, which ties to security. So guess what? It's one of the most important pieces, right? So by managing user access, you can ensure that only the authorized users or individuals have the access to the most sensitive data within your company, and at this will this reduce the risk of breaches, incidents and so forth? So having this in place is like a safety blanket. It really does work. When we didn't have identity and access management in place in various companies I've worked with, even through the military, it caused a lot of drama. There's a lot of churn that went into place, but once we got a good provider that dealt with identity and access management, it became very simple and the responses or the service desk calls, the tickets that came in, were much reduced because of the fact that we put in an identity and access provider. Now it's especially important, especially when we're dealing with this world that we live in, where the security and cyber threats are completely sophisticated or becoming more and more sophisticated. It's just you gotta do it. So, again, you're here to study for your CISSP, but you will graduate, you will get your pass, your certificate, and when you get that, you are gonna move on to a small company. So something to really keep in mind about employing identity and access management Productivity again, it can dramatically increase the speed in which you can be giving users access to the systems and the data they need, and it will make people happy. Now the challenge that comes out of this this is a bit of a challenge which we'll probably get into down the road a little bit is that it becomes so easy that when it does break, users scream. So it is important to keep that in mind. It works very, very well and users come to expect it, but when it does have challenges, it can be very detrimental to your organization. Automated processes this is another thing when it comes to productivity. Wise, it allows for automated processes to basically streamline your onboarding and offboarding of users. So you have individuals who leave your company and they exit, right. So when they exit, how do you remove those credentials quickly? That's always been a challenge. You'll see this a lot within a company. You'll go to this company, you'll pass your CISSP, you'll go there and you'll have all these great plans to be able to go make a change and you'll look at the blocking and tackling. We talked that as the basics of security and you'll see that Billy Bob, george, fred, yee-ching whoever you may have within your company, wherever you may be, was a contractor three years ago and that contractor is no longer in the system. That contractor is no longer working. Well, guess what? That contractor's activity is still there. So that's a bad thing, right? So you wanna make sure that you have this in place because it helps removing users that have been there for a while and it helps reduce the burdens on your IT department. We've talked about the user experience with use of single sign-on. It is something that people love and once you put it in place, they will assume it is the standard and if it breaks or goes away, they will not be happy with you. It also improves user experience, but it also reduces the chance of password-related security incidents. It does so that now people are reusing passwords. It helps reduce some of that challenge as well. Compliance, again many industries do have regulations that require companies to have some level of control around the access, and so this will help dramatically to reduce your compliance burden that you may have. This can when you're dealing with putting this in place, especially when you're dealing with regulated environments let's just say you're dealing with CMMC for the US government and they are asking for that specific topic this will help dramatically reduce your risk and it'll also help show that you have met the compliance requirements around it. Cost savings obviously, by automating these processes it can cost a little bit coming up front, but by not having individuals to do this manually and then also by avoiding errors, it will give you a very substantial cost savings in the future. It's worth every penny that you spend on it. It's just sometimes it's hard to justify that at the beginning if you don't have all of that outlined. And then auditability Basically it allows individuals to come in to your organization either through third parties or internal audit, and then be able to determine who had access to what resources when they did, and so forth. I had a situation a few years back where a system went down and it dealt with the auditing capability within SAP or within an ERP environment, and that can be a problem, right. So it allows people access to an environment, but auditors use those. Well, this is a great way of having single sign-on that will allow auditors to see when people logged in and when they are logged out. So now I'm going to get into this identity and access management systems and the technology that's associated with it. So we're going to talk just mainly about three different areas Single sign-on, which is also called SSO, multi-factor authentication or MFA that's Mike Foxtrot, alpha and then biometric authentication. So now single sign-on. What exactly is that? Well, what it is is it's a session and the user authentication service that permits a user to basically have one set of logging credentials, a name and password. You'll see this when you go into some of the social media sites. That it will say login using Facebook credentials or login with Google or with whatever provider you may have, and if you log in with that, it takes that the normal logging credentials you would have with Google and it applies them to the application you're logging into and basically it allows the end user for all those applications that have been given rights to, and then it eliminates any further prompts when you try to log in. So it's just single sign-on you single time, one time you sign on and it gives you the access to this. Again, I've got some. If you look at the videos, you'll see the videos on YouTube and if you through CISSP cyber training, I have those videos as well. One of the use cases it talks about is on the screen is how a large corporation with numerous internal and external services wants to streamline the login process. Right, so you have multiple things in place, multiple applications that you use. You then would implement SSO and now you go to your workstation on one morning you log in and then, when you log in, it allows you access to these various applications and databases and whatever else within your organization. It's very good. People love it. Your employees will thank you for it. Actually, they probably won't, because what ends up happening is, once you put it in place, they just assume that that's just part of the deal. Now, multi-factor authentication, or also known as MFA, multi-factor authentication, is basically a security mechanism that requires basically one method of authentication from independent categories of credentials, right? So it basically is designed to create a layered defense or a layered approach to identity and access management. So we got a situation let's just use. Most people have banking credentials. You have a username and password that allows you to log into your bank. When you log into your bank and it says Sean Gerber, at blank, here's your password. You know QWERTY. You know Q-W-E-R-T. One, two, three, four, five, six. That's your password. Okay, if you're listening to this and you're CISP, that's a really bad password, but let's just use that your password for today. So your QWERTY, you put your password in the moment you log in. Then it's going to ask for another form of authentication. Now this can be done in multiple different ways. It can be done through a physical location. It can be, as an example, where it knows that by you're in this physical building, you have access to it. It'll allow you. In that way, it could be set up to where you have a PIN that you have to enter. That would be part of something that you know in your mind and that you're going to have to put it out there. It could also be something that you are, ie biometrics or a fingerprint that would allow you access. But it's another layer defense that's going to help mitigate the issues of people trying to steal your credentials. Now, the one thing you want to watch out for when it comes to MFA now as a CISP multi-factor is something you really need to push to ensure that it goes in place with whatever company you go to. But one thing you want to keep in mind is getting MFA information on SMS, which is basically your texting. It's a simple messaging service. If you get a text that says here's your PIN, that is not the most efficient or the most secure way of getting that information. You need to act as a multi-factor layer. It's used all the time, it's used everywhere, but it's not one of the better solutions to use. Ideally, you'd want to use a different type of authentication. So when you're dealing with authentication I kind of thought alluded to it earlier, but you want to focus on something you there's the three things that we focus on Something you know, something you have and something you are. Now something you know would be obviously a PIN. Do you know that PIN? Maybe your PIN is a four-digit PIN that you enter in I know in Netflix, because my kids get into stuff they shouldn't get into. I put in a PIN to go into Netflix so you can log into my account. If you don't know my PIN, you ain't getting into Netflix, so that is something that I know. When it comes to something that I have is there's on your phone, you can get an authentication application. Google has it, microsoft has it. Various other companies have these authentication applications. It does a time sync to the application in the cloud so that if I log into your password provider, for an example, you log into your password provider and you enter in your username, your password. It then prompts you for an authentication mechanism. You go to your app that's on your phone or your computer, wherever you may have it, and then you, as it's rotating through this code. You then take that code and you place it inside the application. It syncs with the application in the cloud. It says, yes, sean is that person, because it's something he has, allow Sean in, and so there's, that's something you have. Then we get into the something you are. Piece of this is you get a text from your bank saying, hey, we see someone is trying to log in. Please use your, your device and multi factor and log into your bank and so you can use the face ID or you can use your thumb on your biometrics. They're getting into now retina scans and so forth. So there's lots of ways for you to get some level of authentication into your environment. But multi factor authentication is just another layer that you will go through to allow you access to the application or the database or whatever it might be that you're going into. The next one is biometric authentication. Now, biometric authentication is a security process that relies on unique biological characteristics of the individual right fingerprint, eyeball, face, something like that. Now, when you're dealing with a, depending upon the level of security where you're going, you may implement these biometrics into gain access. In the military, we had various biometrics to gain access into specific locations. Challenges is they worked really well. Sometimes they didn't work at all. So you have to define which one is the best for you and your company. Do you? Is it something as simple as a, as a fingerprint, or do you have to have a retina scan? There's various pieces around this, but bottom line is that they use these to gain authentication to systems and to various applications around there. So you need to kind of keep in mind. When would you use this and when they're asking you questions on the CISSP, when? Where are those types of questions that you would use? Okay, so we're going to roll into Federated Identity Management, or known as FIM. Okay, so what exactly is FIM? Well, fim is going to be there. It happens in various health sectors, to include healthcare, education, government, you name it and what it's done to do. What it's done to do, it didn't make any sense at all. What its purpose is is to help increase productivity, convenience and also allowing for administrative overhead to be reduced dramatically. Now, when you're dealing with FIM, there are some various protocols that you're going to be focused on and you'll see these in the CISSP exam and these are something you need to be aware of and how to deal with them. Now we're going to talk about SAML, oauth2 and OpenID Connect. Now, what is SAML? It's not a camel, it's SAML, right? So a camel if you're someplace other than Kansas, that's a, an animal that has a hump on top, maybe two humps and has very long legs and usually in very hot locations, but that's, that's a camel. We're talking about SAML. So SAML is Security Assertion Markup Language. Now, this is an open standard for authentication right. It exchanges authentication and authorization data between parties and you're going to want to understand the differences of these and why we want to use those. It will basically transfers data between the identity provider, which you'll normally see an acronym called IDP, which is India Delta Papa, an IDP provider, and that's used a lot in the commercial spaces for what an identity provider is, which you need to understand that that is an important factor in your overall identity and access management plan. And then so it will. It basically talks between the IDP and the service provider or the SP. It does allow you to log into multiple services, like web applications, single using a single set of credentials. So that is the purpose of SAML. One of the things that I deal with is, when I'm looking at security assessments, if a SAML, if I'm dealing with an application that utilizes SAML, that is an important factor. If this application that I'm working with does not utilize SAML or OAuth2, then I would look down upon that application Because in most places today, from a security assessment standpoint, you do want SAML to be used. You want that information. You would like an application because it works and integrates well within your organization. So SAML is an important factor. Now, if this works, by passing information about a user between identity provider and the service provider in what they call SAML assertions, so the IDP, the identity provider, will send an assertion to the service provider when the user tries to log in. So that sends that to the SP. This includes information about users, such as username, username, email address, something along those lines. It does not include anything that is sensitive. It's only those key aspects that it would be as a person to allow them to log in. Now, that's a key factor because you're gonna see questions in the CISP that may ask you around that they may send secure the username's password. That is not the username's password is not sent through a SAML assertion, so it's important to keep that in mind. This is when you're dealing with any sort of credentials. That is outside of the SAML aspect. Oauth 2, this is a protocol that allows applications to request access on the user's behalf without getting the password Very similar, right? So you got SAML and you got OAuth 2. This will allow one application the ability to access data from another application. Now this one in OAuth 2 will grant a token. So you got assertions and you got tokens. So those are key terms that you're gonna see the difference between them. This token gives the application a certain level of access to the user's data in the application. So that's the OAuth piece of this. Whereas the assertion is sending out information such as your email username and so forth, the OAuth is using a token, that which grants the access to the user's data. A lot of times, oauth will be used in applications such as APIs, which will be tied to the individual's user username. One thing you wanna avoid, obviously with APIs is adding credentials into the API, hard coding that into the API. Don't do that. If you can avoid that at all costs, it would be, and now I say that you can't always get away from that. Sometimes you have to implement the credentials into the API, depending upon the application you're using, but try to avoid that at all costs. So an example you can basically be is around a user wants to gain access to, let's say, google Calendar. The user doesn't give the third party application their Google username. Right, you don't wanna give them that, but instead you authorize the application with Google to basically work between the calendars. So you're not giving them the username, but you're saying, hey, google Calendar, you can work with this application and then they sync up together. So you have OAuth and then you have SAML. Saml deals with the credentials and assertions. Oauth deals more with the tokens and the application talking and you gaining access to data. Now, openid Connect is an authentication standard built on top of OAuth 2. Now, so we got again. So don't think of OpenID as its own protocol in that regard, it works in conjunction with OAuth 2. Now, it's built on top of OAuth 2 and it doesn't allow the application to verify the identity of the user based on the authentication performed by the authorization server. Now this is done by returning an ID token along with the access token. Like we mentioned, tokens tied to OAuth, assertions tied to SAML. So those are key. I've said it a couple of times, so hopefully you pick up on that. So the ID token contains a list of user attributes that they call these claims. So you got claims, you got tokens and you got assertions again. More terms getting confusing. These include information about the identity, such as their name, email address and so forth. So this gives OAuth that SAML capability. Lack of a better way of kind of explaining that. Now these claims are digitally signed by the authorization server and can be verified by the client. Okay, so how does this work? So we'll give you an example around this. You have a user that logs into a mobile app using your Google account. The app then sends the user to Google. This has happened numerous times to me. Right, happens all the time. Right, where this is where they log in and they authorize the overall app. Then Google will send the app and the ID token with the claims right. So claims is open ID connect about the user's identity and the access token that the app can use to engage Google's API on behalf of the user so you can kind of break that down a little bit is the fact that it's allowing you get access to Google's API with using your credentials, but that's, the credentials you have are tied to open ID. Now what complicates this again even more is the fact that these protocols can be used independently, but they're often used together. For example, you may get OAuth2 is often used to SAML or open ID connect to provide both authentication and authorization. So you're just gonna have to, when they ask a question, the CISP parse that down and I would recommend that, if you don't have a good understanding of this, get smart on it, because there's a lot of questions that are around SAML and open ID. From what I've been told, and I think, because it can be confusing, it's one of those areas where they will focus on because it's confusing and they kind of want to trip you up. They don't want to trip you up, they just want to make sure you know what you're talking about. Okay, so the credential management system what is a CMS? This is a system designed to manage user credentials, including creation, issuance and revocations of the access rights. Now, they can be a very important factor that you have within your environment and you need to consider using a CMS. Now, cms can. It's from a security standpoint, it's holding the credentials, but it also can be a requirement based on the regulatory aspects that you may have within your company. They may be required to have a CMS to store the credentials of your identity and access management environment. So keep that in mind. So, if you hear people talking about CMS, it is a credential storing, credential management system. Now, there's some basic components to that, but we're gonna kind of roll into the deep dive around what are the pieces of it. But when you're dealing with the basic components of a CMS, you have a user enrollment, identity proofing, credential insurance issuance, credential renewal and then credential revocation. So if you walk through that, it makes sense, right? You enroll them, you show that's who they are, you provide the credentials, you renew the credentials and then you revoke the credentials. Those are that's pretty basic right. Those are the basic components. So when you're dealing with the components, let's do with identity provisioning. This deals with creating the. There's basically about eight different or nine different components as it associates with the CMS. There's identity provisioning. This provides, obviously, provisions your identity, and this ties into Active Directory. It allows the credentials to be created and assigned and it may also involve setting up the initial roles and the permissions for the user. The next one you have is authentication management. Now, this is responsible for verifying the identities of the individuals, kind of like the proofing right Identity proofing which we talked about. This makes sure that who you say you are is who you are. This can be usernames and passwords, it could be biometric data associated with you, it could be other multi-factor authentication mechanisms that are tied into the authentication management piece of this, and this will a lot of this will depend upon what securities needs are for the organization. But you have identity provisioning authentication management and then you have authorization management. Now authorization management is the user, just basically once the identity has been authenticated, right. So now you've proofed them, it needs, the CMS needs to determine what the user is allowed to do, what are the roles and permissions that the person can and cannot do, and that's tied to the authorizations. So they Sean can gain access to this, because I've identified who Sean is, I've confirmed it who he is, I have his information and now Sean has access to X, y and Z. Then we look at the credential storage. Obviously, this is the secure storage of my credentials to ensure that if they were compromised that's what secure means what would happen? Can they gain access to my credentials? We see this a lot. Most hackers will go after their credential storage areas because why they can then steal those credentials and utilize them in other places Also, people reuse credentials a lot, so therefore, if I steal them from one place, odds are high they're going to log me into many other locations. But again, it needs this needs to be a very secure location to prevent anybody that had unauthorized access, and this can involve using various encryption type techniques hashing, salting and encryption. That's a different section of the CISP. But again, that can be done in various ways. Password management is another part. This is the creation, storage and maintenance of the user passwords and this is tied to the requirements you may have set up as it relates to complexity, rotation, history, etc. Next one is access management. This includes both giving physical and logical access to the resources, and this includes can set up it controls in different parts of the building or network, depending on what you want to have. A lot of access into Audit and compliance. Again, this is a way that your compliance folks can come back and look at the credentials, look at the logging and monitoring that was in place. And then, did people have the right access? Did people log in when they were supposed to? Did people have the ability to gain access to these systems? They shouldn't have. We've used these areas when we're trying to determine employee work ethics. Are they working a lot? Are they not working? Are they just going working from home and they don't ever log in? You'll utilize the identity and access providers to help in those areas as well. Identity Federation this is for organizations have multiple systems for third party services. Again, this ties into SSO and using SAML and open ID. That's the identity Federation part of this this is where you have a centralized management of identities is all pulled into this part of the CMS. And then life cycle management. Again, this incorporates the user credentials from creation to deletion. All of those are when your person gets to the company. They sign up their username and password, they log in, they're now in the system, they now leave the system and then when they leave the system, how are those credentials removed from the environment? All right, that's all I have for today. I hope you guys have a wonderful day. It's been an amazing adventure talking to you today and I go check out CISSPcybertrainingcom. Go check out the website. You get some really great stuff out there. Also, you can go to free CISSP cyber, free CISSP questionscom, and you can get access to free I say free CISSP questions. You get 30 free questions each and every month that will come be sent to you that you have access to, and so you can do that just by signing up for my emails. You'll also get access to various other CISSP related information just by being part of the CISSP cyber training community. All right, I hope you guys have a wonderful day and we will catch you on the flip side, see you.