Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
The Institute of Internal Auditors presents all
things internal audit tech.
In this episode, Bill Truitt talks
with Nicola Sanko about the critical role of identity
and access management in today's organizations.
The conversation also covers frameworks,
regulatory requirements, and real world use cases.
(00:22):
So Nick, um, let's just start it off.
Can you gimme, uh, an overview of what identity
and access management entails
and why It's, uh, critical for organizations?
Identity and access management is paramount.
It's the frontline, it's the nexus.
A malicious hack, data breach incident is essentially
unauthorized access.
It's absolutely paramount.
(00:44):
I could talk a little bit of the, the cost.
I love that because we get
to tie the business side with the technology.
Mm-hmm. Um, that's really valuable
for making cost benefit decisions.
A recent IBM cost of a data breach report, uh, kind
of mentioned some costs and, uh, a bunch of other sources.
So they vary from 1.3%
(01:07):
to 1.9% of revenues all the way to 25% of revenues.
If you look at the Verizon report, uh,
specifically about ransomware, so across the industries,
profit margins vary from 2% to 20%.
So you can have a breach incident,
wipe out the entire profit margin for the year. Yeah.
(01:28):
Or at least a very good percentage of it.
And that's never a good sign to, to show on your,
uh, your financials.
That's right. It also gives a way to measure the value of,
uh, good identity and access management, uh,
because that's, um,
an important component in our control environment.
It's even more important now.
Costs of breaches have increased 10% over the past year,
(01:51):
and leading attack vectors are phishing, stolen credentials,
and those are the ones with a higher cost email compromise.
Malicious insider attacks are less frequent,
but also as costly.
So you can see how everything ties to identity.
And for incidents, security incidents, uh, cyber attacks,
(02:13):
on average, we're getting better at containing them about
two months to identify.
It used to be two and a half months.
It's still a lot of time. So the more time
passes, the more damage is done.
So again, that's, that's critical.
That's, it's good to hear that they're, they're,
they're getting, they're improving on, uh, time to identify
(02:34):
and then, you know, once they have identified, then we'll,
they can respond and react to, uh, to the breaches.
That's right. Now some of the biggest challenges to deal
with that and respond have been, um, just
if there's a malicious insider, for example, uh, we need
to distinguish between legitimate and malicious users.
And if there's weak identity governance, it's very hard
(02:57):
to dig through the environment
and the data we have, uh, to get to the bottom of it
to determine if it's a malicious actor or a legitimate user.
Yeah. So that, that's kind of one of the challenges we have.
Nice. So kind of digging more into, uh, identity
and access management, what are some
of the most common risks
that internal auditors should be aware
(03:18):
of? In, in this area?
It's weak governance, and that is the foundation for
a solid cybersecurity environment.
Mm-hmm. Control environment.
When you're talking about weak governance, would you say
that would include poor password controls, uh,
poor just identity management, you know,
like IDs not tied to single people.
(03:40):
Can you maybe give some examples of
what you would consider to be weak governance?
Sure. When we have, uh, a clear path forward,
it's really easy to navigate,
to move forward when there's clarity of vision, uh,
good governance and identity is clear vision in terms of
how is identity defined, what are the rules,
(04:03):
what are the policy standards?
And by the time we get technical with the tools,
with the processes we're implementing, with rigor,
with clarity, and with risk management in mind,
and of course,
always keeping the business interest at heart.
Yeah. So setting kind of a, a, a strong
(04:24):
and clear tone at the top
and have everything trickle down from that.
That's right. And it's difficult
to do when you have a large multinational organization
because there's silos, uh, there's different platforms.
There's on-prem, there's the cloud, uh, mishmash together.
There's employees remote on kind of onsite.
(04:46):
There's non-employees that have access.
And when you try to improve an existing system,
it's really difficult.
Um, and takes a lot of time and analysis to go through
and improve and rebuild the governance.
That's kind of the, the core challenge, uh,
moving mountains.
Yeah. I had had previously worked at a very large, uh,
(05:08):
bank and it was almost like,
it was like 12 different companies each with their kind
of own silo and ways of wanting to do things
that were just kind of loosely tied together.
So like, definitely, you know, a, a strong, uh,
governance position, um, would definitely be, you know,
beneficial for those situations to get some, uh,
uniformity across kind
(05:29):
of all the different lines of business.
Yep, that's right. Uh, lots of, um,
financial institutions, big banks, healthcare enterprises
have a similar scenario where, where they're siloed.
They're, um, I've seen multiple environments where,
where there's just, um, things are all over the place.
Uh, a lot of manual effort.
You know, there's one or two people managing access, um,
(05:53):
for thousands of employees, and they're about to retire.
So it's challenging.
Um, it's challenging that, that was kind of an example
of some of my projects.
And the, the key to success is, like you said,
top down, uh, governance toned from the top,
and leadership, the leadership has interest
(06:14):
and the will to implement the solid governance,
solid identity and access management.
And then that is, that is the core to the success.
Um, before we get to the, you know, technical, you know,
the encryption, key management mm-hmm.
authentication, authorization, groups
and all of that, that's the core.
Awesome. Kind of moving on, you know, uh, what frameworks
(06:38):
or, uh, regulatory requirements should internal auditors
consider when they're assessing their IAM controls?
There's a wide variety.
Um, I often work with the NIST frameworks.
There's a variety of those.
Uh, they map to ISO, um, those are great.
The GTAG is, is great. The latest update.
(07:00):
I love the fact that it includes, um, a mention
of NIST CSF 2.0.
There's a really good control list
to control objective list in NIST 800-53, uh,
Rev 5 is the latest.
It's highly detailed,
but it's really good guidance of what we should aim for.
Uh, there's a high, medium, low impact.
(07:22):
It's the number of controls you have, the significance
of the systems, but those are great, uh,
especially within the, uh, access control family.
And then identification family, tho those kind of groups,
I-I-A-C-I-A-P-E families,
NIST 800-63 is great
for fundamentals, identity fundamentals.
(07:43):
Those are important to know, uh, to understand,
uh, what we're looking for.
Looking for kind of what our group's, lifecycles identities,
what we're trying to achieve.
Um, it's a great starting point.
Uh, NIST CSF 2.0, the update is awesome.
I think, especially given the recent usage of generative AI,
(08:05):
uh, there's one interesting thing that they added is it's,
um, both governance.
There's a whole separate control group on governance,
and there's a data governance.
Data governance is a big deal, especially now
because you need to have a clear view of what data you have.
(08:26):
Um, data catalog standards, policies
defining kind of both categories, categorization of data
and classification of data.
Then you kind of determine how you manage it.
The reason being is that when you have good data governance,
you can apply identity
(08:47):
and access management identity governance to it.
FIPS 199 is great
because it gives you a way of rating systems
and based on the data, the risk, uh, that they have.
If you combine those together, identity
and access management essentially is having the right,
you know, access to the right data at the right time.
Um, for the right individuals or or systems.
(09:09):
That's a key to success.
And that's also important
for implementing strong DLP data loss prevention.
And in turn, with good governance, with good controls,
with good vision AI tools,
Can you share any real world use cases
where strong IAM controls have helped prevent security
(09:31):
incidents or improved operational efficiencies?
Got a couple of win examples
from different kind of viewpoints.
There's a scenario where I had hundreds of thousands
of backlog events, security events
around the access management,
and it was four database database platforms, uh,
for more, uh, numerous ax access lists, three
(09:54):
to five ticketing systems, uh, over four server platforms.
Um, so thousands of servers, thousands of users, um,
like 70,000
or more employees introduced documentation
of the governance, what was, you know, what was done.
And then documented
and standardized, um, developed solid,
(10:15):
this is how we do things.
And then boiled up to the policy level, standardized alerts,
consolidated the kind
of into a single CMDB cleared the backlog.
And then that enabled us.
And then several examples where we, in instead of weeks,
it took us days to identify incidents
and then escalate, uh, to the C 13 for, for investigation.
(10:38):
And we, we quickly imaged laptops that were affected.
So that, that's few success stories right there.
Yeah, I know that, you know, those,
those systems can generate, uh, incredible volumes of logs,
but none of that information is valuable
until you've had a chance to analyze it
(10:58):
and filter out the ones that aren't important.
And then, you know, identify the ones that you need to,
you know, have action on now. Yep.
So yeah, it's great. Got
a correlated.
Mm-hmm.
Yeah. I know. Kind of asked about success stories.
Do you have any horror stories?
Oh, uh, it's, I mean,
(11:19):
usually when I come in it,
it's a giant horror story and yeah.
And then it kind of dig through it
and implement and governance. You,
You're there to help clean up configurations.
Yep. There was a large enterprise where, uh,
this is essentially kind of, it's rinse repeat
because there were several of these.
Um, I sometimes do kind of broad identity
(11:40):
and access assessments
and sometimes deep dives of, um, the directory services
get a dump of users groups and all those records.
I, I try to get as, as much information as possible with,
with, uh, scripts, obviously working
with the business closely.
(12:00):
And it's one thing you, you have automated, uh, scripts
and functions to, let's say disable,
like disable user from opening a certain app from,
or just, uh, disable 'em completely
because they're no longer working there.
Um, and then you get an actual dump of the, the data
(12:21):
and report and export from the system itself.
And then you see thousands of users
that haven't been disabled on time, uh, still
around, they're still being used.
There's hundreds of accounts
that haven't had passwords changed or don't need passwords.
Um, use old authentication methods.
Um, one of the more interesting things that I see is that
(12:45):
often as auditors, we approach, um, assessments
on a risk basis and we focus on production environments,
and then we have the dev test
and the, uh, lower environments.
But to make it convenient, developers
sometimes take shortcuts.
(13:05):
The teams take shortcuts and they reuse passwords.
And then when you scan and compare the password hashes,
you see, oh, there's so many reused passwords across
the non-prod and the prod environments.
That was a huge lesson learned
for me when I first started seeing these,
don't ignore the lower environments.
(13:27):
You know, don't necessarily reduce the amount of testing,
depending if passwords are allowed
to be shared or can be shared.
You, you have to keep that in mind.
So you think there's a good value in
at least allocating a, a portion of your time to
looking at environments other than the top level
production into the
(13:48):
Absolutely. Nice.
Absolutely. At least, uh, compare the, the,
the password hashes across the environment,
um, the environment.
And that's something that can be fairly automated.
Uh, not a lot of time in that
A person comes in, runs a few scripts,
assuming they're reviewed by the technology team
and approved, because not every script should be run.
(14:09):
It should go through the proper change management process.
Um, and yeah, scripts, commands, whatnot.
You need to know what you're running, uh, validate it, um,
test it in a small environment, then you can run it.
Um, sometimes commands are better
because they're simpler, um, scripts.
You can see third party tools.
(14:31):
You have to be very, uh, comfortable with the risk and,
and what you're leveraging
to really depends on the tools you're using.
Awesome. So, uh, kind of moving on to kind
of the next area we wanted to talk about.
You know, this is something I've had a lot of experience
with, uh, as a practitioner, is, uh, kinda
what are the best practices for managing user access reviews
(14:55):
and, you know, how often do you
think they should be conducted?
This is an interesting one,
and I have a couple of horror stories, uh, for
that one, uh, to start.
I have a horror story as, as well. So, awesome.
She did with that. Yeah.
Perfect. I, it's this, this is like one
(15:16):
of those classic areas where, where you find
so much interesting stuff.
Um, I had, uh, the poor DBA, uh,
just received stacks
and stacks of, I mean, if he printed out,
they haven't printed it, uh, exports of users
and their privileges across a multinational enterprise
(15:38):
across different databases that this individual was supposed
to send to business, um, owners,
sometimes business owners, sometimes IT owners.
And it, it was such a volume of accounts to review
and validate and the detail of access that was listed.
No human could possibly be able to do
(16:00):
that a hundred percent accurately
and keep track of everything.
So it's, it's overwhelming.
It's too much, um, to, to understand to deal with
kind of maybe it, it helped to reach out
to the individual owners,
but it's, it's still a lot of data.
So I think it's, it's good to take user access reviews and,
(16:22):
and kind of just quite say pieces.
So I have, um, have this drawing,
and I published it in the past year
or two of the identity management, kind of the, the pillars
of the different RACI chart groups and the responsibilities.
And you have identities
and you have business roles, IT roles
and, uh, entitlements goes left to right.
(16:45):
And then you have the business side, the HR,
the business side, and more technology side.
As you go to the right from left being the, the HR side
that would validate the, the business roles
and job descriptions to the middle,
which would be management.
And they would validate the business roles and IT roles.
(17:06):
And then to the far right,
you would have the more technology people
that would validate the specific technology.
Specific entitlements. Specific configurations.
So each group would play a role, not,
not one individual taking the whole user soup-to-nuts
review of their access.
That's, that's impossible.
Um, I think that would be helpful if, if, uh, if we
(17:30):
chop up identity into several functions, like
business roles, IT roles and treat them all as,
as a lifecycle, then validating those would be much
more reasonable.
There's tools that do that, but I'm pretty tool-agnostic.
It depends on how you implement what the governance is, um,
tools that help with that.
(17:50):
I think that's kind of the, the main one.
Just make it feasible for employees to do that.
Yeah. I, so I had this horror story of, uh,
user access review where, you know, all
of our internal systems, we were good at, you know,
we would, uh, do the user access reviews anywhere
between one, one time a year for lower risk applications up
(18:12):
to about four times a year for the higher risk.
But we had this one application we didn't own,
but we had a lot of, the company used a lot,
and we are in very good terms with this other company.
We're like, you know, we don't really have a process
for communicating any of this, so let's get with them
and let's get a listing of all the users
(18:32):
and let's that they have
and compare it to kind of all of our current employees.
And let's see.
'cause this has never been done in like over 20 years.
So we get it, the listing we get from them
of active people is more than the current number
of employees we have at the company.
'cause once again, it's never been done.
(18:53):
And the only kind of field that we could use to tie the,
you know, their list between their listing of users
and our listing of, you know,
current employees was email address.
So we, we bump it up
and we find the ones that, that don't mix, that don't match.
And we're like, okay. It kind of did like a, it was a lot,
(19:13):
it was many thousands of people.
'cause it was a, a area where there was a good amount
of turnover, and once again,
there was more people on their system than we actually had
employees in our company.
So we were able to get that listing to them of like, Hey,
these are the people that don't,
are no longer employees here.
Unbeknownst to me, um, who I was the one
(19:34):
that was managing this is that a long time ago they used
to have a different email convention.
So unfortunately it was, it was very limited,
but it was, there were about 20
or 30 people that came in the next day
that had their access cut off that we had to get them back
because, uh, I didn't,
That's another good way of validating access.
(19:54):
Yeah. And that is: cut it off.
I know. We, we like to threaten that a lot.
This is one time where it actually kind of happened,
but that was, that was, that was interesting.
I felt terrible, but, uh, fortunately it wasn't too bad
and everybody, uh, took it in stride.
Fair enough. Well, well, it's, it's a good thing.
They, uh, they let you know right away.
(20:15):
I've, I've had instances where we cut off access
and we haven't heard from people,
and in a few weeks we would hear it from them.
And sometimes it's tricky
because sometimes you have, uh, fire call accounts
that are just set up
but not used technically should be disabled
and track system and all that.
(20:35):
But that happened.
And then PR testing comes and then they can't use it.
And then you find out always good to test.
Um, it reminds me of a time when, when we were doing a scan
and we've scanned through users
and filtered those groups, we filtered those
and then we decided to do kind of this obscure, uh, script
that pulled out, in Active Directory, uh,
(20:59):
privileged entitlements.
Just this entitlements not mapped to anyone, individual,
not mapped to a system, just they turned out to be orphan
entitlements that just were sitting
there and not cleared up.
And then if you wanted to, you can,
if you gain the right access, you can assign those
(21:19):
to just orphans.
Yeah. It's a potential vector for
someone gaining access they shouldn't have.
Uh, absolutely. Absolutely.
So, yeah, or orphans is a, is a big deal.
Orphan accounts, orphan users, entitlements.
Uh, we had a time when there was a, a group owner that was
everyone left, and the only kind of group owner
(21:42):
that was left in the company was, was an audit.
They've totally forgot about that group too.
And I think that group had privileged access.
So that's, it's always good to prove the access, not only
of individuals, but of systems,
machines, entitlements groups.
How about continuous audit authentication?
Your thoughts on that? From
what challenges it might present for, for auditors?
(22:04):
It really depends on how it's implemented.
It, it continuous authentication
leverages the existing data, these existing user groups.
Um, and I, I've seen clients where they have that in place.
Um, and I wouldn't stop at
seeing continuous authentication in place.
Um, you know, two factor continuous
(22:27):
re-authenticate based on risk.
Um, I think identity
and access management based on risk is excellent
because it's a sliding scale depending on
what data you have access to.
And PAM should be a continuum of that.
It's, it's not like admin versus not admin accounts.
It's, it's a sliding scale. Um, okay.
(22:48):
So I, I think we should make sure that if there's,
uh, if that is in place, then make sure that it's complete,
that it's enterprise wide.
Um, because as, as we talked
before, uh, users have a tendency of bypassing controls
for convenience.
So the core systems might have that in place,
(23:09):
but you could still have orphaned accounts.
Um, you could still have, um, hidden local kind
of accounts and groups within, like network devices, uh,
that are just waiting there to be exploited.
So I, I would verify the completeness.
Um, you know, I, I often see it as too good to be true,
(23:29):
and only when I verify that it's everywhere then.
So you definitely wanna make sure it is a,
a complete shift to this.
You can't do it piecemeal. No.
'cause that's just ripe for vulnerabilities.
That's right. Yep. Perfect. That's right. So,
Um, I, I think, and we touched upon, uh, privilege access.
(23:51):
I don't know if this is something that
we're gonna talk about. Uh,
We can go, we can go talking about that right now. Oh,
Perfect. Yes.
I, I love PAM.
I think it's a subset, it's part and parcel management.
Uh, it shouldn't be limited to admin accounts.
Uh, not, I mean, how do you define it?
(24:13):
That's, that's what I see in mm-hmm.
In organizations, we don't have a defined, clearly,
and it, it's critical because is privileged access,
the ability to add, remove users?
Sure. Um, if it's a low risk user, maybe it's, you know,
higher, lower risk, I don't know.
Uh, now is privilege access, the ability to view
(24:37):
the CEO's email, the CISO's email
maybe, and then kind of have visibility into that data
read only access?
Is it privileged? It could be, right.
The ability to see unredacted social security
numbers, credit card numbers. Yeah.
Oh, absolutely. A hundred percent.
(24:59):
We have different definitions of a privileged access, um,
across different standards.
Uh, I do like the fact that, uh, some of them now I'll kind
of read excerpts of definition.
So NIST mentions security relevant functions
that ordinary users are not authorized to perform.
So it's, it's above ordinary, which is great.
(25:20):
It doesn't limit it to certain, you know,
you can change, add or remove users.
It's more than that. Um, one of the vendors,
SailPoint mentions more powerful access rights than
normal user rights.
That's risk-based. That's a sliding scale.
Uh, CyberArk mentions special access or abilities above
and beyond that of a standard user.
(25:41):
And then privilege access can be human users,
non-human apps.
I added machine kind of learning kind of bots,
AI devices, scripts, et cetera.
So, uh, so, so important to see it from a,
a risk-based access, kind of a sliding scale.
Um, and then this way we can manage it better
and easy pickings for red flags for auditors.
(26:04):
Um, there's no privileged access management, PAM,
or definition of privileged access.
It's not sufficiently defined.
If you find that that's right there, it's,
it's a glaring deficiency that we need to have clear vision
and clear definition of privileged access.
Uh, not, this is something that's not supported
by enterprise wide, um, of the ERM program.
(26:28):
It should be supported. ERM programs should be tied into our
privileged access definition and governance
and, uh, you know, safe, so scattered,
non-centrally managed.
We're, we're not tied to tickets.
You know, we have a privileged access kind of activity
and then we can't, we have a ticket in place,
but can we validate it?
It was an actual legitimate activity.
(26:51):
That's something I still don't see.
Service providers, privileged access tools do.
Maybe one or two are starting to,
but they don't have the ability to, for you to,
if you're checking out a privileged account
to go into the service ticket portal
and then connect that service ticket
and say, I am performing this change based on
(27:14):
that existing service ticket.
I, I, I only see, I think one, if any, of the tools
that actually do that.
And this was a kind of something that I saw way back when,
a little bit of a war story and,
and, uh, it, it's, it's hard
to validate if the activity was legitimate,
if you don't even can't even tie it
to service ticket or anything like that.
(27:37):
Very true. So I know we, we
promised we were gonna touch on this subject,
I think it might be time, uh, artificial intelligence, ai.
Um, how does artificial intelligence
machine learning impact?
IAM? What should auditors know about AI with regards to
IAM? Love to hear your thoughts on this.
(27:58):
Alright. Um, AI is great.
I mean, it's, it's emerging still on its way to kind of,
it's being improved is, is being, uh,
generative AI is, is being improved.
Um, we're moving towards something
that can reason a little better.
(28:19):
It's still not perfect.
And in a way it's, it's, it started off with kind
of machine learning and, and kind of automation
and then turned something into something akin
to advanced machine learning.
Now that can generate text.
Um, in reality that's what it is.
It kind of generates something that's more, uh,
(28:40):
the most plausible kind of solution
to the problem you're presenting to it.
And it ties into data governance, zero trust,
and kind of the generative AI implementations.
I've seen scenarios where a generative ai,
uh, a corporate solution was implemented and
because not all data was, was secured
(29:02):
and it was treated as open employees could see,
you know, sensitive information.
Something like clear-text passwords or,
or personal kind of data and all that.
Um, so that, that's something,
Yeah, they ended up feeding it too much information
and, uh, without thinking of the consequences.
(29:22):
Yeah. And you could think you have it buttoned down
and you have your data labeled,
but somewhere someone has a little repository of,
of unencrypted data and it picks it up.
Um, so it's, it's important
People find ingenious uses for little notes fields
that are in applications. Applications
Yep. Applications, yeah. Oh yeah,
yeah.
(29:43):
Little free text areas, Unstructured data, that's,
Yeah. Yep,
yep. And we, we have to, we have to, we have to know,
and NIST has a, a framework that came out.
The AI Risk Management Framework,
which is essentially NIST CSF for AI.
It gives kind of control objectives across the kind
(30:05):
of designing, developing,
and deploying steps of, of an AI system.
Um, so it points out all the different, what we're looking
for, different areas of controls and control objectives.
And for example, if you want to, you want
to catch the instances of people kind
of leaving the unencrypted data and then it gets picked up
(30:25):
and have controls in place.
It, it mentions one
of the controls is making sure you monitor the outputs to,
uh, so it doesn't disclose any AI or any sensitive data.
That's a great framework that us auditors can use.
I would say nothing highlights, areas needing support
as in budget allocation, like audit, nothing except
(30:49):
for maybe a, a data breach, but then it's too late.
So, uh, IT audit
and business, we, we should work together proactively
to build trust
and take this opportunity to shape
a more resilient organization.
Awesome. Thank you very much, Nick.
I appreciate your time and, uh, hope
to here for you guys again soon.
(31:10):
Absolutely. Awesome.
Thank you so much. Are you concerned about
security in the age of ai?
Join The IIA's 2025 Analytics, Automation
and AI Virtual Conference on April 24th.
You can hear from industry experts
how cutting edge technology is transforming internal audit
by securing your spot and registering today at theiia.org.
(31:33):
If you like this podcast, please subscribe and rate us.
You can subscribe wherever you get your podcasts.
You can also catch other episodes on YouTube or at theiia.org.
That's T-H-E-I-I-A dot org.