Details
05-28
Details
05-28
Comment
05-28
In this Audit Tuesday session, the focus is on securing the Identity Attack Service. The speakers, Dan and Rashad from Red Cup IT, discuss the importance of managing identity and access management systems (IAMs) to protect against vulnerabilities. They emphasize the need for limiting the identity attack surface and implementing the principle of least privilege. This approach involves granting privileges on a time-limited basis and automating identity management processes. They also mention that these practices are included in regulations such as NIST cybersecurity framework and HIPAA. Good morning, everyone, and welcome to today's Audit Tuesday. So in this session, you will spotlight securing the Enterprise Attack Service, specifically the Identity Attack Service. To help explain the subject, we're lucky to have Dan Lee, Cyber and Solutions Expert and CEO and founder of Red Cup IT, and Rashad Sherry at Red Cup IT as well. Welcome, Dan and Rashad. Thank you. So first of all, so Dan, can you please introduce yourself to the Audit Tuesday audience? Hi, everyone. I'm the founder of Red Cup IT and the Chief Security Officer as well, and I work on designing our security architecture, picking products, and talking to our customers to figure out what's actually going to work for them. Most of our customers are in fintech, healthtech, and enterprise B2B SaaS, so they're very complicated and they're very advanced in their needs, and so it does take a partnership to figure that out. And, Rashad, would you mind introducing yourself as well to the Audit Tuesday audience? Yes. Hey, my name is Rashad Sherry. I'm the Sales and Partnership person here at Red Cup IT, so I handle all of our partnerships with our clients and day-to-day project management. Perfect. So let's go ahead and get started. So, Garrett, why don't you talk a little bit about what is an attack surface? Yeah, thanks, Ashley. And when it comes to an attack surface, this is what the industry has told us to worry about, these guys, you know, your devices. And I lift up my laptop, but it'd be a little hard since I'm using that camera, right? But that's not the only attack surface, and in fact, you know, real security guys like Dan on this call will tell you it's not even the most crucial attack surface, right? What we have to worry about is our identity. And it doesn't matter whatever comes from your Android or your iPhone or someone just happens to do it on their watch, if your identity is exposed, that's your real attack surface. And that's why USF has partnered with Red Cup IT to address the identity attack surface. Yes. And Garrett, let's get more specific. So what is meant by identity attack surface? Yeah, so what's meant by identity attack surface is, so here we go, you've got identities in your system. And yeah, yeah, yeah, we can talk about, you know, Facebook and all that, but that's not going to be the focus of this conversation. This is going to be, you have an identity in your enterprise, usually starting somewhere in HR system, propagated to your IAM systems, your identity and access management systems. That's a huge vulnerability. Don't ask me, ask the casinos in Las Vegas. How did it work out, right? How did that work out for them when their IAMs were owned? I mean, that was serious. They were owned. They were owned by the attackers. And they were creating roles, creating policies and training groups, et cetera, that benefited the attackers. That's what we're referring here on this call, and that's why we coupled once again with Red Cup to UHS addresses the identity of Red Cup, manages it then for the enterprise to make sure their IAMs and their identity attack surface is under control. And Stan, the identity attack surface, though, it poses a problem to enterprises, right? Definitely, yeah. There's a lot of identity sprawl in enterprises, especially because there's different business units, there's different departments, there's people joining companies, leaving companies, people changing roles. And so the permissions that you have in a company or what you shouldn't see or shouldn't see are changing on a near daily basis. And so this is something that you need to manage very well. And you need to have a really good asset management process around that as well, because an identity is an asset. And those assets have a lot of different entitlements, such as AWS access, GitHub access, 365, SharePoint access. All those entitlements and identities will be changing. And if you're not managing that well, that can lead to an insider threat or a breach long term. So there is a need to limit the identity attack surface. This isn't a new concept, is it? No, no, it's not. I mean, if you go to our website, uattest.com, you'll see all this writing on something called basically principle of least privilege. Principle of least privilege, okay? Look it up, NIST AC-4 for NIST 101, this cybersecurity framework. It's been revised for 2.0 AA05. Principle of least privilege, what is that saying? And I like it when I got the East Coast guy waving his head up and down. Right, Rashad? There you go. Then I know I'm right, okay? And principle of least privilege, what is it saying? It's saying you've got these accounts, right? And you give them access, right? Why are you giving them too much access? And most of the time we have. There is a survey that was done by the Palo Alto group, their attacker group, their risk group. And it said 99% of cloud permissions are overly permissioned. That means we've added, we added. And this is something I talked to Dan early on about. We partnered together on this. Because this is the way I look at the IAMs, the Identity and Access Management. They're great. They're like the engines that America developed in World War II. We had these amazing engines. Rashad's like, where's he coming with this? Okay, so watch where I'm going. So here's World War II, you know? We got these airplanes. You got your P-47s, you got your P-51s, right? These things are amazing. Yeah, I was a kid. I had all the models over my bed, right? And those engines were amazing, right? So what did America do when we got back home? Said, I know what we'll do. Let's throw those into Cadillacs and Buicks. Okay. How's that going to work out? Look it up, guys. What it is is we had massive horsepower and these things couldn't stop. We're just killing people left and right, right? So then we came up with disc brakes, right? You had your drum brakes that couldn't stop the damn engines. But you had your disc brakes that say we're good. That's what identity governance is, and that's what the principle of least privilege is. That's saying, holy, it's awesome that we can add new applications, that you can throw in people real quick. It's really awesome. That's what functionality is. That's what people in the business units are yelling about. I need my users added immediately, right? And that's what they're yelling at Dan and Rashad about. Let's go. I need immediate turnaround. And they can facilitate it. But Red Cup was professional enough to understand that, hold it, if we're going to automatically add in people out here, we need some governance. We need some disc brakes on this. And that's where UITAS comes in with the principle of least privilege. The principle of least privilege says, hold it, does that person really need access, right? Do they change roles, right? Or do you have some god awful way that you're just adding people by groups and by copying ways, right? There needs to be governance, and that's the principle of least privilege. Yes. And Dan, this has always been a best practice in identity and security management, right? I think so. It's always been a best practice. However, operationalizing practice is not easy because you need to build a piece of – it's a process that should be a piece of software since it's very complex. And like as Garrett mentioned, there's a sprawl of identities. There's just hundreds or thousands of identities or tens of thousands of identities in an enterprise to manage. And so using a spreadsheet to do that is not scalable, and it's very time consuming. So most auditors, for example, were required to do that on a quarterly basis. But just think about how much is changing your business on a daily basis. That's waiting for 90 days to start doing a review. It's untenable. It's not manageable. So you do need a piece of software that's deeply integrated into your system with a team that understands how that works on a day-to-day basis so that they can help you with automating that and basically providing you a facilitated way of managing the identities versus just letting it sit there for 90 days and then trying to do it on a spreadsheet. So that's how we found UATest because we felt like there should be a better way to manage identities. And with least privilege, UN and UATest together, it's better because you can actually grant privileges for a time-limited basis versus just granting it in perpetuity and then revoking it later. And Garrett, this is included in the regulations, right? Yeah. Yeah. So let's take it back. So a lot of people are confused, they're not in the industry, what NIST does. That's the National Institute of Standards and Technology. And they have NIST cybersecurity framework. They have 853 for the feds. They have 871 for, what is that? That's the zero trust. And I can go on and on. Those are guidances. Those are regulations. Those are guidances, okay? And then what happens is two groups look at what NIST writes. And there's others, but NIST is the program, is the consortiums, things like PCI DSS, which is not a government. That's the retailers say, hey, if you're going to hold credit cards, you have to follow this. PCI DSS or that, and that's a consortium. Another one is HITRUST for healthcare. Healthcare, that's not government. That's just the thing that the insurance company is like, hey, you know, we're getting hacked and we got to trust our suppliers, so our suppliers better follow HITRUST. Those are actual regulations that they enforce. Then there is government regulations. Government regulations that have real fines and even now, if you watch what happened to the solar winds, literally legal action and criminal actions. That's by the government. That's stuff like HIPAA, the Healthcare Portability Act. That's saying if you're in healthcare and you hold sensitive data, which is called PHI, personal healthcare information, you're under HIPAA regulations. And that's where all the breaches come from, right? The breach lawsuits. And Dan and Tim can tell you, you don't get sued for being hacked. You get sued for sloppy practices that you can't show your due care of handling the data. And those are regulations all over the board. There's regulations that pertain to publicly traded companies. That's Sarbanes-Oxley. Okay, there's regulations straight out for if you're in a defense industry, CMMC. All of these regulations, all these regulations have guidances pretty much cut and pasted from the NIST document that say how you should be handling identities, the best practices, as we started off, and how you should be doing reviews of the access you've given. So to answer your question, Ashley, yes. As we started, there's a best practice around identities, and then it's even enforced by the guidances from enterprises like NIST. But it's actually embedded into regulations, regulations that have fines and sometimes even criminal prosecution around. And Rashad, so your customers care about security and compliance, correct? Absolutely. So our customers are recovering from small businesses and large enterprises. They place a high priority on security and compliance. So the industry that they operate in do require strict regulatory requirements, and they have to protect that sensitive data and adhere to these standards. So it's very crucial where they rely on us to make sure that all of their IT systems are secure and compliant, which is why we partner and use UITest. You guys help us to automate everything and kind of streamline the process. That way everything is, you know, they're following the rules and meeting all of these standards properly. And Dan, given that security is the main driver for Red Cup IT, is this why you brought it on UITest to review these privileges? Yeah, exactly. So like Garrett mentioned, the rules and regulations give you like a paved road or a guardrail where these are the bounds of where you should operate. And if you're trying to do that out of a spreadsheet, then you can easily go out of bounds. There's no real controls there other than, you know, trying your best. So you do need a partner and software and a whole ecosystem of solutions that you use, and this is where we had to go out into the market and look to find something that would fit these requirements that our customers are regulated by or pretty much cyber insurance as well. Like Garrett was alluding to, basically you can't not do these things because you'll be deemed as negligent, and that's when your cyber insurance won't pay out. Garrett, why don't you explain to the audience what UITest does and how it works in the Red Cup environment? Yeah, in the Red Cup and general environment, 100%. So you have identities. So you get a great service like Red Cup, and they're managing your identities. They got whatever, you know. If you said, hey, I do SSO through my Ocker or my AD or my Contra AD, and Red Cup says rock and roll. We'll manage that. We'll, you know, turn on the two-factor. We'll manage your users, et cetera. But what Dan and I talked about was, okay, once that's set up, there is governance. Governance needs to be done. Governance is the process. It's the actual process of understanding who I've given access to and then attesting to, attesting to who has that access. And that attestation is a real report. It's a real report. Want to have some fun? Look up the SolarWinds criminal prosecution of Tim Brown, which is their CSO. And it straight out says, hey, CSO, in your Sarbanes-Oxley filings, you've said, your SOX filings, your 10-Ks and your 10-Qs, you said that you were doing something called the principle of least privilege that we just talked about. Where is the evidence that you were doing any activity around the principle of least privilege? And after they did their discovery and their due diligence, they're saying there's no evidence you were doing it. That's where Red Cup comes in, right? Yeah, we built this great product, right? And it will go in there and it will attest to your users and all that. But that's what Red Cup does. And the managed service, what they're doing is they're, of course, they're managing your actor, your AD, your outer AD, right? But then they're plugging in UFS on top of that to go through your permissions and to clean up. That's what they're saying. It just breaks, right? It cleans up your users and says, this one's overprivileged. This guy left last month. This guy, you know, has an orphan account. And it cleans it up. That's what UFS does, right? And then what's really cool, because Red Cup is a managed service provider, what they're doing is saying, and by the way, here's the evidence that you've done this every quarter. Rock and roll. So, you know, and I'm not saying whatever, but it's reality. It's 2024, guys. There's hackers out there. Big alarming news, right? So, you know, if anything does happen, you, there you go. Here is the evidence that you as an enterprise, via your managed service partner, have been doing due care on the identities. And that's where UFS is. It is the actual functionality, and we have just, you know, tell them what we've done. We've been doing this for five years. We've done three and a half million attestations. We worked out all that real painful workflow stuff. You know, when you're supposed to be doing an identity review once a year that you do it, which is way too infrequent, is spreadsheets and emails? We have automated that. We've automated through clicks, and that's going to be the second part of this when we have Kashif show some demos of this. That's what we do at U-Attest. So, can you talk, Rashad, of how Red Cup IT customers need and utilize U-Attest for identity security and compliance? Absolutely. So, as Garrett mentioned, he kind of broke down what U-Attest does. But how we take that information is with those automated access reviews, we're able to ensure that there are only authorized users accessing the sensitive information. For meeting with the standards, the compliance standards with the industry, we use U-Attest to help us meet the regulatory requirements by using the detailed reports, simplifying, you know, the compliance processes. As far as with road management, U-Attest enables us to define and enforce specific users to be, you know, have access to the different reports and information within that company. So, we take everything that U-Attest provides and kind of bring it down for our customer level to get them to understand and also meet their compliance needs at the same time. And, Garrett, I believe this is where U-Attest can come up to help enterprises meet the gap in identity security and compliance, correct? Yeah, absolutely. That's what we're doing. As Rashad says, he's got the customers on his side. Hey, we've got to do security audit and do the identity attestations, and that's the workflow that we built. So, Dan, your MSP Red Cup IT, they have trained personnel who can run the needed user access reviews for your clients, correct? Yeah, absolutely. So, we have an information security manager, for example, that can log into the system and jump on a Zoom call with you, and then we can guide you through the process of identifying the assets or identities that we need to manage. And then we can, you know, once you have visibility, then the business can make decisions on that. Usually, there are so many identities that the issue with not having software to do this is that you won't even know your attack surface or you won't even know what identities you have or don't have or are out of date. So, this is where using software and our team, we can guide the customer through that process and basically accelerate that process as well. Perfect. So, Garrett, let's show some demos and then let's take some questions. Yeah, yeah. So, what I'm going to do is I'll just show, just give a visual first, and before Kashif goes in, I'll just show how we're working with Red Cup on this, and then Kashif will do what people like to see, is the demos and the actual stuff. Okay. And straight out, first of all, guys, Red Cup knows their stuff. So, one thing that I always do on these webinars, right, is I type and type really loud, okay? And Dan stopped me at the beginning and goes, hold on, guys, we have a service around this. And he walked me through and I'm a better person for it and actually he's actually a happier person for it because I'm always doing it too much and pointed it out. So, once again, it's great to have, you know, it's great to have tools like UFS that work. It's really important to have people that know how to use them, okay? So, that's what you're getting out of Red Cup, the real world. So, this is UFS, okay? This is your current state. It's like, hey, I'm, you know, I'm working away. I'm a risk manager, risk manager generic term for security chieftain, someone who risks in compliance, someone, you know, in operations, right? And I'm like, and by this time, guys, you're in a regulated industry, right? Elementary schools are in a regulated industry. Why? Because they're holding information, healthcare information around students, PHI. So, everyone's got some guidance that they're under, right? And this is where Red Cup comes in. They're going to help you. They're going to say, because you're struggling. You've got regulations, guidances, security frameworks, right? You have all these identity resources. So, Red Cup comes in as a GRC practicer with UFS. Our product immediately pulls in the information. And then, as Dan just said, he has trained personnel that click the buttons that you'll see CarShift do it, that push out, push out the actual attestations out to the, out to your employees. Because that's what an access review is. An access review is not, is not your IT guy saying, oh, I'm good with these roles. That's not going to cut it from the compliance officers. What it has to be is the line manager saying, I have reviewed these. And that's the workflow that CarShift will be showing. And then what occurs is the product actually creates the evidence that goes to the security managers, that would be in Red Cup this case, the compliance officers, and your internal and your external auditors. That's what they're going to want to see. They're going to want to see the evidence that you have done this process. At a technical level, what you'll see is whatever you've got. You have HR permissions, your IAMs, we call these siloed resources, stuff that you haven't even synced up yet, but you're in healthcare and you're financed, you have tons of it. And then it does the delegation and creates the evidence. All right. A lot of slides. Let's show what it actually does, CarShift. Okay? Sure. Thanks, Garrett. And let me just share my screen and somebody be kind enough to let me know if it's there. Please. Yes. It's got it. Great. Thank you. So you are looking at the UATest dashboard at the moment. We usually start our customers with plugging into or integrating with their IAMs, but this is not what we are limited to. We can audit anything that you have, any resources, any applications, but usually we start at the IAM. So this tenant of mine is integrated with my Entra ID, formerly called Azure AD. So we will be pulling entitlements and the metadata directly from my Azure or Entra ID environment. So the setup is pretty clean. And Red Cup IT and our partners, they can get you up and running the same day because we have made the process simple for users and MSPs and partners. What we need or they will need from our clients is a bunch of information, including their API key, the tenant IDs, and client IDs. And once they have that information, they can just get you up and running within the same day in a few hours. We are not talking about weeks or days or months. It's just a few hours within the same day. Once you are there, once the integration is done, you can readily create these audit campaigns because now you're plugged into your IAM. And the process is pretty simple. You just give it a name. You just give a timeframe. How long do you want to give your reviewers to complete the task? And then going next, let's say we are creating an application audit to see who has access to a certain application that is in sync with your Entra ID. Let's say that's the finance application we have. Once you execute this, it's going to fetch the information in real time, and it's going to show it to you in this format here, where you will be able to see the targeted app, the users, their profile attributes, including their email, their manager's email, a bunch of other details in order to make decisions. For example, what's their role within the company? Any description of the application, last login date, or their status, if they're active or inactive within the system. So once you have that, the admin or the risk manager, he can do anything if he wants. But that's not the gist of the essence of the process here. He should be able to delegate these people out to their relevant managers or anyone who's responsible for these identities. It could be the application or group owner. It could be the direct line manager, or it could be someone else in the security or compliance department, maybe, or IT department. So we have enabled the tool to do all that for you. The simplest way to go by this is to do the audit delegation, where it will let you decide between the manager and the application owner or the group owner. Once you have selected that, you can just click Confirm. Or the other way is you can include multiple reviewers for the same audit. So all you need to do, just put in their identities in here, multiple of them, and then assign it to multiple reviewers, make it mandatory for all of them to take part in the audit, or just leave it unchecked. And anyone who completes the process coming in first, the tool will consider it completed and will close the audit. So you can include multiple reviewers in the same audit. So let's go with audit delegation, see how it works. I'm going to select the manager here and confirm. Now, the tool is picking up the information from the user profile, and it's pushing out notifications to the reviewers, to the managers that have been assigned to these users here. So let me just switch for a few seconds and become a manager who has received an email from a risk manager or the admin. So that's the notification that you will receive as a reviewer, along with the link to the audit, which will only be a subset of what I can see as the admin. So if there are only two people reporting to me, I'll be able to decide for those two identities and not the rest of them because they belong to someone else. So let's say Mark Gibson. If I'm good with this person, I'll just recommend to certify his access into that application. But this other guy, Cher, if either he has left the organization, in which case I'll recommend to revoke, or if he has moved departments, in that case I'll just further delegate him to the right person instead of pushing it back to the admin again. So I have this capability to assign it to the right manager. So let's say he has left the organization, in which case I'll just recommend to revoke that person's ID for that application. And that's all I have to do as a reviewer. So when I go back, I'm an admin now, and I want to see the progress. I'll just hit refresh, and I see one of my managers has completed the task by recommending what to do with the reports he has, and then I'm waiting for these two other managers to complete the task, which, by the way, we have automated completely because we wanted you to get rid of the nag emails and typing them all the time just to remind people to do their job. We have just automated that process by including these email templates here. And this you see, let's go at the bottom, reminder emails. Well, we want to name it reminder instead of nag emails. So you can go in here. You can program it. You can change the text, change the message. And instead of keeping those reminders in your Outlook, you can just put a reminder here and then decide upon the frequency, how long and how often you would like to send these messages out to the managers, both within the due date as well as when it's overdue. That's been taken care of. Now let's complete the process, assuming the other manager has completed their task as well by either certifying or revoking these two individuals, these two identities. And I'm going to do that just now by certifying it. Now my audit is at 100 percent, right? All you have to do as a risk manager, as an admin, go back to your listings page and mark this audit as complete so that no one can make any changes to this audit after this point. And it's secure now. Once it's marked as completed, it will let you execute all the changes, especially the revocations that you have received as recommendation from your reviewers, on your Azure AD or Entra ID environment. So if there are any revocations, you can apply those on a group level or an application level so they don't have access to that group or application, or you can apply this on an overall user access level in your Entra ID so they don't have access to the environment at all. But when we say we are revoking or executing revocations in your IAM, we don't mean to say that we are deleting or removing those identities. We are not. We are only putting them in a suspended state or in a deactivated state until someone from a client's IT department goes in following the protocol. Maybe they would like to just keep that ID for 30 days, 60 days, 90 days, whatever is the protocol, and after that they go in to remove that identity for good. So we only put that in a suspended state. And you can easily get the report out both in CSV and PDF format. The PDF format looks something like this. Let me just comment here. Please. So real important, and let me just say, the reason why we partnered with Red Cup is they got guys all trained in this. Okay? And our guys did a great job showing it. But Red Cup has spent the money, has the time, has the humans that know how to do this, and this is the report then that you have. This is your evidence. You've done your job. And I hate to talk like a lawyer, but there's no one, no one in management now, who can't, shouldn't be thinking with a legal mind in the West anymore because you're holding, and once again, once I get the East Coast guy shaking his head, I'm in a good mood. Right, Rashad? Right? I always think of the East Coast as all the legal humans. Anyways, so, but that, bring that back up, Kashif, that evidence report. Right? This is what Red Cup will be creating for you. Right? On a regular basis that we have reviewed these users. These were our actions. We're doing due care. This is not optional anymore for IT. We did a webinar, Ashley did, with Cynthia Stamer, who's this really big-time lawyer out of Dallas. Look her up, guys. She's really good. And she had a slide, and she was talking to a bunch of CISOs in Los Angeles. I took a picture of it. And she went up there and she said, so, you guys think you're doing your job. Right? You're doing your job. You're, you know, you're adding users. You're adding applications. You're managing these goofy things. And she goes, if you're not showing the evidence, you're not doing your job. You know, then I sure as hell can't defend you. Right? And that's why you partner with people like Red Cup. Right? Because they're doing all this. There's more to do than there's ever been. Right? And not only is it, you have to manage users, you have to show that you're doing the work. All right. Kashif, thanks for lending me Red. No problem. All right. So, that's the final evidence you get. But we are not, as I said, as I mentioned in the beginning, we are not limited to these IAMs. We can audit any of your resources. Or, for that matter, Red Cup ID or a partner can go in to your, these applications, resources that are not connected to your IAM. They're not in sync. And they can create reports to get the orphan accounts, get the ghost accounts, clean up the identity data that you have for that, for those resources, and then come up with the clean data for you and for other partners to run these audit campaigns. Not from their IAM, but from, let's say, a CSV file. You export out from any resource, and we or, you know, Dan's team, they'll be able to upload those CSV files and create audits for you. So, we are not limited to the IAM. We can audit any resource, any application you have sitting there for like 10 years, 15 years, and not connected to your IAM system. You can still create audits and create evidence for those applications as well, even though they're not connected. So, that's what we are offering. Plus, anyone who has an on-prem AD. Or they have. What Kashif is saying, and let me just translate for you. So, you know, here you are. You got all, you know, no one's identities are clean. That's why managed services is this. It doesn't, it's too much by this time, right? And, you know, I was a CISO once, and they, you know, like, you can do your certifications, you can think the way it works like this. It's not what it is. You got an IAM. The company says, hey, I need this business case. We're going to take this app, this app, this app. And it's not connected. It's not connected to your IAM. That's where RETCA comes in. They manage those, right? And then they can use UITest with this feature. You're going to show a silo of resources, right, Kashif? Right. Yeah. Right. So they use UITest to audit your resources that aren't connected to the, with this tool, because we're connected to the IAM, and it's really powerful. They do a lot of work. This is called, we call this, this feature, which is used, every customer uses this. It's called siloed resource auditing. Right. So let's say, for an example, there is a file that was there, you know, exported out of a resource or an application. It had two users in it that have been sitting there for like 15 years. It could be two, it could be 20, it could be 200, whatever. But this is what we pulled out of that CSV, ingested that information in UITest for the auditors or for the risk manager to be able to see the information and delegate it out to relevant reviewers. So you can delegate this information out to the managers, or you can manually do that to include multiple other people in addition to the manager to make part of this process. Could be the security people, could be compliance people. The only difference would be that because this resource is not connected to your IAM, you will be able, you still will be able to pull the current data on who's the manager of these users from your Entra ID, from your IAM. Because we are using this email or username as a unique identifier. So we can run, you know, cross-reference this in your IAM and find out who the current manager is for this ID today. Maybe you've changed it, updated it maybe two years ago in that application and it's stale now. But we can pull that information out for you from your IAM and put it in an ongoing audit over here so that the risk managers can easily delegate it out to the relevant people that are actually taking care of those identities and departments today. So here, when you do that, it becomes easier for your reviewers as well to just click through the GUI and give their recommendations, what they want to see, and also if your CSV file has details, what their roles are, what kind of access do they have within the system. We will show that to you as a separate line item for each of those permissions. And you can go granular by just checking for those that you don't want and just revoke the access for those and then certify the rest. And then at the end, as usual, you can get the evidence either in form of a PDF or CSV file. Now, that was a CSV or the siloed resources. Before running this, you can go to the siloed report. And if you have other applications that you would like to compare those identities with what you have in your IAM today so that you can find gaps, you can always do that with this report. So, for example, you have data from a resource that is not connected. Let's say I'll just choose this file here just for the sake of the demo. Now, next, it will let you map what you have on the CSV file and compare that with your IAM to find out if there is any gap when it comes to identities. Let's say go here. Now, since I'm using Azure or EnterID, it's going to show me in the dropdown. And in the CSV field, if I have email, yes, I have. So, I'll just choose that and compare that with the email in my identity system. Run those two emails and see what I get. So, when you run a source identity matching criteria, it will show you if the identity exists on both sides or if it exists on either side and not on the other. That's your ghost account or your orphan account that you need to take care of. And plus, it also will give the report for the group matching. So, for example, you would like to see if a finance application, a user, has also access to a finance group within your Azure AD, which makes it relevant. So, if you type in finance group, it will match and cross-reference that ID into that group and will show you whether it exists on either side or both sides and report will look something like this. So, for example, you just run the report for the application finance X and now it says it exists on both sides. Yeah, and what's really relevant, y'all, is this wasn't hypothetical, this information. We got this from external auditors who said this is what they needed to see, okay? They needed to see basically two things. You don't, according to the auditors, you don't have to have everything synced, but the auditor said straight out what they have to do is show, one, that that user exists, okay, that it's not an orphan account, and secondly, that there's some type of virtual mapping that your company took the time to say, okay, this is a healthcare app. I know it's siloed. I haven't connected it, but it's in the group. It's in the group that I sell healthcare. And then you show your auditor, my favorite auditor is a gentleman named Raj, and they say, Raj, here is the report, and Raj and team did help us design this, and we appreciate that. Right, so if you find these orphan accounts here, either you can get rid of those identities or you can make them part of that group where they belong. So either way, you're just getting rid of your ghost accounts or your orphan accounts. Now they matter if you have added those to those relevant groups. So this will clean up all the identity data that you have in the silos, and then after it's cleaned up, you can run regular audits, assign it to your reviewers without having to worry about your orphan or ghost accounts in the data. Same way we have done this for AWS accounts as well, where we can pull fine-grained entitlements and show it to the auditors, show it to the admins and the reviewers, including the root account as well, even though you will not be able to take any actions on the root account, but it will give you the details. When was this root account used the last time? What was the last login date? MFA, whether it's enabled or disabled, that root account. And then a bunch of other information about maybe a handful of people who are the admins in there. So if their last activity was, let's say, more than 90 days ago, we flag that information for you. If the MFA status is disabled, it will be flagged. If their status is inactive, it will be flagged. And then that's where Red Cup IT comes in and takes care of these flags for you, why they are flagged, what should be done to get rid of these anomalies. So we provide you this information, plus it can go in and bring you the fine-grained entitlements. You can go granular and find out, well, they are a member of this security group, or these are the admin privileges they're having as part of the policy. So you can decide whether you need to certify those policies and group memberships, or you need to revoke for this particular ID. And the last bit was the triggers. I'm sorry, Gary. No, no, we'll do that for future. Why don't we break off for some questions? I know Ashley is on the dashboard, and it will take questions. So great job. Sure, thanks, Kasha. Okay, so we have some questions from the audience. So first question is for Dan. How does the BreadCup implement zero trust with regards to limiting identity attack service? Zero trust means that you apply zero trust to every part of your business and every part of your technical infrastructure. So basically what we do is we start with passwordless authentication. So we use another provider that provides you cryptographic authentication into your system. Then that system works with single sign-on. We partner with Okta for that. And then from there, there's a bunch of logic and device assurance that happens. Then a tool like EOTest would then help you with fine-grained access and limiting access over time. And then we also wrap that behind an enterprise browser. And also Zero Trust and SASE is UT&A as well. And then also we're making sure that our entire security and technology stack is also implemented on all of the devices. So whether you're on a BYOD device or a fully managed device, we have to scope the rules so that we know who you are, what device you're coming in from, what identity you should have access to. And then that's how we basically protect identity attack service management. But more importantly is making sure that we know exactly what you have and why and for how long. So that's where a tool like EOTest can come into play. And so what that does is it limits the internal and the external attack service to just what you really need at that moment in time and not have like a credential or permission sprawl over time, which is like too many AWS full admin accounts or having previous employees still there in your system. So it's a lot that we do in terms of Zero Trust for identities. Perfect. Next question is for Garrett and Kashif. So how does the workflow work if I have multiple reviewers? Oh, yeah. Go ahead. Take it away, Kashif. I'll let you talk. Go for it. Yeah. Well, thanks, Ashley. There are like two ways, two types of multiple reviewers. When we are auto-delegating, you can manually delegate to multiple reviewers and involve multiple people in an ongoing audit. But the other way we are doing it is through tiers. So we have like four different tiers that you can involve in an audit process where it goes to the first one for review, and then the second one is the validator who validates and evaluates the reviewers done by the manager. And then the third one, or maybe the fourth one, is the auditor or the person who gives the final sign-off. So once all the three or four layers or tiers, they give their sign-off for the audit to be considered as complete, that's when the audit is considered as complete and you get the report. You get their feedback on the same file. Instead of having one reviewer, you will have like four different tiers of reviewers. So that's how it works on both sides when it comes to multiple reviewers. Perfect. Next question is for Dan. So does Red Cup IT specialize in any particular vertical? Yeah, we specialize in code-producing entities, so a fintech, a health tech, insure tech, or enterprise B2B SaaS company. So what that means is you not only have people on computers that are just using the computer, but also developers and engineers writing code, writing software. They're in multiple systems like AWS, GitHub, GitLab, things like that, where they're installing local pieces of software like Docker and they're doing data science. So there's a lot going on just in the computers. It's like you can think of it like a Russian nesting doll of complexity that we're managing for our customers. If you're not a code-producing client, then we can still service it. However, it's still advanced but less complex, but we specialize in the more complex entities and then managing all the identities across all those layers. And then, Garrett, so what is the UHS Zero Trust story? Yeah, that's a whole hour we spent with, what was his name, Don Hester from the CISA. That's the America's Cybersecurity Infrastructure and Security Agency, CISA. And I like their definition of Zero Trust because it's really quantifiable. They say there's four steps to your Zero Trust story. Traditional, initial, advanced, and optimal. Okay? And this is really good. I'm going to tie it into a red cup and all that, right? So traditional is, guys, how you're doing it today, right? You got some identities out there. You got some spreadsheets. You got some emails. And we're being asked. Okay. But that's how it is. Initial is you tie in what our friends at Red Cup have done. You tie in a governance tool like UHS into your identities, and you start doing your reviews. And advanced is where I rudely interrupted Kashif, right? Because Kashif was saying, hey, what about the triggers? Okay? So you can, you know, get a demo from Red Cup or us, right? And then what the product does is it says, hey, in real time, if someone hypothetically alters the admin group, my friends in Las Vegas, right, well, you should be alerted. And that's what we built into UHS. It has triggers. It has triggers, and here I am. So it says, hey, you said you care about these groups, these policies. That changes literally what happens with our product. It's turned on, and then a Red Cup person, the security guy monitors and takes action. That is the advanced state. Okay. And now I'll get out of the soapbox behind me and get on to the optimal state. First of all, if any vendor says they, as a product, are at the optimal step of Zero Trust, just tell them they're wrong, because it's not right. UHS can never be at the optimal state of Zero Trust. We have to partner with someone at Red Cup, because the optimal state of Zero Trust is that we're integrated into other tools, and it's all working as a mesh. Okay. That's the optimal state of Zero Trust, and that's why UHS is so big on partnering, is that we take our identity, our scores, we have AI scores, and it's inserted into other products, and that intelligence is being used in those products. That's the optimal state of Zero Trust, and we're covered there, and you're covered there with the partnership of Red Cup and UHS. Perfect. So, Dan, can you tell the audience how they can get a hold of you in Red Cup IT? Yeah, our website is RedCupIT.com, and you can message us there. We also have a shared Slack channel that we can create with all of our customers. You can also reach us on LinkedIn as well, and also email at sales at RedCupIT.com. There's a lot of different email addresses, but most of them all reach our team. We have a pretty tight-knit team. And then we at UHS can be reached at UHS.com, or, of course, just email us at info at UHS.com. Thank you for all of our audience for being here, and then thank you, Dan and Rashad. We appreciate you. Thank you. All the best, guys. Thank you. Thank you.