Adopting Zero Trust with Christine Owen: Hunting For the Finish Line
This week we chat with Christine Owen, Director at Guidehouse, and we dig into Zero Trust as an approach to harden your identity and access management strategy, her dislike of passwords, and phishing-resistant multifactor authentication. Christine brings to the table the expertise of an IAM (identity and access management) pro and an attorney, who currently consults and educates federal departments and commercial enterprise organizations on IAM and Zero Trust.
The Zero Trust Finish Line
Is there a finish line or a goal post for Zero Trust? Is there a state where you can run down a list, check every box, and be totally secure?
“It doesn't matter what the organization is; they can't say, ‘oh, I like, Zero Trust. I got all the Zero Trust principles in. Mission accomplished. I'm good.’ No, you're never. You always have to iterate your defenses and shore them up and move forward because you don't know what's coming at you generally.”
As with all aspects of cybersecurity, there is no silver bullet, and there are no finish lines.
It’s Zero Trust; It’s Not Zero Trust
“If I'm talking to a federal client, Zero Trust absolutely is at the forefront of their mind because they have lots of requirements that specifically call out Zero Trust,” said Owen.
Over the past few episodes, it’s been made clear that CISOs, MSSPs, and other cybersecurity professionals shy away from fully embracing the term Zero Trust with only a single exception: Nicolas Chaillan (former DHS).
Though we have limited data points, it seems reasonable to assume that the federal government is completely open to not only embracing the buzzy term but even requiring it. This shouldn’t come as a surprise as the White House put out a memo earlier this year, and based on timing it suggests most federal agencies should be well on their way to adopting Zero Trust and moving apps to the cloud.
However, while requirements may be the leading factor that pushes federal agencies to use the term, we’ve seen the opposite scenario for the private sector.
“If I'm talking to a commercial client, I really just talk about the identity-centric principles of Zero Trust. So making sure that you have a common IDP, you don't have multiple IDPs all over the place, making sure that that IDP allows for single sign on so that you can get into all of your applications.”
So today, the US federal government called it Zero Trust, but will private companies follow suit tomorrow? Christine suggests there may be a snowball effect down the road.
The Shift to Web Authentication and Phishing Resistant MFA
“Inbox, inbox, inbox is always the least difficult path of compromise and any exploit path,” said Neal.
Headline after headline, breach report after breach report, it’s crystal clear that social engineering and phishing, in particular, will forever be the thorn in the paw of companies large and small.
“You could have a great IDP, but if you don't set it up properly, it doesn't really matter,” said Owen. If this sounds familiar, it’s one of the more common faults that lead to supply chain attacks. Along with misconfigurations, there are still a concerning number of organizations that do not have any form of MFA enabled or required. But not all MFA and IDP solutions are created equal.
In highlighting this gap, Owen also brought up another concept: phishing-resistant MFA.
So what technology is considered phishing resistant? According to Owen: PKI certs, FIDO tokens, and web authentication. What about SMS, emails, one-time verification codes, or standard usernames and passwords? Absolutely not.
“All of those things are not phishing resistant because a bad actor can send you a really good fake email to try to get something from you. So for example, if you're using some authenticators on your phone, they can send you a push notification,” said Owen.
“If a bad actor gets your username and password, which they probably already have it, because you're probably reusing something and it's on the dark web and they've already bought it because it's in a package of all the other, you know, millions. They usually get a couple million at a time that you get to try out. So they probably already have it. And then if they decide oh, their second factor is something that's just a push. Well, that's easy. So they push it to your phone. So automatically that's not phishing resistant.”
This is why Christine advises those looking for a new IdP to make sure the solution offers PKI certs, FIDO tokens, and web authentication, the factors that make it phishing resistant.
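To make the distinction concrete, here is an added example (not from the episode, and not any vendor's code) of the checks a relying party runs on a WebAuthn-style assertion, next to a one-time-code check that has nothing equivalent to verify. Assumptions: the origins and RP ID are constructed, the RP ID is taken to be the origin's host, and an HMAC stands in for the authenticator's public-key signature so the block needs only the standard library.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlsplit

# Constructed values for this example; none of them come from the episode.
RP_ID = "login.example.test"
EXPECTED_ORIGIN = "https://login.example.test"
LOOKALIKE_ORIGIN = "https://login.examp1e.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyAuthenticator:
    """Browser plus authenticator, reduced to what the relying party verifies.

    Assumptions: an HMAC key stands in for the credential key pair, and the
    RP ID is simply the host of the origin the browser loaded.
    """

    def __init__(self) -> None:
        self.key = os.urandom(32)

    def get_assertion(self, origin: str, challenge: bytes):
        # The browser, not the page content, records which origin asked.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
        ).encode()
        # authenticatorData: rpIdHash (32) | flags (1, bit 0 = user present) | signCount (4)
        rp_id = urlsplit(origin).hostname
        auth_data = sha256(rp_id.encode()) + bytes([0x01]) + struct.pack(">I", 1)
        # Signed message follows WebAuthn: authenticatorData || SHA-256(clientDataJSON)
        signature = hmac.new(self.key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return client_data, auth_data, signature


def verify_assertion(client_data, auth_data, signature, expected_challenge, verify_key):
    """Relying-party checks; returns the names of the checks that failed."""
    failed = []
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        failed.append("type")
    if fields.get("challenge") != b64url(expected_challenge):
        failed.append("challenge")
    if fields.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")
    if not hmac.compare_digest(auth_data[:32], sha256(RP_ID.encode())):
        failed.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failed.append("userPresent")
    expected_sig = hmac.new(verify_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        failed.append("signature")
    return failed


def verify_otp(submitted: str, expected: str) -> bool:
    """A one-time code carries no record of the site it was typed into."""
    return hmac.compare_digest(submitted, expected)


def run_scenarios() -> dict:
    authenticator = ToyAuthenticator()
    challenge = os.urandom(32)   # issued by the real site for this login
    otp = "492817"               # constructed one-time code

    genuine = authenticator.get_assertion(EXPECTED_ORIGIN, challenge)
    # Same challenge, but the user's browser is on the look-alike page.
    relayed = authenticator.get_assertion(LOOKALIKE_ORIGIN, challenge)
    # The origin field is edited afterwards so that it looks right.
    edited = (relayed[0].replace(LOOKALIKE_ORIGIN.encode(), EXPECTED_ORIGIN.encode()),) + relayed[1:]

    return {
        "otp_forwarded": verify_otp(otp, otp),
        "webauthn_genuine": verify_assertion(*genuine, challenge, authenticator.key),
        "webauthn_relayed": verify_assertion(*relayed, challenge, authenticator.key),
        "webauthn_edited": verify_assertion(*edited, challenge, authenticator.key),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The forwarded code verifies because the server only ever sees the digits, while the assertion produced on the look-alike page fails the origin and RP ID checks, and editing the origin afterwards breaks the signature.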
What about passwordless approaches or solutions that align with Zero Trust Network Access concepts? To date, these are another layer of strength that connects with your IdP, replaces most VPN use cases, and has more granular access controls. However, the technology to create user fingerprints is still immature, and Owen suggests you’d need 24/7 monitoring to react to flagged users/devices.
Christine’s Crystal Ball for Zero Trust Adoption
Towards the end of the episode, Christine provided some insight based on experience and where things sit today on how Zero Trust may start its land grab beyond the federal space.
“I think that what the federal government's going to end up doing, again, just my opinion. I think they're going to take this mandate. They're going to start slowly expanding it. So it's going to start first with critical infrastructure. So, finance, energy, you know, things like that. Then they're going to say, well, we have probably at this point a good probably 20 - 35% of US companies would fall under the requirement of Zero Trust.”
“How do we get them further? Then they'll start including it in healthcare. Other highly regulated industries that have to work with the federal government. So anyone who has to touch the federal government for whatever way. So most healthcare companies touch the federal government through Medicare, Medicaid, the financial industry, the treasury, and things of that nature.”
“At that point, you're gonna get at least 75%. And then if you also add on the vendors who would have to do it as well, So then you're just gonna have the last 25% that's mom and pop shops, maybe like that just don't fall under that mandate. But at that point for them to do business with the, with the bigs, they'll have to do it as well.”
Phishing-resistant MFA should be table stakes for adopting Zero Trust
Requirements mapping is a must prior to technology acquisition
It’s challenging to build a Zero Trust architecture with a disconnected tech stack
To date, there has not yet been an uptick in legal requirements to adopt or align with Zero Trust, but privacy improvements are likely first to shift
FedRAMP is going through related changes but will take years
Federal agencies' adoption of Zero Trust may create a snowball effect on the private sector
Coming Up Next
Here’s who we have on tap for the coming weeks:
Maureen Rosado ZT consultant on Oct 6
J.R. Cunningham CSO of Nuspire on Oct 20
Interested in helping us close out the season as a guest? Send us an email at elliot(at)elliotvolkman[.]com.
Adopting Zero Trust With Christine Owen Transcript
As always, this is automatically generated, so please blame the robots for typos and other errors.
Elliot: Hello everyone. And welcome back to another episode of Adopting Zero Trust, or AZT. Today we have a fantastic guest, which will cover probably one of the most critical aspects of zero trust: IAM, or identity and access management. So our guest doesn't just have experience with IAM, and I'll let her kind of share that specific background element.
But before we hand it off, over to Christine, I do just want to give a little bit of heads up. So in a couple of weeks, there is the Texas Cyber Summit, and Neal doesn't like to shout out his own stuff, but he is one of the organizers or co-organizers there. So please definitely check out that event. He'll be there on site.
I'm also sending along some stickers for him to hand out for the show. So if you see him, make sure you get some stickers and swag out of him. That being said, I wanted to hand this over to Christine, Ms. Christine Owen, who, again, was not just focused on IAM and zero trust, but is a, I don't know if the best way to say this is, a recovering attorney.
Is that the right way to approach
Christine Owen: Yes. I definitely consider myself a recovering attorney. It was a very horrible, addictive thing I did to myself, where I went into a lot of debt for it. And then I realized I woke up one day and thought, oh, this wasn't a great idea for me. So then I ended up in something that was just as painful at times, which is I worked for the federal government. I consulted with a federal government on IAM policies and tried to push agencies along in
IAM journeys. Now I actually, I do a couple of things. I'm a director at Guidehouse, which is a management consulting firm where I get to do enterprise IAM solutions for both federal and commercial clients, which is a lot of fun. And then on top of that, I get to help some federal agencies get to that zero trust requirement in the EO 14028.
So both are really fun. On the commercial side, even if we don't call it zero trust, obviously zero trust principles are put in when we are working on IAM and or a cyber solu, a cybersecurity solutions. So that's that's me in a nutshell,
Elliot: Love it. So I, especially like that you were straight up front that you are essentially doing zero trust without calling it zero trust. And that seems to be a pretty common theme that we hear from our guests and just in general, but what are some of the ways that you're positioning that or following zero trust principles without actually focusing on zero trust?
Christine Owen: Well, if you're, it depends so on, on clients where let's see, that's a good question, cuz it's really hard to say that. Unfortunately I like. Throw it over people's face. Like I do air trust, but I think, but zero trust is really just identity plus, you know, a couple other things, right? So it's micro segmenting, logging you know, making sure.
Well, to me, encryption still falls under zero trust. I think micro segmentation still falls under zero trust. So I don't, there's not a lot that I don't put under identity and zero trust that, but logging, I think. But yeah, I think I, what ends up happening is if I have a, if I'm talking to a federal client, zero trust absolutely is the forefront of their mind because they have lots of requirements that it specifically call out zero trust.
If I'm talking to a commercial client I really just talk about the identity centric principles of zero trust. So making sure that you have a common IDP, you don't have multiple IDPs all over the place, making sure that IDP allows for single sign on so that you can get into all of your applications.
And that they're kind of segmented off if you can making sure that users come in as general users, and then we can give them extra privileges if they need to be privileged users or even make them go through another solution, if it's really critical and the, and it'll cause pain to the company.
Those are things that I, to me, those principles are exactly the same, regardless of what you talk about. When I read, so NIST 800, what? Yeah, 800-207 are the zero trust principles essentially. It's this is how you get to zero trust architecture. When I read that, I was like, oh, these are all the greatest things that we've had forever, that they finally put into one document.
Oh, thank God. Yay. And it ended up, I was talking to some of my clients and they didn't understand all of the principles in there because the, for example, attribute-based access control is a really hard one to understand if you hadn't read the behemoth, the 150-page, you know, NIST book or NIST special publication.
It's not something that kind of is intuitive for people. Contextual authentication seems very foreign, especially for those people who don't even use multifactor authentications. So it's adding all of those things together is a lot of fun, I think.
Neal: Yeah. So quick curiosity question then on all that fun stuff. So we talk about some of the transitionings and the consolidations, like you mentioned from a, a private industry perspective. You know, we have a lot of companies over the last 10, 15 years that have made a living doing this access management control stuff through SAML, pick a flavor and variations thereof.
Have you seen any good market shifts with some of those primary providers to produce constructs around the zero trust mentality, or given the fact that inherently some of that's already baked in, but have you seen them purposely trying to promote and or grow that continuity and structure within those types of products?
Christine Owen: So when you say they, are you talking about the vendors that are selling to the companies or just the companies in the industry themselves,
Neal: am. So those third party providers doing identity access management control stuff.
Christine Owen: Well, so I think all of them any product that like even tangentially touches cybersecurity or any kind of principle, they claim they do zero trust, which is quite amazing to me cuz they don't all do zero trust. So I absolutely see that back to the SAML question. I have actually seen, I'm thinking that because you said SAML, I'm thinking obviously IDPs.
I've seen a lot of shifts recently. I feel like one, I think that WebAuthn is really gaining in industry. For sure. I've seen major companies adopt WebAuthn to the point where they didn't, they kind of skipped a couple steps and went straight to WebAuthn, which kind of shocked me, but they decided to go a little longer and then just jump right in.
Target is one of those companies that did that. There's a couple other major Fortune 500 companies who have also done that. And I think that's really good, right? Because that gets us to phishing-resistant MFA pretty quickly. Backing up a little bit within the IDP industry, I actually think that all of them, all the vendors that I can think of, have been kind of iterating very quickly and really doing a good job of seeing what the security threats are out there and trying to shore up
their identity providers to make sure that they aren't the next one that has that golden ticket, for example. They don't wanna be the one that has that vulnerability. So they have been working really hard to make sure that it's in there. The one interesting thing, though, with that being said, you know, you could have a great IDP, but if you don't set it up properly, it doesn't really matter.
And so one of the things that I've learned recently is that I was talking to some of my friends at CISA and I found out that less than 20% of, I probably shouldn't say this, but less than 20% of American companies actually don't use MFA. Internally, they just don't use it. And so that's really scary.
And you know, we need to go out there and help them with that. We need to get them using MFA at a minimum, preferably phishing resistant, and making sure that they start to use a good IDP that will help them re make a frictionless way for their general users to get into their applications.
Neal: So you brought up a really good term that nobody's brought up on this yet and it's phishing resistant. I mean, we have constructs of what that might be. But can you kind of expound upon what you mean when you talk about that? Cause that, that obviously is really the number one threat to any organization, any given day aside from just unpatched stuff.
But inbox inbox is always the least difficult path of compromise and any exploit path. So phishing resistant, I kind of wanna, if we could expound upon that and kind of get your definition of what that includes mentality wise.
Christine Owen: Sure. I mean, I'll even list what they are, cuz it's such a small handful. So it's a it's PKI, certs are phishing resistant and then I'll go back and say why. And then FIDO tokens are phishing resistant and then the last one are, is WebAuthn, which if you like Starbucks, as much as I do, you use WebAuthn regularly when you are reloading your card on your, on the app because you use a fingerprint, right?
So that's WebAuthn. So moving backwards to talk about why that's phishing resistant and everything else, literally everything else, SMS, no. Getting an email. Nope. Any of those one time verification codes. Absolutely not. Username password. Just kill me now. Like I'll walk away. It's fine. So all of those things are not phishing resistant because a bad actor can send you a really good fake
email to try to get something from you. So for example, if you're using so some authenticators on your phone, they can send you a push notification. If a bad actor gets your username and password, which they probably already have it, cuz you're probably reusing something and it's on the dark web and they've already bought it because it's in a package of all the other, you know, millions.
They usually get a couple million at a time, that you get to try out. So they probably already have it. And then if they decide oh, their second factor is something that's just a push. Well, that's easy. So they push it to your phone. A lot of people just don't, they, they like they're gonna push it to, to dismiss it off of their phone.
So automatically that's not phishing resistant. The next one is if they, if you get an email that says, Hey, like I've got this deal for you, go in and sign in with your credentials. And you sign in and it ends up. It's not a deal. It's well, it's a deal for them cuz they gotta offer you for free, but it's not a deal for you.
It's a bad actor trying to get your username password to some sort of thing. That's phishing. The other one phishing res, non phishing resistant. The last one is man-in-the-middle attack. So essentially they can pick up the signal in between, by having you try to say, put in a one time, passcode into a website, they'll pick that up and then they'll take it and reuse it immediately to get into your account and they might change your passwords or take your money or whatever they decide to do that day. So that's the difference. And again, there's not very many. On the market in industry today that is phishing resistant. It's a very small handful. So back to IDPs, that's why IDPs matter, right? You need to make sure if you're out there looking for a new IDP, you need to make sure that they have all of the phishing resistant factors available to them so that you can use those and you know, move forward in your life.
Neal: Yeah, I like I've been a long time fan of just P PKIs or PGP, some kind of policy procedure that way. I used to do a lot of independent research and other stuff that could or could not get me in hot water with some people. Way further east. And all the people we worked with, we'd never worked without any with anyone, unless we had some kind of key exchange for email going on at the very least.
And even that took a lot of implicit trust sometimes to get started cuz that network of people. Yeah it's amazing to me, the little things that we could do at least from a corporation perspective, to keep your CEO from, you know, texting you and asking you to email him for iTunes gift cards or something else, or tax season comes around, HR departments always get hammered with all those unsolicited three letter board member people saying, Hey, send me the latest on social security numbers and tax bracket crap for my employee base, please. But yeah, something as simplistic as just having a simple key exchange really can keep a lot of that from happening.
Cuz then it, if you've got the right email system it identifies to say, Hey, this actually isn't from your CEO. Maybe you should think twice.
Christine Owen: Yeah, but that, I mean, if we have if we have so many companies out there not even using MFA key exchange is a little a bridge too far. Let's be honest. We have to take small steps to get there. I totally agree though. Key exchanges are really important, but also seeing people in the field, they don't like things like that as much as we do.
I agree with you on that.
Neal: I'm an extremist. I used to be so bad that I wouldn't exchange keys with someone unless I physically met them or at least had physically met them before. And I could get on before video conferencing was a big thing, you know, I could at least get on there and have them do a quick chat on like Skype.
Oh, okay. It's still you. Let me just put it here in. In the Skype channel, then we're good to go. No, that's interesting. So on, on the note of some of these other technology stuff you know, moving the ball forward a little bit, you know, you mentioned your disdain for passwords. We've talked about this actually on a one or two other prior episodes about passwordless security environment and where that's kind of going.
And what's your take on that from a, I know mine, I know that once it's there, it doesn't matter how good it is. We're always gonna find ways to circumvent it, but what's your idea of, or take on that whole biometric fingerprinting keyboard pattern recognition, stuff that some of these organizations are looking to do.
Christine Owen: Yeah. Alright, so back I wanna back up I feel like I'm gonna peel that layer of onions that you just threw at me. So the first one is no it's okay. So the first one is your take is it sounds like, is what does it matter? They're going to figure out how to circumvent it. I totally agree. I, no, I think it's true.
So it, the way that I see a defensive cyber is my job is to be one step ahead of the bad guys, which means I always have to learn and continue to move the ball forward, which also means that any, it doesn't matter what the organization is. They can't say, oh, I like, for example, zero trust. I got all the zero trust principles in I'm in mission accomplished.
I'm good. No, you're never. You always have to iterate your defenses and shore them up and move forward because they're, you don't know what's coming at you generally on December 24th of every year. So
Christine Owen: I totally agree with you on all of that. Like it, you can't say good. We're good.
All right. So that's number one. Number two, my view on passwords quite simply is I literally cannot remember them. And so I hate them so much. I mean, they're also a security risk, but I hate them more because I have to use them because I'm a, you know, I'm a consumer and I hate using them. And you know, FIDO standards are not as ubiquitous right now for consumers.
And it makes sense. So there we are for that. But how do you get away from passwords? I'm gonna go with more internal and less external although I can think through how to like external users would be similar, but not as not as complex, but internal for internal general users.
What I would use, I do like PKI certificates. Honestly. I think that they are the strongest. I why hate on something that works so well but people hate on them. Using a phishing resistant token or WebAuthn, like those would also be acceptable for the general user coming in. So that's one.
But then on top of that, I would add to that. I like to think of, I like to say, okay, well, here's, it's like a flower arrangement. You take your first flower and then you start arranging around it. So the, so that's your first easy one, right? That's simple. Then you go on what do you get next?
So you definitely need things like an IP address, but to add to that general, user's what their profile looks like, but an IP address isn't really good enough because you can easily spoof an IP address. You can have someone coming in from a country that we don't want them coming in, but they're actu, but it looks like they're coming in from the US.
That's an easy one to spoof, but adding the IP address is still not a horrible thing to do, especially if they tend to have static IP addresses coming in, because you're gonna use that as your past user history. So you're gonna see, like what IP address does this person come in on daily? Is it normally the same one?
If it's not, and it's like at a different time than, you know, maybe I'm gonna raise red flag. So then the next time is, what time is this user coming in? Mostly for general users. They tend to ha habitually enter their network around the same time. If you're an Exter internal user. So if you're entering in at 2:00 AM on a Saturday, but you really only work Monday through Fridays, there's likely something wrong.
And then on top of that, I will add in probably again, if this is an internal user, I would add in some sort of watermark or certificate on the device, because adding additional device level signals really helps because generally not all the time, but generally we issue devices to our employees and then we know exactly what that.
Device should look like if you wanna go even fancier, you could add in whatever the security posture on the device is. So you don't wanna a non unclean device on your network, but whatever, not a lot of people can do that right now. So it's fine. For, and then the last piece, I think the idea of using keyboards and that type of biometric or a fingerprint, which I don't really fingerprints like a biometric for through web and standard shore, but if you're just doing it willy-nilly then cuz there's certain requirements when you do it through web, through Fido. But if you're gonna use the keyboard, like how quickly you're typing, it's actually quite interesting. They have said that it's kind of like a fingerprint that you can see what it, if. It's really hard to like, take what someone does and do it over again. But then the problem is if something happens to that person, like they have a stroke or whatever, their entire behavior totally changes.
But I guess the same thing, if you burn your finger, same thing, you'll lose your fingerprint. So it's a, it's an issue we have. But I think the way that I like to do this, and again, this is from my cyber background, I prefer to take as many layers of of like different things that we can get a hold of to build that whole user profile.
And then every time that user comes in, see how many matches that user has to what we think that profile should be. And then if it's less than there's a risk score attached to it, so if it's less than half, then whoa, maybe that person shouldn't come. To our network. Or maybe they should be flagged immediately to go talk to the to have the SOC look into it or something like that. Under no circumstances, though, if you're gonna do all of that, I wouldn't say, oh, you flag it.
And then someone looks at it five days later. That's not worth it at that point.
Neal: And you definitely need the right security model to respond to the nose. So I think those are great points, you know, it's something, I think people are starting to comprehend more and more the last few years, especially courtesy of COVID is that security needs to be to your point, like an onion or a floral arrangement.
There needs to be layers behind it. Security in depth, right? So in the military, whether it's physical or digital, we always talk about security in depth. When we go set up a shop somewhere patrol based, whatever there's security in depth to, you know, for everybody to be doing the right things and cybersecurity, same thing needs to happen.
And I think the metrics piece that you're talking about I love this because there's another company I'm working with that's doing some document, access control things. I you know, if I send you a PDF, how do I know when you send it to someone else that you shouldn't have sent it to kind of thing?
Christine Owen: oh I think we might be talking to the same company. I know a company that does that too. I love that. I love that idea by the
Neal: I do too. I'm especially so in the ISAC ISO community where I spend most of my days, we broker in sensitive data all the time. And when you send the email out or you go through a. You know, you need to be able to, you tell people, TLP, pick a flavor, you know, if it's red or Amber strict now with the new one don't share outside of this little group of 10 people, once they log in, it's really the honor system, right?
So the company doing stuff like that, but their model is built like what you're talking about, where they can still manage things offline, indirectly. So if the server that's supposed to provide the security pairings, isn't directly available, the document itself has that implicit fingerprint built into it for what it's expecting.
And then you can set varying levels based off of the risks you're willing to expose yourself to, for that document access. So if it's a, if it's a lower echelon document, yeah. You know, at the end of the day, if someone accesses this from Germany, when I know his fingerprint says he's actually.
Texas, but yet he still has the password and he still has a MacBook labeled X, Y, and Z. Cool. This is a lower threshold risk. So I like that because to your point, if you can build some kind of model around it and you build a scoring mechanism around it, then you can build a lot more automation around it, both for what you're alerting on, as well as what your thresholds of exposure can be for the varying degrees of access that you set apart.
And you know, we talk about zero trust where everything should be completely expunged from each other, and there needs to be some kind of secured pathways, but in reality, there's gotta be echelons to all of that, right? In some fashion or another.
Christine Owen: Yeah. And so I like if I am a listener and I'm thinking that sounds really hard, where is that one product that does all this? So there's not one product that does all this, so that's problem. Number one, you have to find people who know all the products that can do all this. But the second thing is that like it for the vendors out there who might be listening, you know, the lot, we have such great depth of information from logging for all of the things that we do within a day on our computers. And so it just makes sense for this to be the thing that's easy. I mean, and make sure that we get this in the hands of companies and other organizations that really need this because I mean, I know how to do it.
I've built it. It's definitely something that you can do, but you can't do it with one product, which I get. This is just how it works. But I think that most people out there think either that one product can do all of this, no they can't or that that there's never gonna be an easy way to connect it.
The dots, because we're also used to pre pandemic. I would say like the, from the pandemic moving forward, technology has advanced significantly, especially cyber security technology and pre pandemic. We would've had to have a ton of engineers who are really expensive doing, you know, code like Java being or whatever, to get these different vendor products connected so that they can work and get to target applications.
Now, most of these things outside the box can connect to other products. And quite frankly, most of them have alliances with other products. So they are required to work together well. And then that, that you can build your, the right thing to get to the products that you're looking or to the applications you're looking to get to.
But it does cost investment dollars upfront, which is not fun to shell out.
Neal: That's no joke. So something that we've talked also loosely about, For larger, more well established organizations that already have a bunch of different security stacks in play or different security tools and protocols in play. The it's probably very likely if you think, if you agree or disagree, one way, it's probably very likely that they may already have the right tools in the play and to your point need to make them do things better together.
And they may already be able to do all that. And so I guess from an investment perspective, some of these companies may have already made the investments. They just need to do the right things to put them into play.
Christine Owen: Yeah, so actually there is an organization that I cannot name, but it makes me laugh so hard. So I ask. Someone, they were asking me, how would you create a zero trust architecture for this organization? So I said, send me all of the applications that they own, their, the vendor products that are cyber based.
So they sent them all to me. They had so many, I mean, they're very large organization, but they had so many buys throughout the organization that I actually built. I, like I said, okay, here's one zero trust architecture that they can do. Here's a second one. And here's, you know, I'll do a bonus one on the third one, and they all had different products.
They didn't use the same product twice. So to your point, you're absolutely right. You can likely, you likely have some of the pieces already. You might have to swap up, swap out some other things, but for the most part, yeah. I mean, I have also seen other organizations. By the way remember I'm in commercial and federal space.
I've seen a lot. I've seen other organizations say, well, we just bought this one product. And then their consultants said, okay, cool. Like we need to implement it. Can you hold off? And then some other vendor comes in and sells them another product. Oh, we just bought this other product too. So then this, the company kept buying products.
And I said to the, I said to their consultant, I was like, you need to tell them to stop buying things because it's really gonna make your life miserable. When you have to sit down and figure out how to connect all these things together that they just bought. Cuz they probably have a couple pieces. They don't really need, it's like an Ikea desk.
When you come back, you always end up with extra pieces. So
Neal: That's no joke. No, that's pretty funny. And that's good. It's and it's very true. Having worked as a consultant myself in some places I've come into a place that just basic SAML tooling and account management 1 0 1. They literally had three different companies that provided it, but they bought one because they wanted one that did MFA.
They bought another because it had the good LDAP connectivity. And then the third one, I still don't know to this day, how it got in there, it was just there and they weren't
Christine Owen: It was a good salesman. It was a
Neal: It was, I think that's exactly what it was, but you know, it's true, you know, they, that's a whole nother long winded conversation on my part about requirements mapping and making sure you actually know what it is you're trying to buy before you buy.
And many orgs don't do that.
But on the flip side with zero trust it might be to their benefit because maybe you don't have to go out and look at new technologies potentially depending on how many things you've got floating around in the ether. That's funny. On that note though, when we think about the technology growth, so you mentioned it early on in this conversation that chances are, everybody's got zero trust or zero something, or trust something slapped onto it somewhere.
And I think it's good to iterate on the fact that it's not a one product fits all. It is a multi-product requirement to do this the right way, no matter what you have and don't have already. On that note, from a vendor marketing perspective, we talked about those LDAP, SAML auth people already kind of pushing things.
Have you seen as a legal perspective, as a recovering lawyer aside from the federal government, have you seen a lot of nomenclature coming out from businesses, agreements and stuff like that to stipulate the legal requirements to maintain zero trust in a private sector, kind of world.
Or have they started looking at the weights of what that could be for the variations of everything from insurance to compliance to all this other weird stuff that you lawyers and recovering lawyers like to talk to.
Christine Owen: So I that's actually interesting. The answer is no I would say I haven't seen a lot and I think I have seen so, but I think it depends on where the company is. So I have seen some companies who around the time of the pandemic, really, they actually bought into technology. That wasn't a hundred percent as mature as it is today.
Like it wasn't even, and some of them were not even close, that they knew that that those companies, they saw the roadmap, they knew where they were going. I think that what I see instead of zero trust in, in in things like that, what I see more from the commercial side is actually mitigating the risk by pushing the risk to somebody else, to a third party.
So you see a lot of you see a lot of cloud based vendors coming, like getting more into a commercial. You also see a lot of SOC as a service coming out. Which I think is great because there are smaller companies that just, they don't have the ability to run a SOC. And quite frankly, like having all those skilled analysts, like it, it's better to have them in a shared service cuz then they actually see attacks in a greater breadth within an industry type as opposed to only that one company.
So I think that, I think I see that more than I see like a focus on zero trust. I think I, the problem is like I'm identity person. And so I go out to all the identity things and all I talk about is identity and access management all day, every day. So I feel like all of my friends who work at, in these industries, they all absolutely have that idea and that mindset, but that doesn't mean the rest of the company does.
It's just, my friends are geeky. Like I am
Neal: You're in the right neck of the woods. By default. Yeah know, at least you got something good to talk with each other about I miss my Intel discussion. You know, I gotta go back and sneak on the base every once in a while and see if they'll let me into a SCIF to have some clear conversations.
They don't like it when you do that, by the way.
Christine Owen: No, they don't.
Neal: If anybody's listening from app cyber, I haven't done that in a very long time. No, that being that, that's fun though. That's fair quote, fair play. I think the it is a weird trend looking at all the MSPs, MDR or MDRs, MSP as well without the extra S for whatever reason, SOC out of box, SOC out of the box, SOC as a service, all these other wonderful marketing terms.
And that's something I personally haven't seen where. Where those groups have blatantly talked about zero trust in respect to how they're helping you deploy those security stacks. At least not blatantly it's usually some weird third party consultancy slash product vendor doing it still. And then they're like, oh, we'll tie into pick a service provider MSSP for you.
It's a weird trend. Once again, whole nother conversation we could have around the benefits of SOC as a service piece as well. I agree. I think that's a wonderful thing to do, whether you're getting started or not. It's a good expansion of your footprint and capabilities.
Elliot: Obviously a lot of what we do today is shaped around compliance and regulations. And that's really where you see people are forced to start to adopt certain aspects and kind of cover certain elements. Obviously we also have environmental changes, like COVID impacted things and now people are more remote, but I'm curious from your legal background what has been, or maybe even foresight.
Where do you see the most change coming from like a legislation impact on zero trust adoption, and in particular, IAM
Christine Owen: The only thing legislatively that I see coming down the pike is a privacy. There's a privacy legislation. That's I don't know if I talk to my friends who are big on privacy, they say it's absolutely going to happen. I don't believe that, but I mean, if it does, it'd be great.
But I think that would make a massive impact with identity and access management because the, so I spoke at RSA this past. They gave me my going away parting gift was COVID. Luckily it wasn't really that bad, but I mean, I knew what I was getting myself into. It was a lot of fun.
And what I actually ended up doing is I spoke with a friend of mine Jamie Danker, who's like this massive privacy expert. And we went and we talked about faking privacy and identity and access management because when you're doing any kind of IAM or even zero trust integration, what you're going to end up doing is you're going to end up impacting someone's privacy, right?
Because of all of the information that you're collecting to be able to get to contextual authentication. So you're getting all this really good information where that person is, you know what all of the other fun things like, you know, fingerprints perhaps, but really that stays on the local device, but in theory and some other things.
Usually you'll probably get their mobile number. If you need an extra factor, blah, blah, blah. So you get all this information and then what do you do with it? Well, hopefully you don't do anything with it and you just use it for authentication purposes, but some companies have decided to use it for marketing purposes and that's not good.
So I think that's a, that's kind of a really big, important piece because as you're doing this, you're gonna get even companies that are implementing zero trust, not just with their employees, but also for on the IAM side as well. They start to get a lot of really rich information that they hopefully do not use against the consumer to be able to try to target marketing, but they could, if they don't adhere to whatever privacy standard that they had given the consumer. As a side note, I actually, I have a friend who's a regulator.
So because they're an attorney and they called me up one day and they said, how would you do this? We've got these privacy issues. Like how would you go and make sure that they do the things that they say they're gonna do if they get popped on privacy? And I was like, oh, that's simple.
I would make sure I would make them bake it into an IAM solution. And I started talking through how it would work. I was like, don't let them collect information on forms and then put it on a database. That's gotta stay in the IDP and silly things like that. So I think that to me, when it comes to IAM and legal stuff it's the privacy piece that comes is the implement is part of it.
Like it's not the, so yeah, you have regulatory things like HIPAA, all that other fun stuff. But on those you have NIST standards, like 800-53 that kind of come into play. I think what the other piece of this is the fact that I have this attorney background and I have this attorney brain because I did so well in civil procedure.
I now understand, like I can get policies. I can do policies pretty well, like either written policies for users to see or policies into engines to create risk scores. Because I under, it's kind of an if then kind of thing that you write out, which I guess if you're a coder you can do too, cuz it's very similar in nature.
I'm not a coder though, so I don't know
Elliot: Yeah, I think there was, I mean, you might have called out something that I know I've run into in particular. I won't name the social platform, but it's
Christine Owen: oh, I know which one it.
Elliot: It's the big one. So they, I think they got in trouble or at least yeah, it's definitely no think they got in trouble for using, I don't know if it was SMS or two factor numbers and they were using that for marketing purposes.
So I think like there are very real examples of that being out in the wild and people are very has definitely been exposed to a situation to that extent. So I can definitely understand that.
Christine Owen: And it's a shame because if you had an, if you, so there are like modern IDPs, so you have to get away from. What are I can't think of the word modern auth? Basic auth I think is the, is how you call certain types of auth from certain companies that we shall not name, but modern auth. So IDPs that do modern auth.
In many cases, they also have a forms feature attached to their to, to it, to be able to collect information from the user. And that forms feature. It gets fed into the IDP. Now, of course, if someone decides to come in and pull out all of the information from the IDP, then they could use all of that person's information.
But to me, it's a very simple way to not like a company can easily make sure that, that information that they collect from a user doesn't get used for marketing purposes. But I will say , I'm probably gonna scare everybody. So for very large companies that have been collecting user data for years and years, The whole, the European view of being able to disappear yourself.
I forget what erase your, I
Neal: GDPR. Yeah.
Christine Owen: but what do they call it? It's not erase yourself.
Neal: the right to forget or be, yeah.
Christine Owen: Yeah. The right to forget you don't, you can't, they can't forget you. It's not a possibility cuz they don't know where all your data is. It's very scary.
Elliot: That unfortunately that ties into another social platform that just recently got into some headlines where they don't really know how and where they're storing all the data and all that good stuff. I guess we'll just keep using social media as our guinea pig for all of the things that could go wrong and constantly go wrong for identity access management and zero trust in particular.
Christine Owen: Yeah. I mean, that's what we're gonna do. They do a good job of protecting that data so that other people can't get to it.
Neal: Yeah. They put it behind a really large paywall.
Christine Owen: They do
Neal: Man, I'm gonna look at my phone. It's not gonna work anymore here in about five minutes, but now, so that's a fun factor in the sense, you know, that there is a lot of. PII potentially out there which brings us back kind of that, that doc control aspects of being able to set to your thing, scores and mechanisms and threshold around what it means to do the access of whatever, not, you know, not just the laptop, but a PDF to an email, to whatever and what your thresholds of exposure are depending on you getting it wrong.
I think on that note, one of the one of the pieces from my past that I used to look at was in the retail space a little bit. And so just like financial services banks have to worry about your fingerprints, your I eyeballs now, and everything else on your phone, like Starbucks, never money else.
But in the retail space as well, you know, there's everything from the advertising channels that you have to monitor from those third party CDNs to, and how those were collecting, cuz back in 2010 or 11 or 12, whenever it was exploit kits, galore taking advantage of iframe and Adobe Flash and all that fun stuff and stuff like that, still here.
But then you have this leakage in your phone and other stuff to get access to the data. And a lot of it really does boil down to if you had the right policy in play. And when you built the app, you would've already looked at it and that leaky data wouldn't exist at the end of the day. It's not because there's an actual exploit in your app or on your browser most of the time.
It's just because you didn't take it into account when you built it. And now it's leaking out into all the network traffic or through third party cookie settings and all this other fun stuff. Yeah. Fun
Christine Owen: no, I totally I totally agree with that. I think the other thing because you're talking about data, And protecting data. The one thing. You know, the pillars, right? I like to say that they're actually, they're not, it's a kind of a leaning house instead of a stable house, because that you've got the identity pillar, which is pretty strong.
If an organization, we, all the tools are out there to build that strong pillar, but data, it's not, I feel you know, if you have an identity higher than a hundred percent, data's like pretty low and it's not because there's not enough data out there's too much, but it's because we actually, and this is another thing I like to harp on too.
We like the vendors that it's two things. One is there's not enough vendor products out there that are competitive enough to be able to really see. And if you want tag the data or at least classify the data at the data object level, the second issue that we have is. You have a lot of SaaS solutions that have data inside it.
And they don't always like to think of that data as that organization's. Sometimes they like to think it as of their own. And so they don't like outside tools coming in and being able to manage that data in a way that would allow for better cyber hygiene. And so when that occurs, then, which we have all the time I can name so many vendors where I just can't get to the data.
I can't even get to the group level within that vendor product. So because of that, we actually have we can't reach that optimal ABAC solution that we would like to get to the data level. We, I, when I think when people say ABAC, I really think of it back to the application layer. Because I just don't see us doing it right now, anytime soon.
Part of it is vendors need to play better with each other, which is not always an easy thing to do. But then the other thing is we need more advancements in how to review the data and classify the data really quickly. And luckily we have AI ML and all of those other fun buzzwords to be able to help to get there.
I do know a couple of companies that are starting to get there that are going back. They're kind of going around the applications and they're going straight into the SQL databases to be able to review that data and classify that data. But if it's a SaaS solution, it's not as easy to do.
Neal: So that's interesting, cuz you just reminded me of something from the healthcare industry that I totally forgot about. But there, there are companies out there for legal reasons exclusively, almost that do that. Document discovery on, on your networks and databases, right? There are companies solely built around scraping every single thing you give them access to and categorizing it into whatever.
I see these in the healthcare industry now more than ever, but they, I think they started off more as a post breach awareness. They're probably already there for the lawyers before this, but this is the mechanism I saw them applying to was post breach to figure out, you know, Hey, we said server a, B and C is what's compromised.
Well, server a is 18 petabytes. We need you to classify the info. So on that, that vein taking something as simple as a service provider like that, who does data classification for you to start from scratch? I think that's actually an interesting idea. That's not something that we've talked about yet, and we really haven't talked about data classification and handling that data either as part of the trust model as well.
Christine Owen: cause it's hard. It's hard. Why would you talk about something that's too hard? Like when you get to, if you have people who come up to you and say, I don't know how to accomplish their trust, you say, well, you can get all the way up to deer then pass there. Just, nah, we'll deal with it later.
Neal: well, wait for the technology to catch up, hopefully a little bit more. But no, I mean, I do think that's a great point though, is you can do application level security. You can secure the box a little bit. You can secure the devices. We can build zero trust around what it means for my laptop to talk to servers, ABC, or other laptops in the network.
And we all should be working towards that. But at the same vein, bring it back down in layer to the actual data residing on your various servers and boxes and things like that. That. yeah, I think that's gonna be a fun one. I like the idea. I'm on board with the idea, especially with some things I'm working on today.
But yeah, that's gonna be a unique market space. I think extending zero trust to the documents and to the actual data repo itself, beyond that and putting some kind of secure wrapper, if not around each individual file, but maybe around the folder structure, the file structure at the top level, as much as you have the application managing it.
Christine Owen: I mean, I know that those are all possibilities because I know that happens in some types of spaces. But it's just not, I think that in my opinion, it's not the easiest to do. You definitely have to have really smart people who have done it before who at least see it currently and can replicate it.
And there's just not enough people who know how to do that because they're not granted access to that type of sophistication.
Neal: Yeah, we definitely do it in the classified world. I think pretty regularly I sent you something DSS, sci, blah, blah, blah. And you've only got blah instead of blah, blah, blah. Well, I'm safe. I may get a little hand slap for sending it to you in general, but at least you can't open it. But I think that's my last little nugget that I like thinking about here.
We, we talk about the government policies and procedures and I like to always kind of get to take personally on having come from the government and the military background. We see the government tend to set trends. I think the trend from the government doing something in cyber security to the private sector, picking it up has gone from decades to years.
And now I think we're starting to see a slight shift with certain things in the private sector are starting to outpace the government side, but they. They have their zero trust standard. In the government side, we have been doing document level security type things in the government side for a while.
There's now a couple companies trying to do that here in the private sector. But nobody's made it a standard yet for that particular element. So all that to say on, in a note, you know, do you think that courtesy of the government propping this up and mandating this internally, that this is going to accelerate our zero trust curve here in the private sector in some method way?
Christine Owen: Absolutely. So I actually think in this case I think that, so here's, I like this is only my opinion, Christine Owen's opinion. It's my crystal ball that I have in front of me. I think that what the federal government's gonna end up doing, again, just my opinion. I think they're going to take this mandate.
They're going to start slowly expanding it. So it's gonna start first with critical infrastructure. Finance, energy, you know, things like that. That it's going to then they're gonna say, well, we have probably at this point a good probably 20, 35% of US companies would fall under the requirement of zero trust.
How do we get them further? Then they'll start including it in healthcare. Other highly re highly regulated industries that have to work back with with the federal government. So anyone who has to touch the federal government for whatever way. So most healthcare companies touch the federal government through Medicare, Medicaid financial industry, through treasury things like of that nature.
At that point, you're gonna get at least 75%. And then if you also add on the vendors who would have to do it as well, So then you're just gonna have that last 25% that's like mom and pop shops, maybe like that just don't fall under that mandate. But at that point for them to do business with the bigs, they'll have to do it as well.
So I do actually think, I don't think this is gonna happen tomorrow. I think that the, I think that the federal government needs an agency to get it done and succeed at some level of the agency. I mean, agencies are, can be massive or can be teeny tiny. So they need a part of an agency to be able to be their shining star to say, this works really well.
If you go into the finance field finance sector, they actually basically implemented zero trust, but they don't call it zero trust, but they have really good, very similar methodologies. For example, as a general user, as a consumer, when you go into your bank account, it's so weird because most of the time you can just go in using username password.
And that's what I get most of the time I get general users saying to me, well, I shouldn't have to do anything behind username password, because that's all I have to do to get into my bank account. And that's really important. And I say, yeah, but do you know what other things that are behind that username password that they've actually done to your computer?
Do you know, you've got a cookie, you've got all these other, they're looking at your IP address. They're looking at, yeah, there's a risk score behind you and they can lock your computer down if they, or your account, if they feel like they need to, but they're not, they people don't see that the behind the scenes there. So I think that's where we're going. I also see a lot of large companies who, and I mean, again, they're very large companies, Fortune 500s or above that, see the value in having a strong identity and access management solution and layering on top of that to get to that zero trust posture, because they recognize that the bad guys are coming for them too.
Cuz they come for them in ransomware informs ransomware. So the more ransomware US companies start paying out, that's what's gonna be a problem. And now I realize your question on zero trust in legal documents. So you know what I've seen? I don't see zero trust yet, but I do see requirements for insurance to get cybersecurity and insurance.
I see the requirement to get, to have MFA on all of your users. So that's absolutely like the number one baseline that insurance companies are requiring for private industry right now. If you happen to get security insurance,
Neal: Nice. Yeah. Yeah, that, that was, thank you. That was a good rollback to that one.
Christine Owen: like, oh, I
Neal: Good round back to it. Yeah, no, that's interesting. The I dunno, it'll be fun to see where it goes. And then one last quick legal question around have you played in the FedRAMP space at all?
Christine Owen: So I work with I, I don't think you can play. I feel like it's a very painful space. No I . So I have so many thoughts and feelings personally on FedRAMP, but I will say I have, I do use a lot of vendors that are FedRAMPed, both moderate and high, and some of them are also higher. So ITL L four and above.
So the answer is yes. Is there a question beyond that?
Neal: A question behind that. So outta curiosity, I've only played in the FedRAMP space a little bit here and there. And most of, as you go through the echelons, by the time you get at the top, you, you've kind of indirectly of not like true zero trust, but you've done some things architecturally in your DevSecOps world that are pretty dead burn close to, but it's not labeled, it's not labeled as doing this. And even then there's still some elements that could get a lot better from a zero trust perspective, even. Hi, and B boom. So I guess outta curiosity with your crystal ball, do you see kind of conceptually again, as we build these out in the industry, do we see an update to FedRAMP and or CMMC in our near future?
Probably to stipulate a lot of that for us.
Christine Owen: So there is a requirement to update FedRAMP. So yes, there is a requirement in it's either. It's either the executive order, M-22-09, but one of them does actually, I think it's the executive order because it. Calls out the cloud and it says, yes. How long is that going to take? A long time.
So personally the one thing that I would love to see from FedRAMP is I would love to see audits like true. I would love them to, to use third parties, to go out and audit the vendors themselves as opposed to have right now. And by audit, I mean, pen test and not just do the auditing the paper exercise that I really, that's my number one concern.
I think I think that I, let me stipulate this. I think that FedRAMP vendors do a great job and especially once you get to high, I, they do a fantastic job to the point that I'm working with a vendor who is almost, they're almost certified as high, but they are in the high environment. And so they're doing, you know, a lot of things there and they're trying to get a certain widget to work in their high environment.
And they can't because the high environment is specifically created to make it hard for that widget to work. And so I think it, so to me, that means that they implemented it properly. So it's wonderful. And then I say, oh, I'm really sorry. Hurry up and make it though. But for things like that, where you wanna keep you, you want certain types of of feature parity between, you know, just regular commercial, all the way up to high.
You definitely need more pen testers for that moderate and high, to make sure that when that feature was created, that it doesn't bring it back down to a commercial setting. So I think that's really important. Hopefully that's something that they're gonna look into. I honestly don't know.
I don't I don't talk to them much. The reason why I say that it's so painful is because if you are on either any of the sides of it, if you're a vendor there, the agency, the sponsors also gets involved and the fed gets involved and then they also tend to have consultants come in as well. So there's a lot of people who are involved to get that FedRAMP done.
And it's a really painful process. It costs companies a lot of money, like a lot. And it also takes a lot of time. It generally takes them somewhere between one to two years to get a FedRAMP certificate. And even if they're already in moderate, it takes them quite a lot of time just to get into high.
It's not like you say, okay, well, I just recreated everything I did here. Added the controls I needed to have. And I went into an already determined to be FedRAMP high cloud, to be able to put my stuff in there. I'm good. Now you still have to go through all the steps again. So it takes quite so much, a lot of time and effort.
And then on the agency side, they have to kind of go through and validate and verify as well. But pen testing, let's add pen testing to FedRAMP. I think that'd be amazing.
Neal: Yeah, it'd be a fun addition for sure. I.
Christine Owen: think it's important.
Neal: This is great. So y'all already hear FedRAMP's gonna suck more of your time in life, out here very soon with zero trust official. No, I do think though, like you, I think it's gotta be only a matter of a time. And then for us, I think you mentioned it, it might already be called out at least loosely to migrate towards some date in the actual order.
I'm gonna go back and personally re actually reread it, cuz I hadn't read it way before we started this podcast. So it'd be good for me to go back and renew my interest in that one as well to see what it actually says again. But anyway one last question from me anyways and I'm probably beating Elliot to this.
If you if from a closing perspective, if you had to start anywhere for private and public sector and there we're getting a thematic around this, I think which is really good. if you had to start somewhere day one to look at where to get started with zero trust, where would your suggestions be for that.
Christine Owen: So is it, I, can I ask a point of clarification? Is this for what types of vendors would I look at? Or what would I do within my within my organiz.
Neal: Yeah. What would you do if someone came to you today and said, Hey, our org's moving towards zero trust, quote, unquote, figure out what we need to do. That open ended.
Christine Owen: All right. So I actually, oh, it's you went to my talk. So there I actually give I've done this presentation a couple times. So honestly I've already plugged this apparently like NIST loves me because I plug their documents so well, NIST 800-207 is the best document to start at.
So you read this 800-207 and you go well, half the time you go, this doesn't make sense to me because it's identity and I'm scared of identity, which I don't get it. Cuz I think if a dummy like me gets identity, then everyone should get identity. But you read through it, but it actually has specific things to do.
And the first thing is to go and figure out all the things you have inside your organization, which not all organizations know. So what applications do you have? Where are they? What kind of data is in there? So classify that data out to figure out, and it doesn't have to be like at the data object level. Oh, I have an HR system. That's gonna have a lot of PII that might need to be really protected. So go through and figure that out. And then after that you go over and you say, what tools do I already have in place? Or what tools do I have that I haven't actually, you know, figured out how to use properly? So go through and figure out all the tools you have and then start mapping them together.
I have these tools, this will be able to create this part of the architecture. Maybe I need this one extra piece. So for example, you might need to upgrade your firewalls to a NextGen firewall because you want a SASE product, right? A lot of your firewall vendor might actually be able to do that for you.
If you're one of a couple of vendors or if you have one of a couple vendors. So things like that, looking through that. And then I think what else would I, the last thing I would, well, it would be in the early stages and not the last stage, but in the early stage, I would also tell everyone what I'm doing and explain why I'm doing it and explain how important it is, and then tell them again and again, because there is no way that you're gonna be able to take a current, your current security posture, which the majority of us have a lateral movement security posture. There's no way you're gonna change from being able to laterally move within the network to go to a micro-segmented network without having massive, all the way down to the end user, the application users, and then all the way up to your C-suite.
They all have to have buy-in. A great example of this and a great reason that you have to have this is because when you go from a lateral network to a micro-segmented network, what you end up doing is you end up excluding the ability to ride the network or use peer-to-peer networking to be able to do things that is a normal business need, remoting into a computer for a help.
And when you can't do that, boy, do people get upset. So you absolutely need to be able to get into, to, to figure out what it is that you're doing. Explain how that works. And then you have to build that architecture and then test it. And then test it and then test it and break a lot of things and then come back and keep testing it after you fix those breaks.
I had, I was helping a client migrate to zero trust and we were in the test phase and one of their stakeholders called and was just yelling at me and they were so furious and they were like, you broke the entire network. How dare you think that this is a good idea. And I was like, tell me how I broke the network. Come on, tell me, this sounds great. So they start telling me how they can't get from point A to point B without having to do some sort of, you know, re-authentication. And I mean, it's not like a step-up authentication. It was just not as easy to move laterally because we micro-segmented. And they were quite upset with me.
And I was like, oh, it works. This is awesome. And then they got more mad, but now they love it. They hated it at the time, but they like it more now. So it's good.
Elliot: With that in mind, we absolutely appreciate you being here, being able to share your expertise, your insight. Access and identity in particular are critical aspects to zero trust.
So having conversations like this is just so important for people to understand where to really get started and some of the most complicated aspects to zero trust. Even if organizations aren't going zero trust, whatever they're doing and it aligns with it. Fantastic. I think what we've come to realize has really been a repackaging of anything.
Some might call it a philosophy or principles, but at the end of the day, repackaging is a pretty good way to sum it up. But that being said again, just, we really appreciate you being here and being able to share your expertise with us. Yeah. And that is it. We will not bug anymore.
Neal: If all else fails, we can just get one of the little white things in her lap. (Her dog joined us.)