Episode 119

Segregation of Duties: A Key to Security with Chris Katz

EPISODE SUMMARY

In this episode of 401 Access Denied, Joe Carson and guest Chris Katz dive into identity compliance essentials. They cover the critical steps for organizations to secure access, from defining roles and managing risks to enforcing governance and regular audits. Chris shares insights on using community resources and staying up-to-date through conferences to enhance compliance and reduce risks.

Key Takeaways:

  1. Clear role definitions, audits, and training are key.
  2. Segregation of duties prevents errors and fraud.
  3. Community and conferences offer essential support and learning.

Joseph Carson:

Hello, everyone, welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson, and it's a pleasure to be here with you. This podcast is supported and delivered with the help of Delinea, and I'm the chief security scientist and advisory CISO at Delinea. So, as always, I'm joined by another amazing guest for the episode today, so welcome to the show. Welcome, Chris. You want to give the audience a little bit of background about who you are, what you do and some interesting things about yourself?

Chris Katz:

Yeah. Well, first of all, thank you for having me, I'm really excited to be able to present today. I think I've heard a couple of these podcasts and they're always super intriguing and trying to learn a little bit more. So, a little bit of background myself. My name is Chris Katz, I'm an associate director with a consulting firm called Protiviti, been there for just over a decade now supporting clients in a variety of different things. So, I started my career and my journey in the audit space so I have a bit of background in internal audit, in helping clients support some of the internal controls. After that, I moved into our SAP security practice, so helping clients either design their security or redesign their security so that they had compliant processes, compliant roles, compliant access, they are living within ... We're going to talk about segregation of duties a lot, that's my bread and butter in most of my life.

And then the last and the majority of my career has been spent in Dynamics, Microsoft Dynamics, applying security and SoD across AX 2012 but, much more recently, D365 Finance and Operations as an ERP for a number of supply chain consultants. I am really passionate about coaching, I love sharing, I love trying to make sure that other people are aware and they're doing the right things and best practices and I know that's really what today is about. Outside of my professional career, I have a ton of hobbies, I love sailing, mountain biking, being outside in general. Being in Atlanta, I'm fortunate to have quite a bit of amazing weather to be able to get outside. So, yeah, that's a little bit about me. I'm excited to join and share and see what we can do.

Joseph Carson:

Absolutely, fantastic. And today's episode is all about, you know, organizations who are taking the journey around getting the path to identity compliance. So, something that's very, very important for organizations but I think we're going to really start at the groundwork, how it all begins and where it all gets started. So, for you, can you tell me a little bit about what's the best place or what are some of the challenges today for organizations going down the path and what are some of the best places to get started and at least understand, sometimes, just the risks?

Chris Katz:

I think that there are ... That's the number one question that we get asked and, generally, when we're just starting to help our clients support whatever they need to do. So, you can have a consulting firm where you can even start, day one, try to hit the ground running but there's a structural element of groundwork that you need to lay first and a couple of things that you need to do and understand in order to make that project as successful and last as long as you probably want it to. So, one of the most common questions is who do we need to have involved, it's usually the first question that we get.

So, we see the most success if you can get three groups of people in the room. If you can get IT, they're going to be involved because they understand the application, they understand some of the technical nuances of how things are going to work and how things are going to connect together. That said, I was just listening to Frank Berkowitz's podcast, I guess, as a trackback to one of the former ones of these, and IT does not make decisions in a vacuum, they're not the end-all be-all for who is allowed to access what or why something's allowed to happen. And so, bring in the business, that's part number two of people that need to be involved. Generally, it's someone at the controller level, sometimes it's an accounts payable manager or an accounts receivable manager as well as some people across ... I do a lot of work in supply chain, that's a critical element of your business.

If it's fundamentally going to make or break you from a broad perspective or from a significant financial or inventory movement perspective, we need them too. And then the last group and often forgotten is the compliance or the audit teams. They're not going to be making decisions, that's not the reason that we involve them in some of these projects but they do understand the groundwork, the framework of what the risks are, what we should be looking out for. If you are a public organization and many are, what is external looking for, what are the buzzwords that they have and what are the things that they're asking and how are you going to build that into your project plan so that you don't get caught at the very end of the project. You've done all of this fantastic work and then there's one or two or three questions that external asks that totally dismantle all this great work that you've done and, oh, now I need to go back and take another look.

And I will talk about this later but one of those buzzwords is completeness and accuracy and that has been just ... I've seen that expand even this year quite a bit and it's challenging. Unless you really know what you're doing, it could be a real challenge to answer some of those questions, I think it's a test of whether you know anything. You can ask why three or four times, how many times can you actually answer that why with a real understanding? So, generally, you need those groups in the room and then you need to talk about what your risks are. So, it's really difficult to create this, and we're going to talk about this, compliant security architecture. What can users do? What are we going to allow them to do? What are we not? It's really challenging to do that if you don't know what your risks are because you don't have anything to measure it on.

So, you have to create that, we call it a measuring stick, I'm going to use that analogy probably quite a bit here but...

Joseph Carson:

What's some of those KPIs or measurements that you're looking for? What would be some of the ones that the most common that you would see?

Chris Katz:

Well, some of them are SoD risks so it's defining what the risks are as far as who can create vendors and pay vendors. So, that's a very common risk, or who can create a journal entry and post that journal entry. So, those would be some of the first ones. Just do you have a rule set and are you compliant with that rule set or not? But there are a number of other things that really help set the foundation and this is one of the other things that you want to set up front so you know did I succeed or did I not succeed. So, some of these are checkbox items. I can tell you one of the other most common requests that we get, the checkbox item is I want my external audit to be happy at the end of the day, that's what I care about. That's a big checkbox but maybe it's having a conversation with them.

So, identifying key strategic points where you're going to get them involved and say this is my plan, I want to talk to you here, here and here. I want to talk to you after we finish design, I want to talk to you after I finish UAT about the documentation that I need to make sure that I've collected, or maybe even before, and I want to talk to you after I go live and show you how I've done there. Also, if you talk about just clear separation between display access and update access or setup access, and this goes across almost any ERP. I have a background in SAP and Dynamics but, a lot of the time, you're not going to have a segregation of duties risk because you can see something. I'm not saying people should see everything and there are certainly sensitive objects but, a lot of times, that's the only thing that people need and there aren't always roles for that.

Joseph Carson:

Absolutely.

Chris Katz:

So, do you have a clear separation and do you have roles or whatever the method is, roles are common, but do you have a way of assigning users access to just be able to see things? And maybe that's all they need and there are licensing implications to that too. In Dynamics, for instance, if you have read access to something and that's truly all you have, you don't need an extensive license. The licensing is driven by security and that security is driven by the access that you have. So, if you're able to clearly separate out display versus update access and just grant display access, not only can you be more compliant from an audit perspective, but you're also more compliant from a licensing perspective and you pay less.

Those are common examples but everyone needs to sit down and realistically define what their viewpoint is and that might depend on the size of their organization too. If you have a pie in the sky idea of least privileged access, that's fantastic, that is a great thing to go for.

Joseph Carson:

Absolutely. Least privilege, for me, is a great foundation, I think it's something that all organizations should have as part of the controls and processes as they're going through. And it even reminds me, back in my days when I, years ago, was working in a data center, that I was responsible for infrastructure tools and one of my tasks would be going into every one of the cages and then working through my list of tasks that I needed to do. It might be upgrading a system, it might be making a configuration change or some security changes or modifications, and I had many tasks to do, but one of the clear things that I was not allowed to do, because you are working for massive clients, banks, you're working for government agencies, so I was never allowed to audit my own work, so I couldn't just sign it off and say it was done. And it was very strict as well that we were not allowed to be in the same cage at the same time as the auditors.

So, the auditors would come a few days or a week after I'd done my task in that particular cage and I'd already moved on to the next organization or next checks, and the auditors would go in and they would be basically checking our work, making sure that we did it right, applied the configurations. We didn't touch any other machines or systems or databases that we weren't supposed to or should not have touched. And that was just that whole ... You use separation and segregation of duties interchangeably depending on the world you're in, but that was defined because it was clear, in regards to our responsibilities, that what's referred to as the separation of duties meant I could not audit myself. I couldn't say ... Otherwise, at the end of the day, you're signing off your own work and you can give yourself good marks and good results and that was something that would not be accepted as part of the requirements or compliance or regulations. So, that was a very, very clear area.

As you were talking, one of the things that came to mind is really, at the beginning, having part of the foundation of success for this be very clearly defined roles. If you don't have those roles defined about what they can do or, to your point, about having the view-only role where I can look at the data and make decisions but I can't modify or update it. How important is getting the roles very, very well-defined at the beginning?

Chris Katz:

Yeah, it's critical. So, that's beyond setting that foundation for what your KPIs for success are. If you think about that as your measuring stick, your capability, your way of getting there is going to be, in many applications, I would say even in most, through roles. So, sometimes those are also called permission sets or entitlements or there are many different names but the fundamental element of it is a way of assigning a chunk of access to a user, and those are critical. That's the only way that you're going to be able to, in many cases, assign that access. And so, clearly defining what those roles can and cannot have does a couple of things. One, it makes your life easier. If you had to go and pick Microsoft... tens of thousands of security objects and, for every user, if you had to go manually pick 10,000 objects and then do they need read, create, update, delete access to each of those, it's going to take you forever. You'd end up where a lot of people are today which is, all right, make Frank like Joe, copy all of that access.

Joseph Carson:

You just copy all the same permissions but Frank may have been in the organization for 10 years and may have had 10 different positions throughout that time and there's inheritance of all of that. So, me, should I inherit all the same? And one of the things organizations are already poor at is deprovisioning access they no longer need.

Chris Katz:

Oh, yes. Well, and defining the roles or the permissions is a key element of that. So, can you define in the architecture what accountant means for your business? It's not the same answer for someone in manufacturing, honestly, as it might be for someone in, let's say, healthcare or even ... We talk about multinational organizations and a lot of the people that I work with have that. So, if you have someone in Europe, for instance, there's a very defined set of standards and criteria which you have to meet in order to view personally identifiable information. And so, how are we making sure that only certain roles and appropriate roles have access to that information?

Joseph Carson:

Absolutely.

Chris Katz:

And to your point, you have this joiner, mover, leaver process. If you can define your roles well enough, it should be pretty simple to understand, okay, this is an accountant, they should need, maybe we're going to call that role "insert organization here accountant", and we're going to define what that level of access is that we would expect for our accountants. And so, when I have a new accountant, that's the role that I'm going to select for that person. Or if they move in the organization, they get promoted, maybe they've done ... They absolutely crushed it, now they're a CFO, well, they can't keep all of the roles that they had, to your point, in order to get up there, otherwise, they're preparing journal entries, they're approving journal entries, they might be setting the standards for opening and closing periods. So, now, all of a sudden, you have the ability to open up a period, go back into the last financial period, post a journal entry, approve that journal entry and then all of your statements are materially incorrect.

And that's a malicious example but the other element of segregation of duties and probably more of what happens is it's not purposeful things that people are doing to be malicious to their organization, it's a mistake. Someone had a little bit too much access and they were poking around because they thought that button looked really neat and they were just curious what that button does and, oops, I forgot I wasn't... So, it's honestly more of that and trying to sort out how you're going to explain to your stakeholders, be it your shareholders or if it's external audit or whomever, why did this person have that access, how did this happen, how are we going to undo this, how much of a headache is it going to be to undo this, that's more of what we see in-

Joseph Carson:

Mistakes do happen, people do make mistakes. And I think your point is that, if we are overprivileged or have too many rights, sometimes people might decide to try and hide that mistake, and that's where the problems occur: if they've got too many rights, they can change the history, they can change the audit log, they go back and try to just hide it so that they don't feel or look bad with their peers or bosses. And I think it's really important that we get into promoting being honest and transparent with mistakes and it's okay, we will make them. Let's just make sure that we're not, at the same time, putting that culture in place where people are afraid and they will hide, because hiding them can cause major problems later. It can cause incidents, it can cause data breaches, it can cause, fundamentally, let's say, cascading effects where it could actually have major financial penalties from an auditor perspective.

Chris Katz:

Absolutely, that's certainly an element of it. And there's a point that I think we were talking about earlier that I think is important to highlight too where, a lot of where we're doing role design, we were talking about some of the KPIs and where to get started and what's important to measure and things like that, I think it's important to know where your organization is going. So, a lot of times we're working with organizations and we're looking at security within a single ERP and we're trying to define a rule set for a single ERP. But the odds of that really happening in the real world now, there are so many applications. So, you might have Dynamics D365 Finance and Operations and that's your primary ERP, maybe you run your AP, your AR and your GL there, but maybe you use a different solution for warehouse management and maybe you use a totally different solution for payroll and then you use a different solution for X, Y, Z.

So, a lot of organizations are moving towards what they're trying to get is a role-based access request so they can take advantage of some of the newer technologies, identity access management solutions, things like that. Think about that as you're doing the role design or as you're setting up your risks is how does this interact and play with others because, eventually, it probably will or a lot of organizations want it to. And if you've called ... You're doing a role design, you're calling this role accountant in D365 and then, in another one, you're calling this other role super special accounting manager, and I've actually seen that role once-

Joseph Carson:

Super special.

Chris Katz:

How do you know those are the same? How do you know who needs that role and who doesn't need that role? And how are you going to eventually tie all that together into an IAM request where you have a person, a joiner that joins your organization, they're an accountant, how do you know they need this role here or these two roles here and then that other role there and this privilege here and then access to Outlook?

Joseph Carson:

Yeah. The onboarding process can be a nightmare if you can't map it to people who are joining the company, if you can't really see ... I think one of the big mistakes I've seen is, you're referring to a lot of the custom side of things, they're making their roles, I've seen the problem with many organizations using the default roles and, therefore, not having really defined it. I attended a session recently at DEFCON where it was talking about Cloud environments and that specifically had a lot of the infrastructure hosting environments and many organizations went down because they weren't quite sure about how to define those roles and then used the default ones. How big of a mistake is it for organizations to do that, to take a lot of the defaults because, in many cases, it might look like a least-privilege type of role but in most cases it's not, it's actually too much privilege?

Chris Katz:

Very common and it's challenging too. It becomes a question of ... I'll answer this in maybe a different way than I was originally going to. It's part of the reason that you need that foundation of setting up front what your expectations are. So, for instance, using out of the box roles, I'm going to use Dynamics, actually, I'll use both, Dynamics and SAP, they come with out of the box roles and those are fantastic for a starting point but you have to think about the lens through which those roles were created. So, for SAP and for Dynamics, they're creating these roles ... They're trying to sell software so they're trying to prove that something can work and these roles need to have access to various different things to make this work. In the real world though, there's going to be, and I've seen across both SAP and D365 and many other organizations or many other applications, those roles have either tens or even hundreds of conflicts.

I know for accounting manager, accounts payable manager, in D365, both of those roles have 10 plus segregation of duty conflicts and it's obvious ones, it's not things that just go by the wayside. You're creating vendors, you're creating journal entries, you're approving it, you're doing the setup, heck, some of them have access to the chart of accounts and maintenance over there or fiscal periods, it's pretty wild. But if you think about it, they're just trying to make the ERP work. So, it's important to use that measuring stick that you've defined at the beginning of the project for what you want to allow, what your risks are, use that to look at those roles and see if they work for you or not. In a lot of cases, they probably won't but maybe there are just a couple of different things depending on the size of your organization.

Some people have 10 people or, sorry, 10 people that have the ability to go and focus on security and they can design from the ground up or they can hire someone and purchase a set of roles that can be defined specifically for your organization, you can get really close to that least privileged access. And other organizations are simply just too small, they don't have that team that can go in and get to that least-

Joseph Carson:

It's all different individuals, correct. A person might have multiple roles in the organization so, therefore, it's important that they, operational wise, they separate the activities-

Chris Katz:

Exactly.

Joseph Carson:

... when they're performing one task. And I think I've seen that situation where small organizations that have individuals who do multiple things, I think sometimes that's where a lot of incidents occur or security breaches occur is because they forget to close one door when they open another door and separation of the operational side of their tasks. Because sometimes we try to multitask and do many things at once and, therefore, sometimes we might log into one system which might be the financial system, at the same time, we're logging into maybe a payable system or an invoicing system. And ultimately, that can cause a conflict by just having those open at the same time where we have to make sure we compartmentalize those activities and not do them at the same time.

Chris Katz:

And sometimes you can't, that's the other challenge. You're not big enough to do it or the way that your process works doesn't allow for that to happen. And so, there are going to be times where you have to live with risks and that becomes part of the evolution of that conversation. Okay, well, I have a risk, I know what the risk is because I defined it, I know that a person has it because I have some sort of tool or maybe it's a governance, risk and compliance, a GRC tool, to measure it and so you need to advance that conversation to say, well, I need to put some controls around it, I need to understand what people that have this access are doing, I need to put a check or a balance in place maybe. And a lot of the time, journal entries are a very easy one, maybe there's an approval.

So, an accountant's going to prepare a journal entry and they're going to submit it through a workflow of some sort and the controller is going to review that and get a second pair of eyes on it, or three-way matching, it's a great one. So, just knowing there are going to be times where you have to live with risk and knowing that you have this element of mitigating controls that you can use as a way to protect yourself and say I know I have to live with this risk, I have a person that is wearing multiple hats, they are ... In the morning, they're this person, then they back up this other person because they got sick and then, oh, crap, the warehouse manager didn't show up so they're going to pull inventory. Sometimes that happens but you just need to define what the controls are and those become explainable.

And if you can do that upfront rather than finding that out when you do just a random assessment at the end of the year, you'll be much more prepared to understand and make informed decisions on what you want to allow and what you don't want to allow. And if you're going to allow something that you wouldn't like to, what you're going to do about it.

Joseph Carson:

Absolutely, it's all about really understanding your risks. It's having those defined and then looking for what types of controls and processes should be in place to minimize them, just to make sure of the auditability side of things. For organizations who are going down all of this path, this is really ... I think for organizations, it's so important to do this in order to really define the foundation when they do go down that path of identity access management and privileged access management: you're really setting that foundation for those programs and strategies to be successful by having the operational process side in place. What would your recommendations be for getting started, once you've defined the roles, you've got what types of people you need to access, doing regular audits, is that something that you'd recommend, different checkpoints to make sure that things haven't moved away or strayed into something that could be catastrophic?

Chris Katz:

Yeah, absolutely. So, a lot of the time when I'm talking, and we have a whole presentation, we talk about this concept of a triangle basically. So, part of the triangle is defining what your risks are and we've already talked about that. And then the other part of the triangle is how do you have compliant roles and users. Well, the bottom part of the triangle is what your governance processes are around this whole thing. You've defined a rule set, you've defined roles and you assign those to users, how do you make sure that that's compliant and how are you going to deal with the constant change? And so, there are a number of different governance processes that we typically recommend in order to protect the investment. Some of those are user access reviews, I've heard them called user entitlement reviews, UARs or UERs.

So, every once in a while, and generally it can be a ... I've seen it quarterly, twice a year, yearly, I haven't seen it really more than yearly, how are you going to review access and make sure that it's still appropriate? And what that's meant to catch is, you used an example earlier, you have a person that joined the organization and then they moved two or three times, did you remove all the other stuff that they don't need now? So, finding those elements. And more and more today, I think the other one is reviewing. So, you've defined maybe a risk, a segregation of duty rule set and, under that, you need to define what are the one or two or 10 or 30 different technical objects that align to your ERP that allow you to do that. So, in SAP that could be a transaction code and then the authorization objects underneath it; in Dynamics, those could be menu item displays or menu item actions or data entities.

But what's happening now is a lot of these ERPs are moving to the Cloud and you're taking updates every ... For Microsoft, you have to take an update at least twice a year, they're releasing them quarterly, thank goodness. That used to be they were releasing every month and so just trying to stay on that cadence was a challenge. But a lot of the ERPs are moving that way and, part of those updates, there's new security ways or new features and functions and you have to enable that with security. So, are you thinking about those updates that you're taking? Are you thinking about what are the new ways of doing things and are you reincorporating that back into the rule set? And that should be part of ...

Everyone knows you have to do regression testing to make sure that the system is going to work and the business isn't going to yell at you day one, but what people don't know or aren't maybe thinking about is how are you assessing those new security objects and putting them in your rule sets so that you don't find that I've just had 300 new objects this year, I wonder what those do. But you're not assessing them, right?

Joseph Carson:

Yeah. And the object you may have been using in the past might be gone, it might be redefined into something else. And I've seen also a lot of times where you may have applied a configuration that you had been using and, for some reason... didn't hold and, all of a sudden, you're back to the defaults and those defaults are not always the ideal that you want to be in.

Chris Katz:

Yeah, precisely. You have to be really careful with it. And it's just making sure you're looking and taking the time to think through it. And it's easy, because everyone has many things on their plate, you could be multitasking and forget about that, but making sure that you set the foundation, what those governance processes are, and the rule set review as part of taking updates is one of those, doing user access review is another and maybe doing segregation of duty review every ... As often as you can really. But I have some clients that will do it once a quarter, I have others that will do it once a year because they have to do it for external audit. But I'll tell you the best ones, they're running it almost every day and, basically, they'll set it up and they use a tool that Delinea just purchased called FastPath and they'll say, "Look, tell me any new risks that I have in my organization that don't have mitigating controls and only send me the new ones. Don't send me the ones that have mitigating controls because I don't want to know about it."

And it's another way of just getting informed, basically, as soon as you can so you know within a day of something happening and you can do something with that. So, how often are you looking, can you use those things that aren't ... It doesn't have to be another 10-minute task or 20-minute or two-hour task that you're doing every day but can you set something up so you can be alerted so that you know to do something about it and, that way, you can tackle it up front rather than trying to look back and see everything that John Doe did with his unlimited access.

Joseph Carson:

Yeah, absolutely, absolutely... is having that governance side of things, that I want to see ... One is I've created a baseline, show me where that baseline is no longer being met, so that differential. And also show me the audit history so I know, basically, I'm going to be able to go back and check and see, if we did it this way 10 times in the last time, why was it different and then be able to see the differences between the process and the flow.

Chris Katz:

Yeah, and there's more and more information. SAP has always had some really good information. You can look at some of the stat data tables and see what users were doing. Other applications, Microsoft Dynamics, D365 especially for Finance and Operations, that's historically challenging. There aren't great audit logs for, there are for journal entries, but they're not there for some of the master data changes, and Microsoft's now starting to release, and I know you'll ask a question, we'll share some information, blog posts, things like that, but they're starting to release some of that in the form of what's called telemetry data. So, how are you tracking that and storing it so that you have it when you need it, other than using some of the database logging features that have some known system performance drawbacks if you're not careful about what you're tracking?

So, part of it's just staying educated and knowing what you should be looking for and trying to set some of those things up in advance rather than trying to go dig for something that might or might not exist at the end of the year and you spend your entire winter break looking through compliance logs rather than spending time with, I don't know, your family or doing the hobbies that you love.

Joseph Carson:

Absolutely. And how important is training as part of all of this? Because a lot of times that's sometimes one thing that people forget is here's the solution, here's a process, here's a control, go get started. How important is training as part of this entire journey?

Chris Katz:

Well, it's pretty difficult to execute a process if you don't know what you're supposed to do so it's very important. I think the part that people overlook with training is just how much is available out there. Obviously, you need to train on your particular process and there's going to be certain ways that it works for your business that could be different than others but there are so many great tools. If you're using a tool for, let's say, user access reviews, honestly, there's generally provided from the vendor some great training things and start there. Also, use your user acceptance testing if you can. I'm assuming you're going to go through some element of that, use that as a training. Record it, create those desktop procedures so that people have references. People are busy, that's not their entire day, it's not thought about or they're not thinking about compliance.

So, it's critical but it's not just the initial training, it's also making sure that they have the right things at their disposal, maybe it's a desktop procedure as a quick reminder of how to do something because what you might find is someone doesn't know how to do something and, rather than asking, which always ask, it's better to ask and then you can figure it out together rather than not asking, you're doing it on your own.

Joseph Carson:

Absolutely.

Chris Katz:

But if you don't have the right training, you might find that people are just rubber-stamping things. Yup, cool, this looks great, I'm going to rubber stamp it and we're going to send it on its merry way and then you find compliance issues in that regard because someone either didn't take the training or they did take the training and they forgot because they were taking the training on one screen but then they were checking...

Joseph Carson:

Not paying attention, yeah. The focus is ... Yeah. So, what are some of the things ... How do you stay up to date and what's some of the resources and tools and training places you go to? Is there blogs that you can recommend that people-

Chris Katz:

Yeah, there are so many different things. I'm going to start generic and I'll get specific with my focus area and Dynamics. But I think that the most overlooked thing is some of the communities that exist out there, there's communities for almost any ERP that you can dream of. And especially the big ones, they have really robust communities, they're constantly sharing knowledge on challenges that people have faced or, from a security perspective, what they've done or a tool that they use that was really neat. It's fantastic how much people are willing to share and they love sharing. And so, I think looking for those communities for your ERP or for your profession are fantastic resources.

There's also blogs, ERP specific or not. I know Microsoft has actually quite a few and Microsoft themselves will host those. As well as you're going to find, almost in any ERP, there's going to be a couple people that know, copy-wise too, honestly, that know a lot. They're a true subject matter expert and they're going to be writing blogs because they're fascinated by what the products can do or different nuanced ways of doing that. And that person or those two people or three people will often have a blog that they write on their own that they host. You'll find those, if you look through the community forum, you're going to start to notice, man, I'm seeing Alex Meyer's name all the time on these blogs, I bet he knows something about Dynamics security because he's answered 17,000 questions.

And he's a fantastic resource, a Microsoft MVP that writes a lot of blogs for Dynamics and I've learned a ton. I still constantly learn from his blogs and I'm sure we can drop some of these links in the show notes but-

Joseph Carson:

We will do, absolutely.

Chris Katz:

... there's fantastic resources out there and people that are sharing it. And then even just talking internally. A lot of the times, I think there's a lot more knowledge that's inherent to an organization than people realize and they just don't ask the question because they're nervous or because they don't want to be seen as just not knowing everything. But a lot of the times you can ask the question internally and someone probably sitting right next to you has an answer or... away from an answer and you don't have to go send a...

Joseph Carson:

Absolutely. It's one of my always big-time pieces of advice for people: never be afraid to ask for advice.

Chris Katz:

Absolutely.

Joseph Carson:

Or ask for help, ask for help as well. Because we always try to surround ourselves with really smart, intelligent people and sometimes it's just being strong enough, you'll always find that majority of people are always willing to help. What's some of the conferences you recommend? Is it one place or where would people see you at if there was a conference around this?

Chris Katz:

Yeah, so there's two major conferences that happen for Dynamics every year, at least in the United States. The next one's going to be Microsoft Dynamics Community Summit, that's coming up here in October in San Antonio. Going there, I have a few folks on my team that are presenting on various different security topics, how to get started, 10 common mistakes kind of things. So, excited to see them and watch them here in Summit in October. And then there's a Dynamics Community Roadshow, it goes to different offices, sorry, different cities so excited to see that as well. There's also DynamicsCon, it's making a rise, really, not necessarily making a rise, it's been around for quite some time but they're starting to do more in-person activities. And I know they were live for a little bit during the pandemic and, even after a couple of years after, they were doing webinar-based events but they're back in person too.

So, there's some amazing conferences coming up that there's just so much to learn and people to meet and you have to know ... It's easier to know and you can see who you should be asking questions to or, oftentimes, you didn't know you had a question but someone else asks it and then you think about it and like, "Wow, I really wanted to know that, that's fascinating."

Joseph Carson:

Yeah. I'm a big, big fan of the communities because I was in a place bringing people together and so many people end up having the same questions, to your point, is that sometimes you might not think about it in the same context but it's something that's always important. Chris, it's been awesome having you on. I think, for the audience, we're really going to get really valuable knowledge here about some of the things that they should be thinking about, some of the things that may have not been, the questions that you've answered today will be great value for them. So, Chris, it's been awesome having you on the podcast and really looking forward to talking with you more in the future.

And for the audience, if you want to catch up with Chris, definitely keep an eye out at some of the communities and we'll make sure that all of the blogs and additional information are in the show notes for the episode. So, Chris, it's been awesome having you on as... great discussion.

Chris Katz:

Likewise, my pleasure.

Joseph Carson:

And for the audience, also, what's some of the best ways for the audience if they want to reach out and connect with you and ask questions?

Chris Katz:

Yeah, we can drop my email in the show notes below. You can find me on LinkedIn, that's a great way to find me and get a hold of me and see what's happening, where I'll be. I try to share some great blogs as well there from security and Microsoft D365. So, I think those are usually the best two places to find me.

Joseph Carson:

Awesome, fantastic. So, everyone, it's been awesome having Chris on. For everyone out there, make sure you tune in every two weeks for the 401 Access Denied Podcast. I'm the host of the show, Joe Carson. Stay safe, take care and see you on another episode soon. Thank you.