An endangered bird and a rather thuggish colonial pest might seem a strange pair to discuss in relation to cyber security and identity governance. But they offer a simple metaphor for how we manage and police IT ecosystems in our organizations and, more importantly, how we take control of who and what we allow to thrive within them, whether by accident or design.
The story of the red kite is one of design. After the species was brought to the brink of extinction by habitat reduction and egg stealing, a carefully managed plan was implemented over decades to preserve it and build the native population back to healthy numbers. By contrast, the story of the grey squirrel is one of accident – their introduction to the UK via ships from America brought an unknown threat into the environment of the native red squirrel, decimating their numbers, which are still proving difficult to rebuild today.
Both species in their own way have had a ground zero moment - the brink of extinction for the red kites, and the introduction to a foreign and unknown ecosystem for the grey squirrel. Each of them found themselves at a moment in time where they needed to adapt, provision for themselves and secure access to what they needed to prevail. Sink or swim. The same goes for any organization today, facing a continual onslaught of cyberattacks. So, here are three ways to tell if your organization is currently a red kite, or a grey squirrel.
Population control – otherwise known as identity management
For both the red kites and grey squirrels, the crux of the issue is maintaining a healthy size of population. Grey squirrels quickly got out of hand in the UK, spreading throughout the country and using large amounts of vital resources (such as forest habitat and foods), which meant that the environment could no longer sustain both reds and greys. The same goes for digital identities within an organization.
We are all familiar with the concept of permissions creep – where one employee gains more and more access over time as they move through the organization, changing departments or changing role. If an organization is not monitoring carefully for permissions creep, risk develops: old permissions that are no longer visible to IT can be exploited, opening the door to hackers or misuse. To keep your overall population of access under control, and identify any ‘creep’ before it becomes a security risk, teams need to deploy a solution which can manage access based on identity. This means promoting a strong culture of regular access evaluation and a rule of ‘the least access to get the job done’.
Looking after the natural habitat
Creating an environment which enables identities throughout your organization to be managed effectively is also a question of providing and protecting a suitable habitat. When rebuilding the red kite population, conservationists focused on ensuring a good food supply, by setting out pieces of meat. Over the past thirty years, the birds have gone from the endangered list, to having over 600 mating pairs in the UK each year. The red kite now flourishes across most of the UK.
This is a masterclass for cybersecurity professionals in how highly targeted provisioning and access for a particular set of individuals can work to remarkable effect. Likewise, if you make it easy for the most informed employees to audit and approve higher-risk permission requests, while automating lower-risk ones, you can target human efforts towards those tasks which most need their skills and consideration.
Taking a look at the grey squirrel again, after their accidental introduction to the UK they caused significant environmental damage thanks to their habit of stripping the bark off trees to get to the softer insides. When you are an organization managing thousands of people across complex and interrelated OS and MS systems that combine a sprawling remote working culture and AI, data definition language and machine learning technologies, the exposed surface on which the wrong kind of ‘type’ can multiply and thrive is plain to see. So, while accepting that the technologies needed by business users to be productive will constantly change, how can security professionals plan to manage a sprawling IT infrastructure?
Predict migrations and plan accordingly
For many organizations, this year Covid-19 has prompted an unexpected and sudden migration to cloud and remote technologies. But the pandemic has accelerated everything, both good and bad – leading to elevated risk for organizations trying to maintain business continuity amongst changing regulations and restrictions. While 80 percent of employees were up and working remotely in a matter of days and weeks, a wave of phishing scams and attacks trying to take advantage wasn’t far behind. Cybersecurity and identity governance have gone from being a practical challenge inside the IT function to being a cornerstone of business strategy across the whole organization.
Some situations are hard, if not impossible, to predict. But even the ones we could not stop can offer a masterclass in how one might change the way we respond in similar situations. If your organization is already actively managing its IT environment and governing digital identities, then you are already closer than you think to planning proactively for migration – whether it’s away from or back to the office.
So, which type of organization are you?
If you closely manage identities, create a cyber-strong IT environment, and plan for evolution and change – your organization is more like the red kite. But beware of those ‘easy’ decisions which may make your fate like that of the red squirrel.
Teams tasked with leading the cybersecurity strategy in their organization could learn a simple lesson from the grey squirrel and the red kite. The grey squirrel represents an error in strategy - creating the opportunity for an ill-informed decision that one cannot reverse once it’s made; one can merely manage and mitigate. The red kite demonstrates that a well-informed strategic decision which provisions, enables and optimizes the right individuals to thrive and flourish can succeed to staggering effect and impact.
So, time to repeat the question: which kind of organization are you – red kite or grey squirrel?
Ben Bulpett, EMEA Director, SailPoint