Identity Management Day: What Sharks and Your Identity Program Have in Common

Legend has it that in 1988 the idea for Shark Week was hatched over a round of drinks and documented on the back of a napkin as an awesome (and fun) way to capture more viewers. Seems like it worked: Discovery Channel viewers doubled after the very first Shark Week.

Fast forward to 2021, and what started as a joking comment on an IDSA “Beyond Best Practices” Technical Working Group call turned into this (most unlikely) blog article: relating your identity program to… a shark?

It turns out sharks and identity programs have more than a few things in common. A shark’s lifespan is much longer than previously believed, there is a real name for the intense fear of sharks (galeophobia), and each whale shark’s spot pattern is as unique as a fingerprint. Some of these fun facts and comparisons might inspire some new thinking about your own identity program!

Never stop moving – Most sharks must continuously move in order to stay alive; similarly, successful businesses never stop moving. Businesses grow, expand and adapt to economic or even societal conditions created by a pandemic, and successful identity programs evolve alongside and in support of their businesses. Moreover, the state of the art in identity technology and security is continuously evolving, in part due to evolutionary pressures from malevolent actors. Not keeping up will leave you vulnerable (“make you prey”), so we say be like the sharks and keep moving continuously.

A dominant part of the food web – Sharks are apex predators; remove them and the food webs they participate in would collapse. Similarly, identity-centric security provides a lens into security that spans perimeter security, endpoint security, application security, etc. An identity compromise will lead to the bypass of other forms of security: an adversary using a legitimate credential can go undetected in an organization while searching for more targets. Adversaries are continually attacking and evolving their attacks, and we’ve recently seen malware that was ‘identity aware’, stealing valid credentials out of memory to move laterally in the network. Identity security is a key part of the mesh of security solutions that protect every organization.

Lots of variety, be successful in your own niche – There are thousands of shark species, each adapted to its own environmental niche. Through their eons of evolution, different shark species have found specific niches in which to survive and thrive. Sharks have evolved to live everywhere from the brackish waters of the Mississippi River to the nearly frozen deep water of the North Atlantic. In the identity world, we host a wide variety of diversified identities – personal, bots, non-humans, applications, secondary accounts, and third-party identities. Just like the sharks, each identity program must evolve to cover its own niche. Identify all identity types in your organization and consider how to best protect them. Make sure to recognize that your industry sector may need a different approach: for example, banks need to consider partner and consumer identities; healthcare needs to consider data privacy regulations for employee and patient identities, etc. To address your niche, be fast like a Mako shark, long-lived like a Greenland shark (272+ years!), and pervasive like the Great White (Cape Cod to South Africa)… and realize there’s more than you think. The world-wide population of sharks is more than 1 billion, across more than 500 species. Likewise, you likely have more identities (and more types of identities) than you think.

Spot the risk before it’s too late – Hammerhead sharks have 360-degree vision and are able to sense electrical fields, even in murky waters. Organizations should adopt identity-centric security strategies to quickly uncover compromised accounts in the murky waters of authentication events and access requests. A few specific identity-centric security outcomes can help provide the visibility needed, including kicking off attestation based on high-risk events and ensuring that access rights (for users and privileged users) are continuously discovered.

“You’re going to need a bigger boat” – As Chief Brody famously and dreadfully suggested in the 1985 film JAWS, this beast is just too big for the vessel. In a recent survey by the Identity Defined Security Alliance, Identity and Access Management: The Stakeholder Perspective, 78% of respondents report there is more than one department involved in defining system access, and two in five characterize ownership of system access as “messy and all over the place”. There are lots of stakeholders involved in making an identity program a success, and putting in place a “bigger” identity governance committee (as described in a Best Practice) is the nexus of necessary collaboration. You need the biggest boat you can get, which means involving stakeholders you may not have considered before.

If you don’t pay attention, it will bite you – Another quintessential quote by Matt Hooper, oceanographer, from our favorite shark film of all time, JAWS – “I’m familiar with the fact that you are going to ignore this particular problem until it swims up and bites you in the [butt]!” In the research, 50% reported it usually takes three days or longer to revoke access for a worker that leaves an organization. This delay in revoking access for workers who have left the organization (voluntarily or involuntarily) or have transitioned roles introduces the risk of inappropriate access and data theft that may only be discovered long after the damage (aka the bite) is done.

While the brainstorming session of our IDSA “Beyond Best Practices” Technical Working Group made for an entertaining meeting, hopefully you find that the comparisons ring true. While sharks play a major role in our oceanic ecosystem, identity plays a much bigger and more critical role in our organizations than most realize. Join us on April 13th – Identity Management Day – and sink your teeth into identity (pun intended).

About the Author: The Beyond Best Practices Technical Working Group subcommittee was formed in July 2020. The team, led by Paul Lanzi, includes Aubrey Turner, Stephen Bahia, Christopher Hills, Morey Haber, Jesper Johansen, Jerry Chapman and Dan Dagnall.


