9 Sept, 2023
Greenpeace Australia Pacific takes peaceful action to confront decision-makers and hold them accountable to people and the planet. They work with a diversity of communities throughout the Australia Pacific region to promote peace, to develop effective solutions to environmental problems and to inspire others to create positive change in their own lives.
The global organisation has been operating for over 50 years. The major focus over that time has been protecting the environment and community from threats like climate change. Research and conservation efforts have concentrated on clean energy and protection of natural resources, with initiatives to reduce our reliance on practices like fossil fuel extraction, use of plastics, overfishing and deforestation.
Being such a high profile organisation, Greenpeace understands the importance of security in the current technological landscape. On top of the impressive work they are doing across our communities, they also prioritise the protection of their digital environment and customer data.
After a recent internal review of their security practices, Greenpeace collaborated with Midnyte City to audit their current progress towards the Centre for Internet Security (CIS) critical security control framework and assist them in working to further enhance their security capabilities. We worked closely with a number of Greenpeace internal teams across engineering, operations, data and governance to mitigate security risk and improve security posture across the organisation.
As the Midnyte City team has expertise across governance, data, operations and engineering, we were able to approach the task holistically and uncover opportunities for cybersecurity uplift across most of the organisation.
The team began the engagement with thorough information gathering, which allowed us to identify and prioritise the highest risks inside the organisation and delegate tasks appropriately within the team. We were then able to deliver on tasks from governance, data and engineering perspectives.
A few of the most important items addressed from a governance perspective were:
An audit of the current incident response process to ensure that key personnel and contacts were assigned to appropriate roles in case of an incident
Information on existing digital and software artefacts gathered and inventories with updated details on asset ownership generated
Investigating options for security awareness training for staff members
From a data perspective, Midnyte City helped clarify GPAP’s understanding of the scope of their data. It was crucial to highlight the importance of aligning the organisation’s existing Data and Information Management Policy with the current enterprise data footprint stored in the CRM and other systems. To this end, we initiated the creation of a data inventory to capture the specifics of a data field's ownership, sensitivity classification, retention periods, disposal times and user access controls. We also recommended the nomination of additional key roles to assist with the data inventory backfill process.
As part of the engagement, we identified the cloud infrastructure as one of the highest risk factors. The first step was to stabilise the team’s current deployment process and provide insight into an orchestration pattern which involves deploying from containers to bring consistency and portability to deployment and abstract dependencies away from local development environments.
We then provided some “security-hardened” networking examples as Terraform infrastructure-as-code for website infrastructure entailing Google resources such as Compute Engine Virtual Machines (VM), Virtual Private Cloud (VPC) and some additional cloud resources, namely Cloud SQL, Cloud Run and App Engine.
Through pair programming, the Midnyte City team provided mentoring for the internal crew with a more stable and consistent approach to deployment of infrastructure via the 3 Musketeers pattern, as well as an approach for repeatable and auditable configuration via Terraform infrastructure-as-code.
The team was also provided with some sample infrastructure-as-code to allow them to create secure architectures in the future.
The collaboration significantly accelerated Greenpeace Australia Pacific’s Cyber resilience initiative and expedited compliance with the Centre for Internet Security (CIS) critical security control framework. By working together, the Midnyte and GPAP were able to rapidly share organisational context, leverage specific security, data, governance and Cloud infrastructure skills and swiftly bring the organisation within the Board’s risk appetite for Cyber resilience.
The key benefits from the engagement included:
The documentation of additional processes that were required to comply with CIS controls
Audit of existing documentation and recommendations to comply with CIS controls
Improved awareness of cybersecurity with the leadership team
Reduced management overhead through conversion of self-managed infrastructure to managed infrastructure on the cloud
Reduced provisioning and recovery time through automation
"Greenpeace engaged Midnyte City’s expertise in cloud engineering, change management and project management for a Cyber resilience exercise. The engagement significantly improved our organisation's security posture and inspired us to maintain and expand upon the groundwork laid. We are immensely grateful to Midnyte City for the dedicated efforts providing these critical services."
Chris Bloomfield
IT Manager, Greenpeace Australia Pacific
If you would like to speak to someone about similar challenges in your team or organisation, reach out below to schedule a time.