IT managers everywhere feel overwhelmed with the rising tide of security threats they have to deal with in the face of an increasing regulatory burden. It is not surprising then that they tend to overlook one particular area of IT security, which is the privileged access that they grant themselves and/or their colleagues in order to do their jobs.
The level of access to sensitive data given to privileged users is often the highest any employees have had in the history of business. It is the equivalent of having the locksmith solely hold the keys to the safe, and then requiring them to come and maintain it at any time they wish, alone and unassisted. Whilst such access is necessary, it is most commonly managed on an ad hoc basis or not managed at all and, despite claims to pay heed to regulations, requirements with regard to privileged users are often overlooked.
This report should be of interest to anyone concerned with ensuring that the availability of their IT systems is not impacted by the inadvertent or malicious actions of privileged users, that the use of privileged user accounts is policed and that such accounts cannot be easily compromised by outsiders. It should also be of interest to those with responsibility for ensuring that their organisations' use of IT would satisfy the demands of regulators and, indeed, anyone concerned about the safe keeping of their personal data that businesses are storing ever more of.
- Certain employees need to be granted privileged access to various resources in order to do their job; this is especially true for the management of information technology (IT). IT managers need privileged access to operating systems, databases, business applications, networks and IT security systems. Such high level access means that any mistakes they make can have serious consequences, and if they abuse their rights for personal purposes the results of their actions can be very serious indeed.
- Controlling and monitoring their own activities is not high on the agenda of most IT managers. IT managers feel they have plenty of other issues to worry about with the dangers of malware, the activities of "normal" users and the demands placed by an increasing tide of regulations on the IT infrastructure they oversee.
- The ISO27001 standard for IT management, which is adopted by about 40% of the respondents to this survey, explicitly states that "the allocation and use of privileges shall be restricted and controlled". Despite widespread claims to have adopted the standard, many businesses admit to bad practices with regard to privileged user management (PUM) that are in direct contravention to it.
- Bad practices include the sharing of privileged user accounts, the use of default usernames and passwords and the granting of far broader privileges than necessary for a given privileged user to do their job. 41% of respondents admitted that their organisations shared administrator accounts between users for operating system access; this rose to over 50% for network administrators.
- There are plenty of examples of privileged users abusing their access rights or hackers targeting these accounts as their main entry point, underlining the need to put controls in place. These range from straightforward theft of sellable data, such as credit card details, to the perpetration of complex frauds or the theft of intellectual property. In other cases it is down to pure spite by a disgruntled employee.
- The technology exists to mitigate the threat posed by privileged users but adoption levels are low. Just over 25% of European businesses have deployed technology for PUM although many more say they have plans, albeit delayed ones. Such technology allows privileged user access to be managed and monitored and bad practices to be brought under control, enabling the "least privilege principle" where only the access rights needed to carry out a given set of tasks are granted.
- There are two reasons for prevarication around the deployment of such technology. Lack of budget is the biggest constraint on the deployment of better IT security although there is little evidence of budgets being cut. However, the main reason for holding back is a lack of awareness amongst IT managers of the dangers of not monitoring and controlling their own activity, even when it is in their own interest. There is likely to be a similar lack of awareness amongst business and risk managers.
It is in the interest of individual IT managers, the IT department as a whole and the overall business to have measures in place to control and monitor privileged users. Manual processes are ineffective and do not provide an audit trail that would satisfy regulators. The one way to ensure this is to put in place tools that fully automate the management of privileged user accounts and the assignment of privileged user access, and that enable the full monitoring of privileged user activity.