A full 61% of respondents reported that privileged users access sensitive or confidential data out of curiosity rather than for their job function, according to a survey of more than 5,500 IT operations and security managers in 13 countries.
“The dangerous privileged user, the person who has these access rights, can do a lot of damage to a company”, said Larry Ponemon, chairman and founder of the Ponemon Institute. “In order to solve this problem at an organizational level, we need to be able to see these things happening”, he told Infosecurity.
Forty-two percent of respondents said the risk to organizations caused by the insecurity of privileged access users would increase over the next 12 to 24 months. Cloud-based applications, virtualization, and regulations or industry mandates are the primary reasons for this belief.
“Right now the problem [of privileged user access rights] is getting really bad because with collaboration and social tools, and the acceleration of deploying applications in enterprises, privileged access to these systems is growing rapidly. That introduces threats”, Tom Reilly, general manager of HP Enterprise Security, told Infosecurity.
Many respondents claimed to have well-defined policies for individuals with privileged access rights to specific IT systems. However, almost 40% were unsure about enterprise-wide visibility into specific rights, or whether those with privileged access rights met compliance policies.
According to the survey, 27% of respondents said their organizations use technology-based identity and access controls to detect the sharing of system administration access rights or root-level access rights by privileged users.
“That means that 73% are not using technology-based controls; they are relying on something else. Is it a manual procedure? A quarterly audit of privileges? What are they doing to ensure that privileged users are not doing things beyond their job responsibilities? You need technology to manage this risk”, Ponemon stressed.
While 41% of respondents said the best way to describe the assigning of privileged user access to IT resources is ad hoc, 39% said assignment is determined by well-defined policies that are centrally controlled by corporate IT, and another 13% said it is determined by well-defined policies that are controlled by business or application owners.
When asked to indicate the relative importance of technologies with respect to controlling privileged user access to IT resources, the respondents selected user provisioning systems, security information and event management systems, and authentication and identity management.
“Organizations do not have a handle on managing access rights for privileged users. In fact, these results say that they are significantly falling short, and this is impacting their ability to pass compliance”, Reilly said.