Of these risky methods, 37% of information security professionals used manual enforcement of privileged user access and passwords, 12% used home-grown solutions, and 10% used sudo to control access to enterprise servers. Echelon One conducted a survey of 327 information security professionals from a range of industries on behalf of FoxT.
All of these methods expose the organization to insider fraud, corporate espionage, and nation-state-sponsored attacks, warned FoxT.
There are three drivers of enterprise server access control issues: regulatory compliance pressures, increasing security threats, and increasing IT infrastructure complexity, explained Subhash Tantry, chief executive officer of FoxT.
“Sharing of privileged passwords creates vulnerabilities; it opens organizations up to access creep. Once passwords are shared among users, they begin taking administrative shortcuts, and enterprises are unable to track actions to users”, Tantry told Infosecurity.
“Manual enforcement of privileged user access represents the number one risk for compliance failure”, Tantry stressed.
Bob West, chief executive office of Echelon One, told Infosecurity that the risk of access “creep”, which is the accumulation of access rights beyond what is needed for employees to do their job. “When someone joins a company, they will be in a particular area of an organization for a given period of time and then they will move. As an example, at a bank you might hire a teller and the teller becomes a supervisor or branch manager or goes to a different part of the bank. If you don’t adjust what rights that person has when he or she is accessing different systems, it is very easy to accumulate rights”, West explained.
The “potential for insider fraud is widespread and huge”, added Tantry.