It is pretty obvious that to audit the use of IT resources and applications you need to know who is doing what. This is especially true when it comes to system administrators (sys-admins) who are operating with increased levels of privilege.
Certain regulations and standards make strong statements on the subject. One of the controls in the IT service management standard (ITSM) ISO270001 states that “the allocation and use of privileges shall be restricted and controlled”. The Payment Card Industries Data Security Standard (PCI-DSS) recommends “auditing all privileged user activity”.
Neither of these requirements can be met if it is not possible to identify an individual privileged user and link them to the actions they have carried out. This means that either a privileged user must always act under an assigned personal identity or must be individually assigned privileged access rights for a given set of resources for a limited period of time, using tools that will provide a clear audit trail.
Many organisations cannot achieve this due to poor privileged user management practices, especially around the use of group access accounts. Recent Quocirca research shows that more than 50% of organisations do not stop the use of such accounts meaning that when a particular action is carried out under privilege it could be any one of a range of users who know the group access details that were active at the time.
Things get worse. The passwords for such accounts are rarely changed as informing all the potential users is too arduous and the passwords used are often chosen to be easy to remember and so are also easier to guess and hack. Furthermore, ex-employees and/or contractors will retain the details of these shared privileged user access accounts, which they could still use if they were motivated to do so.
A new Quocirca’s research report entitled “Conquering the sys-admin challenge” (Nov 2011) looks at current practices around sys-admin, privileged user management and auditing and is freely available here.