RSA Europe: CA-sponsored research reveals bad practice on privileged user accounts

The process of managing privileged user accounts - known as privileged identity management in high-end enterprise IT circles - is one that requires careful management, said Bob Tarzey, service director of Quocirca, the research company commissioned by IT security vendor CA to carry out the research.

In the report, entitled 'Privileged User Management: It's Time to Take Control', Tarzey and his team found that around half of the senior IT managers surveyed in Europe share accounts and passwords for access to networks, operating systems, applications, databases and security systems.

Despite nearly 60% of the organisations saying they have implemented or plan to implement the ISO 27001 standard for secure management of IT systems, about 41% still have poor management of their privileged user accounts.

"This shows that IT managers and allied professionals are simply not paying enough attention to controlling access to these types of accounts, which often have super-user privileges and give a user access to just about any aspect of a company's IT resource", said Tarzey.

Speaking at a Computer Associates-sponsored press conference at the RSA Europe conference in London, Tarzey went on to say that, from the interviews with 270 IT professionals across Europe held in June, he and his team concluded that respondents did not seem to be fully aware of - or often overlooked - the risks associated with bad privileged user management.

"They also ranked the threat lower than other security concerns such as malware, the internet, internal users, and Web 2.0 tools," he said, adding that, despite the availability of sophisticated systems, only 26% have actually deployed a full privileged user management system.

Just 24% of organisations, meanwhile, have some form of manual control in place for overseeing the actions of and controlling the access of privileged users.

"On top of this, it's clear that a reliance on manual processes for monitoring and controlling privileged users is time-consuming, excessively expensive, unreliable, and prone to errors," he explained.

"The research reveals clearly that while it is in the interest of individual IT managers, the IT department, and the business itself to adopt measures to control and monitor privileged users, it is not a priority," he added.

"Manual processes are ineffective and do not provide an audit trail that would satisfy regulators."

"The one sure means of achieving watertight privileged user management is through the automated management of privileged user accounts, the assignment of privileged user access, and 360-degree monitoring of their activities."
