
Privileged user management - It’s time to take control

IT managers everywhere feel overwhelmed with the rising tide of security threats they have to deal with in the face of an increasing regulatory burden. It is not surprising then that they tend to overlook one particular area of IT security, which is the privileged access that they grant to themselves and/or their colleagues in order to do their jobs.
Author/s: Bob Tarzey, Clive Longbottom
Created: 31/10/2009
Filename: Quo - Priviledged user management - 2009.pdf
Report Commissioned by:
Tags: systems management, security

  • Certain employees need to be granted privileged access to various resources in order to do their job; this is especially true for the management of information technology (IT)

IT managers need privileged access to operating systems, databases, business applications, networks and IT security systems. Such high-level access means that any mistakes they make can have serious consequences, and if they abuse their rights for personal purposes the results of their actions can be very serious indeed.

  • Controlling and monitoring their own activities is not high on the agenda of most IT managers

IT managers feel they have plenty of other issues to worry about with the dangers of malware, the activities of “normal” users and the demands placed by an increasing tide of regulations on the IT infrastructure they oversee.

  • The ISO27001 standard for IT management, which is adopted by about 40% of the respondents to this survey, explicitly states that “the allocation and use of privileges shall be restricted and controlled”

Despite widespread claims to have adopted the standard, many businesses admit to bad practices with regard to privileged user management (PUM) that are in direct contravention of it.

  • Bad practices include the sharing of privileged user accounts, the use of default usernames and passwords and the granting of far broader privileges than necessary for a given privileged user to do their job

41% of respondents admitted that their organisations shared administrator accounts between users for operating system access; this rose to over 50% for network administrators.

  • There are plenty of examples of privileged users abusing their access rights or hackers targeting these accounts as their main entry point, underlining the need to put controls in place

These range from straightforward theft of sellable data, such as credit card details, to the perpetration of complex frauds or the theft of intellectual property. In other cases it is down to pure spite by a disgruntled employee.

  • The technology exists to mitigate the threat posed by privileged users but adoption levels are low

Just over 25% of European businesses have deployed technology for PUM, although many more say they have plans, albeit delayed ones. Such technology allows privileged user access to be managed and monitored and bad practices to be brought under control, enabling the “least privilege principle” where only the access rights needed to carry out a given set of tasks are granted.

  • There are two reasons for prevarication around the deployment of such technology

Lack of budget is the biggest constraint on the deployment of better IT security, although there is little evidence of budgets being cut. However, the main reason for holding back is a lack of awareness amongst IT managers of the dangers of not monitoring and controlling their own activity, even when it is in their own interest. There is likely to be a similar lack of awareness amongst business and risk managers.