Monthly Archives: October 2019

The insecurity of privileged users — curiosity is dangerous

Larry Ponemon

The ability to control access to critical information resources and prevent a data breach remains an elusive goal for many organizations. In The 2019 Study on Privileged Access Security sponsored by Sila Solutions Group, Ponemon Institute presents four years of research findings on how individuals with the most access to high value information assets can be a serious insider risk.

For purposes of this research, privileged users are assigned privileged access based on their roles and responsibilities. Such access can be defined as broad or elevated access rights to IT networks, enterprise systems, applications and/or information assets. However, according to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and, although it is not necessary for their work, will look at an organization’s most confidential information out of curiosity.

The 659 respondents we surveyed self-reported that they have privileged access to IT resources. Seventy-seven percent of these respondents have access to at least three IT resources, and the highest reported category is access to more than six IT resources.

The expectation that the risk of privileged user abuse will increase has risen significantly since 2011. The survey found 56 percent of respondents say they expect privileged user abuse to increase in the next 12 to 24 months, a significant increase from 44 percent of respondents in the 2011 research. Further, more than half of respondents (53 percent) say their organization experienced a data breach or other access-related security incident within the past three years.

The following are reasons new solutions and governance processes are needed to decrease the risk of privileged user abuse.

  • Even if an employee or contractor has appropriate access to high-value information assets, they put their organizations at risk by accessing sensitive or confidential data without a business need and sometimes share their access credentials with others in the organization.
  • The number of organizations that can’t monitor privileged user activities has increased since last year and a problem with access governance processes is that they don’t have a unified view of privileged user access across the enterprise.
  • According to respondents, a lack of resources, in-house expertise and in-house technologies are challenges to improving the efficiency and security of their access governance processes. Specifically, organizations cannot keep pace with the number of access change requests or reduce the burdensome process business users face when requesting access. Respondents also cite the lack of a consistent approval process for access and a way to handle exceptions as significant problems.
  • The increasing number of regulations is also contributing to the difficulty in managing access governance. It is also affected by the adoption of virtualization technologies or DevOps tooling.
  • Too much reliance on manual processes for granting privileged user access and reviewing and certifying privileged user access hinders the ability to meet growing requests for access changes.
  • To identify insider threats, organizations continue to rely upon monitoring and reviewing log files and using non-PAM security technologies. Fewer organizations are deploying PAM tooling capabilities like session monitoring, performing endpoint monitoring and using big data analytics.

“The results of The 2019 Study on Privileged Access Security shed light on the fact that privileged access is more prevalent than people may realize. It touches every part of an organization and has far-reaching implications for an organization’s business objectives as well as its security,” said Tapan Shah, managing director at Sila. “Leaders need to step back and ask why individuals have the access they do, and how that aligns with the mission of their business – unnecessary privileged access puts data, employees, customers, and the overall business at risk.”

Part 2. Key Findings

Following is an analysis of the key findings. To understand trends in organizations’ abilities to manage privileged user access, whenever possible we compare the findings from 2011, 2014 and 2016 to this year’s research. The complete audited findings are presented in the Appendix of this report.

We have organized the findings according to the following topics:

  • Why privileged user abuse is increasing
  • The security risks created by not keeping up with the delivery and review of access rights
  • New approaches to managing access, including collaboration between IT and lines of business, are needed

Why privileged user abuse is increasing

According to 81 percent of respondents, privileged access rights are required to complete their current job assignments. However, 19 percent of respondents say they do not need privileged access to do their jobs but have it anyway. The two primary reasons are that everyone at his or her level has privileged access even if it is not required to perform a job assignment (46 percent of respondents) and that the organization failed to revoke these rights when they changed their role and no longer needed access privileges (30 percent of respondents). Since 2011, more respondents report that their organization assigned privileged access rights for no apparent reason – from 15 percent in 2011 to 20 percent now.

Even if access rights are appropriate, privileged user abuse is prevalent. Some 70 percent of respondents say it is very likely or likely that privileged users access sensitive or confidential data without a business need, for example out of curiosity. Sixty-two percent of respondents say privileged access rights go beyond the individual’s role and responsibility, which indicates the difficulty organizations have in keeping up with access change requests and reviews of access rights. Many respondents (41 percent) say privileged users are sharing their access credentials with others in the organization.

To continue reading this report, visit Sila’s website.


The Gretchen Rubin interview on tech and happiness

Bob Sullivan

Is tech hacking your happiness? And can you reverse that — can tech help make you happier?

This month we began the second season of the So, Bob podcast, hosted by me and Alia Tavakolian, and these are the questions Alia and I explore with Gretchen Rubin, author of The Happiness Project and numerous other best sellers.

Our interview with her was so powerful that we made it the first episode of this new So, Bob season, and our conversation takes up the entire podcast.

I love podcasting because there’s time to dig deep into issues — much deeper than I can in a blog post that you’ll scan for a minute or two. And the question of tech and happiness is a big topic.

We focused on the key concept of another Gretchen book, The Four Tendencies, her schema that people generally fall into one of four categories: upholder, questioner, rebel, or obliger. What are these groups? I think they are pretty self-evident, but you can take a quiz and learn more about them at Gretchen’s site.

I wanted Gretchen to talk with us about how gadgets, and particularly smartphones, impact our happiness. We moved into the different ways people from each category react to tech. Do obligers feel obliged to answer every email in a way rebels do not? (Yes). And so on.

I must say I was pretty stunned at the conclusion Gretchen came to. You are best off listening to the podcast and letting Gretchen explain in her own words. But if you want something to read/scan, here’s part of our conversation:

B: Into this schema you have… drop a smartphone… that dings at you a thousand times a day.

G: Yes.

B: How do each of these characters react to that? 

G: Okay. So I think I’m very typical as an upholder, which is like, it’s very easy for me to turn it off.

G: It’s very easy for me to ignore it. If I’m like, I need to focus, I can’t look at my phone. That feels like something that I can ignore because my inner expectation, uh, is that I need to, I need to read, I need to, you know, uh, go for a walk, I need to, you know, whatever it is, I, so it’s easy for me to ignore it. And I remember talking, but it’s also a question, and this is true for all the tendencies, is people have different values and they have different kinds of belief systems. And that comes into play. So I was talking to a, actually a guy, uh, military guy who was an upholder and he was saying, oh, well, one of the reasons why I find, this was like three or four years ago, one of the reasons I find Facebook so burdensome is I have to like everything that everybody posts.

G: And I was like, no, you don’t. And like he had decided that was the rule. And so he felt an extreme like, like that he needed to meet that expectation for himself, and I was just like, man, I don’t, I don’t feel that expectation. So part of it is that people have different ideas. Some people are like, you can’t leave dishes in the sink overnight. I’m like, you can totally leave dishes in the sink overnight. So I would meet the inner expectation if I had it but I just don’t have it, which is how you can get slacker upholders. It’s not that upholders are type A, they can be slackers, they can meet their sta… they can meet every expectation for themselves, but they just have very low expectations. So.

A: Wow, I didn’t think about that. Okay. 

G: So questioners, questioners probably have an, they have an easier time with something like this cause it’s all about efficiency.

Does this work for me? Like, and they tend to like to customize things and hack things. So I would anticipate that many questioners would find it pretty easy to find ways to do workarounds. However questioners also are very drawn to data and research and information. And it might be that, and they can get analysis paralysis, which is where they want more and more information. And so for some questioners, something like the Internet is more of a burden where like if I’m gonna buy a tent, I want to do more and more and more research. So it’s sort of like the endless, the endless supply of information is very burdensome to them. But if they were like, I need to shut off the phone from 6:00 to 9:00 PM so I can spend quality time with my family, that probably wouldn’t be that hard for a questioner because they understand why they’re doing it.

And they do love to customize typically. They like to make things right for them. And so something like, I’m gonna change my notifications. That would make a lot of sense to a questioner. It’s like, just because notifications work for you, I don’t know that they’re going to work for me. Obligers, this is hard because if they feel like everyone’s clamoring for their attention, they’re going to find it very painful to ignore that because it’s like someone texted me, I have to text back. Somebody emailed me, I need to read that email right away. Somebody calling me, I have to pick up. Someone’s expecting me to like their Instagram post. I need to like it. Like these things add up.

A: I don’t know what you’re talking about. 

G: Yeah, yeah, yeah. But so here’s something that obligers can do. There’s many ways to create outer accountability. One of the quick things that obligers can always do is to remember if you say yes to someone, you have to say no to someone else. And so you could say, look, people are, you know, I’m getting all these texts and emails from the office between six and nine, but my family and I, we have talked about how it’s important for us to have quality time and therefore to say yes to my family, I’m going to say no to the office or like, you know, um, and so because part of the time obligers feel like I have to say yes, but it’s like no, you have to say no too, who do you say no to?

And a lot of times when they formulate it that way, it’s easier for them to make choices. But when the thing about tech is it feels, it feels kind of like, oh, you could just do this in 10 seconds. Why wouldn’t you just do this right now? Why wouldn’t you just do this right now? And like 10 seconds becomes five hours. We’ve all experienced that.

A: It’s deceptive. 

G: Yeah. And then for… rebels can do whatever they want to do. So like they want to do it, they’ll do it. They don’t want to do it, they don’t want to do it. It’s like, what do you want? And so if a rebel wants to change, because often they get frustrated because they want to change something. But the minute they try to make a rule for themselves, they want to break it. So in, a rebel would not do well doing something like from six to nine, I’m not going to be on my, on my phone because that’s scheduling that makes them feel trapped.

So what works for rebels is identity. What kind of person am I? How do I want to be in the world? And they are also very, uh, put a very high value on freedom and choice. So it’s things like I’m not a slave to my phone. I’m not controlled by email. You can’t make me answer your Instagram. I’m free. I need time to reflect. I need time to exercise. I had, I need time to rewatch, you know, Parks and Recreation. And so, you know, it’s just like, if I’m going to be who I am, like I just have to like, you know, put my phone down and walk away from it. Because when they tie it into their identity, it’s much easier for them to do something. Rules don’t work for them, whereas a rule might work really well for an obliger or for a questioner or an upholder.

A: So illuminating.

B: You have just made, um, the last five years of my life make sense. 

G: Oh good! Like, tell me why, tell me why. 

B: You have. Because I write about all of this overwhelmedness and technology, right,

G: Yeah.

B: And I don’t know, I’m gonna make up a number 67, 70% of the time people are like, thank God someone’s finally talking about this. The world is so complicated. I’m so overwhelmed. 

G: Yeah. 

B: But one third of the time ish, people were like, what are you talking about? 

G: Interesting.

B: Um, so I think I’m talking just to one set of people. 

G: Yeah. 

B: I’m talking just to obligers…

A: Wow.

B: I’m not talking to everybody. 

G: Yeah. 

B: Nobody else really seems to have much of a problem with this, whereas this, this one set of people…

G: But see, it’s interesting that you say that because obligers, because obliger is such a big group, people often assume that it’s everyone because, and the way, one of the reasons that I got the insight into the upholder tendency was I was speaking to a journalist and she said, why is it that busy parents like us can never take time for ourselves?

G: And I said, actually I have no trouble taking time for myself. And she said, actually neither do I. And I’m like, well then why, what is the premise of your article? Because you and I are both busy parents and neither one of us have experienced this. 

A: Yeah.

G: So clearly it’s not a universal thing. So what’s going on there? And that’s when I was like, just because everybody feels something like it’s always you have to say, do I feel this? Now I think sometimes people conflate it. Like feeling overwhelmed by email is a shorthand for saying, I’m overwhelmed by all the tasks that people at work want me to do. It doesn’t matter if it’s email, like Instagram is an internet only problem. Being pestered at work by people who want you to do things and want your attention, yeah, that’s just inherent in work. And like it’ll just take whatever form it takes. It’s like that’s, that’s really a work problem. But then there are some things about being overwhelmed by technology that are truly created or so dramatically amplified that they’re changed by technology. Yeah.