The insecurity of privileged users — curiosity is dangerous

Larry Ponemon

The ability to control access to critical information resources and prevent a data breach remains an elusive goal for many organizations.  In The 2019 Study on Privileged Access Security sponsored by Sila Solutions Group, Ponemon Institute presents four years of research findings on how individuals with the most access to high value information assets can be a serious insider risk.

For purposes of this research, privileged users are assigned privileged access based on their roles and responsibilities. Such access can be defined as broad or elevated access rights to IT networks, enterprise systems, applications and/or information assets. However, according to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and although not necessary will look at an organization’s most confidential information out of curiosity.

The 659 respondents we surveyed self-reported that they have privilege access to IT resources. Seventy-seven percent of these respondents have access to a minimum of three IT resources and a maximum of more than six IT resources.

The expectation that the risk of privileged user abuse will increase has risen significantly since 2011. The survey found 56 percent of respondents say they expect privilege user abuse to increase in the next 12 to 24 months, a significant increase from 44 percent of respondents in the 2011 research. Further, more than half of respondents (53 percent) say their organization experienced a data breach or other access-related security incident within the past three years

The following are reasons new solutions and governance processes are needed to decrease the risk of privileged user abuse.

  • Even if an employee or contractor has appropriate access to high-value information assets, they put their organizations at risk by accessing sensitive or confidential data without a business need and sometimes share their access credentials with other in the organization.
  • The number of organizations that can’t monitor privileged user activities has increased since last year and a problem with access governance processes is that they don’t have a unified view of privileged user access across the enterprise.
  • According to respondents, a lack of resources, in-house expertise and in-house technologies are challenges to improving the efficiency and security of their access governance processes. Specifically, organizations cannot keep pace with the number of access change requests, reduce the burdensome process for business users requesting access. Respondents also cite the lack of a consistent approval process for access and a way to handle exceptions as significant problems
  • The increasing number of regulations is also contributing to the difficulty in managing access governance. It is also affected by the adoption of virtualization technologies or DevOps tooling.
  • Too much reliance on manual processes for granting privileged user access and reviewing and certifying privileged user access hinders the ability to meet growing requests for access changes.
  • To identify insider threats, organization continue to rely upon monitoring and reviewing log files and using non-PAM security technologies. Fewer organizations are deploying PAM tooling capabilities like session monitoring, performing endpoint monitoring and using big data analytics.

“The results of The 2019 Study on Privileged Access Security shed light on the fact that privileged access is more prevalent than people may realize. It touches every part of an organization and has far-reaching implications for an organization’s business objectives as well as its security,” said Tapan Shah, managing director at Sila. “Leaders need to step back and ask why individuals have the access they do, and how that aligns with the mission of their business – unnecessary privileged access puts data, employees, customers, and the overall business at risk.”

Part 2. Key Findings

Following is an analysis of the key findings. To understand trends in organizations’ abilities to manage privileged user access, whenever possible we compare the findings from 2011, 2014 and 2016 to this year’s research. The complete audited findings are presented in the Appendix of this report.

We have organized the findings according to the following topics:

  • Why privileged user abuse is increasing
  • The security risks created by not keeping up with the delivery and review of access rights
  • New approaches to managing access, including collaboration between IT and lines of business, are needed

Why privileged user abuse is increasing

 According to 81 percent of respondents, privileged access rights are required to complete their current job assignments. However, 19 percent of respondents say they do not need privileged access to do their jobs but have it any way. The two primary reasons are everyone at his or her level has privileged access even if it is not required to perform a job assignment (46 percent of respondents) and the organization failed to revoke these rights when they changed their role and no longer needed access privileges (30 percent of respondents). Since 2011, more respondents report that their organization assigned privileged access rights for no apparent reason – from 15% in 2011 to 20% now.

Even if access rights are appropriate, privileged user abuse is prevalent. Some 70 percent of respondents say it is very likely or likely privileged users access sensitive or confidential data without a business need, such as curiosity. Sixty-two percent of respondents say privileged access rights that go beyond the individual’s role and responsibility, which indicates the difficulty organizations have in keeping up with access change requests and reviews of access rights. Many respondents (41 percent) say privileged users are sharing their access credentials with others in the organization.

To continue reading this report, visit Sila’s website.

 

Leave a Reply

Your email address will not be published. Required fields are marked *