For years, security experts have outlined best practices for privileged access management (PAM) in an effort to reduce problems associated with the abuse of privileged credentials. Despite this, IT organizations continue to struggle with privileged access management.
To understand why, BeyondTrust recently surveyed nearly 500 IT professionals from around the world with involvement in privileged access management. Because so many attacks start with the misuse of privileged accounts, it is not surprising that respondents rated the following three security measures as somewhat to extremely important to their efforts:
- Privileged access management (83%)
- Privileged session management (74%)
- Privilege elevation management (74%)
When asked what issues keep them awake at night, respondents most often cited the misuse of personally identifiable information (86%), downtime of computing systems (85%), and loss of intellectual property (80%).
Yet, despite these widespread concerns, Forrester research finds that 80 percent of data breaches are the result of the abuse or misuse of privileged credentials[1]. The BeyondTrust survey finds the “5 Deadly Sins of Privileged Access Management” are to blame for this contradiction: so many IT organizations struggle to secure sensitive information despite their high levels of awareness of, and commitment to, PAM:
- Apathy: When asked to list the top threats associated with passwords, respondents listed employees sharing passwords with colleagues (79%), employees not changing default passwords their devices ship with (76%), and using weak passwords like "12345" (75%). Despite knowing better, respondents admitted that many of these same bad practices are common within their organization. A third of the respondents report users routinely share passwords with each other, and a fourth report the use of weak passwords. Shockingly, one in five report many users don’t even change the default passwords!
- Greed: Users often insist they need full administrative privileges over their devices, and that creates problems for IT. 79% of respondents cite allowing users to run as administrators on their machines as their biggest threat, followed by not having control over applications on users’ machines (68%). Yet, nearly two in five respondents admit it is common for users to run as administrators on their machines. It is no surprise that many respondents say these practices have directly caused downtime of computing systems.
- Pride: As the saying goes, pride cometh before the fall. One in five respondents say attacks combining privileged access with exploitation of an unpatched vulnerability are common. Simply patching known system vulnerabilities can prevent most of today’s commonly reported attack vectors. Yet, too often, IT does not stay current on its patches.
- Ignorance: Two-thirds say managing least privilege for Unix/Linux servers is somewhat to extremely important. One popular option is Sudo. However, just 29 percent say Sudo meets their needs. The most commonly cited problems with Sudo include being time-consuming to use (32%), complexity (31%) and poor version control (29%). Despite this, the typical respondent runs Sudo on 40 workstations and 25 servers.
- Envy: Enterprises are rushing to embrace cloud computing. Yet, more than a third report that they are not involved in protecting SaaS applications from privileged access abuse.
There are steps any organization can take to address the 5 Deadly Sins of Privileged Access Management:
- Deploy enterprise password management globally across all data centers, virtual and cloud. A centralized password management solution that includes built-in session monitoring will ensure that both important capabilities are met with strong workflow and ease of use.
- Remove local admin rights from ALL Windows and macOS end users immediately. 94% of Microsoft system vulnerabilities in 2016 can be attributed to users with admin rights. Once all users are standard users, IT teams can elevate a user’s access to specific applications to perform whatever action is necessary as part of their role without elevating the entire user on the machine.
- Prioritize and patch vulnerabilities. Better prioritization and patching of vulnerabilities provides IT with better insight into whether to delegate privileges to an asset or application. The result is better intelligence and less risk of unknowns.
- Replace Sudo for complete protection of Unix/Linux servers. With pressure on budgets, organizations may have to use Sudo, but it doesn’t offer the industrial-strength capabilities that today’s security needs.
- Unify privileged access management – on-premises, in the cloud – into a single console for management, policy, reporting and analytics. As organizations race to adopt SaaS/PaaS/IaaS to keep pace with business demands, IT must provide the same level of protection to cloud-based systems as for on-premises systems. This includes capabilities such as enabling automation for DevOps; finding, grouping and scanning cloud assets; protecting virtual and cloud management consoles and instances; using a cloud access service broker to enable third-party access; and performing vulnerability assessments for hybrid and public cloud infrastructures.
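The per-application elevation that the second step calls for, and the Sudo concern in the fourth, can be checked on a Unix/Linux host by auditing which sudoers rules elevate a whole user (ALL commands) versus a single command. The following is an added example, not code from the original article or from BeyondTrust; the sudoers content is constructed, and the parser handles only the common `who HOST=(RUNAS) [TAG:] commands` form.

```python
import re

# Constructed sample sudoers content (not from the original article).
SAMPLE_SUDOERS = """\
# Broad grants: the whole user is elevated, the pattern the survey warns about
alice   ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
# Narrow grants: one command for one role, no full admin rights
bob     ALL=(root) /usr/sbin/service nginx restart
%ops    ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
Defaults    env_reset
"""

# Simplified rule grammar: who, host, optional (runas), then tags and commands.
# Aliases, multi-line continuations and commands containing ':' are not handled.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$"
)

def audit_sudoers(text):
    """Classify each rule as 'broad' (grants ALL commands) or 'narrow'.

    Returns {"broad": [(who, note), ...], "narrow": [(who, note), ...]}.
    A NOPASSWD tag is reported in the note so reviewers can see it.
    """
    result = {"broad": [], "narrow": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                              # unsupported syntax: skip
        tags, _, cmds = m.group("rest").rpartition(":")
        cmds = cmds.strip()
        nopasswd = "NOPASSWD" in tags
        note = ("NOPASSWD " if nopasswd else "") + cmds
        bucket = "broad" if cmds == "ALL" else "narrow"
        result[bucket].append((m.group("who"), note))
    return result

if __name__ == "__main__":
    for bucket, rules in audit_sudoers(SAMPLE_SUDOERS).items():
        for who, note in rules:
            print(f"{bucket:6} {who:8} {note}")
```

Run against a real `/etc/sudoers` (and `/etc/sudoers.d/*`), every entry in the `broad` list is a user or group that is effectively a full administrator on that host.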