An annual survey of privileged account management habits showed that 84 percent of respondents believed organizational risk from privileged users would increase in the next few years, but, despite this, many had no tools or processes in place to thwart privilege misuse.
On Tuesday, BeyondTrust, a security firm that defends against insider privilege abuse and external hacking threats, released its 2015 report, called “Privilege Gone Wild” (PDF). The survey assessed the responses of 728 IT “decision makers,” which included security managers and network and systems engineers across numerous sectors, the report said.
In an interview with SCMagazine.com, Scott Lang, director of privilege strategies at BeyondTrust, pointed out the disparity between organizational behaviors versus concerns. A key finding that 84 percent of respondents thought risk to their organization from privileged users would grow, seemed to have little bearing on many enterprises' practices, he said.
In the survey, for instance, 33 percent of organizations had “no policies (much less, controls) for privileged password management,” the report said. Furthermore, 47 percent of respondents said that users in their organizations held elevated privileges “not necessary for their roles;” while 20 percent admitted that around three quarters of their user base run as administrators.
The report said that the “perceived cost of purchasing, implementing and managing the privileged account management solutions may be a deterrent to faster adoption,” among companies.
In his interview, Lang explained that there is sometimes an “element of surprise” that factors into enterprise deployment of such solutions, particularly password management technologies.
“When you're buying a piece of software to help address the enforcement of controls, you have to take a look at other third-parties that are affected, you need licenses [and to decide] whether you deploy in a single closed environment,” Lang said of the process.
Overall, establishing proper privileged management controls requires a mix of “people, process and technology,” he explained.
“The ‘people' [aspect includes] education about what good behavior is as far as the sharing of credentials and the automation of account management; the process [entails] procedures and policies at an enterprise level. Technology is where the products come in. It's equal parts behavior – or people – process and tools,” he said.
Lang later added that, to start the process of repairing or improving privileged account management practices, organizations should “pull together a cross-functional team of all the stakeholders in the company.” Then, once a game plan is in place, go after low-hanging fruit, like eliminating excessive use of local admin rights, and move on to password management issues, he said.