Most companies continue to struggle with managing privileged-user access to their IT networks and few managers are satisfied with the degree of visibility and control they have over the privilege granting process, according to newly published survey data.
The problems have grown worse over the past five years and show few signs of improvement, according to the data, released Tuesday by the Ponemon Institute and Forcepoint, a joint venture of Raytheon and Vista Equity Partners.
“It’s very challenging with the interdependencies between today’s interconnected systems, for both business management and IT management, to understand exactly what access is required” for each employee, Forcepoint’s Senior Manager for Insider Threat Operations Dan Velez told Cyberscoop.
Around 700 IT professionals in the U.S. responded to surveys in 2011, 2014 and 2016, the report said. For the purposes of the study, Ponemon defines privileged users to include database administrators, network engineers, IT security practitioners and cloud custodians.
The issue is vital for cybersecurity because privileged users are the most useful vectors for hackers looking to steal credentials or the most dangerous form of insider threats. A single pilfered credential from a database administrator, for instance, enabled the massive Anthem hack.
“Step one in cybersecurity risk management is understanding what the [organization’s] critical assets are and who has access to them,” said Velez.
But the survey shows that most companies cannot keep up with the administrative demands of managing privileged user accounts.
Over the past five years, the proportion of respondents who say they “cannot keep pace with the number of access change requests that come in on a regular basis,” has risen from just over half (53 percent) to nearly two-thirds (61 percent).
The number saying that it “takes too long to deliver access to privileged users” has risen from a third (32 percent) to nearly half (47 percent).
Thirty-nine percent of respondents said they weren’t confident that they have the visibility they need into privileged user access to determine if users are complying with company policies. Only 18 percent are very confident that they have this visibility.
On the plus side, there was a very slight drop (from 35 to 32 percent) over the five years in the number saying their company lacks “a consistent approval process for access and a way to handle exceptions.” And a larger fall (52 to 41 percent) in the number saying it was “difficult to audit and validate privileged user access changes.”
“Privileged users are very challenging to manage,” said Velez, and the reports states that they “often use their rights inappropriately and put their organizations’ sensitive information at risk.”
For example, three-quarters (74 percent) of respondents agreed with the statement that “privileged users believe they are empowered to access all the information they can view;” while two-thirds (66 percent) agreed that they access “sensitive or confidential data” out of “curiosity.”
This article has been corrected to accurately reflect the status of Forcepoint as a joint venture of Raytheon and Vista Equity Partners.