Poor PAM processes and policies leave the crown jewels susceptible to security breaches Global Survey of IT Security Professionals

Transcription

1 Poor PAM processes and policies leave the crown jewels susceptible to security breaches Global Survey of IT Security Professionals November 7,

2 Goals and Methodology Research Goal The primary research goal was to understand current experiences and challenges around Identity Access Management (IAM) and privileged accounts. Methodology An online survey was fielded to independent databases of IT professionals with responsibility for security. A wide variety of questions were asked about experiences and challenges with IAM. Participants A total of 913 individuals completed the survey. All had responsibility for IT security as a major part of their job and were very knowledgeable about IAM and privileged accounts. 2

3 Individuals Represented Hong Kong 11% Country Singapore 11% United States 34% Australia 11% France 11% Germany 11% United Kingdom 11% Individual contributor 20% Job Level Executive 35% Team manager 45% 3

4 Individuals Represented (con t) Security Responsibility IT security professional 34% IT professional with significant security responsibilities 66% Privileged Account Access No 13% Yes 87% 4

5 Companies Represented Industry Technology 27% Company Size Financial Services Federal Government 11% 11% Manufacturing 10% Healthcare 7% More than 5,000 employees 28% 500-2,000 employees 44% Higher Education / University Retail Services 5% 5% 5% State or Local Government 5% 2,000-5,000 employees 28% Energy and Utilities Transportation Other Education 3% 2% Non-Profit 2% Food and Beverage 1% Other 2% 0% 5% 10% 15% 20% 25% 30% 5

6 More than a third (36%) use Excel and almost a fifth (18%) use paper to manage Password vault 54% Change Management software 44% What types of software or other tools do you use to T manage administrative or other privileged accounts? Internally developed tools or scripts Excel or other spreadsheets Delegation of permissions (for example, sudo) 25% 37% 36% Paper-based tracking (i.e. log book) 18% We do not use any tools to manage administrative accounts 3% 0% 10% 20% 30% 40% 50% 60% 6

7 Germany most likely to use paper; Hong Kong least likely to use spreadsheets What types of software or other tools do you use to manage T administrative or other privileged accounts? 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 40% 40% 38% 33% 34% 34% 28% Excel or other spreadsheets 26% 23% 22% 18% 17% 18% 13% Paper-based tracking (i.e. log book) US UK Germany France Australia Singapore Hong Kong 7

8 95% monitor access, but less than half monitor all access No 5% Do you currently record, log or monitor T administrative or other privileged access? Some access, but not all 52% Yes, all access 43% 8

9 93% have a process for identifying overprivileged users, but only 14% use tools We find them as part of our regular audits 43% Which of the following describes your process for identifying "OVER- PRIVILEGED" T users, users that have access to more information than their job requires? We find them when we go looking for it We have tools in place that constantly evaluate user entitlements and report on anomalies Other 1% 14% 34% We don't identify over-privileged users 7% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Most frequent Other : Set up initial permissions rigorously; when we stumble upon it 9

10 98% change privileged passwords, but only 14% do so after each use In general, how frequently are administrative or other privileged T passwords on mission critical systems and devices changed? 60% 50% 40% 30% 20% 10% 0% 14% 53% 22% After each use Every days Less frequently Never Passwords are changed only in the event of a potential security threat against the business 2% 9% 10

11 88% face challenges with managing privileged passwords Multiple administrators share a common set of credentials 46% Default admin passwords on hardware and software are not consistently changed 40% What challenges does your organization face with T managing administrative or other privileged passwords? Admin accounts managed manually (i.e. paper, spreadsheet) Can't consistently identify individuals who perform administrator activities No way to monitor or record activity on admin accounts 21% 32% 36% Other 2% We have no challenges with managing privileged passwords 12% 0% 10% 20% 30% 40% 50% Other : Admin users give rights to others; management doesn t care, multiple user systems not integrated, no way to enforce password complexity, staff turnover 11

12 Healthcare and tech report most challenges; federal least Have challenges What challenges does your organization face with T managing administrative or other privileged passwords? 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 81% Federal Government 85% 87% Financial Services 90% 93% Manufacturing Technology Healthcare 12

13 Two-thirds (67%) use multiple tools to manage privileged accounts What types of software or other tools do you use to manage administrative or T other privileged accounts? 40% 35% 30% 25% 20% 15% 30% 35% 19% 13% (by number of selects) 10% 5% 3% 0% None One Two Three Four or more 13

14 Password Vault users only slightly more likely to change passwords In general, how frequently are administrative or other privileged passwords on mission T critical systems and devices changed? (by Password Vault users) 60% 50% 40% 30% 20% 10% 0% 14% 15% 53% 50% After each use Every days 22% 22% Less frequently 2% 2% Never 9% 11% Passwords are changed only in the event of a potential security threat against the business All Use Password Vault 14

15 Password vaulting cited as most important How critical are each of the following administrative or other privileged account management T practices to your organization? Please rate each of these on a scale of 1 to 4 where 1 = Extremely important and 4 = Not important. Password vaulting (i.e. automated storage, issuance, and changing of administrative credentials) Active Directory bridging (i.e. joining Unix, Linux, and Mac systems to Microsoft Active Directory for authentication and administration) Session audit (i.e. monitoring the activity performed with administrative credentials) Delegation (i.e. implementing a least-privilege model of administrative activity where administrators are only given sufficient rights to do their job) 38% 34% 32% 49% 28% 42% 40% 30% 18% 19% 21% 15% 16% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 1 = Extremely important = Not important 6% 6% 7% 15

16 99% have IAM security solutions in place Single sign-on 61% Self-service password reset 52% Multifactor authentication 51% Which of the following security solutions T are in place across your enterprise? Web access management Privileged account activity auditing Password vault Privileged access delegation Automated enterprise provisioning Identity analytics (analysis to increase identity-related risk awareness) User behavioral analytics (looks at what type of behavior occurred and the reasoning behind this behavior) 35% 29% 26% 22% 48% 42% 42% Automated enterprise governance (attestation/recertification) 21% We do not use any of these security solutions 1% 0% 10% 20% 30% 40% 50% 60% 70% 16

17 For more information Get IAM Right One Identity helps organizations optimize identity and access management (IAM). Our combination of offerings, including a portfolio of identity governance, access management, privileged management and identity as a service solutions, enables organizations to achieve their full potential unimpeded by security, yet safeguarded against threats. For more information, visit Foundation of supporting organizations that rely on Windows-based infrastructure Develop comprehensive portfolio including access management and privileged account management Expand into true enterprise IAM and governance for the industry's most complete and featurerich IAM portfolio Privileged account management Identity governance Empower and enable our customers digital transformations and adoption of cloud technologies Identity as a service Access Management 17

18 For more information About Dimensional Research Dimensional Research provides practical marketing research to help technology companies make smarter business decisions. Our researchers are experts in technology and understand how corporate IT organizations operate. Our research services deliver a clear understanding of customer and market dynamics. For more information, visit Contact Us: Diane Hagglund Principal diane@dimensionalresearch.com +1 (408) David Gehringer Principal david@dimensionalresearch.com +1 (530) A Quirk Magazine Top 10 Research Blog: 18