Operations //

Identity & Access Management

7/14/2015
06:10 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Shared Passwords And No Accountability Plague Privileged Account Use

Even IT decision-makers guilty of poor account hygiene.

As the winds of the cloud scatter corporate data across the globe and beyond any IT boundaries, identity management continues to grow in importance. But a new survey out from Centrify shows that even those that should know better do not engage in secure account management practices.

In its State of the Corporate Perimeter survey out today, the firm found that nearly 60 percent of US IT decision-makers share access credentials with other employees at least somewhat often. Conducted among 200 of these decision-makers, the survey also found that 52 percent of US-based IT employees also shared credentials with contractors.

This is a scary prospect, given that many of these IT employees are entrusted with credentials for privileged accounts, with account sharing essentially spreading the proverbial "keys to the kingdom" across an organization with little accountability. According to the survey, about three-quarters of respondents estimate that more than 10 percent of employees have access to these kinds of privileged accounts, whether legitimately or through sharing. And over half of respondents in the US reported that it would be easy for a former employee to log in to access systems or data with old passwords.

Unsurprisingly, 74 percent of those surveyed in the US reported that their organization needed to do a better job monitoring who is accessing data and 62 percent believe their organization has too many privileged users. The concern grows as new models in cloud and mobile computing have obliterated the corporate perimeter.

“And there’s the rub: today’s corporate perimeter has nothing to do with physical headquarters and contains data that resides in the cloud and on the numerous devices employees and contractors use in the field," said Tom Kemp CEO and co-founder of Centrify.

As things stand, 92 percent of organizations in the US currently have some form of user monitoring in place. However, only a 56 percent have some sort of privileged identity management. Of those, nearly a third companies do not have someone formally analyzing or auditing how and when employees or contractors are performing privileged access to systems in the organization on at least a weekly basis. Even something as simple as updating passwords on a regular basis is only performed by about 58 percent of US organizations.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/15/2015 | 11:38:46 AM
Ownership
Shared accounts, especially privileged accounts, need to have an account owner assigned to them. They need to be in a database that prompts user monitoring to correlate with windows account policies and this is something that is simple and very low cost. I've seen the other side and it gets ugly to say the least.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
CVE-2019-9925
PUBLISHED: 2019-03-22
S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.
CVE-2019-9927
PUBLISHED: 2019-03-22
Caret before 2019-02-22 allows Remote Code Execution.
CVE-2019-9936
PUBLISHED: 2019-03-22
In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.