
10/8/2019
04:16 PM
Dark Reading
Products and Releases

Sila and Ponemon Institute Study Finds Rampant Lapses in Securing Access to Sensitive Information

Joint Research Finds Major Challenges Monitoring and Managing Privileged User Access and Activities, with 70 Percent of Respondents Indicating Users Likely to Access Sensitive or Confidential Data Without a Business Need

Arlington, VA – October 8, 2019 – Sila Solutions Group, a North American technology and management consulting firm, in partnership with the Ponemon Institute, a leading research organization on data protection and emerging information technologies, today released the results of The 2019 Study on Privileged Access Security. The primary takeaway from this study is that insufficient privileged access management (PAM) practices continue to be a critical challenge for many organizations despite significant risks of data breaches and security incidents. According to more than 650 North American respondents, 70 percent think it likely that privileged users within their organizations are accessing sensitive or confidential data for no discernible business need, and more than half expect privileged user abuse to increase in the next 12-24 months.

Interestingly, the primary reason users have unnecessary access to sensitive resources is that all users at their level are given privileged access, even if it is not required to perform their job assignment. According to respondents, privileged access rights also regularly remain active even after a role change (30 percent). 62 percent of participants felt it likely that their organization assigns privileged access rights that go beyond an individual’s role or responsibilities. This proliferation of access is emphasized with more than 75 percent of respondents having privileged access to three or more IT resources.

According to study participants, the biggest challenges organizations face in granting and enforcing privileged user access rights are:

57 percent – Can’t keep pace with the number of access change requests that come in on a regular basis

48 percent – Lack of a consistent approval process for access and a way to handle exceptions

43 percent – Burdensome process for business users requesting access

“The results of The 2019 Study on Privileged Access Security shed light on the fact that privileged access is more prevalent than people may realize. It touches every part of an organization and has far-reaching implications for an organization’s business objectives as well as its security,” said Tapan Shah, managing director at Sila. “Leaders need to step back and ask why individuals have the access they do, and how that aligns with the mission of their business – unnecessary privileged access puts data, employees, customers, and the overall business at risk.” 

Additional key findings from the report state:

52 percent of organizations do not believe they have the capabilities to effectively monitor privileged user activities

60 percent are not confident that their organization has enterprise-wide visibility for privileged user access or can determine if these users are compliant with policies

Why? 45 percent of those with low confidence state that they can’t create a unified view of privileged access across the enterprise and 29 percent say they can’t keep up with the changes occurring to the organization’s IT resources

Over 70 percent of respondents believe that greater automation of access management processes would be the biggest benefit to their organization’s overall identity and access management security posture 

On Tuesday, October 29th at 1:00pm ET, Sila and the Ponemon Institute will provide a deep dive on the survey findings while sharing insights and best practices on PAM. Please see here to register for the webinar. 

“With organizations facing a multitude of threats on a daily basis and as the risks related to PAM continue getting worse, this year’s survey shows that overall progress toward effective PAM implementation continues to stagnate in many areas,” said Dr. Larry Ponemon of the Ponemon Institute. “The status quo is not secure. Business and IT leaders need to look beyond simple tool integration and a “check the box” mentality solely driven by compliance demands. Organizations take a big risk by not properly investing in effective PAM strategies that not only promote security, but propel business success.”  

 

Supporting Resources:

Download the Full Report

Download Report Graphics

View Executive Summary

Register for the Webinar

 

About Sila

Sila is a technology and management consulting firm that provides substantial solutions in the areas of identity and access management, data analytics, cybersecurity and risk, software engineering and integration, strategy and transformation, and digital and creative services. Our clients include Fortune 500 companies and Federal government agencies.

 

Sila is headquartered in Arlington, VA, with offices in Seattle, WA; Shelton, CT; and Chicago, IL. For more information visit www.silasg.com. 

 

Follow Sila at:

Twitter: @sila_insights

LinkedIn

YouTube

Facebook 

 

 

 
