Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

7/14/2015
06:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Shared Passwords And No Accountability Plague Privileged Account Use

Even IT decision-makers guilty of poor account hygiene.

As the winds of the cloud scatter corporate data across the globe and beyond any IT boundaries, identity management continues to grow in importance. But a new survey out from Centrify shows that even those that should know better do not engage in secure account management practices.

In its State of the Corporate Perimeter survey out today, the firm found that nearly 60 percent of US IT decision-makers share access credentials with other employees at least somewhat often. Conducted among 200 of these decision-makers, the survey also found that 52 percent of US-based IT employees also shared credentials with contractors.

This is a scary prospect, given that many of these IT employees are entrusted with credentials for privileged accounts, with account sharing essentially spreading the proverbial "keys to the kingdom" across an organization with little accountability. According to the survey, about three-quarters of respondents estimate that more than 10 percent of employees have access to these kinds of privileged accounts, whether legitimately or through sharing. And over half of respondents in the US reported that it would be easy for a former employee to log in to access systems or data with old passwords.

Unsurprisingly, 74 percent of those surveyed in the US reported that their organization needed to do a better job monitoring who is accessing data and 62 percent believe their organization has too many privileged users. The concern grows as new models in cloud and mobile computing have obliterated the corporate perimeter.

“And there’s the rub: today’s corporate perimeter has nothing to do with physical headquarters and contains data that resides in the cloud and on the numerous devices employees and contractors use in the field," said Tom Kemp CEO and co-founder of Centrify.

As things stand, 92 percent of organizations in the US currently have some form of user monitoring in place. However, only a 56 percent have some sort of privileged identity management. Of those, nearly a third companies do not have someone formally analyzing or auditing how and when employees or contractors are performing privileged access to systems in the organization on at least a weekly basis. Even something as simple as updating passwords on a regular basis is only performed by about 58 percent of US organizations.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/15/2015 | 11:38:46 AM
Ownership
Shared accounts, especially privileged accounts, need to have an account owner assigned to them. They need to be in a database that prompts user monitoring to correlate with windows account policies and this is something that is simple and very low cost. I've seen the other side and it gets ugly to say the least.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-20001
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
CVE-2020-36317
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
CVE-2020-36318
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
CVE-2021-28875
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
CVE-2021-28876
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...