Two new surveys out today show how easy enterprises make it for attackers to steal vast quantities of data with just a few successful breaches of employee machines: Employees typically are given far more access to sensitive data than they need to get their jobs done, and enterprises don't do enough to track access behavior.
That failure to enact the fundamental security principle of auditable least privilege only increases the employer's risk profile.
The first report comes by way of the Ponemon Institute, which queried more than 1,000 end-users and 1,000 IT professionals about access patterns, on behalf of Varonis. It showed that among the 1,100 users surveyed, over 70 percent report that they have access to company data they shouldn't be able to see. And of those, more than half report that they use that access frequently. At the same time, among the IT professionals surveyed by Ponemon, four out of five of them report that their organizations don't enforce strict least-privilege data models.
Another survey, conducted by Courion among 35,000 IT executives, found respondents initially a little more optimistic about their enterprises' least-privilege practices. Just over 70 percent reported that they thought their organizations enforced least-privilege policies. However, digging in further, approximately 43 percent did say that their organizations are unaware when access privileges are increased or when access behavior is anomalous.
The difficulty with offering too much access and failing to audit access behavior is twofold. Not only are there the natural worries of insider threats, but there is also the even more plausible concern about account privileges being misappropriated by outside attackers.
"This research surfaces an important factor that is often overlooked: Employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences," says Larry Ponemon, chairman and founder of The Ponemon Institute.
According to the Courion survey, 97 percent of IT pros say that misused or stolen access credentials provide the network entry point for hackers. And just under a third of them say they're confident that their organizations are able to detect improper access.
Often, when organizations lack the capability to granularly limit or audit access, they default toward more open access models so as not to impede productivity. However, the more access that is provided, the higher the likelihood that a small breach of an employee machine will escalate into a network-wide breach of sensitive data stores. Many enterprises find it difficult to strike a decent balance between strong identity and access management (IAM) and user work efficiency, says Kurt Jonson, vice president of corporate strategy for Courion.
"IT security executives are under tremendous pressure to provide open access to stakeholders while at the same time controlling access risks in the face of constant attacks," he says. "Beyond perimeter defense, effective identity and access management is the answer to minimizing the likelihood or impact of a data breach, and IAM is made much easier with the diagnostic capabilities of identity analytics and intelligence."