I would think that the one area in the network infrastructure that is a security priority for IT and security administrators is privileged accounts that control access to servers, firewalls, applications, and so on. There is a reason why so few people in any organization hold login credentials for these accounts. Can you imagine how much damage can be done if too many people had access to this sensitive hardware and software and their login information ended up in the wrong hands? As TechTarget pointed out:
In the wrong hands, privileged accounts represent the biggest threat to enterprises because these accounts can breach personal data, complete unauthorized transactions, cause denial-of-service attacks, and hide activity by deleting audit data.
Having a solid privileged account management (PAM) system in place is vital not only in terms of security, but also for meeting industry compliances and regulations. That makes the results of a new Thycotic study, which found that too many companies are failing at PAM security enforcement, particularly troublesome. As explained on Thycotic’s blog post about the study:
An alarming 52 percent of those companies received a failing grade on the enforcement of proper privileged credential controls. Part of the reason may be because only 10 percent of them have invested into a vendor solution to automate and get PAM right.
This is despite 80 percent of those polled stating that PAM security is a high priority and 60 percent adding that PAM security is required to meet government compliance for their industry.
The failures are easy to see – and probably easy to fix: not changing passwords, sharing passwords, and lack of approval for adding new administrators to an account. We already know that hackers take advantage of password laziness but, in this case, those particular passwords in the hands of the bad guys have the ability to exploit virtually any part of a network.
How do you address PAM security? Adopting automated PAM solutions may be the first step. Another may involve bringing in experienced or specifically trained security professionals into the organization, something that too many companies lack. (Sorry, but at this point in the game, telling the IT guy to handle security isn’t enough.) And finally, Thycotic recommended the following:
Adopt security polices to help ensure least privilege strategy for account access. You should explore employing software tools to limit privileged access without impacting user productivity.
Do you know if your PAM meets good security standards? Thycotic developed this survey to see where your PAM stands in relation to others.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.