

2015 Privileged Access Management Study

Published by hitachiid, 2017-06-23 15:08:55

Description: How Well is Your Organization Protecting its Real Crown Jewels - Identities?

Can your security team detect and identify intruders before data disappears?

Are you confident that former employees and contractors no longer have access to your critical systems?

These are among the questions we set out to answer in the 2015 Privileged Access Management Study, and the responses help create an eye-opening information security agenda for 2016.

This study was designed to examine just how well organizations are protecting their true crown jewels – identities. In this report, you will receive survey results that explore:

• How organizations are best managing privileged identities;
• The true business impact of intrusions due to external/internal privileged users;
• Modern methods being employed to detect both accidental and malicious activity.

See more at: http://hitachi-id.com/documents/



2015 PRIVILEGED ACCESS MANAGEMENT STUDY
How Well is Your Organization Protecting its Real Crown Jewels - Identities?

Inside:
• Complete Survey Results
• Expert Analysis
• Insights from Hitachi ID Systems CTO Idan Shoham

Letter from the Editor
Tom Field

Do you have confidence in your organization’s ability to manage privileged identities and prevent their abuse? Can your security team detect and identify intruders before data disappears? Are you confident that former employees and contractors no longer have access to your critical systems?

These are among the questions we set out to answer in the 2015 Privileged Access Management Study, sponsored by Hitachi ID Systems, and the responses help create an eye-opening information security agenda for 2016.

More than 90 percent of survey respondents are concerned about external and/or internal attackers gaining unauthorized access and compromising corporate networks. And the survey results offer sound reasons for these concerns:

• 47% of respondents believe that former employees, contractors or vendors are still familiar with their organization’s processes to change passwords on shared accounts;
• Only 42% have deployed a multifactor authentication technology for high-risk or highly privileged users;
• Only 40% have deployed automation to control access to shared, privileged accounts.

This study was designed to examine just how well organizations are protecting their true crown jewels – identities. In this report, you will receive survey results that explore:

• How organizations are best managing privileged identities;
• The true business impact of intrusions due to external/internal privileged users;
• Modern methods being employed to detect both accidental and malicious activity.

This survey was conducted online during the fall of 2015, and we had more than 130 respondents from organizations across global regions and industry sectors. Join me in a review of the full survey responses, and then let’s discuss how you can put this data to use to help improve your organization’s capabilities to protect identities and privileged access.

Tom Field
Vice President, Editorial
Information Security Media Group
[email protected]

2015 Privileged Access Management Study

About this survey: This study was conducted online during the fall of 2015. More than 130 respondents participated internationally from organizations of all sizes and across industries, with concentrations of respondents in the financial services and healthcare sectors.

Table of Contents
Introduction 2
Big Numbers 4
Survey Results 5
I. Baseline 5
II. External Intrusions 6
III. Internal Abuse 9
IV. Existing Processes 11
V. Infrastructure 13
VI. The Cost of Security 15
VII. 2016 Agenda 17
Conclusions 19
Survey Analysis (Idan Shoham, CTO, Hitachi ID Systems) 20
Resources 25

Sponsored by Hitachi ID Systems. Hitachi ID Systems delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. To learn more about Hitachi ID Systems, visit Hitachi-ID.com

Big Numbers
Some stand-out figures from this survey.

• 53% rate as above average or superior their organizations’ ability to manage privileged identities and external/internal access to critical systems.
• 96% say they are somewhat or very concerned about outside attackers compromising their corporate networks.
• 91% are somewhat or very concerned about legitimate employees, contractors or vendors abusing their privileged network access.

Survey Results

I. Baseline

In this opening section, respondents were asked to offer a general assessment of their organizations’ abilities to manage privileged identities and access – and where they see their biggest failings. The key takeaways:

• Only 53 percent of respondents rate their organizations at above average or superior
• 23 percent say their Achilles Heel is a failure to enforce existing policies.

Full results to these questions follow.

How do you assess your organization’s ability to manage privileged identities and external/internal access to critical systems and data?
• Above Average: 46%
• Average: 36%
• Below Average: 9%
• Superior: 7%
• Failing: 4%

At a time when targeted attacks are rampant, and when many of the highest profile data breaches owe to stolen credentials, it’s disconcerting to see that 47 percent of respondents rate their defensive capabilities at average or below.

But what is missing in cybersecurity is a tangible definition of what “average” truly means. Does it mean “just good enough,” or “we’ve been lucky so far?” Further results will show exactly where security leaders feel most and least confident.

What do you see as your organization’s single biggest failing when it comes to managing privileged identities and external/internal access to critical systems and data?
• We fail to enforce the good policies we have: 23%
• We lack the right technology tools: 22%
• We lack the trained staff to properly manage the tools: 17%
• The organization fails to recognize this as a critical objective: 13%
• We lack financial resources to invest in staff and tools: 7%
• We lack the right policies: 7%

When assessing organizations’ vulnerabilities, three areas stand out: Governance, tools and staffing. Respondents say their organizations often do have good policies for managing privileged identities – they just often fail to enforce them. And while many organizations do lack the proper tools to support their policies, others are stymied by a deficit of trained staff to properly manage the tools.

With these baseline figures in mind, look next at where organizations are vulnerable to external and internal attacks.

II. External Intrusions

In the era of the Sony, OPM and TalkTalk breaches, security leaders are particularly sensitive to the risks of external attackers hacking into corporate networks. In this section, respondents convey:

• 96 percent are somewhat or very concerned about external attackers
• 32 percent say it can take more than 24 hours to detect external intrusions

What is your level of concern about outside attackers compromising your corporate network?
• Somewhat concerned: 53%
• Very concerned: 43%
• Not at all concerned: 4%

No surprise: In the era of the high-profile data breach – where boards of directors and business leaders are held accountable for their organizations’ security lapses – 96 percent of respondents are somewhat or very concerned about the risk of external attackers compromising their networks.

The key follow-up question is: Have their concerns been validated by external intrusions?

In the past 12 months, did your IT organization detect any external intrusions that resulted in unauthorized access to your corporate network?
• Yes: 22%
• No: 78%

Roughly one-fifth of respondents say their organizations suffered an external intrusion in the past year. But it’s fair to point out: These are the respondents who know their corporate networks were breached. At a time when so many of these attacks are “low and slow” and avoid detection, it’s fair to assume that a fair number of organizations were breached … but do not yet know it.

How long did it typically take your IT organization to detect any external intrusion(s)?
• More than 24 hours: 32%
• Under 60 minutes: 30%
• 1 to 3 hours: 11%
• 3 to 6 hours: 11%
• 6 to 9 hours: 9%
• 12 to 24 hours: 7%

Indeed, when nearly one-third of respondents say it takes more than 24 hours to detect the typical external intrusion, then it is fair to say that many of these attacks are adhering to the “low and slow” approach, giving the attackers more opportunity to gain access and exfiltrate data.

How long did it typically take your IT organization to stop any external intrusion(s)?
• Under 60 minutes: 36%
• 1 to 3 hours: 23%
• 3 to 6 hours: 5%
• 6 to 9 hours: 10%
• 9 to 12 hours: 3%
• 12 to 24 hours: 3%
• More than 24 hours: 15%
• We did not stop the external intrusion: 5%

It is encouraging to see that – once detected – external intrusions often are stopped in under one hour – or within one to three. But, again, it’s worth reinforcing that the attacks have to be detected before they can be stopped. And detection remains the bigger challenge.

In your most recent external intrusion, did your organization determine how intruders gained access to your network?
• Yes: 58%
• No: 16%
• I don’t know: 26%

Similarly, it is encouraging to see that, nearly 60 percent of the time, organizations are able to determine exactly how intruders gained access to their networks. For the 42 percent who question their abilities, it is time to re-evaluate the tools and skills deployed to monitor and investigate network activity.

Has your audit or IT security department raised to senior management any concerns regarding the threat of network intrusion by unauthorized external parties?
• Yes: 73%
• No: 15%
• I don’t know: 12%

This is a question that would be interesting to track over time. Today, nearly three-quarters of respondents say that the topic of external intrusions has been raised to senior management. But would this have been the case five years ago? Perhaps not. But since the Target, Sony and OPM attacks, where senior leaders were held accountable for the breaches, these intrusions have clearly become a boardroom topic.

The next question reviews the business impact of external intrusions.

What was the business impact of any intrusions?
• Financial losses, including lost revenue, and/or incremental operational expenses: 20%
• Damage to the organization's reputation: 18%
• The intruders removed or deleted sensitive data: 10%
• I don't know: 3%
• None: 3%

Clearly, it’s not just a matter that the technology failed. Breaches today are recognized for their tangible business impacts. And when assessing these impacts, respondents say that data compromise is the least of their three top concerns. The top two business impacts: Financial losses and reputational damage.

The next section looks at the impact of internal compromise.

III. Internal Abuse

For too many organizations, access is the gift that keeps on giving. Once an individual gains access to a critical system, that access is too rarely revoked – even when that individual moves on to a new role. In this section, respondents say:

• 91 percent are somewhat or very concerned about legitimate employees/contractors/vendors abusing their access privileges.
• 47 percent believe that former employees/contractors/vendors might be able to still change passwords on shared accounts.

What is your organization’s level of concern about legitimate employees, contractors or vendors abusing their privileged network access?
• Somewhat concerned: 55%
• Very concerned: 36%
• Not at all concerned: 9%

Never have we worked at a time when so many individuals had so much access to so much critical information. From onsite employees to remote contractors, vendors and partners, so many different individuals share privileged access to critical systems. And survey respondents are legitimately concerned about the risk of these individuals abusing their access in some way that compromises the organization.

Does your organization have robust processes to deactivate users that no longer need access to your organization’s network?
• Yes, we have robust processes in place: 72%
• No, we do not have robust processes in place: 15%
• No, but we are currently developing such processes: 11%
• I don't know: 2%

For the most part – according to nearly three-quarters of survey respondents – organizations at least have implemented appropriate processes to remove access from individuals who no longer require it. But …

Do you believe that former employees, contractors or vendors are familiar with your organization’s processes to change passwords on shared accounts?
• Yes, former employees, contractors or vendors would still recognize the password reset processes: 47%
• No, former employees, contractors or vendors were never privy to our processes: 28%
• I don't know: 13%
• No, former employees, contractors or vendors would no longer recognize the processes we employ, as they have changed: 12%

Nearly half of the respondents say their former employees, contractors and vendors would still recognize how the organization changes passwords on shared accounts.

If this first line of network defense is so vulnerable, how about other existing processes? This question will be explored in the next section.

IV. Existing Processes

This section unveils several vulnerabilities that must be addressed by both policy and technology. Among the stand-out stats:

• Only 57 percent of respondents say their organizations have automated systems in place to deactivate access as people move out of the organization
• 54 percent rate as average or below their users’ abilities to protect themselves from phishing and other social engineering attacks

Does your organization have identity and automated access management in place to initiate and deactivate access as people move into and out of your organization?
• Yes: 57%
• No: 29%
• Not currently, but we plan to deploy such a system: 14%

Frequently, we hear about “access creep,” where individuals never relinquish any of the system access they gain in an organization – even when they move into new roles that no longer require the old access.

Here, 57 percent of respondents say they do have automated systems in place to initiate and deactivate access as individuals transfer through the organization. But that number is perhaps less significant than the 43 percent who do not yet have such tools in place.

Does your organization have password management automation to enforce password strength policies and enable users to reset forgotten passwords or clear lockouts?
• Yes: 74%
• No: 18%
• Not currently, but we plan to deploy such a system: 8%

Nearly three-quarters of respondents have deployed some form of password management automation to enforce policies and help users either reset forgotten passwords or clear lockouts. But that’s only one layer of defense. Moving on …

Do you believe the process used by your organization’s help desk to authenticate callers is secure enough to prevent an attacker from overcoming it via spoofing?
• Yes, I believe the process is secure and prevents spoofing: 54%
• No, I believe the process is insecure and unable to prevent spoofing: 29%
• I don't know: 9%
• We do not have a formal help desk: 8%

The help desk shows a weak underbelly for organizations. Only 54 percent of respondents say their help desks have a secure process to authenticate callers and prevent “spoofing” attacks. The remaining 46 percent are vulnerable to social engineering attackers who know how to worm their way into privileged accounts, where their activity may go undetected.

How do you assess your organization’s users’ ability to protect against phishing and similar social engineering attacks?
• Average: 45%
• Above Average: 40%
• Below Average: 8%
• Superior: 6%
• Failing: 1%

And, indeed, when it comes to social engineering attacks via phishing and other techniques, only 46 percent of respondents say their users have above average or superior defensive capabilities.

This remains one of the key soft spots in any secure organization. No matter the policies or tools deployed, security is only as strong as the decisions people make when confronted by the trickery of social engineers.

Does your organization have processes in place to change passwords on shared or privileged accounts?
• Yes: 75%
• No: 18%
• Not currently, but we plan to deploy such a system: 7%

Recognizing the potential risks of passwords on shared or privileged accounts, 75 percent of respondents say their organizations do have processes in place to change these passwords, a fundamental element of defense.

Next, respondents share some of the specific security controls they have deployed.

V. Infrastructure

When reviewing specific security controls that have been deployed, it is somewhat surprising to find:

• Only 52 percent of organizations have deployed multifactor authentication to high-risk or highly-privileged users
• Only 40 percent have deployed automation to control access to shared accounts

Read on to learn more about current controls.

Has your organization deployed a multifactor authentication technology for your high-risk or highly privileged users?
• Yes: 42%
• No: 40%
• Not currently, but we plan to deploy such a system: 19%

It is a significant red flag that not even half of responding organizations have deployed multifactor authentication to their high-risk or highly privileged users. This is the equivalent of installing a sophisticated home security system … but neglecting to lock the front door.

If you answered yes to the previous question, which of the following multifactor authentication technologies has your organization deployed?
• RSA SecurID or similar token: 61%
• App on smart phone: 27%
• Soft token: 27%
• PIN sent to user's phone: 23%
• Smart Card: 23%

For those organizations that have deployed MFA, the most common elements are the classic RSA SecurID (or similar) tokens, soft tokens and apps on smart phones. Smart cards and PINs sent to users’ phones also are common to nearly one-fourth of organizations.

If your organization has not deployed multifactor authentication technology, what are the reasons?
• We plan to deploy in the future: 39%
• We have inadequate management support: 30%
• We do not possess the budget: 29%
• In order to deploy MFA, we must overcome interoperability problems: 14%

For those organizations that do not deploy MFA, nearly 40 percent say they plan to do so in the future. But 30 percent of respondents say they do not have management support for MFA deployment, and 29 percent say they lack the budget. Clearly, this emerges as one strong element around which to build a business case for deployment.

Has your organization deployed automation to control access to shared, privileged accounts?
• Yes: 40%
• No: 42%
• Not currently, but we plan to deploy such a system: 18%

In terms of automation, only 40 percent of organizations say they have deployed automated tools to control access to shared, privileged accounts. This means that 60 percent are entrusting access to monitoring by people – or they are not paying attention at all to this vulnerable vector. This is a door that organizations do not want to leave ajar, given the concerns they have expressed about the potential for internal abuse.

What percentage of your organization’s systems and applications do you believe are in-scope for automated access control today?
• Under 10%: 12%
• 10%-25%: 14%
• 26%-50%: 15%
• 51%-75%: 24%
• 76%-100%: 22%
• None: 13%

One-quarter of respondents say their organizations have between 50 and 75 percent of their systems and applications in-scope for automated access control today. That’s the baseline from which organizations must build their 2016 business plans and budgets to automate access to the remaining systems and applications.

Next, the report will review how budget is allotted – and what to expect for funding in 2016.

VI. The Cost of Security

We know security is an enterprise priority, but how much attention is being paid to privileged access management? Here we learn:

• 29 percent of respondents say their current security budgets represent 1-10 percent of the IT budget
• 40 percent say of that security budget, 1-10 percent is assigned to strong authentication

Here is a review of current funding trends:

What proportion of your IT budget is currently assigned to information security?
• I don’t know: 35%
• 1-10%: 29%
• 11-20%: 15%
• 21-30%: 10%
• 41-50%: 4%
• 31-40%: 4%
• 50%+: 3%

Start with the IT security budget, which typically is a portion of the overall IT budget. Nearly one-third of respondents say security is 1-10 percent of the IT spend. Twenty-five percent say that security budget can range from 11 to 30 percent.

What proportion of the security budget is assigned to strong authentication?
• I don’t know: 41%
• 1-10%: 40%
• 11-20%: 9%
• 21-30%: 6%
• 41-50%: 2%
• 31-40%: 1%
• 50%+: 1%

From that security budget, 40 percent say 1-10 percent is dedicated to strong authentication. Another 15 percent say 11 to 30 percent could be allocated.

What proportion of the security budget is assigned to privileged access management?
• I don't know: 42%
• 1-10%: 41%
• 11-20%: 9%
• 21-30%: 4%
• 41-50%: 2%
• 31-40%: 2%

And then, when focused specifically on privileged access management, 41 percent of respondents say 1-10 percent of the security budget may be allocated here. Thirteen percent say that range is from 11 to 30 percent.

With those figures in mind, look next at projected spending plans for 2016.

VII. The 2016 Agenda

There is encouraging news for the coming year:

• 32 percent of respondents expect increases in their budgets dedicated to privileged access management
• Multifactor authentication is one of the top three technology tools planned for deployment

What else is on the 2016 agenda?

In the next 12 months, how will your organization’s security budget dedicated to privileged access management change?
• I don't know: 43%
• It will not change: 26%
• It will increase 1-5%: 18%
• It will increase 6-10%: 8%
• It will increase more than 10%: 5%

No organization articulates a planned decrease in budget dedicated to privileged access management. That’s encouraging news. Better yet: 57 percent expect this funding to either stay the same or to increase anywhere from 1 to more than 10 percent.

How will they use this funding?

Which technology tools do you intend to deploy in the coming year to improve privileged access management?
• Audit tools: 44%
• Multi-factor authentication: 41%
• Intrusion detection: 39%
• Password management: 30%
• Privileged Access Management system: 30%
• Traditional Identity & Access Management system: 23%
• Automated access control: 18%
• Session recording: 14%
• Provisioning tools: 12%
• I don't know: 2%

Respondents have broad plans to improve privileged access management across the board in the year ahead. The top three planned investments are: Audit tools, multifactor authentication and intrusion detection. But next on the list: password management and a privileged access management system.

Given all these statistics, what messages can we draw from the survey – and how can organizations put these results to work to improve privileged access management? In the closing sections of this report, key conclusions will be offered, and then Idan Shoham of survey sponsor Hitachi ID Systems will offer color commentary on what these conclusions mean, and how to incorporate them in your 2016 security strategy.

Conclusions

A thorough review of the survey results brings us to these summary conclusions:

Recognize the Risks
Target, OPM, the NSA – pick a high-profile data breach, and chances are it resulted from identities or access compromised by an intruder who was given or who stole privileged access to a critical network or system. Behind every large breach, it seems, there is a simple, preventable access point. The risks are real, the consequences are costly, and the argument is rock solid: It’s time to improve how enterprises manage identities and privileged access.

Raise the Baseline
When it comes to breach prevention, “average” is nowhere near good enough. “Average” is why so many targeted organizations have been breached – because they have not rolled out controls such as multifactor authentication and automation for passwords and access management. To avoid being the next headline, organizations must raise this security baseline.

Multifactor Authentication is the New Standard
Although government regulators and standards bodies have long called for a minimum of two-factor authentication for critical networks and systems, too few organizations have actually moved beyond simple passwords and data that can be purloined by keyloggers. It’s time to heed the warnings and respond to the string of recent attacks. Passwords are not dead – but they must be given new life by being used in conjunction with tokens, PINs, biometrics and other robust authentication technologies. To not embrace multifactor authentication is to be negligent.

Privileged Access Management is Not a Deployment
This survey reveals multiple pain points. Organizations are vulnerable to external attackers and to trusted insiders, and they have done little to protect mission-critical networks and systems beyond user name and password. Processes are not being followed, the right authentication tools have not been deployed, and security staff is not trained sufficiently to manage the tools that are in place.

The business case has been made for privileged access management, but it is important not to approach that as a discrete project – it’s a program. It involves tools, training and ongoing monitoring to ensure that organizations can manage privileged identities with automation, and that they can improve their abilities to prevent external/internal intrusions before critical data is altered, deleted or stolen.

In the closing section of the report, Idan Shoham of Hitachi ID Systems will discuss privileged access management and how one can use the results of this survey to make the business case for such a program.

Survey Analysis

How to Maximize Your Privileged Access Management Program
Survey Analysis by Idan Shoham, CTO of Hitachi ID Systems

Note: In preparation of this report, ISMG VP Tom Field sat down with Hitachi ID Systems CTO Idan Shoham to analyze the results and discuss how security leaders can put these findings to work in their organizations. Following is an excerpt of that conversation.

In his role as Chief Technology Officer, Shoham is responsible for defining product and technology strategy and the overall development of Hitachi ID Systems solutions. He works closely with his talented team to ensure that the solutions that Hitachi ID Systems delivers to the market are of the highest quality. Prior to founding Hitachi ID Systems in 1992, Shoham provided network security consulting services to large organizations such as Shell, Amoco, BP Canada and Talisman Energy. He holds a Masters degree in Electrical and Computer Engineering.

‘We Can Do Better’

TOM FIELD: Okay, Idan, we’ve had a chance to go through the survey results. What’s your gut reaction? What are the key points that strike you and maybe even surprise you?

IDAN SHOHAM: The first thing that strikes me is that IT security budgets are relatively small, and that goes a long way to explaining the string of public exploits that you’ve read about in the press over the past few years. The second thing that’s interesting here is: People’s self-assessment is generally positive, but then if you look at the assessment of their risks, they’re pretty elevated. I think people are basically saying, “We’re doing pretty well compared to our peers, but we have serious issues,” which implies that everybody’s got serious issues around strong authentication, around deactivating access, around automation. As an industry, I think we can clearly do better.

Overconfident About Access Management

FIELD: Idan, it strikes me that the respondents seemed a little bit overconfident on the surface at least about their abilities to manage privileged identity and access. Do you agree? And if so, in your experience, where does that overconfidence come from?

SHOHAM: I think people look at their own organizations, and then they talk to peers to get a sense of where they stand vis-à-vis the other organizations, and in that sense you would expect most people see themselves as average: that’s what average means. I think that there’s a dichotomy between people’s view of their organization vis-à-vis other organizations versus their view of how they’re doing vis-à-vis absolute risk. People are saying, “Yes, we’re doing about the same as everybody else,” which is not surprising, and at the same time they’re saying, “and we have these substantial risks,” which is also true. I don’t think that these two things are in any way mutually exclusive. They’re just two ways to look at an organization’s security posture, and I think my advice would be focus on actual risk; don’t focus on what your peers are doing. If your organization gets hacked

“The focus really needs to be onabsolute risk, and I think peoplehave a fairly good assessment of what their riskprofile actually is.”and you turn up on the front page of medium-to-large enterprises to have Idan Shohamthe local newspaper, that’s a concrete this kind of sophisticated surveillance.consequence, and the fact that your Larger organizations typically have a if they have something worth protecting,peers who have similar controls didn’t security operations center of some need this kind of surveillance.happen to get hacked in the same way, sort. I know that small organizationsthat’s not much comfort. The focus needs generally don’t, and they probably can’t Internal Access Risksto be on absolute risk, and I think people afford it. The advice here is, if you’rehave a fairly good assessment of what too small to afford building your own FIELD: Switching the conversation totheir risk profile actually is. sensor networks and surveillance and internal access, we see that respondents so forth, farm this function out. There are are concerned about current and formerThe Detection Deficit a number of companies out there that employees, contractors, vendors, how operate managed security services, and they behave. We always hear aboutFIELD: We talked about external smaller organizations can leverage these access creep and privileges that neverintrusions in the survey, and when you services relatively inexpensively. These go away. How do we put this animal backlook at the results, detection seems to providers keep an eye on your network in the cage?be the major hurdle for organizations. for you. Even quite small organizations,When it comes to detection, what areorganizations typically overlooking?SHOHAM: I don’t know that they’reoverlooking anything. I think in order todetect active or attempted intrusions andattacks, you need a pretty sophisticatedinfrastructure. You need sensors onyour network; you may need sensors onthe endpoints. 
You need log and dataaggregation, you need pattern matchinganalytics. You need the dashboards - thisis a lot of technology. I would expect 2015 Privileged Access Management Study 21

Survey AnalysisSHOHAM: There’s decent technology even as their human owners turn over. reach into the environment and discoverfor that. Here at Hitachi ID, we’re in Without automation, you typically have and integrate systems is quite mature.the business of making software to static, well-known passwords - often What that means in practice is that theaddress this problem. There are really stored as plaintext and shared by many TCO, the barrier to entry, is comingtwo styles of access. There are business people. That’s obviously a security issue, down, and smaller organizations canuser accounts -- e-mail accounts, CRM especially as people move into and out of cost-justify automating privileged accessaccounts and so forth. These are the organization. management.basically end-user access rights, andorganizations manage these through There is a whole other category of “If you’re too smallautomation, through roles, through software to secure these accounts: to afford buildingpolicies, through periodic access privileged access management products, your own sensorcertification and so forth. There are of which we make one. The idea is toquite mature products to manage these set the passwords on these accounts to networks andkinds of access rights. Traditionally the random, frequently changing strings and surveillance andcost of these systems has been mainly then to launch login sessions, without so forth, farm itconsulting fees to deploy them, but that’s necessarily displaying passwords, forcoming down as vendors like us bring authorized users. This way, access is out.”to market implementations that are less granted for short periods of time -- forexpensive to set up. hours, not days or weeks.The other pattern is privileged access. Twenty years ago there were no productsThese are typically shared, high privilege to do this. Ten years ago, there wasIDs, for example root on Linux and really early code. Today, there are quiteAdministrator on Windows. 
The way sophisticated and mature products in thisthese are managed is different, because space, and I think the consulting effortthe accounts often already exist when required to deploy them and the amounta system is deployed and remain of automation that they bring to bear to22 2015 Privileged Access Management Study

FIELD: Clearly, the technology has “The barrier to to your personal e-mail, and then youevolved. Do you see people and entry is coming have to enter that before you enterprocesses evolving as well to leverage down, and smaller your password. Fundamentally, it hasthose technologies, or do you still have a to be something that isn’t vulnerable tocultural gap you have to get over in many and smaller a keylogger, because there’s malwareorganizations? organizations out there, and people’s endpoints, their can cost-justify laptops, their PCs, sooner or later getSHOHAM: I think the processes are automating compromised. If your PC is compromised,definitely evolving. I’ll give you concrete privileged access some attacker in some other countryexample. One way that organizations management.” will deploy a keylogger on your PC,that didn’t have good technology to will steal your password and will becontrol access to privileged accounts the organizational support to do it, able to sign into anything as you - andwas cut passwords in half - the first five and frankly, funding to implement that includes into the privileged accesscharacters and the last five characters, stronger controls. Beyond that, you management system. The keylogger hasfor example - and give those halves to need technology. Privileged access got you, so you need something that adifferent people. If you wanted to log into management done manually is an keylogger can’t replay, and that’s reallya really high privileged account, both of incredible pain. You need to purchase what we mean by 2FA, or two factorthose people would have to get together products that can discover systems in the authentication.at the keyboard, and one would type five infrastructure, classify them, apply policycharacters, and then the other would to them, randomize passwords, control Making the Case for PAMtype the rest. 
That’s really low tech, access to privileged accounts, recordand today there’s absolutely no reason sessions and so forth. We make software FIELD: How do you recommend thatto do that, where you have password in this space, as do others. It’s a mature, security leaders build that business caserandomization, vaulting, workflow, single robust, lively marketplace where you can for management to support that programsign-on and screen recording. buy quite advanced capabilities. and invest in it, and what would you say might be the key ROI factors that couldWhat’s changed? When we would The other thing that you really need get management’s attention once youhave conversations with organizations is two-factor authentication. It seems deploy and start to measure results?as recently as two years ago, we were to me strange that you’d go to all thisstill getting requests to automate this trouble to secure privileged accounts, SHOHAM: Let me start with the secondlow tech, password slicing strategy. We and then all these privileged accounts part first. I don’t think that ROI is reallywould say, “Sure, we could do that for are accessible behind a sort of firewall of the right way to think about it. It’syou, but there are better ways to address an authentication step, and that firewall really risk mitigation that we’re talkingthis control problem.” I don’t recall in ought not to be yet another password, about, so you’re talking about risks ofthe last year or two having anyone us to and a static one at that. That just seems massive compromise of private datado that, so there’s definitely a gradual like reverting to the problem that you’re or of corporate IP or rogue trading ortransition away from low-tech to more trying to solve. At least the process safety problems or penalties triggered bysophisticated controls. that you use to sign into a privileged regulatory compliance problems. 
We’re access management system ought to talking about catastrophic failures in yourMust-Have Tools be a multifactor authentication, and it internal controls and how to avoid them. doesn’t have to be expensive. It can When people talk about “regulatoryFIELD: As you look to 2016, what do you be as simple as when you log in, the compliance” this is really what they reallysee as the must-have tools to enable a system sends a PIN to your phone or mean: “how to comply with regulationsrobust privileged access management that mandate strong enough internalprogram? controls, designed to minimize the risk of catastrophic failures.” That’s reallySHOHAM: I think you need a few things. what’s underlying this, and I think youFirst of all, you need management have to present your business case tomandates to do this! You’re not going management in those terms.to get anywhere if you don’t have 2015 Privileged Access Management Study 23

Survey AnalysisYou have to start by saying: “There’s this static passwords, so if a password is Put the Survey to Workhypothetical catastrophic failure that compromised, the period of time thatI’m worried about, and if this happens it’s good is very short, and you get FIELD: How do you recommend the-- and the probability is not high -- let’s away from the same password being security leaders use our survey resultsnot pretend that this is absolutely going used on many systems. If one password and put them to work?to happen in the next three years; the is compromised, only that system isprobability is relatively low for any given compromised. Basically, you’re creating SHOHAM: Ask for money.kind of incident to happen in any given barriers inside your perimeter, so thatorganization, but the consequences a small compromise does not quickly It sounds cheesy, but it’s true. IT securityof failure are substantial.” In the UK become a large compromise, and you’re is a small percentage of IT spends, andrecently, TalkTalk was hacked, and millions creating forensic audit trails. I think that’s I think it ought to be a somewhat largerof customer records were leaked -- proportion of IT spending, and that’sexfiltrated. Will that company survive the “How much risk not just for procuring technology likeexperience? I don’t know. In the US, Target can you tolerate our products -- it’s also to grow yourgot hacked. Their point of sale systems and how much organization. I think you need an ITwere all compromised. The impact on money are you security program, you need a privilegedthe valuation of the company was in the willing to spend as access management program, you needbillions of dollars, so the consequences an organization to multifactor authentication to play a partare extreme for these incidents, and really mitigate [risk]?” in that. 
You need one or two people whoyou’re talking about reducing the risk of are technically very smart to help youan extreme negative outcome from maybe essentially how you pitch the solution: implement these systems and to maintainsingle digits to less than 1 percent. I think as a way to slow down the expansion of them, keep them operating, and tothat’s how you pitch it to the organization. a successful initial penetration and as a expand their scope over time. Both people way to create forensic audit, which are and technology cost money, and I think aHow do you pitch PAM as opposed to helpful both against malicious insiders survey like this helps IT security leadersother security tools? I think you have and successful outsiders. You talk to build a narrative for their management,to lay out the scenario that you want to your management about the risk of explaining what the risks are and howdefend against. One scenario that PAM catastrophic control failures, and then you those risks might materialize in practicesystems mitigate is insiders who become draw them a picture of how an attacker and what kind of investment they requiremalicious. This happened to the city of might actually progress through the to mitigate the risks.San Francisco a few years ago, where environment to go from initial ingress toa network admin set all the credentials catastrophic access, and then you show I think if you do a good enough jobon all the network routers, basically them how this kind of system would explaining the risks and the probabilitieslocking everyone else out of network prevent this escalation. of compromise both before and aftermanagement. That admin held the city deploying these systems, then it becomesof San Francisco, the entire municipal a business decision, and I think that’sgovernment hostage. 
The other kind of what it ought to be – not about whetherincident is an attacker who has physical to implement some security software,access to your network perimeter, or but how much risk can the organizationsomebody who compromises one of your tolerate and how much money is thePCs with malware -- basically an outsider organization willing to spend to mitigatewith a beachhead in the environment, the risk?and they expand their reach from thatstarting point. Both of these are problems For more results and analysis from thethat can be reduced with a privileged 2015 Privileged Access Managementaccess management system, because Study, please see: http://hitachi-id.com/you take away the ability of a keylogger cgi-bin/emaildoc?document=Web873-to propagate the connection from one HitachiID.pptxsystem to another. You introduce 2FAinto all your sessions, and you change24 2015 Privileged Access Management Study

Want to learn Path to Privileged Access Managementmore about Hitachi ID Systems’ Shoham on the Business Drivers, Benefitsprivilegedaccess Wary of intrusions, data compromise and theft, organizations increasingly are deployingmanagement? privileged access management solutions. Idan Shoham of Hitachi ID Systems offers the essential do’s and don’ts.Check out these contentresources. Breach prevention is one of the key business drivers, says Shoham, CTO and founder of Hitachi ID Systems. But there also is concern to avoid regulatory penalties or negative publicity that could result from the wrong person accessing privileged data. “At the end of the day, these are all dimensions of security,” Shoham says. “People are basically worried about securing their infrastructure and their data.” And fair warning, he adds: The biggest deployment challenges are not technical; they’re organizational. In an interview about privileged access management, Shoham discusses: • The business drivers for privileged access management; • The essential do’s and don’ts; • How to prioritize a PAM deployment. http://www.inforisktoday.com/interviews/path-to-privileged-access-management-i-2753RESULTS WEBINAR2015 Privileged Access Management Study:The ResultsPresented by Idan Shoham and Tom FieldWhether seeking to block external attacks or curb internal abuse, security-conscious organizations increasingly are focusingtheir efforts on protecting the true crown jewels: privileged identities.Do you have confidence in your organization’s ability to manage privileged identities and prevent their abuse? Can yoursecurity team detect and identify intruders before data disappears? 
Are you confident that former employees and contractorsno longer have access to your critical systems?Register for this session to see results of the 2015 Privileged Access Management Study and learn:• How organizations can best managing privileged identities;• The true business impact of intrusions due to external/internal privileged users;• Modern methods being employed to detect both accidental and malicious activity.Idan Shoham of Hitachi ID Systems will provide exclusive survey analysis and insight on how to employ these survey resultsto improve how your organization manages and secures privileged identities and access.REGISTER NOW: http://hitachi-id.com/cgi-bin/emaildoc?document=Web873-HitachiID.pptx 2015 Privileged Access Management Study 25

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways: researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact
(800) 944-0401
[email protected]

902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

