Academic year: 2021


(1)

Privileged user management


It’s time to take control

Bob Tarzey,

(2)

Introduction

• The data presented is based on 270 telephone interviews with organisations across Europe conducted by Quocirca in June 2009

• The research was commissioned and sponsored by CA

• One aspect of the research was to look at how European organisations managed privileged user access to their IT systems; this presentation outlines the findings

• More details can be found in the associated Quocirca report available at www.quocirca.com


(3)

Countries covered in survey

Number of interviews per country (270 in total):

• United Kingdom: 45

• Germany: 40

• France: 35

• Italy: 30

• Denmark: 15

• Israel: 15

• Netherlands: 15

• Spain: 15

• Sweden: 15

• Belgium: 10

• Finland: 10

• Ireland: 10

• Norway: 10

• Portugal: 5

(4)

Company sizes covered in survey

Number of interviews per company size (270 in total):

• 2000-3000: 58

• 3001-5000: 77

• 5001-9999: 83

• 10000 and above: 52

(5)

Business sectors covered in survey

Four sectors of almost equal size (68, 68, 67 and 67 interviews; 270 in total): Finance, Government, Manufacturing and a fourth sector whose label was not recovered from the chart

(6)

Job roles of respondents covered in survey

Number of interviews per job role (270 in total):

• IT Director/CIO: 76

• IT Manager: 153

• IT Security Head: 24

• IT Security Manager: 17

(7)

The privileged user conundrum

• The necessity of privileged user access

• The dangers of privileged user access

– Accidental actions

– Deliberate actions

– Access by outsiders

• Controlling and monitoring their own activities is not high on the agenda of IT managers, who have so many other issues to worry about

• This means there is an inherent contradiction in the confidence many businesses have in their ability to comply with certain regulations and manage their IT systems to a given standard

(8)

Deployment of security standards and methodologies?

Almost 60% of organisations say they have implemented or are planning to implement ISO27001, the widely accepted standard for the secure management of IT systems

[Chart: adoption status of COBIT, ITIL and ISO 27001 as a percentage of respondents (0–100%); categories: Implemented and certified, Implemented, Implementing, Adopted/not implemented, Not adopted, Not heard of]

(9)

To what extent are the following a threat to IT security in your organisation?

Scale from 1 = “not a threat” to 5 = “a very serious threat”

[Chart: actual versus perceived threat scores (axis 2–3) for privileged users, email, “Web 2” tools, external users, data compromise, internal users, the internet and malware]

When it comes to IT security, IT managers have many things to worry about; monitoring and controlling privileged users is not high on the list

(10)

How confident are you that you can control and monitor the following types of PU accounts?

Scale from 1 = “not confident at all” to 5 = “very confident”

[Chart: control and monitor confidence scores (axis 3–3.6) for administrators of network, applications, web, database, security and operating system]

There is a reasonable level of confidence among IT managers that they can control and monitor privileged user activity. One might assume this is because they have the

(11)

How well prepared is your organisation to protect against the following risks?

Scale from 1 = “very well prepared” to 5 = “very poorly prepared”

[Chart: actual versus perceived preparedness scores (axis 2–3) for privileged users, email, “Web 2” tools, external users, data compromise, internal users, the internet and malware]

Another finding is that businesses believe they are reasonably well prepared to protect themselves against compliance audit failure; however, poor practice around

(12)

What the standards say about privileged users

• ISO 27001 requires: “the allocation and use of privileges shall be restricted and controlled”

• PCI DSS recommends: “auditing all privileged user activity”

• Garante Privacy: privileged users are “key figures for the security of data banks”

(13)

How do you see regulations in the following areas affecting your organisation over the next 5 years?

Scale from 1 = “will decrease a lot” to 5 = “will increase a lot”

[Chart: expected-change scores (axis 2–3.5) for health care, financial transparency, credit card handling, securities trading, environmental, international trading, EU, industry specific, national security, data privacy and national government regulation]

And the regulatory pressure is expected to increase in many areas, which is likely to lead to any areas of bad practice in IT and data management being exposed, if they

(14)

Privileged user bad practices include:

• Account sharing

• The use of default user names and

• The granting of wider access than is necessary

• Ignorance about the existence of privileged user accounts in the first place

• A failure to monitor the actions of users whilst acting under privileged
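As an added example, not part of the Quocirca deck or of CA's material, the following Python script checks a constructed privileged-account inventory and a handful of constructed login records against the bad practices listed above: account sharing (one account used from several sources within a short window), default user names, access wider than the account's function needs, privileged accounts that nobody has put in the inventory, and privileged sessions with no recording. All account names, roles, addresses, timestamps and thresholds are assumptions chosen for illustration.

```python
"""Audit a privileged-account inventory and login records for the bad
practices listed on slide 14. Added example; every record below is
constructed for illustration, none of it comes from the survey."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: privileged accounts the organisation knows about,
# who owns each, and which admin roles have been granted to it.
KNOWN_ACCOUNTS = {
    "dba_ops": {"owner": "j.smith", "roles": {"db_admin"}},
    "root":    {"owner": "shared",  "roles": {"os_admin"}},
    "webadm":  {"owner": "a.jones", "roles": {"web_admin", "db_admin", "net_admin"}},
}

# Vendor or platform default names (assumed list; extend per environment).
DEFAULT_NAMES = {"root", "admin", "administrator", "sa", "guest"}

# Least-privilege baseline (assumed): the roles each account's job requires.
NEEDED_ROLES = {"dba_ops": {"db_admin"}, "webadm": {"web_admin"}}

# Constructed login records: (account, source address, ISO timestamp,
# whether the session was recorded by a monitoring tool).
LOGINS = [
    ("root",      "10.0.0.5",  "2009-06-01T09:00:00", False),
    ("root",      "10.0.0.9",  "2009-06-01T09:10:00", False),
    ("root",      "10.0.0.12", "2009-06-01T09:20:00", False),
    ("dba_ops",   "10.0.0.5",  "2009-06-01T10:00:00", True),
    ("backupsvc", "10.0.0.7",  "2009-06-01T11:00:00", False),  # absent from inventory
]


def find_shared_accounts(logins, window=timedelta(hours=1), min_sources=2):
    """Accounts used from at least min_sources distinct sources inside one
    window: the usual footprint of a password passed between people."""
    by_account = defaultdict(list)
    for acct, src, ts, _ in logins:
        by_account[acct].append((datetime.fromisoformat(ts), src))
    shared = {}
    for acct, events in by_account.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            sources = {s for t, s in events[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                shared[acct] = sorted(sources)
                break
    return shared


def find_default_names(inventory):
    """Inventory entries that are still using a default user name."""
    return sorted(a for a in inventory if a.lower() in DEFAULT_NAMES)


def find_excess_access(inventory, needed):
    """Roles granted beyond what the account's function requires."""
    excess = {}
    for acct, required in needed.items():
        extra = inventory[acct]["roles"] - required
        if extra:
            excess[acct] = sorted(extra)
    return excess


def find_unknown_accounts(logins, inventory):
    """Privileged logins by accounts nobody has recorded in the inventory."""
    return sorted({a for a, *_ in logins} - set(inventory))


def find_unmonitored(logins):
    """Accounts with at least one privileged session that was not recorded."""
    return sorted({a for a, _, _, recorded in logins if not recorded})


def audit(logins=LOGINS, inventory=KNOWN_ACCOUNTS, needed=NEEDED_ROLES):
    """Run every check and return the findings keyed by bad practice."""
    return {
        "shared": find_shared_accounts(logins),
        "default_names": find_default_names(inventory),
        "excess_access": find_excess_access(inventory, needed),
        "unknown": find_unknown_accounts(logins, inventory),
        "unmonitored": find_unmonitored(logins),
    }


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(f"{finding}: {detail}")
```

In practice the login records would come from the audit logs of the systems concerned and the inventory from whatever register of privileged accounts the organisation keeps; the script only shows what each of the five bad practices looks like as a checkable condition once such records exist.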

(15)

Do you share admin accounts between different individual privileged users in the following areas?

[Chart: percentage of respondents sharing admin accounts (0–100%) for network, application, web, security, database and operating system]

Sharing of privileged user accounts means the activities of individual privileged users cannot be tracked, and is in direct contravention of ISO27001 and other regulations such as PCI DSS or national government regulations on data privacy (like Garante Privacy in Italy)

(16)

Do you share operating system admin accounts between privileged users, versus ISO27001 adoption?

[Chart: percentage of respondents sharing OS admin accounts (0–100%) by ISO27001 status: Not heard of, Not adopted, Adopted/not implemented, Implementing, Implemented, Implemented and certified]

Even those that claim to have implemented ISO27001 are widely indulging in such bad practice

(17)

Do you use manual methods to manage access for privileged users?

[Chart: status of manual control of access to PU accounts and of manual monitoring of PU activity (0–100%); categories: Already in place, Planned for next 12 months, Delayed plans, No plans/don't know]

Only around 20% of organisations have manual controls in place for the management of privileged users. This includes practices such as providing one-off passwords using paper-based systems, and does not allow for the monitoring and auditing required by regulators

(18)

Do you use any of the following types of tools for managing privileged users?

[Chart: status of tools to analyze privileged accounts and of privileged user management tools (0–100%); categories: In place, Planned for next 12 months, Delayed plans, No plans/don't know]

A similar percentage have put in place tools to manage and control privileged users. It is only the use of such tools that can fully satisfy the requirements of regulators and protect the business from the potentially harmful actions of privileged users, whether accidental or malicious

(19)

How influential are the following factors in limiting investment in security?

Axis: 5 = very big influence to 1 = no influence at all

[Chart: influence scores (axis 2–4) for: IT security not seen as a business enabler, lack of in-house expertise, priority given to other IT investments, business has low awareness of threats, limited budget]

One factor limiting investment is lack of budget, but another is lack of awareness of the threat. When it comes to privileged users, which requires IT managers to police themselves, it is all too easy to focus on other priorities, and business managers will be much more aware of other high-profile risks such as malware and data loss via

(20)

Is the proportion of your org’s total IT budget spent on IT security increasing or decreasing?

[Chart: responses (Increasing, Stable, Decreasing, Don’t know) as a percentage (0–100%) by sector: Government, Telecoms & Media, Finance, Manufacturing]

But, generally speaking, IT security spending is not being compromised despite the downturn, suggesting that if the awareness around a given threat is high enough,

(21)

Conclusions

• It is in the interest of individual IT managers, the IT department as a whole and the overall business to have measures in place to control and monitor privileged users

• Manual processes are ineffective and do not provide an audit trail that would satisfy regulators

• The one way to ensure this is to put in place tools that fully automate the management of privileged user accounts and the assignment of privileged user access, and enable the full monitoring of their activities

(22)

The following slides highlight some of the geographic variations in the data

Note: the sample sizes for all countries, with the exception of UK, Germany, France and Italy, are too small to draw anything but possible pointers for further research (see slide 3 for more details)

(23)

Deployment of ISO27001 by country

Deployment of ISO27001 varied widely. The data for France contained more interviews with IT security heads than the other samples, so there may be an awareness, or even a defensiveness, issue here, with people in such roles having more insight into regulatory compliance, or not wanting to admit to overlooking it.

[Chart: ISO27001 status by country (Israel, Sweden, Finland, Belgium, Netherlands, Germany, Denmark, UK, Spain, Norway, Italy, France, Overall) as a percentage (0–100%); categories: Implemented and certified, Implemented, Implementing, Adopted/not implemented, Not adopted, Not heard of]

(24)

To what extent are privileged users a threat to IT security in your organisation?

Scale from 1 = “not a threat” to 5 = “a very serious threat”

[Chart: actual versus perceived threat scores (axis 1.5–3.5) by country: France, UK, Denmark, Finland, Belgium, Spain, Germany, Italy, Israel, Norway, Sweden, Netherlands, Overall]

The recognised threat with regard to privileged users is roughly the inverse of ISO27001 deployment, suggesting that deployment does lead to better practice

(25)

How confident are you that you are able to control and monitor privileged user accounts at the OS level?

Scale from 1 = “not confident at all” to 5 = “very confident”

[Chart: control and monitor confidence scores (axis 2–4) by country: Finland, Sweden, UK, Spain, Netherlands, Germany, Norway, Israel, Italy, Belgium, France, Denmark, Overall]

The confidence in being able to control them is also roughly the inverse of ISO27001 deployment.

(26)

Do you share administrator accounts between different individual privileged users at the operating system level?

[Chart: Yes, No and Don't know responses as a percentage (0–100%) by country: Israel, Spain, Germany, UK, Italy, Norway, Denmark, Finland, Sweden, Netherlands, France, Belgium, Overall]

The bad practices exposed by this report should not be forgotten. There is little correlation between ISO27001 deployment and bad practices like account sharing. This suggests that the confidence conferred by the standard is general rather than specific.

(27)

Do you use manual methods to control access for privileged users?

[Chart: status (In place, Planned, Delayed plans, No plans/don't know) as a percentage (0–100%) by country: Spain, Israel, Finland, Germany, Sweden, Netherlands, Norway, UK, Italy, Denmark, Belgium, France, Overall]

There is a rough correlation between confidence in controlling privileged users and the use of manual processes for PUM. Whilst this is a good finding, as it shows there is a payback for taking action, the benefits conferred through using automated tools should not be

(28)

Do you use privileged user management tools?

[Chart: status (In place, Planned, Delayed plans, No plans/Don't know) as a percentage (0–100%) by country: Spain, Finland, Netherlands, Israel, Sweden, Germany, UK, Norway, Belgium, Italy, Denmark, France, Overall]

There is also a rough correlation between confidence in controlling privileged users and the use of full PUM tools; an endorsement of their use.

(29)

How influential are the following factors in limiting investment in security?

Axis: 5 = very big influence to 1 = no influence at all

[Chart: influence scores (axis 2–4) for limited budget and lack of business awareness by country: Spain, Sweden, Denmark, Israel, Netherlands, Belgium, France, Finland, UK, Germany, Italy, Norway, Overall]

Budget is always an issue, but remember, overall investment in IT security is being maintained, at least as a proportion of overall IT spend. Business awareness is the

(30)

Contact details

• The contacts for this project are:

– Bob Tarzey, Service Director, Quocirca – [email protected] – +44 7900 275517

– Mariateresa Faregna, Public Relations Manager, CA – [email protected] – +39 02 90464739
