Transcription
PRIVILEGED ACCESSMANAGEMENT IN THEMODERN THREATSCAPEPrivileged access remains the preferred vectorfor attackers, and most organizations aren’t takingthe very basic steps to secure it 2019 Centrify Corporation All Rights Reserved. www.centrify.comwww.centrify.coma
74% of respondents whose organizationshave been breached acknowledge itinvolved access to a privileged account. 2019 Centrify Corporation All Rights Reserved.www.centrify.comb
Over the past few years, it’s become evident that attackers are no longer “hacking” in for databreaches: they are simply logging in using weak, stolen, or otherwise compromised credentials.Once they are in, they then spread out and move laterally across the network, hunting for privilegedaccounts and credentials that help them gain privileged access to an organization’s most criticalinfrastructure and sensitive data.Forrester Research has estimated that, despite continually-increasing cybersecurity budgets,80% of security breaches involve privileged access abuse and 66% of companies have been breachedan average of five or more times.A new survey by Centrify (conducted by FINN Partners) supports this estimate, finding that74% of respondents whose organizationshave been breached acknowledge it involved accessto a privileged account.The survey of 1,000 IT decision makers evenly split between the U.S. and U.K. confirms thatprivileged credential abuse is the preferred attack vector.Too Much Privilege, Not Enough ManagementMore concerning is that the survey results also reveal that, despite knowing that privileged access is the goal, mostorganizations continue to grant too much trust and privilege, and are not prioritizing Privileged Access Management(PAM), nor implementing it effectively.Given the choice, respondents are most likely to say digital transformation (40%) is one of the top 3 projects they’d preferto work on, followed by Endpoint Security (37%) and Privileged Access Management (28%).This contrasts a prediction from Gartner that PAM will be the second-fastest growing information security technologyin 2019, after being a Top 10 security project for 2018, and again in 2019. Practitioners should consider that critical andfundamental security controls such as PAM are enablers for Digital Transformation. However, organizations are simply nottaking some of the most basic steps to secure privileged credentials, the ‘keys to the kingdom.’Most notably, the survey found:Over half of respondents donot have a password vault.52%65%are still sharingroot or privileged access tosystems and data at leastsomewhat often.More than 1 out of every 5still have not implementedMulti-Factor Authentication forprivileged administrative access.21%These are low-hanging fruit that, when combined with a Zero Trust approach to Privileged Access Management,can significantly strengthen their security postures and close off preferred access points for attackers. 2019 Centrify Corporation All Rights Reserved. www.centrify.com1
“What’s alarming is that the survey reveals many organizations, armedwith the knowledge that they have been breached before, are doingtoo little to secure privileged access.IT teams need to be taking their Privileged Access Management muchmore seriously, and prioritizing basic PAM strategies like vaults andMFA while reducing shared passwords.”— Tim Steinkopf, CEO of CentrifyPAM Maturity Not Where It Needs to BeIn addition to not implementing basic Privileged Access Management solutions, many organizations are not implementingbasic policies and processes to reduce risk.For example, 63% (55% U.S. / 70% U.K.) of all respondents indicate their companies usually take morethan a day to turn off privileged access for an employee who leaves the company, exposing themselvesto revenge exploitation, including selling privileged access credentials on the Dark Web.That data point also revealed a common theme throughout the survey that U.K.-based IT decisionmakers lag behind their U.S. counterparts when it comes to awareness and implementation ofPrivileged Access Management.44%of U.K. respondents werenot positive about what PrivilegedAccess Management is, versus26%of U.S. respondents.U.K. Generally Lags Behind U.S. in PAMThe survey also revealed that U.K. IT professionals are less confident in their ability to secure their organizations.Furthermore, fewer U.K. respondents seem aware that privileged credential abuse is the leading cause of data breaches,and that their organization has likely already been breached.60%45%60% of U.K. respondents36%do not have a password vault, afundamental component of PAM,vs. 45% of U.S. respondents. 2019 Centrify Corporation All Rights Reserved.65%Only 36% of U.K. respondentsare “very confident” in their company’scurrent IT security, software, andprotocol, vs. 65% of U.S.respondents.www.centrify.com29%15%29% of U.K. respondentsbreached in the past claim it wasnot caused by abuse of a privilegedaccount, almost twice as manyas U.S. respondents.2
Securing the Modern Threatscape with Zero Trust PrivilegeMost notably, U.K. respondents are falling behind in securing privileged credentials for the expanding threatscape thatmodern enterprises now face. However, in most cases, U.S. companies are not doing much better.Today’s environment is much different than when all privileged access was constrained to systems and resources insidethe network. Privileged access now not only covers infrastructure, databases and network devices but is extended tocloud environments, it includes Big Data projects, it must be automated for DevOps, and it now needs to cover hundredsof containers or microservices to represent what used to be a single server. In addition, Advanced Persistent Threats(APTs) create a growing and changing risk to organizations’ financial assets, intellectual property, and reputations.The survey found respondents are not prioritizing this new threatscape as much as they should be, only controllingprivileged access to a limited amount of modern use cases.Which of the followingare you controllingprivileged access to?Cloud Workloads47% U.K.63% U.S.Big Data37% U.K.47% U.S.Network Devices28% U.K.36% U.S.Organizations should consider a cloud-ready Zero Trust Privilege approach that helps enterprises grant least privilegeaccess based on verifying who is requesting access, the context of the request, and the risk of the access environment.By implementing least privilege access, Zero Trust Privilege minimizes the attack surface, improves audit and compliancevisibility, and reduces risk, complexity, and costs for the modern, hybrid enterprise.For more information, visit ilege.“By adopting a Zero Trust mindset,organizations can further reduce their riskof becoming the next data breach victim.”— Tim Steinkopf, CEO of CentrifyMethodologyFINN Partners, on behalf of Centrify, surveyed 1,000 IT decision makers (500 in the U.S. and 500 in the U.K.) online inOctober 2018. Respondents were not compensated for their participation. 2019 Centrify Corporation All Rights Reserved. www.centrify.com3
Centrify Privileged Access Management SurveyFebruary 2019All numbers below represent percentages of respondents.Privileged Access Questions1.Which option best describes your current activity for each of the following identity and access management(IAM) solutions? Select all that apply.U.S.ActivelyresearchingPilotingIn owSingle Sign-On5410231020Authentication422225911Advanced Authentication(e.g. multi-factor authentication)4215271421Customer Identity and AccessManagement3922211422Identity Governance andAdministration3820271022Identity-as-a-Service (IDaaS)3820231532ActivelyresearchingPilotingIn owSingle as-a-Service (IDaaS)2817271972Advanced Authentication(e.g. multi-factor authentication)2717302042Customer Identity and AccessManagement2618282053Identity Governance andAdministration2518341653U.K. 2019 Centrify Corporation All Rights Reserved.www.centrify.com4
2.Looking forward to next year, which of the following are part of your organization’s top five security projectsin 2019? Select up to five. U.S.U.K.Protecting Cloud Data. 69. 56Preventing Data Leakage. 51. 44Analyzing Security Incidents. 48. 38Improving Security Education/Awareness Training. 47. 42Encrypting Data. 46. 46Securing Privileged Accounts. 40. 34Preventing Phishing Attacks. 34. 32Protecting Endpoints. 32. 29Addressing Vulnerability and Patch Management. 31. 30Maturing Identity Governance . 15. 14None of these. 0. 0Don’t know. 0. 23.If you could spend your time working on anything you wanted to for a month, either out of personal interestor because you know it’s the best strategic area for your company, what would be your top three projects?Select up to three. U.S.U.K.Digital Transformation. 46. 34Endpoint Security. 38. 36Privileged Access Management. 28. 28Internet of Things for Enterprise. 28. 28Big Data. 27. 30Cloud Transformation. 27. 31Security Awareness Training. 24. 19DevOps. 24. 21Risk & Compliance Management. 20. 20Automation. 10. 8None of the above. 1. 2Other. 0. 04.How familiar are you with the term “privileged access management”?. U.S.U.K.I definitely know what this means. 74. 56I think I know what this means, but am not sure. 17. 30I recognize this term, but I don’t know what it means . 4. 10I am completely unfamiliar with this term . 5. 4I don’t know. 0. 1 2019 Centrify Corporation All Rights Reserved. www.centrify.com5
Some have described “privileged access management” as the act of granting least privilege access based onverifying who is requesting access, the context of the request, and the risk of the access environment.That is the definition being used for the purposes of the survey.5.Do you expect your overall security budget to increase, decrease, or remain the same in the next 12 monthscompared to the past 12 months?. U.S.U.K.Increase. 79. 60Decrease. 2. 9Remain the Same. 19. 30I don’t know. 1. 0N/A/We don’t have a security budget. 0. 16.Overall, how confident are you in your company’s IT security, software and protocols?. U.S.U.K.Very confident. 65. 36Somewhat confident. 33. 52Not too confident. 2. 10Not at all confident. 0. 0Don’t know. 0. 17.Do you distinguish between end users (employees with access to usual company data) and privileged users(employees with authority to access more than usual company data or make changes to the company network)in your organization?. U.S.U.K.Yes. 94. 87No. 4. 10Don’t know. 2. 3ASK IF PREVIOUS QUESTION IS “YES”8.What department/job function is overseeing Privileged Access Management in your organization?. U.S.U.K.IT Management. 75. 77Security Operations. 19. 14Risk Management . 5. 8Other (Specify). 1. 0Don’t know. 0. 0N/A – No dept/job function is overseeing Privileged Access. 0. 0 2019 Centrify Corporation All Rights Reserved.www.centrify.com6
RESUME ASKING ALL9.Which of the following factors drive the decision on how you are implementing the management ofwhich users have privileged access? Select all that apply. U.S.U.K.Desire to adhere to best practices. 57. 44Mandates from our compliance department. 51. 48Mandates required for the sake of privacy. 46. 41Response to an external data breach. 44. 38Response to an internal data breach. 43. 32Mandate from Board of Directors or other management. 35. 30Response to data being breached at another company. 33. 29Mandate from one of our partners. 26. 23Other (Specify) . 1. 0None of the above/ I don’t know. 1. 1N/A – No factors drive this decision. 0. 210. For what ecosystem components are you leveraging Privileged Access Management? Select all that apply. U.S.U.K.Windows Servers. 73. 60Windows-based Endpoints (admin accounts). 50. 44Private Cloud. 50. 45Public Cloud. 39. 37Big Data. 37. 28Linux / UNIX Servers. 36. 31Mac-based Endpoints (admin accounts). 26. 23DevOps Environments. 22. 18Containers and Microservices. 7. 16Don’t know. 1. 1None of the above. 0. 111. Do you extend your Privileged Access Management capabilities beyond your employees to include anyof the following? Select all that apply. U.S.U.K.IT Outsourcers. 73. 66Contractors. 45. 43Partners, such as other organizations with which we have an alliance. 35. 30I don’t know. 1. 2None of the above. 8. 8 2019 Centrify Corporation All Rights Reserved. www.centrify.com7
Solution-Specific Questions12. Which of the following is the main reason that an organization might not adequately implementPrivileged Access Management?. U.S.U.K.Budget constraints . 37. 22IT department unable to get buy-in at the highest levels. 25. 23Being too naïve or ignorant to understand the importance. 16. 22Being a lower priority. 10. 18Being too difficult and time-consuming to easily implement. 10. 12Don’t know. 2. 4Other. 1. 013. Which of the following are you controlling privileged access to? Select all that apply. U.S.U.K.Applications (e.g. cloud services such as Office 365). 64. 59Workloads (e.g. public and private cloud workloads). 63. 47Machines (e.g. servers, virtual machines). 52. 52Big Data (e.g. Hadoop). 47. 37Network Devices (e.g. hubs, switches, routers). 36. 28Containers (e.g. Docker). 29. 27None of the above. 1. 2N/A - Don’t know. 1. 114. Have you implemented multi-factor authentication for privileged access?. U.S.U.K.Yes. 83. 67No. 15. 27N/A - Don’t know. 2. 515. Which of the following apply to your organization when it comes to privileged access management?Select all that apply. U.S.U.K.We have a vault. 55. 40We have implemented privilege elevation. 63. 62We have complete auditing and monitoring. 47. 40None of the above. 2. 3Don’t know. 1. 2 2019 Centrify Corporation All Rights Reserved.www.centrify.com8
16. Approximately what percent of people in your company have privileged access – that is, an abilityto access, control or view higher-level information that others do not have? Your best estimate is fine. U.S.U.K.10% or fewer. 15. 2011% to 25%. 24. 3626% to 50%. 39. 3351% to 75%. 19. 876% .
too little to secure privileged access. IT teams need to be taking their Privileged Access Management much more seriously, and prioritizing basic PAM strategies like vaults and MFA while reducing shared passwords." — Tim Steinkopf, CEO of Centrify 44% of U.K. respondents were not positive about what Privileged Access Management is, versus 26%
