Even as organizations worry about attackers and cyber-spies going after sensitive data, a recent Ponemon Institute survey found that employees still have too many data-access privileges.
Many companies still fail to adequately manage user privileges and protect sensitive data, exposing them to the risks of data breaches, according to a study from Hewlett-Packard and the Ponemon Institute.
A survey of 5,500 IT professionals around the world found that more than half the organizations were still giving employees access to sensitive, confidential data they didn't need to perform their jobs, Ponemon Institute said in a report released Dec. 12. The survey looked at professionals in a variety of IT roles, such as operations and security management, in 13 countries, including the United States, the United Kingdom, Germany and France.
More than half the respondents say they have access to company data beyond the scope of their job requirements, the survey found. Examples included giving a network administrator access to payroll data or a database administrator access to the customer list.
About 63 percent of the respondents admitted they would look at the data out of curiosity. Many of the organizations did not revoke privileged access after the employee's role or job function changed and they didn't need the data anymore, the report found.
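The two findings above (access beyond role scope, and privileges not revoked after a role change) are what a periodic entitlement review is meant to catch. The following is an added example, not code from the report or its sponsors; the role-to-data policy and the user population are constructed to mirror the report's own examples (a network administrator holding payroll access, a DBA holding the customer list), and the 30-day grace period is an assumed review window.

```python
from dataclasses import dataclass, field
from datetime import date

# Which data sets each role legitimately needs (constructed sample policy, not from the survey).
ROLE_ENTITLEMENTS = {
    "network_admin": {"network_configs", "firewall_logs"},
    "dba": {"db_schemas", "db_backups"},
    "payroll_clerk": {"payroll"},
    "sales": {"customer_list"},
}

@dataclass
class User:
    name: str
    role: str
    role_changed_on: str            # ISO date the user's current role took effect
    entitlements: set = field(default_factory=set)

def excess_entitlements(user):
    """Data sets granted to the user that the user's current role does not need."""
    return sorted(user.entitlements - ROLE_ENTITLEMENTS.get(user.role, set()))

def review(users, today, grace_days=30):
    """Return one finding per user who holds access beyond role scope.

    Excess access that has persisted longer than grace_days since the last
    role change is labelled 'stale' (a revocation that never happened);
    newer excess is 'recent' (a change still inside the review window)."""
    today = date.fromisoformat(today)
    findings = []
    for u in users:
        extra = excess_entitlements(u)
        if not extra:
            continue
        age = (today - date.fromisoformat(u.role_changed_on)).days
        findings.append({"user": u.name, "role": u.role, "excess": extra,
                         "status": "stale" if age > grace_days else "recent"})
    return findings

# Constructed sample population mirroring the report's examples.
SAMPLE_USERS = [
    User("alice", "network_admin", "2012-06-01", {"network_configs", "firewall_logs", "payroll"}),
    User("bob", "dba", "2012-11-20", {"db_schemas", "db_backups", "customer_list"}),
    User("carol", "payroll_clerk", "2012-09-01", {"payroll", "db_backups"}),  # moved from dba, old access kept
    User("dave", "sales", "2012-01-15", {"customer_list"}),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_USERS, "2012-12-12"):
        print(finding)
```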
"This study spotlights risks that organizations don't view with the same tenacity as critical patches, perimeter defense and other security issues, yet it represents a major access point to sensitive information," said Tom Reilly, vice president and general manager of the Enterprise Security Products group at Hewlett-Packard, which sponsored the study.
Organizations often focus their defenses on stopping external intruders from gaining access to sensitive data, forgetting that an outsider who has breached the network will look like an insider, a legitimate employee, Ira Winkler, Codenomicon's chief security strategist, told eWEEK. Organizations should worry less about who is trying to penetrate their systems and more about how data can be compromised, and should protect the data accordingly. In most cases, that means managing who has access to the data in the first place, according to Winkler.
"General business data" such as documents, spreadsheets, emails and other sources of unstructured data were most at risk for snooping, followed by customer data, according to the survey. Mobile, social media and business-unit-specific applications were most targeted. The findings are consistent with a recent Symantec report on malicious insiders who steal corporate data. Business information, such as billing information, price lists and other administrative data, was stolen in 30 percent of the real-world incidents examined in the report.
The problem was often a "culture" problem, according to Ponemon Institute founder and chairman Larry Ponemon. "Somehow, privileged users think they have a right to access," Ponemon said. In the study, 68 percent of respondents said they were "empowered" to access sensitive data.
About a third of the respondents said access-governance policies are in place and strictly enforced. Few organizations had the technology in place to control access or manage how data-access privileges are being used, according to the report.
About 27 percent of respondents said their organizations have technology-based identity and access controls to detect when root-level or system administration access rights are being shared among users. About 24 percent of the respondents said their organizations combined technology with a business process to control user access. However, 15 percent of the professionals in the survey admitted that access was not really controlled within the organization, and 11 percent said they couldn't detect when access rights were being shared.
Nearly 80 percent of respondents said a security information and event management (SIEM) platform was critical to governing, managing and controlling privileged user access rights, the survey found. However, the high cost of monitoring and the difficulty in validating changes to a user's access rights made proper privilege management a challenge, according to HP.
Organizations had difficulty keeping pace with change requests and had inconsistent approval processes, the survey found. It was also necessary to improve how they identified policy violations and enforced policies across all business units. There also seemed to be some disagreement as to who was in charge of user access management, with 47 percent saying IT was responsible for granting access rights and 40 percent saying the responsibility belonged to the business unit manager.
On a positive note, these organizations were revoking access rights as soon as employees quit or were laid off, the survey found. Only 17 percent of the respondents thought it was likely that a former employee would continue to be able to access data.
The risk to the organization caused by incorrect levels of access being granted to employees would increase over the next 12 to 24 months, according to 42 percent of respondents in the survey. An equal number of respondents said the risk would not change.