5 Deadly Sins of Privileged Access Management Put Firms in Harm’s Way

Data breaches continue to be a regular occurrence around the world as attackers exploit common weaknesses in enterprise infrastructure. A new report from security vendor BeyondTrust has identified what the company refers to as the “5 Deadly Sins” of privileged access management, which are actions and inactions taken by organizations that often lead to exploitable weaknesses. The 15-page report is based on a survey of 474 IT professionals from around the world. Among the survey’s findings is that 22 percent of organizations experienced security problems due to users sharing passwords with other users. The five deadly sins are password policy apathy, administrative privilege greed, patching pride, ignorance about privilege policies and cloud envy. In this slide show, eWEEK looks at the five deadly sins of privileged access management.

The BeyondTrust survey found that a number of insecure practices commonly lead to security problems. The most common ones are sharing passwords (22 percent) and allowing users to run with administrative privileges on their own systems (21 percent).

BeyondTrust identified apathy as one of the five deadly sins. That is, users just don’t seem to take security seriously enough to change and avoid insecure habits.

Not every user needs to have administrative access and privileges. BeyondTrust’s study found that 38 percent of respondents reported that it is common for users to run as full admin users.

There are a number of risks associated with having too many users with administrative access. In the BeyondTrust survey, 18 percent of respondents indicated that attackers commonly combine privileged access with exploitation of an unpatched vulnerability.

Users frequently understand managing administrative access on a Linux/Unix system as simply using the Sudo command. With Sudo, a regular user potentially can temporarily elevate access to accomplish a specific task. The BeyondTrust study found that 68 percent of respondents said that managing least privilege on Linux/Unix is important, while 29 percent said Sudo is enough.

Managing security and privilege access doesn’t stop when an application is delivered via the cloud in a software-as-a-service (SaaS) approach. BeyondTrust’s survey found that 37 percent of respondents said that they are not involved in protecting SaaS applications.