Firms Unaware of How Privileged Accounts Are Secured in Cloud: Survey

More than a half of IT and C-level executives say they don't know what is being done to protect and monitor privileged accounts.

Many organizations are failing to keep track of how privileged accounts are being protected as they move to the cloud, according to a survey of nearly 1,000 IT and C-level executives.

In Cyber-Ark Software's 7th Annual Global Advanced Threat Landscape Survey, researchers found that 56 percent of respondents do not know what their cloud service providers are doing to protect and monitor privileged accounts. In addition, despite still entrusting their information to a third party, 25 percent of respondents feel they are better equipped to protect their company's confidential information than their cloud service provider.

In a paper released in 2012 discussing identity access management for cloud environments, the Cloud Security Alliance advised that access and entitlements for privileged IT users in publicly deployed cloud-based systems must be in conformance with regulatory requirements.

"It is critical that the established SLAs [service-level agreements] between the enterprise and the cloud provider meet or exceed the enterprise's general requirements," the report notes.

"Cloud providers need to offer everything that customers should be doing for themselves," John Worrall, chief marketing officer of Cyber-Ark Software, told eWEEK. "Businesses should ask their cloud service providers if, and how, they follow best practices related to privileged access control, accountability and monitoring. What are the cloud providers doing to monitor all privileged activity as well as protect access to privileged credentials, isolate and control administrative access to target resources?

"Cloud users," he continued, "should also ask their providers if they provide a complete audit trail of who did what, when they did it and why? Can they offer real-time alerts when suspicious activity takes place during a privileged session? Without this preventative, automated approach to managing and securing privileged users across virtual devices, cloud providers are putting their customers at undue risk."

Sixty-four percent of respondents to the Cyber-Ark study also said they are now managing privileged accounts as an advanced threat security vulnerability, though 39 percent confessed they either don't know how to identify where privilege accounts exist or are doing it manually.

"We have found precious few organizations that fully understand where all of their privileged accounts exist—let alone the ability/understanding to establish a comprehensive plan to secure access to them and monitor their use," Worrall said.

"Through prior research, we determined that the number of privileged accounts in an organization is typically three to four times the number of employees," he said. "According to our [previous] survey, 86 percent of respondents from large enterprises (5000+ employees) stated they either didn't know how many accounts they had or that they had no more than one per employee. That means at least two out of every three privileged accounts in these organizations are either unknown or unmanaged."

The survey also found that 80 percent of respondents believe that cyber-attacks pose a greater threat to their nation than physical attacks, though just what role governments should play in addressing that is somewhat divided. Sixty-one percent of the respondents stated that the government and legislative action can help protect critical infrastructure against advanced threats. This number, however, was lowest in the United States, where only 57 percent thought legislation would be an effective tool. That compared to 64 percent of respondents from Europe and 61 percent from Asia Pacific.

"It's a great reminder of the cultural differences and the impact that they can have on people's perspectives and the government's ability/responsibility to make a positive contribution to cyber security," Worrall said.