Analysts to Discuss Privileged Access Management Trends and Solutions at Gartner Identity & Access Management Summits 2016
Establishing controls for privileged access continues to be a focus of attention for organisations and auditors. Gartner, Inc. said that by 2018, 25 percent of organisations will review privileged activity and reduce data leakage incidents by 33 percent.
"Only less than 5 percent of organisations were tracking and reviewing privileged activity in 2015," said Felix Gaehtgens, research director at Gartner. "The remainder is, at best, controlling access and logging when, where and by whom privileged access takes place — but not what is actually done. Unless organisations track and review privileged activity, they risk being blindsided by insider threats, malicious users or errors that cause significant outages."
Prevention of both breaches and insider attacks has become a major driver for the adoption of privileged access management (PAM) solutions, in addition to compliance and operational efficiency. PAM is a set of technologies designed to help organizations address the inherent problems related to privileged accounts.
"IT organisations are under increasing business and regulatory pressure to control access to these accounts, which can be administrative accounts, system accounts or operations accounts," said Mr. Gaehtgens.
Gartner recommends that IT operations and security leaders use some best-practice approaches for effective and risk-aware privileged access management.
Inventory All the Accounts With Privileged Access and Assign Ownership
All privileged accounts in your IT environment that enjoy permission levels beyond those of a standard user should be accounted for. It is a security best practice to frequently scan your infrastructure to discover any new accounts introduced with excess privileges. "This becomes even more important for dynamic environments that change rapidly, such as those using virtualization on a large scale, or hybrid IT environments that include cloud infrastructure," said Mr. Gaehtgens. "Organizations should start by using free autodiscovery tools offered by some PAM vendors to enable automated discovery of unmanaged systems and accounts across the range of infrastructure — but even those autodiscovery tools will not find everything."
Shared-Account Passwords Must Not Be Shared
The golden rule is that shared-account passwords must not themselves be shared. Sharing passwords, even among approved users, severely erodes personal accountability; this is a security best practice and demanded by regulatory compliance. It also makes it less likely that passwords will leak to others.
Minimize the Number of Personal and Shared Privileged Accounts
Eliminate, or at least drastically reduce, the number of users with (permanent, full) superuser privileges to the minimum that is consistent with operational and business needs. Migrating to shared privileged accounts is a recommended practice; however, this requires appropriate tools — managing the risks and control issues that arise from the use of such accounts is inefficient and complicated without a shared account password management tool.
Establish Processes and Controls for Managing the Use of Shared Accounts
Establish processes and controls for managing shared accounts and their passwords. While it is possible to use manual processes to manage privileged access, it is too cumbersome and virtually impossible to enforce such practices without specialized PAM tools.
IT operations and security leaders need to implement PAM tools to automate processes, enforce controls and provide an audit trail for individual accountability. These tools are mature, and provide efficient and effective password management for shared superuser (and other) accounts in a robust, controlled and accountable manner, enabling any organization to meet regulatory compliance requirements for restricted access and individual accountability.
Use Privilege Elevation for Users With Regular (Nonprivileged) Access
Administrators will typically have personal, nonprivileged accounts that they use for their day-to-day work, such as reading email, browsing the Web, accessing corporate applications, creating and reviewing information, and so on. "Never assign superuser privileges to these accounts, because these might exacerbate accidental actions or malware that can cause drastic consequences when used in a privileged environment," said Mr. Gaehtgens. "Instead, use privilege elevation to allow temporary execution of privileged commands."
Additional information can be found in the report "Predicts 2016: Identity and Access Management."
Gartner analysts will further explore best practices for privileged access management at Gartner Identity & Access Management Summits 2016, March 14-15 in London, U.K., and November 29 – December 1 in Las Vegas, U.S.
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. The company delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the valuable partner to clients in approximately 10,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 8,300 associates, including more than 1,800 research analysts and consultants, and clients in more than 90 countries. For more information, visit www.gartner.com.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.