Press Release

Egham, UK, February 11, 2016

Gartner Says By 2018 25 Percent of Organizations Will Review Privileged Activity and Reduce Data Leakage Incidents By 33 Percent

Analysts to Discuss Privileged Access Management Trends and Solutions at Gartner Identity & Access Management Summits 2016

Establishing controls for privileged access continues to be a focus of attention for organisations and auditors. Gartner, Inc. said that by 2018, 25 percent of organisations will review privileged activity and reduce data leakage incidents by 33 percent. 

"Only less than 5 percent of organisations were tracking and reviewing privileged activity in 2015," said Felix Gaehtgens, research director at Gartner. "The remainder is, at best, controlling access and logging when, where and by whom privileged access takes place — but not what is actually done. Unless organisations track and review privileged activity, they risk being blindsided by insider threats, malicious users or errors that cause significant outages." 

Prevention of both breaches and insider attacks has become a major driver for the adoption of privileged access management (PAM) solutions, in addition to compliance and operational efficiency. PAM is a set of technologies designed to help organizations address the inherent problems related to privileged accounts. 

"IT organisations are under increasing business and regulatory pressure to control access to these accounts, which can be administrative accounts, system accounts or operations accounts," said Mr. Gaehtgens. 

Gartner recommends that IT operations and security leaders use some best-practice approaches for effective and risk-aware privileged access management. 

Inventory All the Accounts With Privileged Access and Assign Ownership

All privileged accounts in your IT environment that enjoy permission levels beyond those of a standard user should be accounted for. It is a security best practice to frequently scan your infrastructure to discover any new accounts introduced with excess privileges. "This becomes even more important for dynamic environments that change rapidly, such as those using virtualization on a large scale, or hybrid IT environments that include cloud infrastructure," said Mr. Gaehtgens. "Organizations should start by using free autodiscovery tools offered by some PAM vendors to enable automated discovery of unmanaged systems and accounts across the range of infrastructure — but even those autodiscovery tools will not find everything." 

Shared-Account Passwords Must Not Be Shared

The golden rule is that shared-account passwords must not themselves be shared. Sharing passwords, even among approved users, severely erodes personal accountability, which is a security best practice and is demanded by regulatory compliance. Not sharing passwords also makes it less likely that they will leak to others.

Minimize the Number of Personal and Shared Privileged Accounts

Eliminate, or at least drastically reduce, the number of users with (permanent, full) superuser privileges to the minimum that is consistent with operational and business needs. Migrating to shared privileged accounts is a recommended practice; however, this requires appropriate tools — managing the risks and control issues that arise from the use of such accounts is inefficient and complicated without a shared account password management tool. 

Establish Processes and Controls for Managing the Use of Shared Accounts

Establish processes and controls for managing shared accounts and their passwords. While it is possible to use manual processes to manage privileged access, it is too cumbersome and virtually impossible to enforce such practices without specialized PAM tools. 

IT operations and security leaders need to implement PAM tools to automate processes, enforce controls and provide an audit trail for individual accountability. These tools are mature, and provide efficient and effective password management for shared superuser (and other) accounts in a robust, controlled and accountable manner, enabling any organization to meet regulatory compliance requirements for restricted access and individual accountability. 

Use Privilege Elevation for Users With Regular (Nonprivileged) Access

Administrators will typically have personal, nonprivileged accounts that they use for their day-to-day work, such as reading email, browsing the Web, accessing corporate applications, creating and reviewing information, and so on. "Never assign superuser privileges to these accounts, because these might exacerbate accidental actions or malware that can cause drastic consequences when used in a privileged environment," said Mr. Gaehtgens. "Instead, use privilege elevation to allow temporary execution of privileged commands." 

Additional information can be found in the report "Predicts 2016: Identity and Access Management." 

Gartner analysts will further explore best practices for privileged access management at Gartner Identity & Access Management Summits 2016, March 14-15 in London, U.K., and November 29 – December 1 in Las Vegas, U.S.

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading research and advisory company. The company helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. Gartner's comprehensive suite of services delivers strategic advice and proven best practices to help clients succeed in their mission-critical priorities. Gartner is headquartered in Stamford, Connecticut, U.S.A., and has more than 13,000 associates serving clients in 11,000 enterprises in 100 countries. For more information, visit
