Too many users have privileged access to data across both commercial and government organisations. That is the conclusion of a report from Forcepoint and the Ponemon Institute (registration required). Among the respondents, 36% of government and 40% of commercial respondents admitted they have privileged access even when it is not required for their job function.
It is a problem that organisations have been aware of for a long time but struggle to resolve. One of the biggest causes is the failure of IT to revoke privileged access when a user changes roles. One reason is to allow a reasonable handover to a successor. Another is to ensure that any outstanding work items are completed.
Another reason for having excess privileged access is that “everyone at my level has it.” It’s more a schoolyard complaint than an operational excuse, but 38% used it. A further 24% said that privileged access was granted for no reason. The report didn’t go into any detail as to why this happened.
According to Nico Popp, chief product officer at Forcepoint: “To effectively understand the risk posed by insiders, it takes more than simply looking at logs and configuration changes.
“Incident-based security tools yield too many false positives; instead IT leaders need to be able to correlate activity from multiple sources such as trouble tickets and badge records, review keystroke archives and video, and leverage UEBA tools. Unfortunately, these are all areas where many organizations fall short.”
Key numbers from the report
There are a lot of numbers in this report, many of which make for uncomfortable reading.
- 42% of organisations and 43% of government departments are not confident they have enterprise-wide visibility of privileged access. They are just as uncertain as to how many users comply with policies.
- 56% of organisations (54% commercial; 57% government) say security tools yield too many false positives.
- 40% believe that there is not enough contextual information from security tools (38% commercial; 42% government).
- 44% say that access to sensitive or confidential information is not really controlled.
- 29% admit they are unable to detect sharing of access rights.
- 40% say that privileged users who leave continue to have privileged access rights for some time after leaving.
- 39% claim that privileged users become disgruntled and leak data or damage equipment.
What is the problem with privileged access?
Put simply, data leakage and data breaches. The more users with privileged access to data, the easier it is for a malicious insider or a cybercriminal with stolen credentials to steal data. This is because IT and security systems can’t tell the good from the bad.
It is not just about malicious behaviour. The report shows that curiosity killed more than the cat. When given access to data, users want to know what it is. Respondents admitted:
- Privileged users access sensitive or confidential data because of their curiosity (49% gov; 51% commercial).
- Privileged users can be pressured to share their access rights with others in the organization (44% gov; 42% commercial).
- Privileged users believe they are empowered to access all the information they can view (36% gov; 46% commercial).
Who is responsible for stopping this?
Responsibility for managing privileged access falls across multiple people. IT admins and IT security each have a level of responsibility: IT security sets the rules around how privileged access is handled, and IT admins enforce them. However, there is another group who are often overlooked: Human Resources.
Human Resources know when a user changes roles and department. They should be setting rules for the handover of data and access. For example, when a user changes roles, if there is a three-month period for project handover, HR should be checking with IT admins at the end of that period to ensure privileges are revoked.
At the same time, HR should be working with IT security to determine what data is applicable for each role/user/department. This will allow the automation and enforcement of rules. Working against this is the push to remove data silos and make data accessible to all. That can only work if there are security controls in place.
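A reconciliation check of the kind HR and IT admins could run together, as an added example that is not from the report or the article: it takes a constructed HR feed of role changes and leavers plus a snapshot of privileged group membership, and flags every membership that should already have been revoked (immediately for leavers, after the handover window for role changes). The HrEvent format, the 90-day reading of "three months", the group names and the dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Three-month project handover from the article, assumed here to mean 90 calendar days.
HANDOVER_DAYS = 90

@dataclass(frozen=True)
class HrEvent:
    """A mover/leaver record as HR would hold it (constructed format, not a real feed)."""
    user: str
    kind: str                          # "role_change" or "leaver"
    effective: date                    # date the change took effect
    entitled: frozenset = frozenset()  # privileged groups the new role still needs

def revocation_deadline(event: HrEvent) -> date:
    """Date by which access not covered by the new role must be gone."""
    if event.kind == "leaver":
        return event.effective         # leavers get no handover grace period
    if event.kind == "role_change":
        return event.effective + timedelta(days=HANDOVER_DAYS)
    raise ValueError(f"unknown HR event kind: {event.kind}")

def overdue_privileges(hr_events, privileged_groups, as_of):
    """Return (user, group, days_overdue, kind) for each privileged membership HR data says should be gone."""
    latest = {}
    for ev in hr_events:               # keep only the most recent event per user
        if ev.user not in latest or ev.effective > latest[ev.user].effective:
            latest[ev.user] = ev
    findings = []
    for group, members in sorted(privileged_groups.items()):
        for user in sorted(members):
            ev = latest.get(user)
            if ev is None or group in ev.entitled:
                continue               # no HR change, or the new role still needs this group
            deadline = revocation_deadline(ev)
            if as_of > deadline:
                findings.append((user, group, (as_of - deadline).days, ev.kind))
    return findings

# Constructed sample data: a small HR feed and a snapshot of privileged group membership.
HR_EVENTS = [
    HrEvent("alice", "role_change", date(2021, 1, 15), frozenset({"finance-admins"})),
    HrEvent("bob", "leaver", date(2021, 4, 20)),
    HrEvent("carol", "role_change", date(2021, 3, 1)),   # still inside the handover window
]
PRIVILEGED_GROUPS = {
    "db-admins": {"alice", "bob", "carol", "dave"},      # dave has no HR event: not flagged
    "finance-admins": {"alice"},
}
AS_OF = date(2021, 5, 1)
```

Running `overdue_privileges(HR_EVENTS, PRIVILEGED_GROUPS, AS_OF)` reports alice (16 days past her role-change deadline in db-admins) and bob (11 days past his leaving date), while carol's membership is still inside the handover window and dave has no HR change to reconcile against.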
One thing that comes across strongly from this report is the lack of use of technology to vet users. Again, this falls initially to HR teams inside government but also falls to line managers to determine what an employee needs access to.
In the commercial sector, Identity and Access Management (IAM) solutions are increasingly popular (63%). However, if the right rules are not in place, then the effectiveness of these solutions is, to a degree, neutered. This impacts other tools across the security landscape, where any rise in false positives leads to a relaxation of rules.
Collaboration tools can be a major problem
One of the impacts of COVID has been an increase in users working from home. Many of those users are taking advantage of collaboration systems to share information. Users create shared libraries where all documents related to a project are placed. It is often not just the data directly related to the project but also tangential data. It ensures that everyone has all the data required to make decisions.
The problem here is data leakage. Users do not know what information everyone in the shared group should have access to. In addition, once users have access to that data, there is often nothing to stop them sharing that data elsewhere. Even where organisations have data classification tools in place, they are often defeated by the use of user-created document libraries.
Enterprise Times: What does this mean?
Shockingly, this is not a new issue. It has existed for years, and the problem just continues to get worse. The longer it goes on, the harder it is to detect. While companies are using technology and user education, success is limited by other factors.
The failure to engage all relevant departments, including HR, creates a gap in the controls. HR knows what is happening with user movement, hiring and firing so can determine reasonable handover rules. It can also work with IT security to determine what data a user requires access to in order to do their job.
Excess privileged access is a boon to cybercriminals and nation-state attackers. They can exploit gaps in controls and exfiltrate data easily. As governments introduce more compliance controls and tighter legislation, fines for data loss will get bigger. CrowdStrike acquisition Preempt Security says 80% of data breaches come from compromised credentials. A major contributory factor is the poor privileged access controls that organisations have.
What is obvious from this report is that organisations, commercial and government, have a long way to go to fix this.