Privileged user management


Privileged user management: It's time to take control. Bob Tarzey, Analyst and Director, Quocirca Ltd

Introduction. The data presented is based on 270 telephone interviews with organisations across Europe, conducted by Quocirca in June 2009. The research was commissioned and sponsored by CA. One aspect of the research was to look at how European organisations manage privileged user access to their IT systems, and this presentation outlines the findings. More details can be found in the associated Quocirca report, available at www.quocirca.com

Countries covered in survey (chart of interviews per country): United Kingdom, Germany, France, Italy, Denmark, Israel, Netherlands, Spain, Sweden, Belgium, Finland, Ireland, Norway, Portugal

Company sizes covered in survey (pie chart, four size bands: 2000-3000, 3001-5000, 5001-9999, 10000 and above; the four segments were 52, 58, 83 and 77 interviews, totalling the 270 interviews)

Business sectors covered in survey (pie chart): Finance, Government, Manufacturing, Telecoms & Media, roughly equal at 67 or 68 interviews each

Job roles of respondents covered in survey (pie chart): IT Director/CIO, IT Manager, IT Security Head, IT Security Manager; the four segments were 153, 76, 24 and 17 interviews, totalling 270

The privileged user conundrum
- The necessity of privileged user access
- The dangers of privileged user access: accidental actions, deliberate actions, access by outsiders
Controlling and monitoring their own activities is not high on the agenda of IT managers, with so many other issues to worry about. This means there is an inherent contradiction in the confidence many businesses have in their ability to comply with certain regulations and manage their IT systems to a given standard.

Deployment of security standards and methodologies? (chart for ISO 27001, ITIL and COBIT; categories: Implemented and certified / Implemented / Implementing / Adopted, not implemented / Not adopted / Not heard of) Almost 60% of organisations say they have implemented or are planning to implement ISO 27001, the widely accepted standard for the secure management of IT systems.

To what extent are the following a threat to IT security in your organisation? (chart of actual versus perceived threat for malware, Internet, internal users, data compromise, external users, Web 2.0 tools, email and privileged users; scale from 1 = not a threat to 5 = a very serious threat) When it comes to IT security, IT managers have many things to worry about; monitoring and controlling privileged users is not high on the list.

How confident are you that you can control and monitor the following types of PU accounts? (chart of control versus monitor confidence for administrators of operating system, security, database, web applications and network; scale from 1 = not confident at all to 5 = very confident) There is a reasonable level of confidence among IT managers that they can control and monitor privileged user activity. One might assume this is because they have the tools in place to do so but, as this research goes on to show, this is not the case.

How well prepared is your organisation to protect against the following risks? (chart of actual versus perceived preparedness for malware, Internet, internal users, data compromise, external users, Web 2.0 tools, email and privileged users; scale from 1 = very well prepared to 5 = very poorly prepared) Another finding is that businesses believe they are reasonably well prepared to protect themselves against compliance audit failure; however, poor practice around privileged users shows that this confidence may be misplaced in many cases.

What the standards say about privileged users
- ISO 27001 requires: the allocation and use of privileges shall be restricted and controlled
- PCI DSS recommends: auditing all privileged user activity
- Garante Privacy (the Italian data protection authority): privileged users are key figures for the security of data banks

How do you see regulations in the following areas affecting your organisation over the next 5 years? (chart for national government, data privacy, national security, industry specific, EU, international trading, environmental, securities trading, credit card handling, financial transparency and health care; scale from 1 = will decrease a lot to 5 = will increase a lot) And the regulatory pressure is expected to increase in many areas, which is likely to lead to any areas of bad practice in IT and data management being exposed, if they have not been so already.

Privileged user bad practices include:
- Account sharing
- The use of default user names and
- The granting of wider access than is necessary
- Ignorance about the existence of privileged user accounts in the first place
- A failure to monitor the actions of users whilst acting under privileged

Do you share admin accounts between different individual privileged users in the following areas? (chart for operating system, database, security, web application and network; Yes / No / Don't know) Sharing of privileged user accounts means the activities of individual privileged users cannot be tracked, and is in direct contravention of ISO 27001 and other regulations such as PCI DSS or national government regulations on data privacy (like Garante Privacy in Italy).
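The bad practices listed on the previous slide (privileged accounts nobody knows about, access granted more widely than needed, shared admin accounts whose use cannot be traced to a person) are things a practitioner can check for directly. The script below is an added example, not code from Quocirca or CA and not part of the original deck. It audits a Unix host for those three conditions from its account database and its authentication log; the /etc/passwd, /etc/group and auth-log excerpts embedded in it are constructed sample data so it runs offline, and the set of groups treated as admin groups is an assumption for the sample host.

```python
"""Audit privileged accounts for the bad practices the slides describe:
unknown privileged accounts, over-broad admin access and shared, unattributable
admin logins. Sample data below is CONSTRUCTED; on a real host read
/etc/passwd, /etc/group and the auth log instead."""
import re

# Constructed /etc/passwd: a second uid-0 account and a shared DBA account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
dbadmin:x:1003:1003:shared DBA account:/home/dbadmin:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed /etc/group: the shared dbadmin account has sudo rights too.
GROUP = """\
root:x:0:
sudo:x:27:alice,bob,dbadmin
wheel:x:10:alice
www-data:x:33:
"""

# Constructed auth log: a direct root login, the shared account used from
# two addresses, and one sudo command that is attributed to a named person.
AUTH_LOG = """\
Jun  3 09:12:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2: RSA SHA256:abc
Jun  3 09:13:45 host sshd[1210]: Accepted password for root from 10.0.0.7 port 51040 ssh2
Jun  3 09:20:12 host sshd[1222]: Accepted password for dbadmin from 10.0.0.8 port 51050 ssh2
Jun  3 09:21:03 host sshd[1230]: Accepted password for dbadmin from 10.0.0.9 port 51060 ssh2
Jun  3 10:02:55 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Assumption: membership of these groups confers admin rights on this host.
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_passwd(text):
    """Return {account: uid} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            accounts[fields[0]] = int(fields[2])
    return accounts


def parse_group(text):
    """Return {group: set of member names} from group-format text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def privileged_accounts(accounts, groups, admin_groups=ADMIN_GROUPS):
    """Inventory: map every privileged account to the reasons it is privileged.
    Surfaces accounts such as a second uid-0 login that nobody knew existed."""
    reasons = {}
    for name, uid in accounts.items():
        if uid == 0:
            reasons.setdefault(name, []).append("uid 0")
    for gname, members in groups.items():
        if gname in admin_groups:
            for member in sorted(members):
                reasons.setdefault(member, []).append(f"member of {gname}")
    return reasons


def login_sources(log_text, privileged):
    """For each privileged account, the set of addresses that logged in to it directly."""
    sources = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group("user") in privileged:
            sources.setdefault(m.group("user"), set()).add(m.group("src"))
    return sources


def attributed_actions(log_text):
    """sudo records tie each privileged command to a named individual."""
    return [(m.group("user"), m.group("target"), m.group("cmd"))
            for m in map(SUDO_RE.search, log_text.splitlines()) if m]


def findings(accounts, groups, log_text):
    """Findings for the three bad practices, as readable strings."""
    priv = privileged_accounts(accounts, groups)
    out = [f"unexpected uid-0 account: {n}"
           for n in sorted(priv) if accounts.get(n) == 0 and n != "root"]
    for name, ips in sorted(login_sources(log_text, priv).items()):
        if name == "root":
            out.append(f"direct root login from {', '.join(sorted(ips))}: cannot be attributed to an individual")
        elif len(ips) > 1:
            out.append(f"admin account {name} used from {len(ips)} addresses: probably shared")
    return out


if __name__ == "__main__":
    accts, grps = parse_passwd(PASSWD), parse_group(GROUP)
    for name, why in sorted(privileged_accounts(accts, grps).items()):
        print(f"{name:10} {', '.join(why)}")
    for finding in findings(accts, grps, AUTH_LOG):
        print("FINDING:", finding)
    for who, target, cmd in attributed_actions(AUTH_LOG):
        print(f"sudo: {who} ran as {target}: {cmd}")
```

The contrast the script draws is the point of the slide: the sudo record names alice, so her privileged action can be audited, whereas the root and dbadmin logins only show that someone holding the shared password connected, which is exactly the attribution gap the standards object to.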

Do you share operating system admin accounts between privileged users, versus ISO 27001 adoption? (chart by ISO 27001 status: Implemented and certified / Implemented / Implementing / Adopted, not implemented / Not adopted / Not heard of; Yes / No / Don't know) Even those that claim to have implemented ISO 27001 are widely indulging in such bad practice.

Do you use manual methods to manage access for privileged users? (chart for manual monitoring of PU activity and manual control of access to PU accounts; Already in place / Delayed plans / Planned for next 12 months / No plans, don't know) Only around 20% of organisations have manual controls in place for the management of privileged users. This includes practices such as providing one-off passwords using paper-based systems, and does not allow for the monitoring and auditing required by regulators.

Do you use any of the following types of tools for managing privileged users? (chart for privileged user management tools and tools to analyse privileged accounts; In place / Delayed plans / Planned for next 12 months / No plans, don't know) A similar percentage have put in place tools to manage and control privileged users. It is only the use of these tools that can fully satisfy the requirements of regulators and protect the business from the potentially harmful actions of privileged users, whether accidental or malicious.

How influential are the following factors in limiting investment in security? (chart for limited budget, business has low awareness of threats, priority given to other IT investments, lack of in-house expertise and IT security not seen as a business enabler; scale from 5 = very big influence to 1 = no influence at all) One factor limiting investment is lack of budget, but another is lack of awareness of the threat. When it comes to privileged users, which requires IT managers to police themselves, it is all too easy to focus on other priorities, and business managers will be much more aware of other high-profile risks such as malware and data loss via normal users.

Is the proportion of your organisation's total IT budget spent on IT security increasing or decreasing? (chart by sector: manufacturing, finance, telecoms & media, government; Increasing / Stable / Decreasing / Don't know) But, generally speaking, IT security spending is not being compromised despite the downturn, suggesting that if the awareness around a given threat is high enough, funds will be made available.

Conclusions
- It is in the interest of individual IT managers, the IT department as a whole and the overall business to have measures in place to control and monitor privileged users
- Manual processes are ineffective and do not provide an audit trail that would satisfy regulators
- The one way to ensure this is to put in place tools that fully automate the management of privileged user accounts and the assignment of privileged user access, and enable the full monitoring of their activities
2009 Quocirca Ltd

Country level data. The following slides highlight some of the geographic variations in the data. Note: the sample sizes for all countries, with the exception of the UK, Germany, France and Italy, are too small to draw anything but possible pointers for further research (see slide 3 for more details).

Deployment of ISO 27001 by country (chart, in this order: overall, France, Italy, Norway, Spain, UK, Denmark, Germany, Netherlands, Belgium, Finland, Sweden, Israel; categories: Implemented and certified / Implemented / Implementing / Adopted, not implemented / Not adopted / Not heard of) Deployment of ISO 27001 varied widely. The data for France contained more interviews with IT security heads than the other samples, so there may be an awareness, or even defensive, issue here, with people in such roles having more insight into regulatory compliance, or not wanting to admit to overlooking it.

To what extent are privileged users a threat to IT security in your organisation? (chart of actual versus perceived threat by country, in this order: overall, Netherlands, Sweden, Norway, Israel, Italy, Germany, Spain, Belgium, Finland, Denmark, UK, France; scale from 1 = not a threat to 5 = a very serious threat) The recognised threat with regard to privileged users is roughly the inverse of ISO 27001 deployment, suggesting that deployment does lead to better practice.

How confident are you that you are able to control and monitor privileged user accounts at the OS level? (chart of control versus monitor confidence by country, in this order: overall, Denmark, France, Belgium, Italy, Israel, Norway, Germany, Netherlands, Spain, UK, Sweden, Finland; scale from 1 = not confident at all to 5 = very confident) The confidence in being able to control them is also roughly the inverse of ISO 27001 deployment.

Do you share administrator accounts between different individual privileged users at the operating system level? (chart by country, in this order: overall, Belgium, France, Netherlands, Sweden, Finland, Denmark, Norway, Italy, UK, Germany, Spain, Israel; Yes / No / Don't know) The bad practices exposed by this report should not be forgotten. There is little correlation between ISO 27001 deployment and bad practices like account sharing. This suggests that the confidence conferred by the standard is general rather than specific.

Do you use manual methods to control access for privileged users? (chart by country, in this order: overall, France, Belgium, Denmark, Italy, UK, Norway, Netherlands, Sweden, Germany, Finland, Israel, Spain; In place / Planned / Delayed plans / No plans, don't know) There is a rough correlation between confidence in controlling privileged users and the use of manual processes for PUM. Whilst this is a good finding, as it shows there is a payback for taking action, the benefits conferred by using automated tools should not be forgotten.

Do you use privileged user management tools? (chart by country, in this order: overall, France, Denmark, Italy, Belgium, Norway, UK, Germany, Sweden, Israel, Netherlands, Finland, Spain; In place / Planned / Delayed plans / No plans, don't know) There is also a rough correlation between confidence in controlling privileged users and the use of full PUM tools; an endorsement of their use.

How influential are the following factors in limiting investment in security? (chart of limited budget versus lack of business awareness by country, in this order: overall, Norway, Italy, Germany, UK, Finland, France, Belgium, Netherlands, Israel, Denmark, Sweden, Spain; scale from 5 = very big influence to 1 = no influence at all) Budget is always an issue, but remember, overall investment in IT security is being maintained, at least as a proportion of overall IT spend. Business awareness is the next most prominent issue.

Contact details. The contacts for this project are: Bob Tarzey, Service Director, Quocirca, Bob.Tarzey@Quocirca.com, +44 7900 275517; Mariateresa Faregna, Public Relations Manager, CA, Mariateresa.Faregna@ca.com, +39 02 90464739