Many organizations need to make sweeping changes to their security mindset in the face of evolving challenges, open configuration, and new paradigms. In a traditional approach, network security would “trust but verify” and automatically trust users and endpoints within the organization’s perimeters. This method served as protection against outside attacks and threats, but current data indicates that organizations must also look inward when mapping out their security protocols.
Businesses are increasingly at risk from malicious internal actors and unauthorized “verified” users with wide-reaching access from inherently dangerous practices such as group accounts. Despite the apparent risks associated with enabling privileged accounts shared by multiple users, most organizations continue to rely on group accounts as a method of allowing quick and easy privileged access. A recent poll from Enterprise Management Associates (EMA), which was sponsored by Hitachi ID, demonstrates this overreliance, with 87% of survey respondents indicating that shared privileged accounts were in use in their organization. This overwhelming use of group accounts continues despite the inherent hazard of eliminating any possibility of accountability.
Making the Case
The shared privileged account risk exists at every level. Even organizations that stringently monitor and record the execution of privileged tasks cannot conclusively identify the specific individual responsible for making an unauthorized change if they use a shared account. Additionally, the more users who know a password or retain credentials that give access to a shared privileged access account, the greater the chances of an account being compromised.
The data demonstrates this stark reality. Organizations that support shared accounts were roughly five times more likely to have unauthorized access to privileged accounts. Conversely, organizations that excluded group accounts from their frameworks had almost no reports of privileged account credentials on the dark web and no impact to endpoint device performance from inappropriate privileged activity.
An unhealthy reliance on shared privileged accounts also reflects the perceived effectiveness of privileged access security. On average, surveyed respondents from organizations that did not employ shared privileged accounts expressed high confidence in the ability of their adopted solution to prevent privileged access security breaches. Moreover, the level of security confidence was roughly inversely proportional to the frequency of group account usage. Higher frequency users (such as database administrators) exhibit lower confidence scores, while lower frequency users (such as end-users) correlate to higher confidence scores.
IT leaders can address security and system confidence issues by avoiding unchecked group accounts and adopting solutions that adhere to the “principle of least privilege.” By limiting privileged access authorizations to required tasks, organizations can eliminate the chance that unauthorized actors will misuse elevated permissions to perform unapproved tasks. Additionally, this implementation provides a level of accountability not available in shared accounts since permissions to perform unapproved privileged tasks require specific authorization. Hitachi ID Bravura Privilege is a cutting-edge PAM solution that upholds the principles of least privilege to enforce security and cross-platform access policies in the evolving digital landscape.
Zero Trust Solves Future Challenges
The dynamic enforced end-user authentication inherent in the “principle of least privilege” is also the basis of zero trust models and architectures that can effectively assess threats and adapt to increasingly complex privilege account access modalities. As the data against group accounts has shown, traditional approaches to security and privileged access management have become inadequate in the face of evolving network challenges and realities. Many organizations have moved to zero trust models to combat issues that arise with disparate elevated privilege account types. IT leaders everywhere should rework organizational best practices to disallow shared privileged accounts and consider adopting contemporary zero trust modeling as they work to confront a changing security landscape.
For more information on PAM best practices and key takeaways from EMA, you can access the full report here: Advancing Privileged Access Management (PAM) to Address Modern Business Requirements.
We recently asked IT leaders in higher education to share their thoughts on identity and access management (IAM) automation via a survey conducted with Pulse. The...
Most organizations continue to employ user accounts that indefinitely retain elevated privileges, despite increasing evidence that utilizing standing privileged accounts...