UK businesses admit to over-privileging IT staff

Andy Harris

Osirium, a leader in Privileged User Management, today released research findings showing that 70% of UK companies find it difficult to restrict the scope of privileged-level access that system administrators request. As a result, businesses are exposed to unacceptable levels of security risk: over-privileged accounts can be used to infringe corporate data policies, to hide non-compliant activity by deleting audit data, or even to authorise out-of-policy transactions.
“Privileged accounts are essential to managing and maintaining IT infrastructures,” said David Guyatt, CEO at Osirium. “They are however notoriously difficult to control since they don’t actually belong to real users, because these accounts are usually shared across SysAdmin teams, which means that changes cannot be traced back to individual users. These shared accounts are usually full-access privileged accounts and, if not managed correctly, can create a number of security problems for any company.”
The research, conducted by analyst group Quocirca on behalf of Osirium, also found that numerous other access challenges exist within UK businesses which negatively impact their ability to implement a least-privilege access policy. For example, 55% of respondents were unsure how best to close off privileged user access rights when they were no longer needed, whilst others admitted that group admin accounts were still predominantly used as a quick way to gain access to devices.
However, it is not just devices that are at risk – servers and applications can also be impacted. With the current trend towards cloud computing models offering multi-tenanted IT infrastructures, service providers must be able to guarantee that their system administrators can only access the underlying systems that are appropriate to their role and application.
Guyatt warns that the consequences of not following a least-privilege model include security risks from insider threats, operational risks from people accessing and working on the wrong devices, high error rates and an overall inefficient use of available resources.
“In an ideal world, organisations would be implementing automated policies and procedures that enable managers to grant minimal access rights to certain users in order to perform a specific job on a particular device,” he continued. “By controlling this access to cover off a specified period of time, user access can be automatically suspended, granted again later or even fully revoked without time-consuming steps needing to be undertaken; ultimately leaving the business in control of its network and its devices.”
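As an added illustration of the time-boxed, per-user grants Guyatt describes (this is example code written for this page, not Osirium's product or the Quocirca research), the following Python model ties every grant to a named individual, a single device and a minimal role, expires it automatically, allows it to be suspended, reinstated or revoked, and records each decision in an audit trail attributed to that individual. The Grant and PrivilegeBroker names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical names: Grant and PrivilegeBroker are not a real vendor API.
@dataclass
class Grant:
    user: str            # a named individual, not a shared "admin" login
    device: str          # the single device the job applies to
    role: str            # the minimal role needed for that job
    expires: datetime    # end of the specified period
    suspended: bool = False
    revoked: bool = False

@dataclass
class PrivilegeBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # every decision attributed to a user

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def grant(self, user, device, role, minutes, now):
        g = Grant(user, device, role, now + timedelta(minutes=minutes))
        self.grants.append(g)
        self._log("grant", user=user, device=device, role=role, expires=g.expires)
        return g

    def suspend(self, g, now):
        g.suspended = True
        self._log("suspend", user=g.user, device=g.device, at=now)

    def reinstate(self, g, now):
        # Grant again later without creating a new account or touching the device
        g.suspended = False
        self._log("reinstate", user=g.user, device=g.device, at=now)

    def revoke(self, g, now):
        g.revoked = True
        self._log("revoke", user=g.user, device=g.device, at=now)

    def check(self, user, device, role, now):
        """Allow only if a live, unexpired grant covers exactly this user, device and role."""
        allowed = any(
            (g.user, g.device, g.role) == (user, device, role)
            and not g.suspended and not g.revoked and now < g.expires
            for g in self.grants
        )
        self._log("access", user=user, device=device, role=role, allowed=allowed, at=now)
        return allowed
```

Because the grant names the individual rather than a shared account, the audit list answers "who did what, on which device, and when" even after the access window has closed.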