Six in 10 organizations say they must demonstrate compliance and auditing of privileged accounts, indicating that privileged account management (PAM) security is now a firm requirement for complying with government and industry regulations. This is just one of many findings from a Benchmark Global Survey with responses from more than 500 IT security professionals at organizations around the world. The findings indicate that privileged account management is not just a security issue, but also a regulatory compliance issue within their organization or industry.
The survey is part of a new report, 2016 State of Privileged Account Management, that exposes several significant security gaps in how organizations manage and secure their privileged account passwords and access, and shows the extent to which privileged account management security is rising in priority and is required for regulatory compliance.
The main reason privileged accounts are so critical to both industry and regulatory compliance is that privileged accounts hold what are known as the “keys to the kingdom.” These accounts have full permissions on computer systems and environments, which typically gives them access to the locations where sensitive data is stored: financial records, classified data, or personally identifiable data such as email addresses, credit card numbers and social security numbers. It is crucial that organizations monitor and track any unauthorized modification, theft, sabotage or privacy breach involving privileged accounts. The U.S. Computer Emergency Readiness Team (CERT) has published several recommendations on how to reduce the risk of insider abuse of accounts. To ensure that the security controls on privileged accounts are much stronger than those on regular accounts, CERT recommends applying a “least privilege” approach and implementing security policies and controls with strict password creation and management. Auditing and tracking changes, and continuously discovering and updating accounts, are among CERT's other security recommendations.
The State of Privileged Account Management 2016 report indicates that many organizations are failing to implement these recommendations: 20 percent of organizations fail to change default system passwords, 30 percent allow passwords to be shared, 40 percent use the same security controls as for standard accounts, 70 percent do not require approval for privileged account creation and 50 percent do not audit privileged account usage. The report highlights that many organizations have failed to apply the best practices and recommendations that reduce the major cybersecurity risk these accounts pose, and that this failure also exposes them to non-compliance.
We have seen major ramifications across the world when it comes to cybersecurity regulations, and many organizations are trying to keep compliant with new controls and regulations that not only introduce strict security controls, but also introduce major financial penalties for failure to comply. For example, the new EU General Data Protection Regulation (GDPR) has been in development for several years. It will replace what was previously the European General Data Protection directive from 1995.
The idea of the EU GDPR was to build a consistent foundation across all European Union states, so that there is a basic commonality or consistency in how data protection and critical infrastructure are handled. This has been going on for several years now, with the European Commission working to establish the regulation through several drafts since 2012. The final draft was formally agreed upon in December 2015. That draft went to the European Parliament on April 14th this year and has since passed. The General Data Protection Regulation will take effect 20 days after it is passed in Parliament, which means that on May 4, 2017 the clock for the two-year transition period starts.
The regulation is focused on ensuring that any nation states, organizations or companies dealing with European citizens’ personally identifiable information are obliged to comply with it. It is really there to ensure that organizations dealing with the personal data of European citizens meet a certain standard. This means that data protection, adequate security measures and privacy by design are in place. When there is a breach or disclosure of information, they are obliged to notify the national authority of the country where they operate within 72 hours of the breach, and then, depending on whether the compromised information is low risk or high risk, to notify the impacted parties without undue delay. There is now a foundation of responsibility and accountability when it comes to dealing with European citizens’ data.
As a result of the new accountability and responsibility, companies collecting excessive amounts of information are now accountable: the more information you gather, the greater your responsibility. If there is a breach and it is found that adequate security measures were not in place, there are significant penalties and fines: €20 million or 4 percent of annual turnover. Previously, companies that decided there was no business justification for adequate security measures, since there was no penalty or accountability in the event of a breach, would simply deal with a breach when it happened. Now there are significant penalties and fines to consider, and these companies must decide whether they are willing to compromise on security or whether it will become a priority. Privileged account management and least privilege are major security controls that help organizations meet such strict regulations.
We have also recently seen the EU-U.S. Privacy Shield finally getting approval from the European Court of Justice, allowing U.S. companies that collect or process personally identifiable data to continue providing services to European companies and citizens. These organizations were at major risk for the past year, since Safe Harbor was found invalid as a result of Edward Snowden's revelations about the mass collection and surveillance of data by the U.S. government.
Other governments are going through major updates to their own cybersecurity regulations, with the U.S., United Kingdom and Japan also undertaking reforms to improve cybersecurity when it comes to the safety, privacy and economic interests of each nation state’s critical infrastructure and citizens’ data.
In the U.S., responsibility for cybersecurity is split between the federal government and state governments, which makes cybersecurity regulatory compliance quite inconsistent and accountability limited. The main regulations around cybersecurity are HIPAA, the Gramm-Leach-Bliley Act and the Homeland Security Act, which respectively mandate policies for health care, financial and federal information security, including least privilege, privileged accounts and auditing.
One thing that is clear and apparent across all of these regulations — whether federal, industry or nation state — is this: privileged accounts are crucial in all of them, and of utmost importance is the risk they pose when it comes to cybersecurity, whether from external attacks or internal insider abuse. Getting privileged account management right is a major step toward compliance with many regulations. More than 62 percent of incidents and breaches have come as a result of stolen credentials or weak passwords. This is why the report clearly highlights that many organizations are required by regulation to have privileged account management, and that 80 percent of organizations indicate this is a high priority to get under control and reduce the risk of becoming the next victim of cyber crime.
As a result of industry and regulatory compliance, cyber insurance is going to become a major industry over the next two years, and privileged account protection is going to be a major requirement. It is better to get a step ahead and on top of privileged accounts today.
The 2016 State of Privileged Account Management Report exposes several significant security gaps in how organizations manage and secure their privileged account passwords and access. Many organizations adopt privileged account security measures to reduce the risk from growing cyber threats and to protect against both external and internal attacks, and establishing privileged account access controls is a growing priority driven by auditors, controllers and the targeting of privileged accounts by cyber criminals. With 60 percent of organizations facing compliance requirements for PAM security, there is growing awareness among organizations of the importance of securing privileged credentials.
That privileged account management has climbed up the compliance chain stands to reason; however, many organizations are leaving their PAM needs to homegrown solutions that are full of vulnerabilities. Seventy percent of organizations have not implemented a security program for privileged account management or are using a homegrown solution, typically manual operations that are difficult to keep updated and to use for demonstrating compliance with regulatory requirements. It’s no wonder that 94 percent of hackers find privileged credentials in unprotected files such as spreadsheets, according to a survey taken at BlackHat in 2015, indicating that these manual or homegrown solutions represent a significant risk of compromise.
Thycotic recommends that organizations take four easy steps to get closer to being in control of privileged accounts:
- Educate key stakeholders on the importance of PAM
- Discover how many privileged accounts you have
- Automate and secure privileged accounts
- Implement security policies that help meet compliance and limit access to privileged accounts
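Step 2 above ("discover how many privileged accounts you have") and CERT's "continuously discover and update accounts" recommendation both start with an inventory. The following is an added example, not code from the report or from Thycotic, showing the kind of discovery a defender can script on a Unix-style host: it reads `/etc/passwd`, `/etc/group` and a sudoers file and lists every account that is privileged, with the reason. All three inputs here are constructed sample data embedded in the script; the admin group names and the simplified sudoers grammar it accepts are assumptions, not a full sudoers parser.

```python
"""Inventory privileged accounts from passwd/group/sudoers data (added example)."""
from dataclasses import dataclass

# Assumption: these groups confer admin rights on the hosts being inventoried.
ADMIN_GROUPS = {"wheel", "sudo", "admin"}

# Constructed sample data; on a real host read the files under /etc instead.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
svc_deploy:x:1003:1003:deploy service:/opt/deploy:/bin/bash
carol:x:1004:1004:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice
staff:x:50:carol,bob
"""
SAMPLE_SUDOERS = """# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
svc_deploy ALL=(ALL) NOPASSWD: ALL
carol ALL=(root) /usr/bin/systemctl restart nginx
"""


@dataclass
class SudoRule:
    principal: str   # user or group name (leading % stripped)
    is_group: bool
    all_cmds: bool   # command spec is literally ALL
    nopasswd: bool


def parse_passwd(text):
    """name -> (uid, gid) for every passwd entry."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text):
    """group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            members = {m for m in f[3].split(",") if m}
            groups[f[0]] = (int(f[2]), members)
    return groups


def parse_sudoers(text):
    """Simplified sudoers reader: 'who HOST=(runas) [NOPASSWD:] cmds' lines only."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        who, _, spec = line.partition("=")
        who = who.split()[0]                     # drop the host list
        if spec.lstrip().startswith("("):        # drop the (runas) part
            spec = spec.split(")", 1)[1]
        nopasswd = "NOPASSWD:" in spec
        cmds = spec.replace("NOPASSWD:", "").replace("PASSWD:", "").strip()
        rules.append(SudoRule(who.lstrip("%"), who.startswith("%"), cmds == "ALL", nopasswd))
    return rules


def discover_privileged(passwd_text, group_text, sudoers_text):
    """Return {account: sorted list of reasons} for every privileged account."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    rules = parse_sudoers(sudoers_text)
    gid_to_name = {gid: g for g, (gid, _) in groups.items()}

    # Effective group membership: primary gid plus supplementary entries.
    member_of = {}
    for name, (_, gid) in users.items():
        member_of[name] = {gid_to_name[gid]} if gid in gid_to_name else set()
    for gname, (_, members) in groups.items():
        for m in members:
            member_of.setdefault(m, set()).add(gname)

    findings = {}
    for name, (uid, _) in users.items():
        reasons = set()
        if uid == 0:
            reasons.add("uid 0")
            if name != "root":
                reasons.add("non-root account with uid 0")   # shared root identity
        for g in member_of[name] & ADMIN_GROUPS:
            reasons.add(f"member of admin group {g}")
        for r in rules:
            applies = (r.principal in member_of[name]) if r.is_group else (r.principal == name)
            if not applies:
                continue
            via = f" via %{r.principal}" if r.is_group else ""
            reasons.add(("sudoers: ALL commands" if r.all_cmds else "sudoers: restricted commands") + via)
            if r.nopasswd:
                reasons.add("sudoers: NOPASSWD")
        if reasons:
            findings[name] = sorted(reasons)
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    inventory = discover_privileged(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUDOERS)
    print(f"{len(inventory)} privileged accounts found")
    for account, reasons in inventory.items():
        print(f"  {account}: {', '.join(reasons)}")
```

Run on a real host by replacing the three constants with the contents of `/etc/passwd`, `/etc/group` and `/etc/sudoers` (plus `/etc/sudoers.d/*`); the count it prints is the number step 2 asks for, and the reasons (a second uid 0 account, NOPASSWD grants, blanket `ALL` via a group) are the entries an auditor will ask to see approval and usage records for. Domain accounts, service accounts in application configuration and cloud IAM roles need their own inventory sources and are outside this example.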