Excessive User Privileges Challenges Enterprise Security: Survey

It is no secret that enterprises sometimes have trouble keeping a handle on privileged users. In the wrong hands, excessive privileges can lead to data breaches and sleepless nights for IT.

According to a survey from security firm BeyondTrust, which focuses on privilege management issues, more than 47 percent of the 728 survey participants said users in their organizations have elevated privileges not necessary for their roles. Twenty percent reported that more than three-quarters of their user base run as administrators. In addition, 33 percent said their organizations had no policies for privileged password management.

“The majority of users do not typically require the ability to install their own software or make changes to system properties,” according to the report. “Providing them with this ability can lead to, at a minimum, inadvertent errors and increased demand on internal IT help desks. Worse, it provides opportunities for malicious employees, or attackers who have compromised employee credentials, to steal sensitive information or disrupt network operations.”

The survey – dubbed ‘Privilege Gone Wild 2′ – backs the findings of a report from the Independent Oracle Users Group in which 54 percent of respondents reported that abuse of privileges by IT staff was among the top threats to enterprise data. A separate study by research company Ovum found that 59 percent of the U.S. businesses surveyed felt privileged users posed a threat to their organization.

Brad Hibbert, CTO of BeyondTrust, listed three reasons employees end up with excessive privileges. First, it makes life easier.

“Granting users’ full admin rights on desktops / servers ensures that they can perform their job tasks without the pushback,” he told SecurityWeek. “Of course this is somewhat short-sighted as this approach raises security concerns and can also impact longer term operational costs as the help desk is engaged to troubleshoot and address issues including misconfigurations, malware and unlicensed software.”

The other two reasons are a lack of oversight as employees move from job function to job function and a lack of “native delegation capabilities” of the operating systems being used, he said.

Seventy-nine percent of respondents in the BeyondTrust study indicated they felt employees are somewhat likely to very likely to access sensitive or confidential data out of curiosity.

“A regular review by managers and supervisors of their employees’ access rights will help reduce permission bloat and users having access to unnecessary systems,” said Hibbert. “Access reviews can be performed as needed or scheduled to occur periodically – for example, every calendar quarter, enabling you to conduct periodic access reviews to maintain the correct level of user privileges. The review schedule will depend on the sensitivity of the access and effort in performing the review. It could range from weekly to quarterly to yearly.”

“One approach that enables more frequent reviews is performing delta attestation analysis between full-attestation reviews,” he continued. “That is, ‘show me how access has changed since the last review.’ This result enables more frequent reviews on a smaller subset of entitlements.”