Digital Transformation Blogs - Bigdata, IoT, M2M, Mobility, Cloud

Privileged Identity Management – Why We Need It?

Identity and Access Management

In an organization’s IT environment there are many user accounts. Among these, the “Super User accounts” are usually the most important ones, as they are used for system administration. Depending on the operating system these accounts are also called root accounts, administrator, admin or supervisor accounts, service accounts, application accounts, emergency accounts and so on. These accounts are needed for the IT platform to function: both for “break the glass” emergency access situations and for routine day-to-day activities. Protecting them from unscrupulous use is critical from the point of view of IT security because they have far greater access capabilities than ordinary accounts. If such an account is compromised, it can be misused to make unrestricted, system-wide changes that are potentially very harmful. Privileged Identity Management (PIM) is the process of securing these “Super User” accounts in an organization.

We have thus established that Super User accounts need to be properly secured, i.e. that PIM needs to be put in place. Beyond that, what are the most important reasons that make PIM the need of the hour? Let us look at some of the critical ones:

They are a big security risk – Ok, we did touch on this in the opening paragraph, but let us dig a bit deeper to assess how big the problem is. Consider the systemic risk that misuse of these privileged accounts creates. In a typical IT setup, the Super User accounts such as those of a database administrator (DBA), a Unix root, a Chief Information Officer (CIO) or a Chief Executive Officer (CEO) are insufficiently governed by the identity management software. That leaves these accounts uncontrolled while advanced privileges are enabled on the network. What makes the situation even more baffling is that the owners of these accounts usually have not been formally trained in using them, and, hold your breath, in more cases than not these are shared accounts.

Some numbers to think about:

As of March 29th, 2016, there have been over 202 data breach incidents in 2016, with a total of 6,184,526 records compromised according to a report from the Identity Theft Resource Center. That puts the US on track to eclipse 2014’s record high 783 data breaches (2015 was a close second with 781).

The average cost of those breaches? $3.79 million, according to research from the Ponemon Institute. Beyond the immediate financial cost, data breaches cause an unquantifiable loss of customer confidence.

Some of the most disastrous data breaches of all time (the monetary cost of each could not be ascertained):

o   Korean Credit Bureau, 2014, 20 million records compromised

o   Home Depot, 2014, 56 million credit and debit cards compromised

o   Anthem/Premera Healthcare, 2015, 80 million records breached

o   eBay, 2014, 145 million customer records breached

They are needed by regulation – Regulation either requires controls that manage the risks associated with high-privilege IT access or recommends them (most of these recommendations will become requirements soon, so it is not a question of “if”, just a question of “when”). Control of privileged accounts is mandated by most of the fearsome regulations – Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), the Federal Energy Regulatory Commission (FERC), HIPAA, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, etc. You name it, it is there in all of them in one form or another. Their corollaries either mandate or recommend measures ranging from authentication, access control, access delegation and separation of duties, to complete and continuous monitoring, archiving and auditing of access.

Auditors sniff for it – Internal auditors need a trail that proves access controls are in place and active across all types of accounts, both individual and shared administrative accounts.
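As an added illustration of the audit-trail point above (this is example code, not part of the original post): a small Python check over constructed sshd/sudo log lines that separates privileged actions attributable to a named individual (sudo by a personal account) from direct logins to shared accounts that nobody can be held accountable for, and flags a shared credential that is evidently in circulation across several source hosts. The log lines, host name, addresses and the set of shared accounts are all assumptions.

```python
import re

# Constructed sample auth log (not real data): two direct root logins from
# different hosts, one direct "admin" login, and two sudo escalations.
SAMPLE_LOG = """\
Mar 29 08:01:12 db01 sshd[1201]: Accepted password for root from 10.0.0.5 port 51022 ssh2
Mar 29 08:03:40 db01 sshd[1210]: Accepted publickey for alice from 10.0.0.7 port 51030 ssh2
Mar 29 08:04:02 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Mar 29 09:15:33 db01 sshd[1305]: Accepted password for root from 10.0.0.9 port 40211 ssh2
Mar 29 09:20:10 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar 29 10:02:55 db01 sshd[1400]: Accepted publickey for admin from 10.0.0.5 port 51100 ssh2
"""

# Assumed set of shared "Super User" accounts that should never be used directly.
SHARED_ACCOUNTS = {"root", "admin"}

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def audit_privileged_access(log_text):
    """Split privileged activity into attributed (person -> target account -> command)
    and unattributed (direct login to a shared account) events."""
    attributed, unattributed = [], []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            user, src = m.groups()
            if user in SHARED_ACCOUNTS:
                # A login straight into root/admin leaves no individual in the trail.
                unattributed.append({"account": user, "source": src, "via": "ssh"})
            continue
        m = SUDO_RE.search(line)
        if m:
            person, target, cmd = m.groups()
            # sudo records who escalated, to which account, and what they ran.
            attributed.append({"person": person, "target": target, "command": cmd.strip()})
    return attributed, unattributed


def shared_account_sources(unattributed):
    """Count distinct source hosts per shared account; more than one source
    is a strong sign that the credential is shared between people."""
    sources = {}
    for ev in unattributed:
        sources.setdefault(ev["account"], set()).add(ev["source"])
    return {acct: len(srcs) for acct, srcs in sources.items()}
```

Run on the sample log, the check yields two attributable sudo actions, three unattributable shared-account logins, and shows the root credential being used from two different hosts.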

Business partners are asking for it – A review of the controls around privileged accounts is a routine demand from business partners when they have to report under Statement on Auditing Standards (SAS) 70.

It signals confidence in business practices – When duties are separated in administrative IT controls, it gives assurance that business performance records cannot be compromised, blinded or subverted to cover irresponsible or illegal business activities. Privileged Identity Management minimizes the chances that business-critical data and operations are subverted, which in turn ensures that the integrity of policy definitions is not violated.

It benefits the business by reducing costs – Data breaches have direct costs in terms of maintenance and support, and indirect costs in terms of lost reputation and business (reputational costs are usually far higher and impossible to monetize). According to the 2014 IBM/Ponemon Cost of Data Breach Study, the average cost per record of a data breach is $145 USD and the average total cost is $3.5M USD. Cleanup costs for some of the 2014 breaches at major U.S. retailers ranged from just over $4M USD to over $100M USD. Lost revenue for these vendors ranged from around $40 million USD to over $1 billion USD.

Irresponsible or mindless use of IT controls is a big nuisance to businesses in terms of wasted time and manpower. According to EMA research covering 200 businesses globally, only 40% of respondents achieved the “Plan–Do–Check–Act” (PDCA) IT change management milestones. Those who did had a 50% median incidence of unplanned security incidents, fewer incidents in which a failed IT change needed remediation, larger server-to-administrator ratios, and more IT projects completed on time and within budget with the intended outcomes.

So, we see that Privileged Identity Management is an inevitability today, not just because it is becoming a regulatory mandate but also because it makes sound business sense: the threat landscape is evolving and the costs associated with data breaches are spiraling with every passing day.
