Organizations spend over $100 billion globally on cybersecurity. In spite of that level of investment in cybersecurity and the attention paid to network security and data protection, major data breaches are still relatively common—and increasing. A new survey from Centrify examines the challenges organizations face with cybersecurity and the role of privileged access management (PAM) in getting things under control.
Centrify surveyed 1,000 IT decision makers across the United States and the United Kingdom to understand the current state of privileged access management, and what hurdles stand in the way of organizations implementing better PAM tools and practices.
3 Out of 4 Data Breaches Involve Access to a Privileged Account
I guess we should start by asking the question, “What role does PAM play in improving cybersecurity and reducing the potential for data breaches?”
I’m glad you asked. According to the Centrify survey, 74 percent of respondents whose organization have been breached indicated that a privileged account was involved. According to The Forrester Wave: Privilege Access Management, Q4 2018, that number is actually a little higher. Forrester estimates that 80 percent of data breaches involve a privileged account. If better PAM could translate to a 74 to 80 percent decrease in data breaches, that would be pretty significant.
Long Way to Go on the PAM Journey
Based on the responses to the Centrify survey, organizations and IT professionals are aware that data breaches are a major issue, and that there are steps that should be taken to improve cybersecurity and prevent those data breaches. Unfortunately, most are not taking the most basic steps to reduce risk or secure access to sensitive data.
The Centrify survey found:
- 52 percent of respondents do not have a password vault
- 65 percent are still sharing root or privileged access to systems and data at least somewhat often
- 63 percent indicate their companies usually take more than one day to shut off privileged access for employees who leave the company
- 21 percent still have not implemented Multi-Factor Authentication (MFA) for privileged administrative access
“Forrester had already estimated that privileged credential abuse was the leading attack vector, but now we have the empirical research to back it up,” said Tim Steinkopf, CEO of Centrify in a press release. “What’s alarming is that most organizations aren’t taking the most basic steps to reduce their risk of being breached. It’s not surprising that Forrester has found 66 percent of companies have been breached five or more times. It’s well past time to secure privileged access with a Zero Trust approach, and many organizations can significantly harden their security posture with low-hanging fruit like a password vault and MFA.”
Emerging Technologies Require a More Agile PAM Strategy
So, based on the survey results above, most companies are doing a fairly poor job when it comes to the basic blocking and tackling of privileged access management in a more or less traditional IT world. Now, add in DevOps environments and containerized applications and data running in hybrid cloud infrastructures and the exposure to risk and challenges of effective cybersecurity grow exponentially.
Steinkopf explained, “Today’s environment is much different than when all privileged access was constrained to systems and resources inside the network. Privileged access now not only covers infrastructure, databases and network devices, but is extended to cloud environments, Big Data, DevOps, containers and more.”
It is not surprising—given the survey results above—but still somewhat alarming that organizations seem to be completely unprepared to defend these scenarios:
- 45 percent are not securing public and private cloud workloads with privileged access controls
- 58 percent are not securing Big Data projects with privileged access controls
- 68 percent are not securing network devices like hubs, switches and routers with privileged access controls
- 72 percent are not securing containers with privileged access controls
Roadblocks to Effective PAM
Organizations seem to understand the problem. For the most part, the IT professionals surveyed also seem to have a grasp on the tools and practices necessary to address the problem. Nearly half (49 percent) of those surveyed indicated a need to meet compliance mandates, and 51 percent reported a strong desire to adhere to privileged access management best practices. So, what’s stopping organizations from adopting and implementing more effective PAM? Two things: management support and adequate budget.
You might assume that PAM is simply not a priority or that it’s too complex for IT professionals to implement and manage. The Centrify survey found, however, that only 14 percent believe it’s a low priority and a mere 11 percent think it’s too difficult or time consuming.
The real hurdles that stand in the way of more effective PAM are budget constraints (30 percent) and the lack of executive buy-in and support (24 percent).
Zero Trust Privilege
Companies around the world are going to spend more than $100 billion on cybersecurity this year—and much of it will be spent on tools and platforms that won’t substantially reduce the potential for data breaches. If 3 out of 4 (or 4 out of 5 according to Forrester) data breaches result from attackers gaining access to a privileged account, it seems like taking a zero trust approach to privilege and implementing better PAM solutions should be a top priority.
One thing I can virtually guarantee: the cost of getting breached will be significantly more than the cost of implementing better PAM.