Basic identity and access management failures putting organizations at risk finds research
- Published: Wednesday, 10 October 2018 08:06
One Identity has released new global research findings that uncover a widespread inability to implement basic best practices across identity and access management (IAM) and privileged access management (PAM) security disciplines. These failures will be exposing organizations to data breaches and other significant security risks.
Conducted by Dimensional Research, One Identity’s ‘Assessment of Identity and Access Management in 2018’ study polled more than 1,000 IT security professionals from mid-size to large enterprises on their approaches, challenges, biggest fears and technology deployments related to IAM and PAM.
Among the survey’s most surprising findings are that nearly one-third of organizations are using manual methods or spreadsheets to manage privileged account credentials, and one in 20 IT security professionals admit they have no way of knowing if a user is fully deprovisioned when they leave the company or change their role. Additionally, a single password reset takes more than 30 minutes to complete in nearly 1 in 10 IT environments.
These and other findings paint a bleak picture of how many organizations approach IAM and PAM programs, indicating that critical and highly sensitive systems and data are not properly protected; user productivity is hindered; and potential threats from mismanaged access remain a major challenge.
Key findings from the report include:
Privileged account practices are poor - and IT security teams know it
In addition to 31 percent of businesses using manual administrative account management methods, a surprising 1 in 25 organizations do not manage administrative accounts at all. Two thirds (66 percent) grant privileged account access to third-party partners, contractors or vendors; and 75 percent admit IT security professionals share privileged passwords with their peers at least sometimes, with one in four admitting this is usually or always the case.
Ineffective administrative account management practices coupled with careless sharing of passwords governing of these accounts demonstrates major gaps in PAM programs across the board, and IT security professionals seem to be aware of their shortcomings. The survey found that only 13 percent of respondents are completely confident in their PAM programs, while more than 1 in 5 (22 percent) are not confident at all.
Organizations are letting basic access tasks and responsibilities slip - potentially impacting user productivity
The research found that 68 percent of users’ password resets take five minutes or longer to unlock, with nearly 1 in 10 (9 percent) admitting the task takes more than 30 minutes, implying widespread hindrance to employee productivity. When it comes to new user provisioning, 44 percent of organizations take from several days to multiple weeks to provide access across all applications and systems needed.
Worse, nearly one-third (32 percent) of IT organizations take somewhere between several days to multiple weeks to deprovision former users from all of the applications and systems they were granted access to, with one in 20 having no way to know if the user has been fully deprovisioned at all. While the majority of respondents rate all aspects of their access control program as excellent or fair, only 15 percent are completely confident that they will not be hacked due to an access control issue.
IT security pros top fear is disgruntled employees sharing sensitive data - but most admit it’s easy to steal
When asked to share their worst IAM nightmare, the most common answer (at 27 percent) was a disgruntled employee sharing sensitive information, followed by having their CIO interviewed on TV following an IAM-cause data breach (22 percent) and usernames and passwords being posted to the dark web (18 percent). Ironically, nearly 8 in 10 (77 percent) of the IT security professionals polled admitted that it would be easy for them to steal sensitive information if they were to leave their organization, with 12 percent admitting they would do if they were angry or upset enough.
About the study
The One Identity Assessment of Identity and Access Management in 2018 study consisted of an online survey conducted by Dimensional Research of IT professionals in mid-size to large organizations with responsibility for security and who are very knowledgeable about IAM and privileged accounts. A wide variety of questions were asked about experiences and challenges with IAM. A total of 1,005 individuals from the US, Canada, UK, Germany, France, Australia, Singapore and Hong Kong completed the survey.