One Identity today released new global research that uncovers a widespread inability to implement basic best practices across identity and access management (IAM) and privileged access management (PAM) security disciplines — likely exposing organizations to data breaches and other significant security risks. Conducted by Dimensional Research, One Identity’s “Assessment of Identity and Access Management in 2018” study polled more than 1,000 IT security professionals globally from mid-size to large enterprises on their approaches, challenges, biggest fears and technology deployments related to IAM and PAM.
Among the survey’s most surprising findings are that nearly one-third of organizations are using manual methods or spreadsheets to manage privileged account credentials, and almost six in ten IT security professionals admit their organizations allow third-party partners, contractors or vendors to access their privileged accounts. Additionally, a single password reset takes more than 30 minutes to complete in nearly one in ten IT environments.
These and other findings paint a bleak picture of how many organizations approach IAM and PAM programs, indicating that critical sensitive systems and data are not properly protected, user productivity is hindered, and potential threats from mismanaged access remain a major challenge.
Additional top findings from the report include:
In addition to 30 percent of businesses using manual administrative account management methods, a surprising 6 percent of organizations do not manage administrative accounts at all. Six in ten (59%) grant privileged account access to third-party partners, contractors or vendors; and 76 percent admit IT security professionals share privileged passwords with their peers at least sometimes, with one in five admitting this is usually or always the case.
Ineffective administrative account management practices, coupled with careless sharing of the passwords governing these accounts, demonstrate major gaps in PAM programs across the board, and IT security professionals seem to be aware of their shortcomings. This research shows that only 6 percent of IT security stakeholders are completely confident in their PAM programs. IT security professionals in Singapore are more likely to say they are not confident (25 percent) than their global counterparts (22 percent).
The research found that 62 percent of users’ password resets take five minutes or longer to unlock, with more than one in ten (12 percent) admitting the task takes more than 30 minutes, implying widespread hindrance to employee productivity. When it comes to new user provisioning, 41 percent of organizations take from several days to multiple weeks to provide access across all applications and systems needed. Worse, nearly a quarter (22 percent) of IT organizations surveyed take from several days to multiple weeks to deprovision former users from all of the applications and systems they were granted access to.
While the majority of respondents rate all aspects of their access control program as excellent or fair, only 8 percent are completely confident that they will not be hacked due to an access control issue. IT security professionals in Singapore are more likely to say they are not confident (23 percent) than their global counterparts (18 percent).
When asked to share their worst IAM nightmare, one in three IT security professionals cited a disgruntled employee sharing sensitive information as their top fear (31 percent), followed by having their CIO interviewed on TV following an IAM-caused data breach (26 percent) and usernames and passwords being posted to the dark web (19 percent). Ironically, three quarters (75 percent) of the IT security professionals admitted that it would be easy for them to steal sensitive information if they were to leave their organization, with 4 percent admitting they would do so if they were mad or upset enough.
“Our research revealed a number of shocking findings including extensive sharing of privileged passwords internally and externally, failure to immediately deprovision old user accounts, and spending upwards of 30 minutes to reset a password. These poor practices are incredibly real and concerning risks to any organization, so it’s no surprise that there is a general lack of confidence in the effectiveness of IAM and PAM programs,” said Serkan Cetin, Regional Manager, Technology & Strategy at One Identity APJ.
“These results are especially alarming in light of the series of breaches that have rocked Singapore and the region this year, such as the SingHealth breach that affected more than 1.5 million Singaporeans, which included Prime Minister Lee Hsien Loong as well.”
“The fact of the matter is that organizations that fail to address these basic IAM and PAM best practices may not only expose themselves to significant security risks, but also drive business productivity down. This research should serve as a wake-up call to organizations to seek out ways to ensure, manage, and secure appropriate access across the entire organization and user population – end users, third parties and administrators.”
Improving IAM and PAM Practices
Stealing user credentials is one of the easiest ways for malicious actors to gain entry into an organization’s network. Among the most coveted accounts are privileged (administrative) accounts, which may grant virtually unlimited access to a company’s IT infrastructure, including its most critical and sensitive systems and data. The more accounts available to bad actors, the more damage can potentially be done, including data breaches and leakage, compliance violations, fines and loss of brand trust and reputation.
Effective IAM and PAM are critical components of any organization’s security strategy, but the Assessment of Identity and Access Management in 2018 study shows businesses are still struggling to implement them. One Identity offers an end-to-end suite of access management, identity governance, privileged access management and identity-as-a-service solutions designed to eliminate the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access.
About the One Identity Assessment of Identity and Access Management in 2018 Study
The One Identity Assessment of Identity and Access Management in 2018 study consisted of an online survey conducted by Dimensional Research of IT professionals in mid-size to large organizations with responsibility for security and who are very knowledgeable about IAM and privileged accounts. A wide variety of questions were asked about experiences and challenges with IAM. A total of 1,005 individuals from the U.S., Canada, U.K., Germany, France, Australia, Singapore and Hong Kong completed the survey. The findings above represent IT security professionals in Singapore, which represented 10% of survey respondents.