Published: 31 October 2011
Osirium (www.osirium.com) a leader in Privileged User & Infrastructure Management has today warned businesses about continuing with the use of Group Admin accounts after an independent, security focused research report found many organisations still issue them, despite the fact that they pose a significant risk to businesses whilst also contravening best practice and compliance requirements.
The report found that just 40% of organisations attempted to control the use of Group Admin accounts but more worryingly, 10% of respondents also confessed that they had no way of controlling them.
David Guyatt, CEO at Osirium, said “From the conversations that I am having it’s immediately apparent that most organisations recognise that Group Admin accounts are a security risk, but IT departments just don’t have the resources to create, manage and revoke all those personalised privileged accounts across their entire infrastructure. This creates a numerous operational issues but most critically opens the organisation up to the risk of both internal and external attacks.”
The research, undertaken by Quocirca, on behalf of Osirium, also highlights the impact that the use of Group Admin accounts can have on compliance requirements, which clearly states that when a specific action is carried out the individual performing that task needs to be identifiable. IT security regulations and standards make strong statements about the use of privileged access to such group admin accounts. One of the controls in the IT service management standard (ITSM) ISO270001 states that “the allocation and use of privileges shall be restricted and controlled” whilst the Payment Card Industries Data Security Standard (PCI-DSS) recommends “auditing all privileged user activity”. Neither of these requirements can be met if it is not possible to identify a specific privileged user, or associate them with the actions that they have carried out.
“Security is all about ensuring the right people are accessing the right things and performing the right tasks at the right time,” continued Guyatt. “However, short-cuts are often taken to save time or make life a little bit easier and sharing Group Admin accounts does both these things, unfortunately at the cost of meeting essential compliance requirements and escalating operational risks.
By using solutions such as Osirium to automate the provisioning of personalised accounts throughout the entire infrastructure, full accountability and visibility of SysAdmin changes can be achieved which easily satisfies the requirements of compliance, best practice and change management processes.”