UK organizations taking risks with Group Admin accounts
Osirium has warned businesses against continuing to use Group Admin accounts after an independent, security-focused research report found that many organizations still issue them, despite the fact that they pose a significant risk to businesses whilst also contravening best practice and compliance requirements.
The report found that just 40 percent of organizations attempted to control the use of Group Admin accounts and, more worryingly, 10 percent of respondents confessed that they had no way of controlling them at all.
David Guyatt, CEO at Osirium, said: “From the conversations that I am having it’s immediately apparent that most organizations recognise that Group Admin accounts are a security risk, but IT departments just don’t have the resources to create, manage and revoke all those personalised privileged accounts across their entire infrastructure. This creates numerous operational issues but most critically opens the organization up to the risk of both internal and external attacks.”
The research, undertaken by Quocirca on behalf of Osirium, also highlights the impact that the use of Group Admin accounts has on compliance requirements, which clearly state that when a specific action is carried out, the individual performing that task needs to be identifiable.
IT security regulations and standards make strong statements about privileged access of this kind. The privilege management control in Annex A of the information security management standard ISO/IEC 27001 states that “the allocation and use of privileges shall be restricted and controlled”, whilst the Payment Card Industry Data Security Standard (PCI DSS) requires that all actions taken by anyone with root or administrative privileges be logged, and separately prohibits the use of group, shared or generic accounts and passwords. Neither requirement can be met if a specific privileged user cannot be identified and associated with the actions they have carried out: a log entry naming a shared account records which group acted, not which person.
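The attribution problem described above, shown on log data rather than in prose. This is an added example and is not part of the original article, nor Osirium's or Quocirca's code: a small Python check that scans sshd and sudo syslog lines, flags any account reached from several source addresses within a short window (the usual signature of a shared Group Admin account), and then marks which privileged commands in the log can still be tied to an individual. The host name, addresses, account names and log lines are all constructed for the example; the 15-minute window, the two-source threshold and the year 2011 supplied for the year-less syslog timestamps are assumptions.

```python
"""Shared-account detection and attribution check over constructed auth logs.

A personal account that escalates through sudo leaves the person's name in the
log; a shared 'admin' account leaves only the group's name.  Added example,
not code from the article or from Osirium.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real data).  'admin' is a shared
# Group Admin account; jsmith and akhan are personal accounts using sudo.
SAMPLE_LOG = """\
Nov  2 09:01:12 db01 sshd[4101]: Accepted publickey for admin from 10.0.5.21 port 51022 ssh2
Nov  2 09:03:40 db01 sshd[4133]: Accepted password for admin from 10.0.7.14 port 49211 ssh2
Nov  2 09:04:15 db01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/rm -rf /var/backups/old
Nov  2 09:05:02 db01 sshd[4190]: Accepted publickey for admin from 10.0.9.3 port 60132 ssh2
Nov  2 09:06:55 db01 sshd[4211]: Accepted publickey for jsmith from 10.0.5.21 port 51040 ssh2
Nov  2 09:07:10 db01 sudo:   jsmith : TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/useradd contractor
Nov  2 09:08:30 db01 sshd[4250]: Accepted publickey for akhan from 10.0.7.14 port 49300 ssh2
Nov  2 09:09:00 db01 sudo:    akhan : TTY=pts/2 ; PWD=/home/akhan ; USER=root ; COMMAND=/bin/systemctl restart postgresql
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)
SUDO_RE = re.compile(
    SYSLOG_TS + r" \S+ sudo:\s+(?P<user>\S+) : .*? USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_ts(ts, year=2011):
    """Syslog timestamps carry no year; 2011 is assumed for this example."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_shared_accounts(log_text, window=timedelta(minutes=15), min_sources=2):
    """Return {account: sorted source IPs} for every account that accepted
    logins from at least `min_sources` distinct addresses within `window`.
    Thresholds are assumptions; tune them to the environment."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            logins[m["user"]].append((parse_ts(m["ts"]), m["ip"]))

    shared = {}
    for user, events in logins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_sources:
                shared[user] = sorted(ips)
                break
    return shared


def audit_privileged_actions(log_text):
    """List every sudo-to-root command with the account that ran it and
    whether that account identifies an individual.  A command run from a
    shared account is recorded, but cannot be attributed to a person."""
    shared = find_shared_accounts(log_text)
    report = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m and m["target"] == "root":
            report.append({
                "account": m["user"],
                "command": m["cmd"].strip(),
                "attributable": m["user"] not in shared,
            })
    return report


if __name__ == "__main__":
    for account, ips in find_shared_accounts(SAMPLE_LOG).items():
        print(f"shared account {account!r} used from {', '.join(ips)}")
    for entry in audit_privileged_actions(SAMPLE_LOG):
        tag = "attributable" if entry["attributable"] else "UNATTRIBUTABLE"
        print(f"{tag:15} {entry['account']:8} {entry['command']}")
```

Running it prints one shared-account warning for `admin` and marks the `rm -rf` under that account as unattributable while the two sudo commands run from personal accounts carry their user's name. The source-address heuristic is only an indicator: one administrator moving between workstations, or several sitting behind one NAT address, will distort it. The durable fix is the one the article argues for, individual privileged accounts (or a privileged access tool that records the person behind each session) so that the log itself answers the compliance question.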
“Security is all about ensuring the right people are accessing the right things and performing the right tasks at the right time,” continued Guyatt. “However, short-cuts are often taken to save time or make life a little bit easier, and sharing Group Admin accounts does both these things, unfortunately at the cost of meeting essential compliance requirements and escalating operational risks.”
The research was carried out by Quocirca in August 2011 and comprised 100 interviews. At the time of answering the questions, those surveyed were not aware that the research was being conducted on behalf of Osirium.
Date: 2nd November 2011 • Region: UK • Type: Article • Topic: Operational risk