Two common drivers compel organizations to invest in new IT security and management technologies – data breaches and failed regulatory compliance audits.
Companies such as mine – we develop privileged identity management (PIM) products – receive new customers seeking to rectify both such incidents. Preventing data breaches is an obvious impetus for investing in a PIM product. But, for many people, the tie in with regulatory compliance is less clear.
Basically, the mismanagement of privileged passwords is the tip of the iceberg of regulatory compliance – whether it’s PCI-DSS, HIPAA, SOX, or something else. But it’s an excellent illustrative point of why mandated compliance exists. Without it, many organizations shoot themselves in the foot time and time again.
Effectively, the privileged password problem is related to a fundamental situation that exists in most IT infrastructures. There’s too much access, to too many systems, for too long, with no accountability. Most organizations allow anyone in the IT department to have full access to every system with no auditing. Privileged accounts are often shared among large groups of people. So when a breach does occur, there’s no record pointing to who did what.
There is a fundamental question one must ask from a simple segregation of duties point of view. Is it reasonable that a low level employee in IT has unlimited access to the CEO, HR, accounting and other critical systems whenever they wish? Access should be on a “need to know” basis with some sort of approval process.
IT security auditors have been writing up findings about improper management of privileged accounts for many years now. These auditors warned companies about critical passwords which never change, ex-employees who can still access sensitive systems, and no access control for sensitive systems.
Privileged Identity Management and Regulatory Compliance
Here’s where privileged identity management helps with regulatory compliance. These products inventory all systems, accounts and passwords. And they track where the passwords are used. This provides a framework that IT can use to grant audited access to sensitive information, on a need to know basis only.
Without such software, this crucial task is simply not accomplished. That puts the security of the entire organization at risk. And that brings us back around to data breaches, the other common source of new customers for the IT security industry.
What products and processes help you meet your regulatory compliance audits? Share your thoughts below. You can also follow us on Twitter: @liebsoft.