Friday May 22nd 2015

Regulatory Compliance and the Privileged Account Principle

Two common drivers compel organizations to invest in new IT security and management technologies – data breaches and failed regulatory compliance audits.

Companies such as mine – we develop privileged identity management (PIM) products – receive new customers seeking to rectify both kinds of incident. Preventing data breaches is an obvious impetus for investing in a PIM product. But, for many people, the tie-in with regulatory compliance is less clear.

Mismanagement of privileged passwords is only the tip of the regulatory compliance iceberg – whether the mandate is PCI-DSS, HIPAA, SOX, or something else – but it is an excellent illustration of why mandated compliance exists. Without it, many organizations shoot themselves in the foot time and time again.

Effectively, the privileged password problem is related to a fundamental situation that exists in most IT infrastructures: there’s too much access, to too many systems, for too long, with no accountability. In the case of privileged accounts, most organizations allow anyone in the IT department to have full access to every system with no restrictions and no auditing. In many cases, privileged accounts are shared among such large groups of people that when a breach does occur, there’s no record pointing to who did what.

There is a fundamental question one must ask from a simple segregation of duties point of view. Is it reasonable that a low-level employee in IT has unlimited access to the CEO, CFO, HR, accounting and other critical systems whenever they wish? Access should be on a “need to know” basis with some sort of approval process.

IT security auditors have been writing up findings about improper management of privileged accounts for many years now. These auditors have warned companies about critical passwords which have never been changed, ex-employees who still have access to sensitive systems, and no access control when it comes to sensitive systems.

Here’s where privileged identity management helps with regulatory compliance. These products inventory all systems, accounts and passwords – and track where they’re used. This provides a framework that IT can use to grant audited access to sensitive information, on a need-to-know basis only. Without such software, this crucial task simply does not get accomplished and the security of the entire organization is at risk. And that brings us back around to data breaches, the other common source of new customers for the IT security industry.
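As an added illustration (not code from this post or from any PIM product), here is a small Python audit over a constructed privileged-account inventory that raises the same findings the auditors above report: passwords never rotated, ex-employees who still hold access, accounts shared among many people, and access with no approval on record. The staff names, dates and the 90-day rotation threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class PrivilegedAccount:
    system: str
    account: str
    holders: frozenset                 # people who know (or can check out) the password
    last_rotated: date                 # last time the password was changed
    approved: frozenset = frozenset()  # holders with a recorded access approval

# Constructed sample data for the example, not a real inventory.
ACTIVE_STAFF = frozenset({"alice", "bob", "carol"})   # "dave" has left the company
TODAY = date(2015, 5, 22)
MAX_PASSWORD_AGE = timedelta(days=90)                  # assumed rotation policy

SAMPLE_INVENTORY = [
    PrivilegedAccount("hr-db", "sa", frozenset({"alice"}), date(2015, 4, 1), frozenset({"alice"})),
    PrivilegedAccount("ceo-mail", "admin", frozenset({"alice", "bob", "dave"}), date(2012, 1, 1)),
    PrivilegedAccount("erp", "root", frozenset({"carol"}), date(2015, 5, 1)),
]

def audit_privileged_accounts(inventory, active_staff=ACTIVE_STAFF, today=TODAY,
                              max_age=MAX_PASSWORD_AGE):
    """Return one (account, issue, detail) finding per problem, mirroring the
    auditor findings the post lists: stale passwords, ex-employee access,
    shared accounts, and access granted without an approval record."""
    findings = []
    for acct in inventory:
        tag = f"{acct.account}@{acct.system}"
        age = today - acct.last_rotated
        if age > max_age:
            findings.append((tag, "password-not-rotated", age.days))
        ex_employees = acct.holders - active_staff
        if ex_employees:
            findings.append((tag, "ex-employee-access", sorted(ex_employees)))
        if len(acct.holders) > 1:   # shared credential: no record of who did what
            findings.append((tag, "shared-account", sorted(acct.holders)))
        unapproved = acct.holders - acct.approved
        if unapproved:
            findings.append((tag, "no-approval", sorted(unapproved)))
    return findings

if __name__ == "__main__":
    for tag, issue, detail in audit_privileged_accounts(SAMPLE_INVENTORY):
        print(f"{tag}: {issue} {detail}")
```

Only the hr-db account passes cleanly; the shared, never-rotated mail admin account produces four separate findings, which is the pattern auditors have been writing up for years.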

What products and processes help you meet your regulatory compliance audits? Share your thoughts below. You can also follow us on Twitter: @liebsoft.
