Companies such as mine – we develop privileged identity management (PIM) products – receive new customers seeking to rectify both such incidents. Preventing data breaches is an obvious impetus for investing in a PIM product, but for many people, the tie in with regulatory compliance is less clear.
Basically, the mismanagement of privileged passwords is the tip of the iceberg of regulatory compliance – whether it’s PCI-DSS, HIPAA, SOX, or something else – but an excellent illustrative point of why mandated compliance exists. Without it, many organizations shoot themselves in the foot time and time again.
Effectively, the privileged password problem is related to a fundamental situation that exists in most IT infrastructures: there’s too much access, to too much data, to too many systems, for too long, with no accountability and no controls. In the case of privileged accounts, most organizations allow anyone in the IT department to have full access to every system with no restrictions and no auditing. In fact, in many cases, privileged accounts are shared among such large groups of people that when a breach does occur, there’s no record pointing to who did what.
There is a fundamental question one must ask from a simple segregation of duties point of view. Is it reasonable that a low level employee in IT has unlimited access to the CEO, CFO, HR, accounting and other critical systems whenever they wish? Any IT administrator would say that access should be on a “need to know” basis with some sort of approval process.
IT security auditors have been writing up findings about improper management of privileged accounts for many years now. These auditors have warned companies about critical passwords which have never been changed, IT employees who left the organization still having access to sensitive systems and, effectively, no locks or controls of access in place when it comes to their sensitive systems.
Here’s where privileged identity management helps with regulatory compliance. These products inventory all systems, accounts and passwords – and track where they’re used. This provides a framework that IT can then use to permit audited access to sensitive information, on a need to know basis only. Without such software, this crucial task simply does not get accomplished and the security of the entire organization is put at risk. Which brings us back around to data breaches, the other common source of new customers for the IT security industry.