Thycotic recently surveyed more than 500 organizations worldwide revealing several major risk and compliance gaps in securing privileged access:
• 70% would fail an access control audit
• 73% of organizations fail to require multi-factor authentication
Protecting access to privileged credentials is becoming a must-have cybersecurity and compliance requirement. Learn how to:
• Review the alarming survey results of the 2018 Global State of Privileged Access Management Risk and Compliance Report
• Walk through examples of why organizations are falling short on privileged access management and how to solve them
• See how you can develop a Privilege Access Management lifecycle security program to protect privileged credentials and meet compliance requirements
6. Compliance Standards
ISO
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC).
NIST
The National Institute of Standards and Technology (NIST) is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce.
PCI
The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes.
7. Compliance Standards
CIS CSC
The Center for Internet Security Critical Security Controls for Effective Cyber Defense is a publication of best-practice guidelines for computer security.
EU GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
8. Privileged Accounts
• Also non-human accounts
• Local administrator accounts & groups
• Unix root
• Service accounts
• Domain administrator
• Cisco enable
• Application accounts
• Batch jobs / scheduled tasks / cron jobs
14. WHY THIS REPORT IS A MUST READ:
URGENT CHALLENGES
Protecting access to privileged credentials, the preferred target of cybercriminals and malicious insiders, is rapidly evolving into a must-have compliance requirement.
DISTURBING SURVEY RESULTS
While more than 60% of organizations must satisfy regulatory compliance requirements around privileged credential access, a staggering 70% would fail an Access Controls audit!
LIKELY CONSEQUENCES
Millions of dollars in regulatory fines, and business operations at higher risk of severe compromise or even shutdown.
RECOMMENDED ACTIONS
Develop a Privileged Access Management lifecycle security program to secure access and meet compliance mandates. Privileged Access Management is not a simple checkbox but an important continuous process.
15. THE FINDINGS
First, the Bad News
Most companies would FAIL an Access Controls AUDIT, and many are not even close to scraping a pass.
64% of Companies Would FAIL
16. 6 In 10 Organizations Say They Must Demonstrate Compliance & Auditing Of Privileged Accounts
18. COMPLY OR DIE: The Privileged Access Management (PAM) Security Imperative
Most organizations only begin to implement Privileged Access Management after a failed audit or major cybersecurity attack that can cost millions of dollars and cause reputational damage.
19. 64% FAIL to include privileged accounts and passwords in Access Control Policies
20. Access to even one privileged account enables an attacker to perform malicious activity.
59% fail at changing default vendor-supplied passwords
21. 73% fail to audit and remove test accounts, or modify default accounts, before moving applications to production
22. 78% FAIL to use a dedicated system for all administrative tasks
23. 73% fail to require multi-factor authentication with privileged accounts
24. 70% fail to fully discover privileged accounts, and 40% do nothing at all to discover these accounts
25. KEY COMPLIANCE TAKEAWAYS
1. Policies covering Privileged Accounts.
2. Educate employees who use Privileged Accounts on accountability and acceptable use.
3. Implement Multi-Factor Authentication for email and all sensitive privileged accounts.
4. Audit all Privileged Account usage.
5. Incident Response for Privileged Account compromise.
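As an added illustration of the control gaps the findings above enumerate and of takeaway 4 (audit all privileged account usage), the following Python script, written for this page and not Thycotic's code or the report's methodology, checks a constructed inventory of discovered privileged accounts against a PAM policy register for the same failure conditions: unchanged vendor-supplied passwords, test accounts left in production, interactive privileged accounts without MFA, and accounts that discovery found but the policy does not cover. The account kinds, the sample names, and the split between interactive and non-interactive accounts are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    kind: str               # local_admin | root | service | domain_admin | enable | app | batch
    environment: str        # prod | test
    mfa_required: bool
    default_password: bool  # still on the vendor-supplied password

# Assumption: MFA is enforced only on human-operated kinds; non-interactive kinds
# (service, app, batch) are still checked for default passwords and policy coverage.
INTERACTIVE_KINDS = {"local_admin", "root", "domain_admin", "enable"}

def audit(discovered, managed_names):
    """Map each control gap the survey reports to the discovered accounts failing it.
    discovered: accounts found by enumerating systems; managed_names: the PAM register."""
    findings = {"default_vendor_password": [], "test_account_in_production": [],
                "no_mfa_on_interactive_privileged": [], "not_in_pam_policy": []}
    for a in discovered:
        if a.default_password:
            findings["default_vendor_password"].append(a.name)
        if a.environment == "prod" and a.name.lower().startswith("test"):
            findings["test_account_in_production"].append(a.name)
        if a.kind in INTERACTIVE_KINDS and not a.mfa_required:
            findings["no_mfa_on_interactive_privileged"].append(a.name)
        if a.name not in managed_names:   # discovered but never brought under policy
            findings["not_in_pam_policy"].append(a.name)
    return findings

def would_pass(findings):
    # An access-controls audit passes only when no control has a failing account.
    return not any(findings.values())

# Constructed sample inventory (not real systems): what discovery found, versus
# what the PAM policy register actually covers.
SAMPLE = [
    Account("Administrator", "local_admin", "prod", True, False),
    Account("root", "root", "prod", False, False),
    Account("svc_backup", "service", "prod", False, False),
    Account("test_dbadmin", "app", "prod", False, True),
    Account("core-sw01/enable", "enable", "prod", False, True),
    Account("nightly_etl", "batch", "prod", False, False),
]
MANAGED = {"Administrator", "root", "svc_backup"}
if __name__ == "__main__":
    result = audit(SAMPLE, MANAGED)
    for control, names in result.items():
        print(f"{control}: {len(names)} failing {names}")
    print("audit result:", "PASS" if would_pass(result) else "FAIL")
```

On the sample data the run reports failures under every control, so the inventory would fail the audit; feeding the script a real discovery export and vault register turns the survey's percentages into a concrete list of accounts to fix.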