A new survey finds nearly six in 10 information security pros are using inadequate tools to protect their enterprise servers.
According to the "Privileged Access Management Report," a survey conducted by enterprise access management solutions vendor Fox Technologies and IT security research company Echelon One, a majority of the 327 respondents are "using home-grown solutions (12 percent), sudo (10 percent), or manual enforcement of privileged user access and passwords (37 percent) to control access to enterprise servers."
The December 2011 survey included a wide range of industries and company sizes, with 27 percent of respondents coming from firms with 5,000 or more employees.
We should always be skeptical of vendor-sponsored surveys, though having been involved with some in the past, I know they aren't faked, just selectively used. This survey is about enterprise access management and, not shockingly, discovered shortcomings.
Surveys such as this can present interesting findings -- you aren't alone, there are lots of companies just like yours -- but they are really a heads-up for things we might not be thinking about but should. Sometimes they uncover things we'd like to think we aren't doing, such as leaving servers vulnerable to even unsophisticated attackers.
You can download a PDF of the complete survey, which makes an interesting read if you like train wrecks and disasters in the making.
Here are some highlights from the report:
- Manual enforcement of privileged-user access and passwords remains prevalent among 37 percent of enterprises polled. Failure to automate access-management controls results in the sharing of privileged passwords. Once passwords are shared across multiple accounts, users begin taking administrative shortcuts and enterprises are unable to track actions back to a specific user. Manual enforcement of privileged-user access represents an opportunity for data compromise and is the No. 1 compliance risk.
- Potential for insider fraud is widespread, with 76 percent of respondents unable to automatically administer user accounts across multiple servers. Potential for access creep emerges when enterprises cannot automatically administer user accounts across the entirety of their server farm. Access creep results when employees accrue unmanaged access rights throughout their careers at an organization, ending up with more privilege than their positions require. Without a central console that can administer user accounts across multiple servers, IT lacks the staff and resources to administer each individual user account by hand.
- Seventy-three percent of respondents reported they are unable to centrally define the access rules and policies necessary to map access to employee role. Enterprises that are unable to centrally define rules and policies create the opportunity for user-access controls to change from server to server, enabling data compromise and accelerating the operational costs of manual enforcement.
- Enterprises lack the critical infrastructure to enforce server access: 42 percent of those surveyed are unable to implement multifactor authentication, and 37 percent are not able to define and enforce granular authorization rules. The inability to automatically authorize and enforce who can access which servers, and even what commands they can execute based on the context of the request, leaves enterprises open to the risk of a data breach.
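The list above mentions sudo, shared privileged passwords, and the inability to say which commands a given user may run. The shell script below, which is an added example and not part of the article or the survey, shows the difference in concrete terms: a sudoers file written the "everyone in the admin group can do anything" way beside one that maps a job role to a short command list and logs every session, and a small audit that counts blanket grants and checks for I/O logging. Both files, the `%webops` group, and the `WEBRESTART`/`LOGVIEW` aliases are constructed samples, not a real host's configuration.

```shell
#!/bin/sh
# Added example, not from the article or the survey: audit sudoers files for
# blanket root grants and missing session logging. Every file written below is
# a constructed sample; the group and alias names are hypothetical.

SAMPLE_DIR=$(mktemp -d)

# Weak pattern: a shared admin group and a service account that can run
# anything as root, some of it without a password. The audit trail can only
# say "an admin did it", never which person.
cat > "$SAMPLE_DIR/weak.sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(ALL) ALL
EOF

# Scoped pattern: commands are grouped into aliases that match a job role,
# session I/O is logged, and only root keeps an unrestricted entry.
cat > "$SAMPLE_DIR/scoped.sudoers" <<'EOF'
# constructed sample
Defaults env_reset, log_output
Cmnd_Alias WEBRESTART = /bin/systemctl restart nginx, /bin/systemctl reload nginx
Cmnd_Alias LOGVIEW    = /usr/bin/tail /var/log/nginx/*, /bin/journalctl -u nginx
root    ALL=(ALL) ALL
%webops ALL=(root) WEBRESTART, LOGVIEW
EOF

# Print every non-root rule whose command list is the bare keyword ALL,
# with or without a NOPASSWD: tag. Root's own ALL entry is expected and skipped.
blanket_grants() {
  grep -v '^[[:space:]]*#' "$1" \
    | grep -v '^root[[:space:]]' \
    | grep -E '=[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' \
    || true
}

# Number of blanket grants, printed as a plain integer.
count_blanket_grants() {
  blanket_grants "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if a Defaults line turns on I/O logging via log_output.
has_io_logging() {
  grep -v '^[[:space:]]*#' "$1" | grep -Eq '^Defaults[[:space:]].*log_output'
}

# Report on both constructed files.
for name in weak scoped; do
  path="$SAMPLE_DIR/$name.sudoers"
  echo "== $name: $(count_blanket_grants "$path") blanket root grant(s)"
  blanket_grants "$path" | sed 's/^/   /'
  if has_io_logging "$path"; then
    echo "   session I/O logging: on"
  else
    echo "   session I/O logging: off"
  fi
done
```

The scoped file still has no multifactor requirement; sudo can only check that a human typed a password, so the MFA gap the survey mentions has to be closed at login or through a PAM module, not in sudoers. Running a script like this across a server farm is also the cheapest way to find out whether the rules actually differ from host to host, which is the "access controls change from server to server" problem the report describes.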
Again, I hope this isn't you, but if it is, realize that access control for servers is a fairly basic thing. And if you don't have that nailed, you should look around for other hidden problems, too.