While most companies use some form of identity and access management controls to protect their applications and information, precious few are able to centrally manage these systems and keep up with changes in user privileges, according to a Ponemon Institute study released Monday.
It's a dangerous situation, given that any company that can't get a handle on who has access to what within its IT environment is a prime candidate for a security breach, either from an insider looking to exceed access privileges or from an outsider tapping into orphaned user accounts that still offer access to former employees or contractors.
More than 64% of the 627 IT pros surveyed by Ponemon for a study sponsored by SailPoint Technologies, a provider of compliance, governance, and identity management technology, say their companies use identity and access management technology. About half of the remaining respondents who don't use identity and access management technology say this is because the technology is too expensive. Only 14% avoid identity and access management because it's too difficult to deploy or because they're content with manual methods of identity management.
"We've found that the process for most companies remains largely manual, and that also translates to reactive measures for addressing insider abuse," says founder and chairman Larry Ponemon, who points to last month's revelation that a DuPont research chemist was stealing the company's intellectual property as a case where identity management's importance came into full view. Gary Min was caught after DuPont realized he had been accessing large volumes of information not relevant to his role at the company. "But these anomalies weren't detected and identified as high-risk behavior until after $400 million in trade secrets had been compromised," Ponemon adds.
Those who do invest in identity and access management technology are spurred on primarily by the need to improve the efficiency of system access and the security of their systems, not to mention meet the demands of government regulators. Of the regulations driving identity and access management investments, half of the Ponemon respondents cited California's state breach notification law, followed by Sarbanes-Oxley, Payment Card Industry requirements, and the Gramm-Leach-Bliley Act.
It's rare to find a company that's adopted a centralized approach to managing identities and access to its systems. Only 13% of Ponemon's respondents have centralized identity and access management. Often identity and access information is managed outside of IT, by individual departments or business units. And 18% of Ponemon's respondents indicated that this information is managed based on geographic location rather than from a central, company-wide location.
The ability to track temporary or contract employees who have access to sensitive or confidential data is the top reason companies in the Ponemon study implement identity and access management systems. Another top reason is the ability to track the activities of privileged users (e.g., system admins, DBAs) with access to critical applications or databases. About 64% indicated that identity and access management was "very important" or "important" in giving them the ability to detect and prevent disclosure of confidential or private data.
"If we can't rapidly respond to a change in our user community, that's a concern," says Jay Raimondi, chief technology officer of CRC Health Group, a provider of treatment for people with chemical dependency and related behavioral health problems. Raimondi adds that CRC's greatest security threat would more likely come from a disenchanted employee than from an outside attack against its systems. "The first part of the IT security evolution dealt with external forces, and now we need to look internally, something that identity management addresses."