HP study finds security holes in privilege management

by Shaun Nichols

12 Dec 2011


Many companies are still failing to adequately manage user privileges and protect sensitive data, according to a study from HP and the Ponemon Institute.

The survey, which polled IT administrators from 13 countries including the UK, US, Germany and France, found that more than half allow access privileges beyond what is needed for their users' current roles with the company.

Among those employees who are given access to sensitive information, abuse of privilege is rampant. Some 63 per cent of those surveyed reported that curiosity has driven privileged users to access sensitive or confidential data.

Additionally, the study found that few companies have systems in place to adequately manage and view how user privileges are assigned and how they are used.

"It not only is a tech related problem, it's also about culture," said Ponemon Institute founder and chairman Larry Ponemon.

"Somehow privileged users think they have a right to access."

To change that culture, HP and Ponemon believe that firms need to adjust their approach to the way user rights and privileges are managed.

Ryan Kalember, senior director of solutions marketing for HP enterprise security products, told V3 that rather than looking to assign strict privileges on user access, companies should make more of an effort to monitor and analyse access patterns.

When administrators are able to view how data is accessed, IT departments can gain a clear picture of what rights are required for each role and flag unusual or specific behaviour, he said.

Much of that change, said Kalember, will rely on shifting the conventional approach to access management and repurposing existing monitoring and analysis tools for access and activity logs.

"There is a measure of correlation that you have to do in order to get this right," he explained.

"That information is not necessarily married up with identity information, so that is a technical process to solve."
