Discover Performance

HP Software's community for IT leaders // March 2012

No Inside Jobs: Three steps to controlling privileged access

HP security expert Rafal Los warns that most organizations give employees too much privilege—leaving the enterprise vulnerable to abuse and attack.

Privilege is extremely difficult to manage in an organization of any size, and the more rapidly your business changes, the harder privilege becomes to manage and the more likely you are to devolve into a situation where, as everyone takes on more projects or responsibilities, everyone ends up with far more access than they should have. This is dangerous, especially when privileged users report feeling entitled to abuse their access merely to satisfy their own curiosity—to say nothing of the possibility of more malicious intent.

A new study by the Ponemon institute, sponsored by HP Enterprise Security, asked a group of mostly supervisor-and-higher-level IT professionals about their privileges:

"According to 77 percent of respondents, privileged access rights are required to complete their current job assignment. However, 23 percent say the access rights they have are not necessary for their role."

You trust your employees and administrators with the most critical technical functions in your organization—but they're only human. You need controls over who has access—and how much access—to your critical intellectual property, company secrets, and other proprietary information. The Ponemon study suggests that many organizations don’t have a tight grip on privileged access.

It was surprising enough to see many users state that their excess of access was "for no apparent reason," but the most striking response was "everyone at my level has privileged access even if it is not required to perform a job assignment," which was cited by a mind-blowing 43 percent of respondents.

I suppose that if the organization fundamentally does not understand what your role is, and what you need to accomplish your job, everyone requires access to everything. That’s dangerous enough on its own, but compound it with this—64 percent of privileged users believe they are empowered to access all the information they can view—and we have a recipe for disaster. We’ve got organizations that misunderstand the concept of role-based access, and administrators with excessive senses of entitlement. That’s not going to end well.

There is a three-step process around privilege in any situation. The first critical step is understanding privilege. Once you've understood it, you can implement and ultimately govern and monitor privilege usage and distribution.

Step 1: Understanding privilege
Ground zero for a solid privilege model is understanding how your organization is built. Fundamentally: what are your critical processes, systems, applications, and data; who should have access to them; and in what capacity? You'll need to answer the what, the who, and the how to be successful in understanding privilege.

Step 2: Implementing privilege
Implementing privilege across the organization is done with a combination of manual processes and automated tools. Lots of great technologies can help you to script your way to managing privilege—just be careful of the ones that promise too much.

Step 3: Governing and managing privilege
Once you understand your organization and have implemented your privilege model, it's time to monitor and carefully govern it to ensure you don't end up back in the mess you just fought your way out of. Modern organizations are so fluid that it's difficult not to fall back into privilege chaos, but you absolutely must keep a watchful eye on your systems, applications, and data to make sure that someone isn't trying to get into things they don't have rights to.

Access the report
The Ponemon study (registration required) is certainly interesting—more so given all the recent talk of insider attacks. Check out the study and draw your own conclusions, and think about how much unnecessary access is floating around your organization.

Rafal Los is the Chief Security Evangelist with HP Software. A longer version of this article appeared at his security blog, Following the White Rabbit.
