85 percent of organizations don't meet basic levels of PAM security
While 78 percent of organizations now include privileged credential protection as part of their cyber security policies, their privileged access management (PAM) security practices are still lacking.
According to a new study by PAM specialist Thycotic, 85 percent of respondents are still struggling to get beyond the initial phase of PAM maturity.
A worrying 55 percent of organizations have no idea how many privileged accounts they have or where they're located. In addition more than half of organizations' privileged accounts never expire or get deprovisioned.
Only 18 percent of organizations are storing all their privileged accounts in a secure privileged access management vault or password manager.
"The 2019 State of Privileged Access Management Maturity Report is a wakeup call for organizations worldwide to immediately assess their PAM practices with a goal of moving beyond dangerous habits to implementing a PAM Lifecycle Model, which is outlined in our report," says Joseph Carson, chief security scientist at Thycotic.
Thycotic assesses PAM security in four phases:
• Phase 1 -- Analog -- Organizations in the Analog phase face a high degree of risk.
• Phase 2 -- Basic -- Organizations transition from Analog to the Basic stage of PAM maturity, by adopting PAM security solutions and automating time-consuming, manual processes.
• Phase 3 -- Advanced -- Organizations in the Advanced phase of PAM maturity have moved from reactive to a proactive privilege security strategy.
• Phase 4 -- Adaptive Intelligent -- As the ultimate stage of PAM maturity, organizations in the Adaptive/Intelligent phase take continuous improvement to a higher level, integrating leading technologies such as machine learning to collect information and adapt system rules.
"Lack of visibility into how many unprotected privileged accounts exist in an organization and where they are located is an enormous risk for organizations," adds Carson. "Because privileged accounts such as local admin and service accounts exist everywhere in multiple places throughout an organization, trying to manually discover and manage them is virtually impossible. Your first step should be automating privileged account discovery on a continuous basis so that you can see what you need to protect and what security controls should be in place."
The full report is available from the Thycotic website.