Establishing controls for privileged access continues
to be a focus of attention for organisations and auditors. Gartner,
Inc. said that by 2018, 25 percent of organisations will review privileged
activity and reduce data leakage incidents by 33 percent.
"Only less than 5 percent of organisations were
tracking and reviewing privileged activity in 2015," said Felix Gaehtgens, research director at Gartner.
"The remainder is, at best, controlling access and logging when, where and
by whom privileged access takes place — but not what is
actually done. Unless organisations track and review privileged activity, they
risk being blindsided by insider threats, malicious users or errors that cause
significant outages."
Prevention of both breaches and insider attacks has become a
major driver for the adoption of privileged access management (PAM) solutions,
in addition to compliance and operational efficiency. PAM is a set of
technologies designed to help organizations address the inherent problems
related to privileged accounts.
"IT organisations are under increasing business
and regulatory pressure to control access to these accounts, which can be
administrative accounts, system accounts or operations accounts," said Mr.
Gaehtgens.
Gartner recommends that IT operations and security leaders use some
best-practice approaches for effective and risk-aware privileged access
management.
Inventory All the Accounts With Privileged Access and Assign Ownership
All privileged accounts in your IT environment that enjoy
permission levels beyond those of a standard user should be accounted for. It
is a security best practice to frequently scan your infrastructure to discover
any new accounts introduced with excess privileges. "This becomes even
more important for dynamic environments that change rapidly, such as those
using virtualization on a large scale, or hybrid IT environments that include
cloud infrastructure," said Gaehtgens. "Organizations should
start by using free autodiscovery tools offered by some PAM vendors to enable
automated discovery of unmanaged systems and accounts across the range of
infrastructure — but even those autodiscovery tools will not find
everything."
Shared-Account Passwords Must Not Be Shared
The golden rule is that shared-account passwords must not
themselves be shared. Sharing passwords, even among approved users, severely
erodes personal accountability, which is a security best practice and is demanded
by regulatory compliance. Not sharing them also makes it less likely that
passwords will leak to others.
Minimize the Number of Personal and Shared Privileged Accounts
Eliminate, or at least drastically reduce, the number of users
with (permanent, full) superuser privileges to the minimum that is consistent
with operational and business needs. Migrating to shared privileged accounts is
a recommended practice; however, this requires appropriate tools — managing the
risks and control issues that arise from the use of such accounts is
inefficient and complicated without a shared account password management tool.
Establish Processes and Controls for Managing the Use of Shared Accounts
Establish processes and controls for managing shared accounts
and their passwords. While it is possible to use manual processes to manage
privileged access, doing so is too cumbersome, and it is virtually impossible to
enforce such practices without specialized PAM tools.
IT operations and security leaders need to implement PAM
tools to automate processes, enforce controls and provide an audit trail
for individual accountability. These tools are mature, and provide efficient
and effective password management for shared superuser (and other) accounts in
a robust, controlled and accountable manner, enabling any organization to meet
regulatory compliance requirements for restricted access and individual
accountability.
Use Privilege Elevation for Users With Regular (Nonprivileged) Access
Administrators will typically have personal, nonprivileged
accounts that they use for their day-to-day work, such as reading email,
browsing the Web, accessing corporate applications, creating and reviewing
information, and so on. "Never assign superuser privileges to these
accounts, because these might exacerbate accidental actions or malware that can
cause drastic consequences when used in a privileged environment," said Gaehtgens.
"Instead, use privilege elevation to allow temporary execution of
privileged commands."
Companies Aren’t Investing in Personalization: New Mindtree Study
A global, cross-industry study released today
by Mindtree, a leading digital
transformation and technology services company, pinpoints personalization as the key driver that will help
“phy-gital” consumers reach their ideal mix of online and offline shopping. It
also reveals that while most companies are in transformation mode and consider
themselves pioneers in adopting or investing in digital technologies, few are
investing in personalization initiatives that consumers say will increase the
depth and breadth of their shopping experience.
Key findings from the survey include:
· Consumers indicate that personalized
promotions encourage them to buy products and services they have purchased
before (78 percent), as well as relevant products and services they have never
purchased (74 percent).
· Only 28 percent of the decision makers from
companies surveyed globally say their organizations are investing significantly
in personalization to improve the online purchasing experience, even though it
has improved their online sales over the past 12 months for the majority (58
percent).
· Consumers expect their use of mobile apps for
shopping to more than double in the next three years. While 6 percent of
consumers said their preferred channel for making retail purchases as of 2015
was mobile apps, 15 percent said they expected mobile apps to be their
preferred channel by 2018.
The study, “Winning in
the Age of Personalization,” was commissioned by Mindtree and
conducted by independent market research firm Vanson Bourne. It surveyed 6,000
consumers across three primary regions (U.S., Europe, and Asia/Pacific), as
well as 900 decision-makers from companies spanning the retail and consumer
goods, travel and hospitality, banking and insurance, and media and
entertainment industries.
The survey also highlights some notable
disconnects between what online features consumers desire and what features
companies are investing in. As an example, consumers crave improved search and
compare/aggregate functions, but companies are investing more in features like
shopping lists, wish lists and social features. The survey results also reveal
the top reasons that customers abandon online shopping carts, and what drives
customers to read and post online reviews (positive or negative).
“There are a lot of stories to be gleaned from
this study, but what stands out most is that companies need to prioritize more
investments in personalization, an area that quite clearly drives more
commerce,” says Radha R., EVP and Head of Digital Business at Mindtree. “Many of
today’s personalization approaches are ineffective since they are based on a
siloed view of the customer. With the right data engine and digital
underpinnings in place, customized experiences will allow companies to target
the right people, at the right time, in the right place, on the right device,
with the right content.”
Recommended Next Steps for Companies:
· Break up data silos to get a more enriched
view of customers from various digital touch points, using a big data-led
approach.
· Deliver relevance for customers by creating content,
offers and recommendations using context-weighted personalization algorithms.
· Implement the technology to automatically
deliver these customized messages and offers to customers in a cross-channel,
cross-device landscape.
This will only work if a company has the right
digital infrastructure at the broadest level. Mindtree believes that
companies need to blend four cornerstones that are crucial to achieving true
digital transformation and success: creating digital customer experiences,
digitizing the value chain across the front and back end, developing
“sense-and-respond” systems, and shaping new, innovative business models and
partnerships.
“It’s important to note that an online
presence should focus on serving customers and not just on selling to
customers,” says Paul Gottsegen, Chief Marketing and Strategy Officer at Mindtree.
“With better personalization, companies will essentially embed themselves in
the ongoing phy-gital lives of consumers and earn the right to be part of a
continuous stream of engagement. It will strengthen the relationship for the
long haul and give the companies that get it right a big advantage.”