As enterprises continue with their digital transformations by automating their manual workflows, moving existing applications to the cloud, and developing and deploying new applications at a record pace, they’re also rapidly increasing the complexity in their environments, and as a result security controls and processes that should be in place continue to slip.
A recent survey from access control provider SSH.com, commissioned Vanson Bourne, provides some insight to the extent old poor security habits continue digital transformations. The survey of 625 IT and application professionals, this past spring, with varying levels of experience within the United States, United Kingdom, France, and Germany. The survey sought insights on respondent’s thoughts on their moving to cloud, as well as privileged access management processes as their environments continue to grow in complexity. “We learned that high-risk behaviors in many organizations, including password sharing, excessive access, and the bypassing of software security controls, threaten to undermine the security of corporate IT,” the report concluded.
Concerningly, the report found that than half of IT and application development professionals are willing to sacrifice security for speed, and to bypass software security controls when they are under pressure to meet deadlines. “The results provide a view of the habits that threaten corporate IT,” the report said.
As one may expect, the survey did find that hybrid cloud environments are on the rise: 56% of those surveyed said they have a hybrid cloud technology environment, up from 41% one year ago. Unsurprisingly, those respondents who use cloud found privileged account management slowed down their day to day work. “The biggest speed bump cited was configuring access (34%) – which could involve configuring SSH keys, switching between access protocols, or revoking access. Repeatedly logging in and out was the second-biggest hurdle (30%),” the survey found.
The nature of the job role of survey respondents affected their answers.
The survey indicated that application developers, “who typically like to work fast and must often shift between environments to get work done, were most likely to say that they were slowed by frequent logging in and out (35%). Senior IT security leaders were most likely to say they were inhibited by things like configuring access (39%) or granting access to other users (34%). IT admins also expressed troubles with configuration (30%),” the report continued.
The report also found significant sharing of credentials, such as passwords.
“We found that while many say they’re keeping those credentials locked away in encrypted folders or files on their computer, or in dedicated password management software like LastPass, RoboForm, or DashLane, others are much less careful with their credentials,” the report said.
That’s for sure. The survey found that one-fifth of respondents keep passwords in emails, paper, or in nonencrypted files and folders. “Additionally, 86% of respondents said that some or all privileges or credentials are saved to the target servers of applications in their organization. This is risky because if an attacker were to gain access to a server where a public key is stored, it could use that key to bypass password authentication in the future. Even if the password is reset, the attacker will retain access via the rogue key,” the report found.
The risk of third-party providers also ranked high. The survey found 29% of respondents said that contractors are given permanent access credentials for their work. “Permanent credentials are inherently risky. They provide widespread access beyond the task at hand, and can be forgotten, stolen, mismanaged, misconfigured, or lost. If these credentials are obtained by cybercriminals, they can also be used to help attackers move laterally within a network. Given that contractor projects are often time-bound, and that outside access should always be revoked upon completion of the project, it would be safer instead to grant contractors temporary IT access for the duration of the contract,” the report said.
The survey also indicates that organizations plan to increase their use of third-party IT suppliers in the year ahead. It will be important for these companies to get a handle on their secure access policies sooner rather than later.
Overall, the report shows that as enterprises accelerate their digitization efforts, they’re bringing along all of their bad security habits.