Companies are hemorrhaging millions every year through the hidden costs, security risks and compliance liabilities associated with administrative, super-user or privileged passwords, according to a white paper by IDC, sponsored by Cyber-Ark Software, entitled “Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise” (Jan 2007, #204906).
Sally Hudson, research manager for IDC’s Security Services and Identity Management Products program and author of the report, comments on the privileged password dilemma: "Our research shows that managing privileged passwords is a security conundrum," she says. "Not only do privileged passwords pose a security threat, but maintaining, storing, changing and monitoring privileged passwords and their users is an expensive and daunting task. In particular, there are thousands of privileged passwords at all levels – devices, embedded, laptops, etc. – and changing them on a routine basis is difficult to do manually in any effective way. IDC estimates that it takes approximately $30 in man hours/labor to change the Sys-admin password on a single Microsoft Exchange Server."
"IDC believes that the risk can be significantly mitigated by implementing policies which demand special treatment for privileged passwords,” according to Hudson. “These include the ability to disable an employee’s system access promptly upon employee termination; enforcing a company-wide password change on a regular basis; and implementing reliable auditing and reporting systems. Furthermore, companies such as Cyber-Ark that offer a Privilege Password Management solution are well-positioned to assist organizations in preventing unwarranted insider attacks.”
Calum Macleod, European Director of Cyber-Ark, said: “Privileged passwords are like a big taboo! When you talk to organizations, they know they are their big security black spot but just don’t know how to manage them! What companies should realize is that the IT guys who have access to the privileged passwords are the ones with all the power: they have the power to change accounts, see sensitive financial information and basically get to know everyone’s business without anyone really knowing what they are doing.
The worst problem is that so many people within the IT department are often privy to the privileged passwords that, when there is a serious breach or the system is sabotaged, it’s very difficult to find out who it was. Many of the large financial institutions and other companies who need to protect their sensitive information, such as utilities and pharmaceutical companies, have now begun using password management software which can automate, control and manage the privileged passwords, therefore putting the lid on what has otherwise been, and still is, a very large can of worms.”