SSH Blog | Defensive Cybersecurity

Re-Thinking Privileged Access Management in the Age of Hybrid Cloud. A Vanson Bourne study commissioned by SSH.COM

Written by Jussi Mononen | Jun 10, 2020 11:52:39 AM

SSH Research: Bad PAM tools lead to bad security habits. Why simpler security is safer.

More companies are moving to hybrid IT environments to gain speed, agility and productivity. But how strong are the security controls that protect access to on-premises and cloud services? Not very, according to a new study from SSH.COM.

We commissioned Vanson Bourne to survey 625 IT and application development professionals from different levels of seniority across the United States, United Kingdom, France, and Germany. We asked them a range of questions about their usage of on-premises and hybrid cloud environments, as well as the security practices in place within their organizations. You can download the full research report, “Re-Thinking Privileged Access Management in the Age of Hybrid Cloud,” here.

The survey reveals a lot about the rise of hybrid IT: 56% of respondents described their IT environment as hybrid cloud, an increase from 41% a year ago. And on average, companies are actively using two cloud service vendors at a time.

More cloud IT environments mean many more privileged user accounts to manage, which is why companies bring in privileged access management (PAM) software. But the survey suggests that legacy PAM solutions often slow down daily work for IT and application development professionals. As a result, many IT pros seek time-saving shortcuts or workarounds, which, in turn, increase security risk.

Speed bumps encourage risky shortcuts

For respondents whose organizations use cloud solutions, we asked which common issues resulting from cloud access solutions, such as PAM, tend to slow down daily work the most. Here’s how the issues ranked:

  • 34% - configuring access
  • 30% - repeatedly logging in and out
  • 29% - granting access to other users
  • 25% - waiting for access
  • 23% - hopping between consoles

We believe that if an organization’s PAM tool creates roadblocks because it is complex and nonintuitive, or because it introduces steps that interrupt an IT professional’s daily workflow, then employees are probably going to avoid using it. The results seem to back that up. More than half (52%) of respondents said they would “definitely” or at least “consider” bypassing secure access controls if they were under pressure to meet a deadline.

There are other bad habits at play. The majority of respondents (85%) already share account credentials with others out of convenience, even though most (70%) understand the risks of doing so. And more than half (60%) of respondents use insecure methods to store their credentials and passwords, including in email, in non-encrypted files or folders, and on paper.

Ultimately, traditional access controls lead to a productivity trade-off, which encourages IT admins and developers to bypass security entirely, opening the organization up to greater risk. The only question is, what do companies do about it?

Simpler is safer: Businesses need an easier PAM approach for hybrid IT

At SSH.COM, we have argued for some time that modern IT security solutions are too complex for most users. As we wrote last year:

“There’s a commonly held belief that people are the weakest link in cybersecurity. That at best, they’re prone to make mistakes, and at worst, they’re careless, dumb or lazy. But if we’ve bought into that premise, then why are we still placing so much responsibility for security in the hands of the user? Shouldn’t we be trying to reduce the risk of the human element?”

What if, instead of creating a security climate that imposes all of the burden on the user to change their risky behaviors, we designed security solutions that reduce or eliminate their potential to impact security in the first place? Instead of swimming against the currents, why not just go with the flow?

That’s what we’ve strived to build with PrivX, our lean PAM solution. And the survey results show that many IT pros would welcome security solutions that take secure access tasks off their plate. The vast majority (90%) believe that new tools and technology in their organization would make work easier, and 61% said they believed automation could be a viable way to eliminate most of or all routine access and configuration tasks.

These are the sorts of technologies and capabilities that make PAM more user friendly. And when your PAM tool is easy to use, more people are likely to use it. That’s how you keep corporate data safe and secure, whether it’s on-premises or in the cloud.

There’s much more in the full report – from an in-depth look at all the bad habits that threaten corporate IT, to IT perspectives on the specific capabilities PAM needs to have in order to enable efficient work. You can find all of that information at the link below.