December 12, 2011 07:45 ET

Research Exposes Security Risks of Mismanaged User Access - HP

Security Intelligence Solutions Critical to Reining in Policy Enforcement Lapses

PALO ALTO, CA--(Marketwire - Dec 12, 2011) - HP (NYSE: HPQ) today unveiled new global research that reports increased threats to sensitive and confidential workplace data are created by a lack of control and oversight of privileged users, including database administrators, network engineers and IT security practitioners.(1)

Key findings of "The Insecurity of Privileged Users" study, conducted by the Ponemon Institute, revealed that:

  • Fifty-two percent of respondents indicated that they are at least likely to be provided with access to restricted, confidential information beyond the requirements of their position.
  • More than 60 percent reported that privileged users access sensitive or confidential data out of curiosity, not job function.
  • Customer information and general business data are at the highest risk, and the most threatened applications included mobile, social media and business unit specific applications.

Many respondents claimed to have well-defined policies for individuals with privileged access rights to specific IT systems. However, almost 40 percent were unsure about enterprise-wide visibility into specific rights, or whether those with privileged access rights met compliance policies.

Organizations attempt to maintain control over the issue in different ways. Twenty-seven percent say their organizations use technology-based identity and access controls to detect the sharing of system administration access rights or root-level access rights by privileged users, and 24 percent say they combine technology with process. However, 15 percent admit access is not really controlled and 11 percent say they are unable to detect sharing of access rights.

"This study spotlights risks that organizations don't view with the same tenacity as critical patches, perimeter defense and other security issues, yet it represents a major access point to sensitive information," said Tom Reilly, vice president and general manager, Enterprise Security Products, HP. "The results clearly emphasize the need for better access policy management, as well as advanced security intelligence solutions, such as identity and privileged user context, to improve core security monitoring."

The global survey focused on more than 5,000 IT operations and security managers across the Australia, Brazil, France, Germany, Hong Kong, India, Italy, Japan, Korea, Singapore, Spain, United Kingdom and United States. Other key findings include:

  • Top barriers to enforcing privileged user access rights are the inability to keep pace with change requests, inconsistent approval processes, high costs of monitoring and difficulty in validating access changes.
  • Areas for improvement include monitoring privileged users' access when entering root-level administrative activity, identifying policy violations and enforcing policies across an entire organization.
  • The potential for privileged access abuse varies from country to country based on responses, with France, Hong Kong and Italy having the greatest potential, and Germany, Japan and Singapore having the least.
  • Nearly 80 percent of respondents reported that deploying a security information and event management (SIEM) solution was critical to governing, managing and controlling privileged user access rights.

"The intent of the study is to provide a better understanding of the state of access governance in global organizations and the likelihood privileged users will abuse or misuse IT resources," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "The findings demonstrate key areas of concern, and clearly identify budget, identity and access management technologies, and network intelligence technologies as the three most critical success factors for governing, managing and controlling privileged user access across the enterprise."

HP enables comprehensive security intelligence and control over privileged user management through its Security Intelligence Platform, which helps businesses in their pursuit of an Instant-On Enterprise. In a world of continuous connectivity, the Instant-On Enterprise embeds technology in everything it does to serve customers, employees, partners and citizens with their business solutions needs.

HP Security Intelligence Platform is a key component of the HP IT Performance Suite, which enables IT management to improve the performance of operational intelligence. The HP IT Performance Suite delivers a comprehensive view across IT assets, automates IT management and adjusts IT performance to meet specific business enterprise goals.

On Tuesday, Dec. 13, at 10 a.m. PT, HP Enterprise Security will host a webinar highlighting findings from "The Insecurity of Privileged Users" study. Additional details and registration are available here.

About HP
HP creates new possibilities for technology to have a meaningful impact on people, businesses, governments and society. The world's largest technology company, HP brings together a portfolio that spans printing, personal computing, software, services and IT infrastructure to solve customer problems. More information about HP is available at

(1) "The Insecurity of Privileged Users," Ponemon Institute, December 2011. The survey reflects interviews with more than 5,500 IT operations and security managers from a variety of industries in 13 countries.

This news release contains forward-looking statements that involve risks, uncertainties and assumptions. If such risks or uncertainties materialize or such assumptions prove incorrect, the results of HP and its consolidated subsidiaries could differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including but not limited to statements of the plans, strategies and objectives of management for future operations, including execution of growth strategies, transformation initiatives and restructuring plans; any statements concerning expected development, performance or market share relating to products and services; any statements regarding anticipated operational and financial results; any statements of expectation or belief; and any statements of assumptions underlying any of the foregoing. Risks, uncertainties and assumptions include macroeconomic and geopolitical trends and events; the competitive pressures faced by HP's businesses; the development and transition of new products and services (and the enhancement of existing products and services) to meet customer needs and respond to emerging technological trends; the execution and performance of contracts by HP and its customers, suppliers and partners; the protection of HP's intellectual property assets, including intellectual property licensed from third parties; integration and other risks associated with business combination and investment transactions; the hiring and retention of key employees; expectations and assumptions relating to the execution and timing of growth strategies, transformation initiatives and restructuring plans; the resolution of pending investigations, claims and disputes; and other risks that are described in HP's Quarterly Report on Form 10-Q for the fiscal quarter ended July 31, 2011 and HP's other filings with the Securities and Exchange Commission, including but not limited to HP's Annual Report on Form 10-K for the fiscal year ended October 31, 2010. HP assumes no obligation and does not intend to update these forward-looking statements.

© 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.