PRIVILEGED ACCESS MANAGEMENT IN THE MODERN THREATSCAPE

Privileged access remains the preferred vector for attackers, and most organizations aren’t taking the very basic steps to secure it

©2019 Centrify Corporation All Rights Reserved. www.centrify.com


Over the past few years, it’s become evident that attackers are no longer “hacking” in for data breaches: they are simply logging in using weak, stolen, or otherwise compromised credentials.

Once they are in, they then spread out and move laterally across the network, hunting for privileged accounts and credentials that help them gain privileged access to an organization’s most critical infrastructure and sensitive data.

Forrester Research has estimated that, despite continually-increasing cybersecurity budgets, 80% of security breaches involve privileged access abuse and 66% of companies have been breached an average of five or more times.

A new survey by Centrify (conducted by FINN Partners) supports this estimate, finding that 74% of respondents whose organizations have been breached acknowledge it involved access to a privileged account.

The survey of 1,000 IT decision makers evenly split between the U.S. and U.K. confirms that privileged credential abuse is the preferred attack vector.

Too Much Privilege, Not Enough Management

More concerning is that the survey results also reveal that, despite knowing that privileged access is the goal, most organizations continue to grant too much trust and privilege, and are not prioritizing Privileged Access Management (PAM), nor implementing it effectively.

Given the choice, respondents are most likely to say digital transformation (40%) is one of the top 3 projects they’d prefer to work on, followed by Endpoint Security (37%) and Privileged Access Management (28%).

This contrasts with a prediction from Gartner that PAM will be the second-fastest growing information security technology in 2019, after being a Top 10 security project for 2018, and again in 2019. Practitioners should consider that critical and fundamental security controls such as PAM are enablers for Digital Transformation. However, organizations are simply not taking some of the most basic steps to secure privileged credentials, the ‘keys to the kingdom.’

Most notably, the survey found:

52%: Over half of respondents do not have a password vault.

65% are still sharing root or privileged access to systems and data at least somewhat often.

21%: More than 1 out of every 5 still have not implemented Multi-Factor Authentication for privileged administrative access.

These are low-hanging fruit that, when combined with a Zero Trust approach to Privileged Access Management, can significantly strengthen their security postures and close off preferred access points for attackers.

PAM Maturity Not Where It Needs to Be

In addition to not implementing basic Privileged Access Management solutions, many organizations are not implementing basic policies and processes to reduce risk.

For example, 63% (55% U.S. / 70% U.K.) of all respondents indicate their companies usually take more than a day to turn off privileged access for an employee who leaves the company, exposing themselves to revenge exploitation, including selling privileged access credentials on the Dark Web.

That data point also revealed a common theme throughout the survey that U.K.-based IT decision makers lag behind their U.S. counterparts when it comes to awareness and implementation of Privileged Access Management.

Only 36% of U.K. respondents are “very confident” in their company’s current IT security, software, and protocol, vs. 65% of U.S. respondents.

U.K. Generally Lags Behind U.S. in PAM

The survey also revealed that U.K. IT professionals are less confident in their ability to secure their organizations. Furthermore, fewer U.K. respondents seem aware that privileged credential abuse is the leading cause of data breaches, and that their organization has likely already been breached.

“What’s alarming is that the survey reveals many organizations, armed with the knowledge that they have been breached before, are doing too little to secure privileged access.

IT teams need to be taking their Privileged Access Management much more seriously, and prioritizing basic PAM strategies like vaults and MFA while reducing shared passwords.”

— Tim Steinkopf, CEO of Centrify

44% of U.K. respondents were not positive about what Privileged Access Management is, versus 26% of U.S. respondents.

29% of U.K. respondents breached in the past claim it was not caused by abuse of a privileged account, almost twice as many as U.S. respondents.

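Chart values: 29% U.K. vs. 15% U.S. (breached respondents claiming it was not caused by privileged account abuse); 36% U.K. vs. 65% U.S. (“very confident” in current IT security).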

60% of U.K. respondents do not have a password vault, a fundamental component of PAM, vs. 45% of U.S. respondents.


Securing the Modern Threatscape with Zero Trust Privilege

Most notably, U.K. respondents are falling behind in securing privileged credentials for the expanding threatscape that modern enterprises now face. However, in most cases, U.S. companies are not doing much better.

Today’s environment is much different than when all privileged access was constrained to systems and resources inside the network. Privileged access now not only covers infrastructure, databases and network devices but also extends to cloud environments; it includes Big Data projects, must be automated for DevOps, and now needs to cover hundreds of containers or microservices that represent what used to be a single server. In addition, Advanced Persistent Threats (APTs) create a growing and changing risk to organizations’ financial assets, intellectual property, and reputations.

The survey found respondents are not prioritizing this new threatscape as much as they should be, only controlling privileged access to a limited number of modern use cases.

Which of the following are you controlling privileged access to?

| | U.K. | U.S. |
|---|---|---|
| Big Data | 37% | 47% |
| Cloud Workloads | 47% | 63% |
| Network Devices | 28% | 36% |

“By adopting a Zero Trust mindset, organizations can further reduce their risk of becoming the next data breach victim.”

— Tim Steinkopf, CEO of Centrify

Organizations should consider a cloud-ready Zero Trust Privilege approach that helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, Zero Trust Privilege minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity, and costs for the modern, hybrid enterprise.

For more information, visit www.centrify.com/education/what-is-zero-trust-privilege.

Methodology

FINN Partners, on behalf of Centrify, surveyed 1,000 IT decision makers (500 in the U.S. and 500 in the U.K.) online in October 2018. Respondents were not compensated for their participation.

Centrify Privileged Access Management Survey February 2019

All numbers below represent percentages of respondents.

Privileged Access Questions

1. Which option best describes your current activity for each of the following identity and access management (IAM) solutions? Select all that apply.

U.S.

| | Actively researching | Piloting | In Production | Upgrading/Refining | Not interested | Don’t know |
|---|---|---|---|---|---|---|
| Single Sign-On | 54 | 10 | 23 | 10 | 2 | 0 |
| Authentication | 42 | 22 | 25 | 9 | 1 | 1 |
| Advanced Authentication (e.g. multi-factor authentication) | 42 | 15 | 27 | 14 | 2 | 1 |
| Customer Identity and Access Management | 39 | 22 | 21 | 14 | 2 | 2 |
| Identity Governance and Administration | 38 | 20 | 27 | 10 | 2 | 2 |
| Identity-as-a-Service (IDaaS) | 38 | 20 | 23 | 15 | 3 | 2 |

U.K.

| | Actively researching | Piloting | In Production | Upgrading/Refining | Not interested | Don’t know |
|---|---|---|---|---|---|---|
| Single Sign-On | 41 | 16 | 29 | 11 | 2 | 2 |
| Authentication | 28 | 27 | 30 | 13 | 2 | 1 |
| Identity-as-a-Service (IDaaS) | 28 | 17 | 27 | 19 | 7 | 2 |
| Advanced Authentication (e.g. multi-factor authentication) | 27 | 17 | 30 | 20 | 4 | 2 |
| Customer Identity and Access Management | 26 | 18 | 28 | 20 | 5 | 3 |
| Identity Governance and Administration | 25 | 18 | 34 | 16 | 5 | 3 |


2. Looking forward to next year, which of the following are part of your organization’s top five security projects in 2019? Select up to five.

| | U.S. | U.K. |
|---|---|---|
| Protecting Cloud Data | 69 | 56 |
| Preventing Data Leakage | 51 | 44 |
| Analyzing Security Incidents | 48 | 38 |
| Improving Security Education/Awareness Training | 47 | 42 |
| Encrypting Data | 46 | 46 |
| Securing Privileged Accounts | 40 | 34 |
| Preventing Phishing Attacks | 34 | 32 |
| Protecting Endpoints | 32 | 29 |
| Addressing Vulnerability and Patch Management | 31 | 30 |
| Maturing Identity Governance | 15 | 14 |
| None of these | 0 | 0 |
| Don’t know | 0 | 2 |

3. If you could spend your time working on anything you wanted to for a month, either out of personal interest or because you know it’s the best strategic area for your company, what would be your top three projects? Select up to three.

| | U.S. | U.K. |
|---|---|---|
| Digital Transformation | 46 | 34 |
| Endpoint Security | 38 | 36 |
| Privileged Access Management | 28 | 28 |
| Internet of Things for Enterprise | 28 | 28 |
| Big Data | 27 | 30 |
| Cloud Transformation | 27 | 31 |
| Security Awareness Training | 24 | 19 |
| DevOps | 24 | 21 |
| Risk & Compliance Management | 20 | 20 |
| Automation | 10 | 8 |
| None of the above | 1 | 2 |
| Other | 0 | 0 |

4. How familiar are you with the term “privileged access management”?

| | U.S. | U.K. |
|---|---|---|
| I definitely know what this means | 74 | 56 |
| I think I know what this means, but am not sure | 17 | 30 |
| I recognize this term, but I don’t know what it means | 4 | 10 |
| I am completely unfamiliar with this term | 5 | 4 |
| I don’t know | 0 | 1 |


Some have described “privileged access management” as the act of granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. That is the definition being used for the purposes of the survey.

5. Do you expect your overall security budget to increase, decrease, or remain the same in the next 12 months compared to the past 12 months?

| | U.S. | U.K. |
|---|---|---|
| Increase | 79 | 60 |
| Decrease | 2 | 9 |
| Remain the Same | 19 | 30 |
| I don’t know | 1 | 0 |
| N/A/We don’t have a security budget | 0 | 1 |

6. Overall, how confident are you in your company’s IT security, software and protocols?

| | U.S. | U.K. |
|---|---|---|
| Very confident | 65 | 36 |
| Somewhat confident | 33 | 52 |
| Not too confident | 2 | 10 |
| Not at all confident | 0 | 0 |
| Don’t know | 0 | 1 |

7. Do you distinguish between end users (employees with access to usual company data) and privileged users (employees with authority to access more than usual company data or make changes to the company network) in your organization?

| | U.S. | U.K. |
|---|---|---|
| Yes | 94 | 87 |
| No | 4 | 10 |
| Don’t know | 2 | 3 |

ASK IF PREVIOUS QUESTION IS “YES”

8. What department/job function is overseeing Privileged Access Management in your organization?

| | U.S. | U.K. |
|---|---|---|
| IT Management | 75 | 77 |
| Security Operations | 19 | 14 |
| Risk Management | 5 | 8 |
| Other (Specify) | 1 | 0 |
| Don’t know | 0 | 0 |
| N/A – No dept/job function is overseeing Privileged Access | 0 | 0 |


RESUME ASKING ALL

9. Which of the following factors drive the decision on how you are implementing the management of which users have privileged access? Select all that apply.

| | U.S. | U.K. |
|---|---|---|
| Desire to adhere to best practices | 57 | 44 |
| Mandates from our compliance department | 51 | 48 |
| Mandates required for the sake of privacy | 46 | 41 |
| Response to an external data breach | 44 | 38 |
| Response to an internal data breach | 43 | 32 |
| Mandate from Board of Directors or other management | 35 | 30 |
| Response to data being breached at another company | 33 | 29 |
| Mandate from one of our partners | 26 | 23 |
| Other (Specify) | 1 | 0 |
| None of the above/ I don’t know | 1 | 1 |
| N/A – No factors drive this decision | 0 | 2 |

10. For what ecosystem components are you leveraging Privileged Access Management? Select all that apply.

| | U.S. | U.K. |
|---|---|---|
| Windows Servers | 73 | 60 |
| Windows-based Endpoints (admin accounts) | 50 | 44 |
| Private Cloud | 50 | 45 |
| Public Cloud | 39 | 37 |
| Big Data | 37 | 28 |
| Linux / UNIX Servers | 36 | 31 |
| Mac-based Endpoints (admin accounts) | 26 | 23 |
| DevOps Environments | 22 | 18 |
| Containers and Microservices | 7 | 16 |
| Don’t know | 1 | 1 |
| None of the above | 0 | 1 |

11. Do you extend your Privileged Access Management capabilities beyond your employees to include any of the following? Select all that apply.

| | U.S. | U.K. |
|---|---|---|
| IT Outsourcers | 73 | 66 |
| Contractors | 45 | 43 |
| Partners, such as other organizations with which we have an alliance | 35 | 30 |
| I don’t know | 1 | 2 |
| None of the above | 8 | 8 |


Solution-Specific Questions

12. Which of the following is the main reason that an organization might not adequately implement Privileged Access Management?

| | U.S. | U.K. |
|---|---|---|
| Budget constraints | 37 | 22 |
| IT department unable to get buy-in at the highest levels | 25 | 23 |
| Being too naïve or ignorant to understand the importance | 16 | 22 |
| Being a lower priority | 10 | 18 |
| Being too difficult and time-consuming to easily implement | 10 | 12 |
| Don’t know | 2 | 4 |
| Other | 1 | 0 |

13. Which of the following are you controlling privileged access to? Select all that apply.

| | U.S. | U.K. |
|---|---|---|
| Applications (e.g. cloud services such as Office 365) | 64 | 59 |
| Workloads (e.g. public and private cloud workloads) | 63 | 47 |
| Machines (e.g. servers, virtual machines) | 52 | 52 |
| Big Data (e.g. Hadoop) | 47 | 37 |
| Network Devices (e.g. hubs, switches, routers) | 36 | 28 |
| Containers (e.g. Docker) | 29 | 27 |
| None of the above | 1 | 2 |
| N/A - Don’t know | 1 | 1 |

14. Have you implemented multi-factor authentication for privileged access?

| | U.S. | U.K. |
|---|---|---|
| Yes | 83 | 67 |
| No | 15 | 27 |
| N/A - Don’t know | 2 | 5 |

15. Which of the following apply to your organization when it comes to privileged access management? Select all that apply.

| | U.S. | U.K. |
|---|---|---|
| We have a vault | 55 | 40 |
| We have implemented privilege elevation | 63 | 62 |
| We have complete auditing and monitoring | 47 | 40 |
| None of the above | 2 | 3 |
| Don’t know | 1 | 2 |


16. Approximately what percent of people in your company have privileged access – that is, an ability to access, control or view higher-level information that others do not have? Your best estimate is fine.

| | U.S. | U.K. |
|---|---|---|
| 10% or fewer | 15 | 20 |
| 11% to 25% | 24 | 36 |
| 26% to 50% | 39 | 33 |
| 51% to 75% | 19 | 8 |
| 76%+ | 2 | 1 |
| N/A – I don’t know | 1 | 2 |

17. Approximately what percentage of privileged accounts are shared within your organization, meaning that more than one individual has access to those accounts? Your best estimate is fine.

| | U.S. | U.K. |
|---|---|---|
| 10% or fewer | 16 | 21 |
| 11% to 25% | 25 | 36 |
| 26% to 50% | 34 | 30 |
| 51% to 75% | 22 | 8 |
| 76%+ | 2 | 2 |
| N/A – Don’t know | 1 | 3 |

18. How often do you share either root or privileged level access to systems or data with other employees?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very often | 42 | 18 |
| Somewhat often | 30 | 40 |
| Not too often | 11 | 21 |
| Rarely | 10 | 12 |
| Never | 7 | 7 |
| Don’t know | 0 | 2 |

19. How often does your company allow contractors or third parties to have root or privileged level access to systems or data?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very often | 38 | 17 |
| Somewhat often | 32 | 40 |
| Not too often | 12 | 21 |
| Rarely | 9 | 14 |
| Never | 8 | 8 |
| Don’t know | 0 | 1 |


20. How often does your company change root or privileged levels of access to accounts?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very often | 39 | 20 |
| Somewhat often | 38 | 44 |
| Not too often | 14 | 22 |
| Rarely | 6 | 10 |
| Never | 1 | 2 |
| N/A - Don’t know | 1 | 2 |

21. Do you assure that access requests are being made from secure connections only?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 92 | 76 |
| No | 6 | 19 |
| Don’t know | 2 | 5 |

ASK IF PREVIOUS QUESTION IS “YES”

22. How important is it to control the source from which the privileged access occurs?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very Important | 77 | 58 |
| Somewhat Important | 21 | 38 |
| Not too Important | 2 | 4 |
| Not Important at all | 0 | 0 |
| Don’t know | 0 | 0 |

RESUME ASKING ALL

23. How important do you believe it is to take context into account when authorizing privileged access? In other words, how important is it to understand why a person is requesting privileged access before authorizing it?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very Important | 70 | 51 |
| Somewhat Important | 27 | 39 |
| Not too Important | 2 | 8 |
| Not Important at all | 0 | 1 |
| Don’t know | 0 | 1 |

24. Have you implemented “access zones” to segregate users from accessing data that they’re not authorized for?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 82 | 64 |
| No | 16 | 29 |
| I don’t know | 2 | 7 |


25. Have you implemented a process for “least privilege” and privilege elevation? (The concept of “least privilege” entails giving people the least amount of administrative privileges on IT systems that they need to do their jobs, and then elevating those privileges as needed.)

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 85 | 71 |
| No | 12 | 23 |
| Don’t know | 3 | 6 |

26. Which of the following do you use when it comes to access controls for privileged users?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Static Access Controls (based on pre-written IT policies) | 35 | 29 |
| Adaptive Access Controls (based on real-time risk and behavior) | 18 | 30 |
| Both | 44 | 35 |
| Neither of these | 1 | 5 |
| Don’t know | 1 | 1 |

27. [*] Does your organization have tools in place to monitor how and where employees are performing privileged access to systems or data within your organization?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 91 | 78 |
| No | 7 | 18 |
| Not sure | 2 | 4 |

28. [*] How often does someone in your company formally analyze or audit how and when employees and/or contractors are performing privileged access to systems or data within your organization?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Daily | 28 | 17 |
| Weekly | 45 | 42 |
| Monthly | 15 | 26 |
| Quarterly | 7 | 10 |
| Yearly | 2 | 2 |
| Never | 0 | 1 |
| N/A - I don’t know | 2 | 3 |


29. When an employee and/or contractor leaves or stops working with your company, how long does it usually take for your company to completely cut off their access to sensitive systems and data after they leave?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Within the day | 45 | 30 |
| Within the week | 41 | 38 |
| Within the month | 11 | 23 |
| Within the year | 2 | 4 |
| Could be a year or more before we get to it | 0 | 1 |
| Don’t know | 1 | 2 |
| N/A - Do not cut off employees access | 0 | 1 |

30. How easy would it be for a former employee in your organization to access systems or data with old passwords or log-in information after they have left the organization?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very easy | 42 | 21 |
| Somewhat easy | 30 | 43 |
| Somewhat difficult | 10 | 15 |
| Very difficult or impossible | 17 | 20 |
| N/A - Don’t know | 1 | 2 |

31. Are you feeding any findings about privileged access sessions into your SIEM or other incident response systems to provide real-time alerting and reporting?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 80 | 61 |
| No | 17 | 29 |
| N/A - Don’t know | 3 | 10 |

32. Taking your responses to the previous questions into consideration, do you believe your current Privileged Access Management approach or solution will serve modern use cases such as DevOps, cloud, containers, and Big Data?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 85 | 70 |
| No | 11 | 21 |
| Don’t know | 4 | 9 |


Data Breach Questions

33. How confident are you that your existing IT security is protecting all levels of data against a potential breach?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very confident | 58 | 30 |
| Somewhat confident | 38 | 54 |
| Not too confident | 3 | 13 |
| Not at all confident | 1 | 2 |
| Don’t know | 1 | 1 |

34. How concerned are you about your organization facing security breaches compared to 12 months ago?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Much more concerned | 43 | 23 |
| Somewhat more concerned | 28 | 41 |
| The same | 21 | 28 |
| Somewhat less concerned | 5 | 6 |
| Much less concerned | 2 | 2 |
| Don’t know | 0 | 1 |

35. How much do you think a breach costs a company on average?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Less than hundreds of [U.S.: dollars/ U.K.: pounds] | 10 | 11 |
| Hundreds of [U.S.: dollars/ U.K.: pounds] | 22 | 25 |
| Thousands of [U.S.: dollars/ U.K.: pounds] | 32 | 34 |
| Hundreds of thousands of [U.S.: dollars/ U.K.: pounds] | 22 | 20 |
| Millions of [U.S.: dollars/ U.K.: pounds] | 10 | 6 |
| I don’t know | 4 | 4 |

36. Do you think your organization has ever had a security breach in the past?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 62 | 46 |
| No | 30 | 38 |
| I don’t know | 6 | 12 |
| Prefer not to say | 2 | 4 |


ASK IF PREVIOUS QUESTION IS “YES”

37. Thinking of the last security breach you had…was it caused by someone with access to a privileged account?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 82 | 65 |
| No | 15 | 29 |
| I don’t know | 3 | 6 |
| Prefer not to say | 1 | 0 |

RESUME ASKING ALL

38. What do you believe is the primary attack point for most of today’s data breaches?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Software | 41 | 27 |
| Network | 26 | 31 |
| Cloud | 20 | 21 |
| Human | 11 | 17 |
| Other | 0 | 1 |
| I don’t know | 1 | 2 |

Miscellaneous Questions

39. Are you applying machine learning to your company’s cybersecurity practices?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 79 | 59 |
| No | 19 | 33 |
| I don’t know | 2 | 8 |

40. Are you applying machine learning to your company’s privileged security practices?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 80 | 60 |
| No | 17 | 33 |
| N/A – I don’t know | 3 | 7 |

41. Are you familiar with Microsoft’s clean source principle that requires all security dependencies to be as trustworthy as the object being secured?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Yes | 86 | 76 |
| No | 14 | 24 |


ASK IF PREVIOUS QUESTION IS “YES”

42. How easy or difficult is it for your department to enforce Microsoft’s clean source principle?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Very easy | 51 | 31 |
| Somewhat easy | 40 | 55 |
| Somewhat difficult | 8 | 13 |
| Very difficult | 0 | 1 |
| Don’t know | 1 | 1 |

RESUME ASKING ALL

Demographic Question

And now, just a few final questions for statistical purposes only.

43. What industry or sector do you work in?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Technology | 56 | 46 |
| Consumer products | 9 | 13 |
| Healthcare | 6 | 5 |
| Agriculture | 4 | 2 |
| Nonprofit | 4 | 1 |
| Government | 3 | 6 |
| Insurance | 3 | 4 |
| Energy | 2 | 7 |
| Food | 2 | 4 |
| Utilities | 2 | 3 |
| Other | 9 | 10 |

44. How long have you been working at this organization?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Fewer than 5 years | 14 | 22 |
| 5-10 years | 60 | 50 |
| 10+ years | 26 | 27 |

45. How long have you been working in the IT field?

| Response | U.S. (%) | U.K. (%) |
|---|---|---|
| Fewer than 5 years | 11 | 19 |
| 5-10 years | 54 | 47 |
| 10+ years | 35 | 34 |


46. How many employees are there (including all offices worldwide)?

| | U.S. | U.K. |
|---|---|---|
| Under 50 | 3 | 4 |
| 50 – 99 | 8 | 13 |
| 100 – 499 | 27 | 32 |
| 500 – 999 | 30 | 20 |
| 1,000 or more | 32 | 32 |

47. U.S. ONLY: And finally, what is your company’s total cybersecurity budget?

| | U.S. | U.K. |
|---|---|---|
| Less than $50K | 2 | |
| $50K to $100K | 11 | |
| $101K to $500K | 36 | |
| $501K - $1M | 29 | |
| Over $1M | 18 | |
| Don’t know | 4 | |

48. U.K. ONLY: And finally, what is your company’s total cybersecurity budget?

| | U.S. | U.K. |
|---|---|---|
| Less than £40K | | 4 |
| £40K to £75K | | 12 |
| £76K to £400K | | 32 |
| £401K - £800K | | 24 |
| Over £800K | | 22 |
| Don’t know | | 5 |

49. And approximately how much of your company’s total cybersecurity budget is used for privileged security?

| | U.S. | U.K. |
|---|---|---|
| 5% or less | 4 | 7 |
| 6-10% | 20 | 36 |
| 11-20% | 52 | 40 |
| Over 20% | 20 | 11 |
| I don’t know | 3 | 7 |


Our mission is to stop the leading cause of breaches – privileged access abuse. Centrify empowers our customers with a cloud-ready Zero Trust Privilege approach to secure access to infrastructure, DevOps, cloud, containers, Big Data and other modern enterprise use cases. To learn more, visit www.centrify.com.

Centrify is a registered trademark of Centrify Corporation. Other trademarks mentioned herein are the property of their respective owners.


US Headquarters +1 (669) 444 5200
EMEA +44 (0) 1344 317950
Asia Pacific +61 1300 795 789
Brazil +55 11 3958 4876
Latin America +1 305 900 [email protected]
www.centrify.com