Analyst firm Quocirca recently announced the results of a European study on Privileged User Management (PUM) based on interviews with senior IT managers in 14 countries.
In the study, about 40% of organisations claimed to have implemented the ISO 27001 standard. However, about 40% of these supposedly compliant organisations admitted to sharing operating system administrator accounts. It makes me wonder how these businesses will fare when they next try to go through a certification audit, given that the 'privilege management' control in ISO 27001 explicitly states that "the allocation and use of privileges shall be restricted and controlled". It would be even worse if these organisations do not consider sharing administrator accounts a security risk and, as part of their ISO 27001 implementation, did not adopt adequate security controls to mitigate that risk.
Anyway, this raises the question of why so many organisations would go to the trouble of implementing such a comprehensive standard, but then fail to implement it properly when it comes to sharing operating system privileged accounts.
It's actually common for large organisations to wrestle with this issue, especially when it comes to UNIX and Linux environments. This is due to inherent limitations that these operating systems have with fine-grained access control and delegation of superuser privileges (i.e., they lack the granularity to effectively delegate certain system administration rights to less powerful user accounts). These limitations make it impractical to apply the principle of least privilege, and many users, such as application developers and backup operators, end up with more powerful privileges than needed to accomplish even special administrative tasks such as applying emergency fixes or running backups.
This issue is further amplified by the lack of accountability and auditability. It becomes difficult, if not impossible, to identify which person performed a particular action (malicious or otherwise), since users are sharing their accounts.
At the same time, businesses continue to look keenly for solutions to their most difficult remaining security problems: addressing insider threats, protecting sensitive resources and meeting mandatory compliance requirements. This is why privileged user management in general is currently a focus area for many organisations.
And where there is a need, there is a market and a solution. Here's a detailed Burton Group report that assesses the UNIX as well as the virtualization hypervisor security marketplace. It also discusses the various vendors and approaches for solving the above problems and more.