Authomize Blog

Everyone Should Care About SaaS Security — But it’s Your Responsibility

A lot of (digital) ink has been spilled about how the cloud is going to change the way that we work — and for once, the marketers have really undersold how big the impact is…

05/08/2020 • Dotan Bar Noy

Read more

Service Accounts 101: Learn How to Get Control Over Highly-Privileged Service Accounts

Service accounts, usually have a high level of permissions, exist everywhere in IT environments…

06/07/2020 • Noam Biran

Read more

Download
Solution Brief

Learn how Authomize's solution is changing the way companies are managing authorizations

Download

Listen to this Post

In today’s IT environments, access to systems is quite often granted to non-human entities, or service accounts– a special type of user reserved for system to system communication. Service accounts, which usually have a high level of permissions, exist everywhere in IT environments and are used to automate critical applications and IT services. Another type of service account are application accounts created to allow applications that you’ve installed in various platforms take actions on behalf of your organization or a user.

The proliferation of new technologies and services in the IT environment, as well as the rise of cloud-based services, has resulted in an exponential increase in the number of service accounts in use.

While they are very useful, service accounts present organizations with some complex challenges. On the one hand, service accounts require powerful authorizations, with a frequent change of password. On the other hand, service accounts have no common framework to model one service account after another (based on behavior), and there is no recertification process.

In a typical organization, service accounts are too numerous (a medium-size organization may be running hundreds or thousands) to be managed manually, which leads to misconfigurations and security risks. Organizations must prioritize this issue and address service account management to ensure the reduction of cybersecurity risks and to enhance compliance.

Intro to Service Accounts

Service accounts are specialized non-human privileged accounts. They can access applications, data, and network resources to perform specific tasks. The service accounts are running in the background and act when called on by a user, an application, or other services. Service accounts operate with associated privileges that require certain local system privileges to function and/or to connect with other network resources. In many organizations service accounts often have privileged access to business-critical applications and data. Something that is worth mentioning that service accounts aren’t tied to a unique human and can easily go unnoticed and unmanaged for long periods of time.

In many organizations, no records are kept for each specific service account describing why it exists, who has access or any dependencies.

The Main Challenges with Service Accounts

Service accounts represent major challenges for businesses:

The basic principle for service account management revolves around strict automated life cycle management. This is the only method to meet policy and regulatory requirements. On top of that, the correlation of the authorization definitions and the actual permission usage should be sought to validate the least privilege model for service accounts.

What needs to be done

 

To achieve this one would need to incorporate a holistic deep granular solution that can provide intelligent automation. Such a solution needs to include:

Service Account Management with Authomize

Authomize, as an automated authorization governance solution enables organization to track all their service accounts and identify those that are over permissioned.

Authomize also helps organizations to take actions to mitigate the risk of overblown permissions assigned to service accounts, by reporting on the actual usage of each permission and actionable recommendations on how to achieve a better security posture with service accounts.

Customers discovered many unknown/lost service accounts, achieved a significant reduction the access footprint of service accounts and eliminated unused service accounts without any risk to the normal operation of production environments.