In today’s IT environments, access to systems is quite often granted to non-human entities, or service accounts: a special type of user reserved for system-to-system communication. Service accounts, which usually have a high level of permissions, exist everywhere in IT environments and are used to automate critical applications and IT services. Another type of service account is the application account, created to allow applications that you’ve installed on various platforms to take actions on behalf of your organization or a user.
The proliferation of new technologies and services in the IT environment, as well as the rise of cloud-based services, has resulted in an exponential increase in the number of service accounts in use.
While they are very useful, service accounts present organizations with some complex challenges. On the one hand, service accounts require powerful authorizations and frequent password rotation. On the other hand, there is no common framework for modeling one service account after another (based on behavior), and there is no recertification process for them.
In a typical organization, service accounts are too numerous (a medium-size organization may be running hundreds or thousands) to be managed manually, which leads to misconfigurations and security risks. Organizations must prioritize this issue and address service account management to ensure the reduction of cybersecurity risks and to enhance compliance.
Intro to Service Accounts
Service accounts are specialized non-human privileged accounts. They can access applications, data, and network resources to perform specific tasks. Service accounts run in the background and act when called on by a user, an application, or other services. They operate with associated privileges: they require certain local system privileges to function and/or to connect with other network resources. In many organizations, service accounts have privileged access to business-critical applications and data. It is worth mentioning that service accounts are not tied to a unique human and can easily go unnoticed and unmanaged for long periods of time.
In many organizations, no records are kept for each specific service account describing why it exists, who has access or any dependencies.
The Main Challenges with Service Accounts
Service accounts represent major challenges for businesses:
- Operational – Most organizations suffer from service account sprawl. Service accounts are simply too numerous to be managed manually, and without proper documentation they are impossible to comprehend. Updating or decommissioning service accounts is risky because doing so can affect running services with a chain of dependencies and can lead to “catastrophic” business disruptions. In addition, some accounts that are established as “user” accounts are de-facto service accounts used mainly for various RPA tasks (in internal or external applications). We’ve seen those in every customer we visited, and those are some of the hardest to identify – adding to your overall chaos. This is the reason that, quite often, permissions are not removed from service accounts, and service accounts end up with a far greater set of permissions than needed.
- Risk – Since there is no commonality between service accounts, one cannot right-size a service account’s permissions by comparing it to other (similarly behaving) service accounts, the (flawed) practice known as “model-after” that is usually applied to human accounts.
- Cybersecurity – Service accounts allow an attacker to access sensitive data while staying hidden. They allow attackers to maintain persistent access and move around corporate networks and cloud environments undetected. To make this even worse, many service accounts are entitled to take actions on other service accounts (usually by mistake). It is nearly impossible for organizations to calculate the potential access of users when accounting not only for direct entitlements (which is hard enough) but also for the access they can gain via service accounts (considering escalation paths through more than one service account).
- Compliance and regulatory – Managing service accounts is important to meet compliance requirements for access security controls. Organizations must demonstrate compliance for privileged access management of service accounts, as well as for the users with access rights to those service accounts.
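The escalation-path problem in the Cybersecurity bullet is a reachability question over an “acts-as” graph: a principal’s potential access is the union of the direct entitlements of every account it can reach by holding, or being able to reset, another account’s credentials. The following is an added example written for this page, not Authomize code; the account names, entitlements and acts-as edges are constructed, and the `CONTROLS` edges stand in for whatever source (credential vault, password-reset rights, secret references in pipelines) an organization would actually inventory.

```python
from collections import deque

# Constructed sample data (not from the original post): the direct entitlements
# each account holds.
ENTITLEMENTS = {
    "alice":         {"jira:read"},
    "svc-ci":        {"repo:write", "artifacts:write"},
    "svc-deploy":    {"k8s-prod:admin"},
    "svc-backup":    {"db-prod:read", "storage:write"},
    "devops-gsuite": {"gsuite:admin"},
}

# Constructed "acts-as" edges: the key can take actions as each account in the
# value, e.g. because it holds that account's token or can reset its password.
CONTROLS = {
    "alice":         {"svc-ci"},       # alice knows the CI token
    "svc-ci":        {"svc-deploy"},   # the CI pipeline holds the deploy credential
    "svc-deploy":    {"svc-backup"},   # the deploy job can read the backup secret (by mistake)
    "svc-backup":    set(),
    "devops-gsuite": set(),
}


def reachable_accounts(start, controls=CONTROLS):
    """Breadth-first walk over acts-as edges.

    Returns {account: path} for every account reachable from start, where path
    is the shortest chain of accounts that gets there (start included)."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in controls.get(cur, ()):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def effective_access(start, entitlements=ENTITLEMENTS, controls=CONTROLS):
    """Union of the direct entitlements of every account the principal can reach.

    Returns (permissions, provenance): provenance maps each permission to the
    shortest acts-as chain that yields it, which is what an auditor needs in
    order to decide which edge to cut."""
    provenance = {}
    for acct, path in reachable_accounts(start, controls).items():
        for perm in entitlements.get(acct, ()):
            if perm not in provenance or len(path) < len(provenance[perm]):
                provenance[perm] = path
    return set(provenance), provenance


def escalation_report(entitlements=ENTITLEMENTS, controls=CONTROLS):
    """For each principal, the permissions it gains only through other accounts."""
    report = {}
    for acct in entitlements:
        total, prov = effective_access(acct, entitlements, controls)
        indirect = {p: prov[p] for p in total - entitlements[acct]}
        if indirect:
            report[acct] = indirect
    return report


if __name__ == "__main__":
    for acct, gained in escalation_report().items():
        print(acct)
        for perm, path in sorted(gained.items()):
            print(f"  {perm:<16} via {' -> '.join(path)}")
```

In the constructed data a human account with nothing more than Jira read access reaches production cluster admin in two hops, and the report attributes each gained permission to the chain that grants it. Real inventories are larger, but the computation stays linear in the number of accounts and edges, so the difficulty the bullet describes is in collecting the acts-as edges, not in evaluating them.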
The basic principle for service account management revolves around strict automated life cycle management. This is the only method to meet policy and regulatory requirements. On top of that, the correlation of the authorization definitions and the actual permission usage should be sought to validate the least privilege model for service accounts.
What needs to be done
- Discovery – Continuously map and monitor service accounts. This needs to include discovering “hidden” service accounts that were created as regular user accounts (yes, I am talking about your “devops-gsuite” account) as well as a deep understanding of dependencies and relations and which employees have credentials to access them.
- Governance and Management – Ensure the Principle of Least Privilege (POLP) based on actual usage, and monitor continuously for activity anomalies. Make sure you can enforce policy and regulatory requirements and that a full audit trail of all activity is kept. It is important to remove unused/expired service accounts to reduce the privileged attack surface.
To achieve this, one would need to incorporate a holistic, deeply granular solution that provides intelligent automation. Such a solution needs to include:
- Automation of the entire discovery stage including dependencies mapping on an ultra-fine granularity.
- Automation of the auditing process including service accounts usage and changes to detect anomalies.
- Prescriptive suggestions in accordance with out-of-the-box and tailored security and compliance policies.
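The Discovery and Governance steps above reduce, in practice, to reconciling what an account is granted against what the audit log shows it actually doing. The following added example (written for this page, not Authomize’s implementation) does that over a constructed audit log: it lists granted-but-unused permissions as right-sizing candidates, flags accounts with no activity in the review window as decommissioning candidates, and surfaces “hidden” service accounts, i.e. accounts typed as users whose activity is purely non-interactive and regular. The account names, permission strings, log format and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): granted permissions and
# how each account is classified in the directory.
GRANTED = {
    "svc-backup":    {"db-prod:read", "storage:write", "k8s-prod:admin"},
    "svc-report":    {"db-prod:read", "mail:send"},
    "devops-gsuite": {"gsuite:admin", "drive:read"},   # created as a normal user account
    "bob":           {"jira:read", "repo:write"},
}
ACCOUNT_TYPE = {"svc-backup": "service", "svc-report": "service",
                "devops-gsuite": "user", "bob": "user"}

# Constructed audit log: (ISO timestamp, account, permission exercised, logon kind).
AUDIT_LOG = [
    ("2024-03-28T02:00:00", "svc-backup",    "db-prod:read",  "noninteractive"),
    ("2024-03-28T02:05:00", "svc-backup",    "storage:write", "noninteractive"),
    ("2024-03-29T02:00:00", "svc-backup",    "db-prod:read",  "noninteractive"),
    ("2024-03-29T02:05:00", "svc-backup",    "storage:write", "noninteractive"),
    ("2024-03-28T09:10:00", "bob",           "repo:write",    "interactive"),
    ("2024-03-29T11:40:00", "bob",           "jira:read",     "interactive"),
    ("2024-03-27T03:00:00", "devops-gsuite", "drive:read",    "noninteractive"),
    ("2024-03-28T03:00:00", "devops-gsuite", "drive:read",    "noninteractive"),
    ("2024-03-29T03:00:00", "devops-gsuite", "drive:read",    "noninteractive"),
]
NOW = datetime.fromisoformat("2024-03-30T00:00:00")   # constructed review time


def parse_log(log=AUDIT_LOG):
    """Fold the audit log into per-account usage: permissions exercised,
    last activity time, logon kinds seen, and event count."""
    usage = {}
    for ts, acct, perm, kind in log:
        rec = usage.setdefault(acct, {"perms": set(), "last": None,
                                      "kinds": set(), "count": 0})
        t = datetime.fromisoformat(ts)
        rec["perms"].add(perm)
        rec["kinds"].add(kind)
        rec["count"] += 1
        if rec["last"] is None or t > rec["last"]:
            rec["last"] = t
    return usage


def unused_permissions(granted=GRANTED, log=AUDIT_LOG):
    """Granted-but-never-exercised permissions per account: right-sizing candidates."""
    usage = parse_log(log)
    return {acct: perms - usage.get(acct, {"perms": set()})["perms"]
            for acct, perms in granted.items()}


def stale_accounts(granted=GRANTED, log=AUDIT_LOG, now=NOW, max_idle_days=14):
    """Accounts with no activity inside the window: decommissioning candidates."""
    usage = parse_log(log)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in granted
                  if a not in usage or usage[a]["last"] < cutoff)


def hidden_service_accounts(log=AUDIT_LOG, types=ACCOUNT_TYPE, min_events=3):
    """Accounts typed as users whose activity is exclusively non-interactive:
    de-facto service accounts that a user-centric review would miss."""
    usage = parse_log(log)
    return sorted(a for a, rec in usage.items()
                  if types.get(a) == "user"
                  and rec["kinds"] == {"noninteractive"}
                  and rec["count"] >= min_events)


if __name__ == "__main__":
    for acct, perms in unused_permissions().items():
        print(f"{acct:<14} unused: {sorted(perms)}")
    print("stale:", stale_accounts())
    print("hidden service accounts:", hidden_service_accounts())
```

On the constructed data this flags the admin permission that the backup job never uses, the reporting account that has not acted at all in the window, and the `devops-gsuite` account that is classified as a user but behaves like a scheduled job. Before removing anything, the unused set should be cross-checked against the dependency map from the Discovery step, since a permission unused in a two-week window may still be exercised by a quarterly task.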
Service Account Management with Authomize
Authomize, as an automated authorization governance solution, enables organizations to track all their service accounts and identify those that are over-permissioned.
Authomize also helps organizations take action to mitigate the risk of overblown permissions assigned to service accounts, by reporting on the actual usage of each permission and providing actionable recommendations on how to achieve a better security posture for service accounts.
Customers discovered many unknown/lost service accounts, achieved a significant reduction in the access footprint of service accounts, and eliminated unused service accounts without any risk to the normal operation of production environments.