by Bhavdip Rathod, IAM Solution Architect, Sailpoint Technologies, Inc
This article focuses more on the real-world challenges and which best practices should be adapted to overcome those challenges in order to successfully manage different types of Service Accounts as part of the overall Identity and Access Management (IAM) program. The objective of this article is not to provide in-depth insights of the significance of managing Service Accounts. There is a good amount of information out there which describe how critical it is to manage Service Accounts with utmost care to keep the organization safe from some of the destructive cybersecurity attacks and data breaches. The information shared here comes from the real-world experiences and research work I have done on this topic for years in the field while working on various implementation projects for Service and Privileged Account Management. Certain types of service accounts (“superuser accounts”) give non-restrictive access to the system and critical resources. Therefore, cybercriminals see these types of accounts as best and easiest route to sensitive personal (PII) data mostly because of the fact that most organizations do not have solid control and tighter policies around managing service accounts. Ignorance and mismanagement of service accounts can lead to the increasing “insider threat” type of cybersecurity attacks. It is a dangerous cybersecurity threat that often goes largely disregarded. Insider threat comes from the company’s own employees who have access to companies’ sensitive and financial information.
Insider threats are often hard to remediate, and even harder to detect at first place. It’s important to keep an eye on the employees who have elevated access through the service accounts in your organization. So, more than ever, it is paramount for businesses to identify and mitigate the risk associated with service accounts by implementing the right technologies and processes around Service Account Management.
What is a Service Account?
To simply put it, a service account is often described as an account that does not correspond to an actual person. One can term in “non-human” account to refer to this concept. The service account is a special type of accounts belongs to system services and applications, instead of the individual end user.
Sample Types of Service Accounts:
|Shared||Any account that can be used by two or more users on a system. The credentials are shared between users.|
|System (also called “superuser” account)||Any account (mostly non-restrictive) that is built-in to a system to enable administration, communications or processing services within the system (e.g., root on UNIX, admin on Windows, etc.). They are often referred to as privileged accounts.|
|Non-Interactive||Any account with which an end user CAN NOT log in; these accounts are normally used for a system process or service (e.g. to run the automated scripts in the system, schedule task, etc.).|
|Secondary||Any account besides the user’s individual primary account will be considered as a secondary account. (e.g. in AD, many times users have their additional admin accounts in addition to their primary AD account to do their job)|
Note: Above are just the examples. There could be many more classifications of accounts that might fall under the service account category.
Challenges in Service Accounts Management Implementation
In today’s digitally enabled world and the constantly changing nature of big enterprise companies make service account management challenges. Companies must be able to adapt the new technologies, applications, devices, and their people. Below are some of the top technical and business challenges that I have observed very closely while working in the field:
- Identifying an Authoritative Source of Data for Service Accounts – Most organizations do not have a source of all their service accounts (non-human). The first challenge most companies encountered while planning for service account management is that they could not find all the service account and where they were used. In large enterprise companies, all the service accounts are scattered across various systems and servers. We are talking about thousands of servers and each has multiple service accounts. Therefore, it’s challenging for companies to keep track of all of them.
- Classification of service accounts – Most companies focus on classifying human account types only (e.g. employee, contractor, vendor, partner, etc.) and often forget to include service accounts in their Information Security policies. And because of that service accounts get off the radar from companies’ overall security goals.
- The manual process of managing service accounts onerous – Manual process of changing the password of service accounts at a regular interval is very labor intensive and expensive for the organization. Also, keeping track of the usage of these accounts become a challenge for organizations.
- Identifying owners for service accounts – This is one of the biggest challenges most of the organizations face while implementing the processes around service account management. Most organizations do not know or struggle to find out who owns each service account. Because service accounts exist in thousands in an organization on different systems, it is a very daunting task to identify the owner of these accounts. Employees are always reluctant to take ownership of these accounts due to the nature of the account. To efficiently manage service accounts, identifying and assigning ownership for these accounts is very important.
- No enough Auditing and Alerting of service account usage – Due to the lack of awareness about the criticality of service accounts, the use of service accounts is not adequately audited in most organizations. As a result, when cybercriminals grip a service account to access sensitive information no traces were left behind to track the malicious activities. With increasing government compliance standards, the pressure to keep data secure and comply with regulatory standards is mandatory. The consequences for not meeting compliance standards (e.g. PCI, SOX, HIPPA, etc.) are severe. Not only your business can slap with hefty penalties on a failure of the audit, but it could result in complete failure of the business in extreme circumstances. So, the efficient set up of service account auditing becomes a challenge for the companies.
- Extending IAM solution to include service account management with comprehensive PIM/PAM (Privileged Identity Manager/Privileged Account Manager) products – Automation and efficient management of service accounts can be achieved by using PIM/PAM products that are available in the market. But everything comes with the cost. And CISOs (Chief Information Security Officer) usually struggle with convincing the business to allocate the separate budget to buy and support these products. You must have buy-in and support from upper management and all areas of the organization in order for the service account management program to move forward and succeed.
Best Practices for Service Account Management Implementation
Any efficient SAM solution makes employees more productive by giving them elevated access to systems and applications quickly and more securely. Implementing a SAM solution protects access to sensitive systems and significantly reduces the risk of getting compromised by disclosed passwords. Service account management using any comprehensive Privileged Account Management (PAM) products/solution reduce cyber vulnerabilities and simplifies the process of rotating and generating new and complex passwords for service accounts. It is highly recommended to use one of the PAM products (e.g. IBM, CyberArk, Sailpoint, Liberman, etc.) to automate and securely implement processes around service account management. Below are some best practices that should be adapted for the successful implementation of service account management effectively and securely.
- Maintain an up-to-date repository of all service accounts – Consider integrating with Privileged Account Management product. This will help establish an authoritative source, classification of accounts, and potential ownership of all accounts managed by the system.
- Apply the least privilege and segregation of duties (SoD) principles – Applying these two principles are very critical for secure and robust service account management. Assign the only minimum required privileges to service accounts. Start with the most restrictive permissions possible and build out from there. And separation of duties means no one user can perform all privileged actions on a given application or system. A healthy Role Based Access Control (RBAC) practices can be very useful here.
- Password Management – This is the most critical. Most of times administrator prefer to set these accounts with password “Never expires” or use the same password for all the service accounts. This practice makes service accounts most vulnerable to cyber-attacks. Rather, develop a mechanism or have PAM product for managing these passwords and changing them at periodic intervals. Additionally, create complex passwords policies and strictly enforce them.
- Manage the full lifecycle of service accounts – It is recommended to use PAM system to implement workflows around full lifecycle processes of the service account. Use check in/check out functionalities of PAM tools for securely sharing the password to privileged users and change password of service account after every use. Also, disable inactive service accounts.
- Utilize “owner” or “managed” attribute for each service account – Spend a good amount of time to identify and assign the owner to each service account for accountability. Define appropriate owner for the service accounts in your PAM system using any of these attributes.
- Establish privilege access request approval process – If the users need additional access rights, they must follow the established documented access request and approval process. Only upon approval, they should be granted the required elevated access for the time required to perform the task. Administrators only use the service or privileged accounts only when is it absolutely required. Otherwise, they should always use their regular accounts.
- Risk analysis of each service account – Utilize the security risk assessment practices to identify the danger each privileged service account poses and focus on the riskiest ones. Some PAM products provide risk scoring capabilities to define risk scores of users if they have many privileged service accounts tied to them.
- Access Review Certification for service accounts – Review permissions attached to privileged service accounts periodically. Keep track of all the changes in detail. Do access review at least a month for privileged accounts if possible.
- Extensive Auditing – Keep informed about what activities privileged users perform with extensive logging and monitoring techniques. Logging and auditing are very important to keep service accounts secure. A PAM product with end-to-end service account usage logging capabilities can be very helpful in recovering quickly from cyber-attacks.
- Educate your employees – Provide continuous education to your staff about any change in service account management policies, processes, and classifications. Everyone in the organization should know how to manage and use their service account credentials. Security is everyone’s responsibility and is most effective when everyone understands it.
- Document service account management policies – Last but not least, make sure your policies and account classifications are well documented and approved by management. So, they can be clear and strictly enforced.
By implementing these recommended best practices and integrating them with comprehensive PAM solution, you should be able to place very robust security for your service accounts. Combining service account management as part of a broader category of Identity and Access Management (IAM) ensures automated control of user provisioning and de-provisioning along with best security practices to protect all identities and all types of accounts. Special attention to service account security can enhance all your cybersecurity efforts and help protect your organization in the most effective and efficient way possible. An efficient service account management solution enables you to keep cybercriminals away and enforcing good behavior from internal employees at risk of misusing their privileged service accounts.
About the Author
Bhavdip Rathod is an Identity and Access Management Solution Architect at Sailpoint Technologies, Inc. Bhavdip is an experienced cyber security technologist and architect with a specialization in Identity and Access Management (IAM). He is primarily responsible for providing innovative solutions to the companies in the field for their most complex challenges in the Identity and Management area to strengthen their security infrastructure and prevent potential cyber and data breaches. He has a strong understanding and in-depth experience of Identity and Access Management (IAM) Frameworks and industry best practices. Bhavdip had served as an SME and Expert Advisor on the largest and most complex IAM Implementations for various retail, financial, healthcare and manufacturing organizations in the last 10 years. Bhavdip serves as an IAM Expert Advisor and speaker at various IAM user groups and conference events. Bhavdip holds a Master of Science degree with Commendation from University of Hertfordshire, United Kingdom (UK).