How many service accounts do you have in use across your organisation? Tens? Hundreds? No idea?
If you’re like most modern enterprises, the real number is likely to run into the thousands. The reality is that you probably only know about and actively manage a very small proportion of these, with the remainder existing in the ‘wild west’ of privileged access.
When you stop to think that, according to Verizon’s annual Cyber-breach report, 81% of breaches start with compromised credentials, this is an alarming thought.
In order to understand what causes this problem, and why service accounts are such a security risk, we should take a step back to think about what a service account actually is and why we need them.
A service account is usually an account in Active Directory or another LDAP directory which is used by an application to gain access to data held in the directory (e.g. information about your users). As a simple example, maybe you have a CRM system which uses LDAP to authenticate your users. For this to work, the CRM system needs a service account with rights to read all information about your users, which it uses to log into the directory to authenticate your users.
Usually, service accounts have static passwords, because changing them is considered to be risky – if you change the password in Active Directory then you also need to let the application using the service account about the new password, and if you get it wrong there is a risk of interrupting service. In many cases, administrators simply don’t take the risk.To make matters even worse, in many cases login details for service accounts are held in plain text in configuration files on the application servers using them – meaning that if there is a compromise then potentially the password can be easily stolen. Given that the advice we give to users is to never write down a password, it is something of an anomaly that we essentially do just that with hundreds of privileged accounts across the network.
Taken together, this is a tremendous blind spot which many organisations have when thinking about their overall security posture. When you boil it down, organisations are taking huge risks with service accounts because managing them seems like too much trouble.
So how can we address this issue? The best way is to treat service accounts in the same way that we treat our users – we need to take the core principles of Identity Governance and Administration (IGA) and apply them to service accounts. In practice this means managing the full lifecycle of a service account, from creation until it is no longer needed, using templates to ensure that service accounts are created in line with policy, and incorporating approval workflows and identity certification to ensure that service accounts are only created when really needed and are regularly assessed to ensure that they are still required.
The final piece is to ensure that we are using a Privileged Access Management system to ensure that passwords are regularly rotated for service accounts with automation ensuring there is no interruption to service. Find out more and download the Service Account Security for Dummies written for IT managers, administrators and security professionals and an essential briefing on this overlooked part of cyber security.
Whichever way your organisation decides to go, the most important thing is to wake up to your blind spot and to start making plans to deal with the ever-growing security risk associated with service account sprawl.
Written by Tom Eggleston
With over 15 years industry experience, ProofID’s Tom Eggleston eats, drinks and sleeps identity and access management. A regular industry speaker in Europe and the US, Tom knows how to balance technical evangelism with the real world, finding practical solutions to the identity challenges faced by modern businesses. As CEO of ProofID Tom has been instrumental in growing the company into the leading provider of managed identity solutions, employing over 50 people across the UK and the US.