You break it, you buy it: Fear of unknown dependencies hinders service account governance
Chris Smith
Thousands of services run on a typical corporate network, including many that are core to network security, network services, and IT automation: Windows services, scheduled tasks, batch jobs, IIS application pools, and more. To connect automatically across the network to databases, file systems, and other network services, these services rely on privileged service accounts.
“This is an area where much risk is concentrated; yet clients often struggle to manage and rotate credentials for nonhuman users,” Gartner warns in the MQ for PAM 2018.
Forrester also points out the issue in the Wave for PIM: “These privileged credentials are usually not inventoried, changed, or controlled, meaning that hackers can use them to gain easy access to business-critical applications.”
Who is responsible for service accounts?
The person responsible for the service is likely not the one responsible for the service account. Unlike many types of privileged accounts, service accounts aren’t tied to a unique human identity, which means there may not be a named person who is held accountable for their management. Service accounts run in the background and can go unnoticed for long periods.
It’s easy for a service account to get “lost.”
- The original person who set it up may leave and neglect to pass on vital information about its purpose.
- The original system tied to a service account may no longer be needed, but the account may live on.
- Accounts may have been set up for temporary purposes, like software installation or system maintenance, but left in place long after their use.
Forgotten service accounts never have credentials rotated, and they don’t get audited or decommissioned. The risk of a data breach increases exponentially.
Unknown dependencies of service accounts give IT limited management options
Unknown, unmanaged service accounts put IT operations between a rock and a hard place. You may want to clean house and reduce your number of service accounts. But you run the risk of bringing down a chain of critical business or technical processes if you turn off the wrong ones. If that happens, instead of simply running in the background, service accounts would come front and center in the worst way possible.
Therefore, many IT teams simply find it less risky to leave service accounts in place. In fact, many service account passwords are set to never expire, so that systems don’t break unexpectedly.
To avoid turning them off, IT staff may also use the same account for multiple services, share accounts with each other, or even hardcode passwords or store them in clear text. When service accounts are used for multiple services, the permissions are often set wide open (with admin level privileges) because it’s easier for IT to manage than setting up a least privilege level of access for each service individually. That practice means one service account has access to an entire kingdom.
IT teams responsible for managing identities, privileges, access and trust need a solution to discover, document, secure, establish governance, monitor, and eventually decommission service accounts. They also need the ability to track where and how service accounts are used in order to prevent, detect and suppress unauthorized usage or even turn accounts off.
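As an added example (not part of the original post, and not code from any vendor tool it mentions), the following PowerShell script inventories the three places the post names where a Windows host runs work under a service account (Windows services, scheduled tasks and IIS application pools), groups the results by account so the dependency list for each account is visible before anything is rotated or disabled, and, where the Active Directory module is present, reports whether a domain account's password is set to never expire. It assumes local administrator rights on the host; the IIS and AD steps are skipped when their modules are not installed, only DOMAIN\user style names are looked up in AD, and every account name it prints is whatever the host itself returns.

```powershell
# Added inventory script (not from the original post). Assumes: run locally with admin
# rights; WebAdministration and ActiveDirectory modules are optional and skipped if absent.

# Identities that come with Windows or IIS and are not accounts a person had to create.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\SYSTEM', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
             'ApplicationPoolIdentity', 'Users', 'Administrators', 'INTERACTIVE')

$usages = [System.Collections.Generic.List[object]]::new()

# 1. Windows services: StartName is the logon account the service runs as.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $usages.Add([pscustomobject]@{
        Account = $_.StartName; Kind = 'Service'; Name = $_.Name
        State   = $_.State;     Start = $_.StartMode
    })
}

# 2. Scheduled tasks: the principal the task runs as.
Get-ScheduledTask | ForEach-Object {
    $usages.Add([pscustomobject]@{
        Account = $_.Principal.UserId; Kind = 'ScheduledTask'; Name = ($_.TaskPath + $_.TaskName)
        State   = $_.State;            Start = $_.Principal.LogonType
    })
}

# 3. IIS application pools (optional; only where the WebAdministration module is installed).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $identity = if ($_.processModel.identityType -eq 'SpecificUser') { $_.processModel.userName }
                    else { $_.processModel.identityType }
        $usages.Add([pscustomobject]@{
            Account = $identity; Kind = 'IISAppPool'; Name = $_.Name
            State   = $_.State;  Start = $_.autoStart
        })
    }
}

# Keep only identities someone created: drop empty and built-in ones.
$serviceAccounts = $usages | Where-Object {
    -not [string]::IsNullOrEmpty($_.Account) -and ($builtin -notcontains $_.Account)
}

# Group by account. More than one dependency is the "one account, many services" pattern
# the post describes, and the UsedBy column is the dependency map needed before a change.
$report = $serviceAccounts | Group-Object Account | Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Account      = $_.Name
            Dependencies = $_.Count
            UsedBy       = ($_.Group | ForEach-Object { "$($_.Kind):$($_.Name)" }) -join '; '
        }
    }

$report | Format-Table -AutoSize -Wrap

# 4. Optional: for DOMAIN\user accounts, report the password-expiry flag from AD.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $report.Account |
        Where-Object {
            $parts = $_.Split('\')
            $parts.Count -eq 2 -and $parts[0] -notin @('.', 'NT AUTHORITY', $env:COMPUTERNAME)
        } |
        ForEach-Object {
            $sam = $_.Split('\')[1]
            try {
                Get-ADUser -Identity $sam -Properties PasswordNeverExpires, PasswordLastSet |
                    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet
            } catch {
                Write-Warning "Could not look up ${sam} in AD: $($_.Exception.Message)"
            }
        } | Format-Table -AutoSize
}
```

Run it on each host and merge the outputs by account: an account that appears on several hosts or with several dependencies is the one whose rotation needs a coordinated change window, and an account with PasswordNeverExpires set and an old PasswordLastSet is the forgotten account the post warns about. The inventory is read-only; it changes nothing on the host.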
For businesses looking to gain a comprehensive picture of their privileged attack surface, service account governance is an essential step.
Check your own organization’s service accounts
You can start planning your strategy for service account management and security by launching your discovery process for free.
Free tool: Privileged Account Discovery for Windows.