Service account governance: Reduce your attack surface with Account Lifecycle Manager
Barbara Hoffman
Service accounts abound in every organization. Failure to manage them leads to significant risk. This has been a critical issue for organizations that use Active Directory and have grown to a level that accounts can no longer be managed by hand. Almost all medium to large organizations suffer from extreme service account sprawl, perpetuating the unmanaged, uncontrolled expansion of their privileged account attack surface. Service accounts are basically a ticking time bomb in the privileged account world.
In numerous blogs, we have covered service account governance in depth from fear of unknown dependencies to managing the service account lifecycle from provisioning to disposal, bringing to light the dangers of not recognizing and taking control of the service accounts in your overall privileged account attack surface.
We are excited to announce the release of our newest solution, Account Lifecycle Manager. Delinea’s Account Lifecycle Manager is a solution that automates and streamlines service account governance, finally allowing organizations to control their service account sprawl. Now our customers can easily secure, provision, and decommission service accounts to harden and ultimately shrink their attack surface with Account Lifecycle Manager.
See Account Lifecycle Manager in Action:
Through countless interactions with our customers during the development of our Account Lifecycle Manager solution, we continued to hear the inherent difficulties involved in managing service accounts. In these conversations, our team was somewhat surprised to hear that the largest challenges our customers faced – lie not in the discovery and provisioning of these accounts, which was our original focus, but in the decommissioning or end of lifecycle stage of service account governance.
With this release, Delinea has streamlined the full-service account lifecycle from automated provisioning, through automated review and removal of unused accounts. Account Lifecycle Manager enables decommissioning of service accounts without service disruptions as well as tracking accounts owned by departing employees. This new solution provides easy notifications when accounts should be decommissioned. When we say “decommission” we mean not only the deprovisioning of an account but also the point at which an account should be renewed, re-approved, disabled, or expired. This process can be automated and tailored to fit any organization’s needs with webhooks so the notifications can be sent to other systems such as ServiceNow or Remedy.
Alerts include:
- Review – Account Lifecycle Manager requests users to acknowledge renewal, but does not turn the account off in any way.
- Disable – The user is asked to acknowledge renewal and sets the account to “disable” if not renewed.
- Expire – Account Lifecycle Manager notifies users that the account must be re-approved before renewal. If the account is not renewed, the account is expired on the appropriate date.
- Delete – The user is asked to acknowledge renewal. If the account is not renewed, it is deleted along with the credentials in Secret Server.
Now IT teams have the solution they need to improve service account governance and seamlessly control service accounts to mitigate the risk of breaches, service interruptions, and human error.
Account Lifecycle Manager empowers organizations to manage and control service accounts with workflows, automated provisioning, governance, compliance, and de-provisioning capabilities. Account requests follow approval workflows and are easily tailored to any organization to meet their specific requirements.
Account Lifecycle manager integrates with Secret Sever, and in combination, these two products address end-to-end Privileged Access Management. It is like no other solution on the market, and we would love you to try it in your organization with a 30-day free trial.