The NIST framework aligns around five core actions: Identify, Protect, Detect, Respond, and Recover.
Five words that seem pretty straightforward until you try to apply them. When it comes to identities and accounts, the struggle becomes real. Consider service accounts. Identification alone is a struggle. Taxonomy, tagging, organization, and administration all sound nice; however, when networks and accounts were first established, few guidelines existed. If a request for a new service account was submitted, chances are it was created: set it up and name it what you like.
Service accounts play an important role; however, they often go overlooked and unmanaged.
Why does it matter? Service accounts are a great way for a bad actor to gain a foothold, dwell, traverse a network, and remain undetected. So enticing for the wrong reasons.
Service accounts by nature can be a challenge to inventory. Is there a naming convention? Can you detect a service account in the wild? Who is the owner? Is the account still needed? What is the associated application? What are the configuration settings? Does the account provide an interactive login? The list goes on.
An effective service account management program manages that access and mitigates risk.
The following are best practices to help secure service accounts:
- Perform a discovery scan on the network to identify service accounts, regardless of naming
- Create a log or inventory that includes owner, purpose, application, etc.
- Method of security - does it involve Kerberos? Are the settings locked down or wide open?
- Interactive logins - can a user log in as a service account?
- Credentials - are the credentials set to never expire, and do they auto-rotate?
- PAM solution to vault and administer service accounts
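
The checks in the list above, run over an exported account inventory, as an added example that is not from the original article. It assumes an Active Directory environment (the `userAccountControl` bit values are the documented ones); the record field names, the sample accounts and the 365-day threshold are constructed for illustration.

```python
from datetime import date

# Documented Active Directory userAccountControl bits
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
DONT_REQ_PREAUTH = 0x400000        # Kerberos pre-authentication disabled

MAX_PASSWORD_AGE_DAYS = 365        # assumed policy threshold, not from the article
SAMPLE_TODAY = date(2024, 6, 1)    # fixed date so the sample output is stable

# Constructed sample export; field names are hypothetical.
ACCOUNTS = [
    {"name": "svc_backup", "spns": ["MSSQLSvc/db01.example.test:1433"],
     "uac": 0x10200, "owner": "dba-team", "purpose": "SQL backups",
     "interactive": False, "pwd_last_set": date(2019, 3, 1)},
    {"name": "jsmith2", "spns": ["HTTP/intranet.example.test"],
     "uac": 0x80200, "owner": "", "purpose": "",
     "interactive": True, "pwd_last_set": date(2024, 1, 10)},
    {"name": "adavis", "spns": [], "uac": 0x200, "owner": "adavis",
     "purpose": "staff", "interactive": True, "pwd_last_set": date(2024, 2, 1)},
]

def is_service_account(acct):
    """Discover by behaviour, not by name: a registered SPN marks a service identity."""
    return bool(acct["spns"])

def findings(acct, today):
    """Return the checklist items this account fails."""
    out = []
    if not acct["owner"] or not acct["purpose"]:
        out.append("inventory: owner or purpose missing")
    if acct["uac"] & TRUSTED_FOR_DELEGATION:
        out.append("kerberos: unconstrained delegation enabled")
    if acct["uac"] & DONT_REQ_PREAUTH:
        out.append("kerberos: pre-authentication not required")
    if acct["interactive"]:
        out.append("login: interactive logon permitted")
    age = (today - acct["pwd_last_set"]).days
    if acct["uac"] & DONT_EXPIRE_PASSWORD and age > MAX_PASSWORD_AGE_DAYS:
        out.append(f"credentials: never expires, unrotated for {age} days")
    return out

def audit(accounts, today):
    """Map each discovered service account to its findings (empty list means clean)."""
    return {a["name"]: findings(a, today) for a in accounts if is_service_account(a)}

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, SAMPLE_TODAY).items():
        print(name, issues or ["ok"])
```

In the sample, `jsmith2` is picked up as a service account despite its user-style name, which is the "regardless of naming" case from the first bullet.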
Service accounts are part of Privileged Access Management (PAM) within the identity domain. If you're looking to develop an effective PAM Program, mature your existing approach, or learn more about solution features and functionality, WWT has a team of experts and OEM partners who are ready to help you at each phase of the journey.