Organizations of all sizes continue to be challenged with managing the risk of non-user (a.k.a. shared, service, system, or generic) accounts provisioned with elevated access rights, and the move to cloud environments is only accelerating this risk. It is critical that organizations develop an approach to effectively manage these accounts given the inherent risk posed.
While some firms have taken laudable measures to protect themselves against cyberattacks, such as requiring users to deploy strong passwords and multifactor authentication, many continue to identify vulnerabilities unintentionally created by IT staff. The use of these accounts can trump other controls or allow circumvention.
Non-user accounts are typically used by “non-human” users, such as applications, systems, web services, and/or scripts. Many system and service accounts have highly privileged permissions to computer systems, web services and APIs, applications and/or databases. Credentials may be known and used by multiple individuals within the organization. They are often not controlled or disabled due to system limitation or ease of use. These accounts may be root and superuser accounts with administrator type privileges, giving users a wide range of access to systems and infrastructure.
With the increasing complexity of IT systems and infrastructure, and especially the migration to cloud platforms, companies rarely have the time or manpower to perform a holistic review of these accounts at all IT layers. Those responsible for IT compliance or internal audit are often surprised to learn that their organization has hundreds, or even thousands, of poorly guarded non-human service or shared accounts, making them vulnerable to unwanted activity from both internal and external threats.