Is Your Service Account Having an Identity Crisis?

by | May 30, 2024

As you step through your dazzling corporate office lobby, you walk past large floor to ceiling screens displaying the latest company headlines, stock price, and market news. You make your way to the elevator lobby. Once there, you punch the floor code prior to entering the “smart” elevator, ensuring a speedy ride up the skyscraper. As you make your way to an assigned seat booked the night before, you load up on a fresh drink dispensed by a state-of-the-art espresso machine. Midday, you swing by the all-in-one print machine, tap your badge and have it print out the latest multi-page sales proposal you worked so hard on the night before.

Did you recognize the common thread across all these activities? Service Accounts.

All these devices were connected to your corporate network running state-of-the-art network security and segmentation systems. To work seamlessly, they needed a unique “identity” so that network controls can ensure that the coffee machine does not talk to the printer and have it spit out Java memes. At most companies, this is called “identity” a “service account.” All these identities reside in some corporate directory, such as Active Directory. Typically, this corporate directory also contains all the employees and contractors who work at the company. All these users (people and machines) can lead to interesting, and potentially threatening challenges.

IT help desk teams spend hours every day within the Active Directory console managing users, resetting passwords, and stumbling across random service account names like “CEO brew maker.” They are always asking the question: “What exactly is this account doing?” Remember, most people have NEVER stepped near the CEO’s office, nor have a clue there is a bespoke coffee maker that keeps the CEO going like a marathon runner. One fine day someone notices that this “service” account has not changed its password in 4 years, and best practice dictates they need to force a password change on that account. And that results in no coffee for the CEO. All hell breaks loose, and nobody knows why the coffee maker stopped working. That is exactly what happens when you tinker with a “service account.”

This is where Zilla Security comes to the rescue. Our unique understanding of a “user” allows you to map a “service account” within your various identity directories to “real humans” at your company. Now when your CISO wants to do an account access review using Zilla’s access review solution, we automatically let the  “human” who owns the account be involved in the process. In short, Zilla provides TLC by assigning an owner to each “service account,” reducing the possibility of an account being deactivated mistakenly. We also have the unique ability to identify accounts at risk when the owner leaves the company, and you need to re-assign the ownership of this “service account” to another human.

Think of it as a digital identity makeover for your service accounts! By assigning ownership and conducting access reviews, you’ll not only give your “service accounts” a clear sense of purpose, but also tighten up your information security practices. It’s a win-win for everyone.

Author

  • Ashish Desai

    Ashish Desai is the DevOps Team Lead at Zilla Security, responsible for managing the global cloud infrastructure systems hosting Zilla worldwide.

    Prior to joining Zilla, Ashish worked at Fidelity Investments, the largest mutual fund company in the USA. He was a founding member of the cloud security team, instrumental in onboarding the company to AWS and Azure.

    Additionally, he held various roles in corporate security, end-user computing, and large-scale transformational projects that impacted over 50,000 employees and contractors globally.

    Connect with Ashish via LinkedIn.

    View all posts

Recent Posts