Service account
A service account or application account is a digital identity used by an application software or service to interact with other applications or the operating system. They are often used for machine to machine communication (M2M), for example for application programming interfaces (API).[1] The service account may be a privileged identity within the context of the application.[2]
Updating passwords
[edit]Local service accounts can interact with various components of the operating system, which makes coordination of password changes difficult.[3] In practice this causes passwords for service accounts to rarely be changed, which poses a considerable security risk for an organization.[3]
Some types of service accounts do not have a password.[4]
Wide access
[edit]Service accounts are often used by applications for access to databases, running batch jobs or scripts, or for accessing other applications. Such privileged identities often have extensive access to an organization's underlying data stores laying in applications or databases.[3]
Passwords for such accounts are often built and saved in plain textfiles, which is a vulnerability which may be replicated across several servers to provide fault tolerance for applications. This vulnerability poses a significant risk for an organization since the application often hosts the type of data which is interesting to advanced persistent threats.[3]
Service accounts are non-personal digital identities and can be shared.[3]
Misuse
[edit]Google Cloud lists several possibilities for misuse of service accounts:[4]
- Privilege escalation: Someone impersonates the service account
- Spoofing: Someone impersonates the service account to hide their identity
- Non-repudiation: Performing actions on their behalf with a service account in cases where it is not possible to trace the actions of the abuser
- Information disclosure: Unauthorized persons extract information about infrastructure, applications or processes
See also
[edit]- Kerberos Service Account, a service account in Kerberos (protocol)
- Administered service account, a service account within managed services
- Privileged identity management
- Robotic process automation
References
[edit]- ^ "Understanding service accounts | IAM Documentation". Retrieved 2023-01-05.
- ^ "How to Manage and Secure Service Accounts: Best…". Retrieved 2023-01-05.
- ^ a b c d e "Ldapwiki: Service Account". Retrieved 2023-01-05.[user-generated source]
- ^ a b "Best practices for working with service accounts | IAM Documentation". Retrieved 2023-01-05.