In the privileged access management (PAM) world, how do you best remediate the risk when service accounts are being automatically managed? i.e. credentials changed (or not changed)
We are doing some regular and automated credential rotation, while having a password complexity policy and MFA policies in place. Moreover, duty rotations and internal/3rd party audits to check the potential risks/vulnerabilities.
Can you explain what the risk is you want to remediate?
For example, some risk causes could be: failure of a service (or dependency) when account creds automatically change, lock out of a service account, lack of break-glass access during PAM unavailability, lack of compliance with an authentication standard, insufficient audit evidence for cred change/use.
All things being equal, in terms of risk, regularly changing service account passwords isn’t necessary if:
— Passwords are long (minimum 25 characters)
— Complex (a mixture of lower case, upper case, numbers and symbols)
— Protected by an account lockout policy (5 bad passwords and the account locks out and needs to be unlocked manually by an administrator)
— Stored securely (I assume you are referring to service accounts in the context of Microsoft Windows and Active Directory, in which case they are stored in a hashed, encrypted format).
If the passwords are machine-generated and so composed of random characters and adhere to these rules, and when they are set, they are not recorded or remembered, then even better.
I do see companies change service account passwords every 6 months or once a year as a protection against staff leaving the company but still knowing the passwords to service accounts. But I see this as more of a ritual than protection against a real risk.
If you still want/need to change service account passwords regularly, then you can use Windows managed service accounts. You can also use a PAM tool like Cyberark or Delinea (formerly Thycotic). But as I say, I don’t think this is necessary purely from the standpoint of risk.
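The answer above sets out four conditions (25+ characters, all four character classes, a 5-attempt lockout, machine-generated random values). The following is an added example, not code from the original post: it generates a password from the OS CSPRNG that is guaranteed to satisfy those stated rules, validates an arbitrary candidate against them, and quantifies why a password meeting them does not gain much from scheduled rotation. Function names and the 32-character default length are my own assumptions.

```python
import math
import secrets
import string

# Thresholds as stated in the answer above (assumed constants, named here for clarity)
MIN_LENGTH = 25
LOCKOUT_THRESHOLD = 5  # bad attempts before the account locks and needs an admin unlock

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 printable characters


def missing_classes(password: str) -> list:
    """Return the names of the character classes absent from the password."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def meets_policy(password: str) -> bool:
    """Long (>= MIN_LENGTH) and complex (every class present)."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def generate_service_password(length: int = 32) -> str:
    """Draw uniformly from ALPHABET with the OS CSPRNG; rejection-sample until all
    classes appear, so the output passes meets_policy() without biasing positions."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def online_guess_probability(length: int = MIN_LENGTH) -> float:
    """Chance an online attacker succeeds before the lockout triggers: the
    LOCKOUT_THRESHOLD - 1 attempts permitted, over the whole keyspace."""
    return (LOCKOUT_THRESHOLD - 1) / (len(ALPHABET) ** length)
```

At the minimum 25 characters the keyspace is about 164 bits, and the lockout caps an online attacker at four guesses, which is the quantitative basis for the "rotation is a ritual" position in the answer.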