Cyber Security Account Validation
Improving Security and Business Agility
Service Account Management (SAM) is part of an organization’s overall Identity and Access Management (IAM) program or compliance. Service accounts are highly privileged accounts that an application or service uses to interact with other applications or services. These specialized accounts are typically used by an application to access data, operating systems, or resources to perform a specific task.
Types of Service Accounts
According to research, more than 50 percent of all cybersecurity breaches are due to misuse of privileged service accounts. Control of these types of accounts is a significant factor in compliance across most regulations in all industries. Taxonomy of these types of accounts differs from company to company, but they can be broken down into the following major classifications:
- Local Admin Accounts: An organization typically uses these accounts to perform maintenance or set up new workstations.
- Privileged User Accounts: These are the most common form of privileged service accounts and usually have unique and complex passwords giving them power across the network.
- Domain Admin Accounts: Domain admins have privileged access across all workstations and servers on a Windows domain.
- Emergency Accounts: These accounts provide unprivileged users with admin access to secure systems in case of an emergency.
- Service Accounts: These accounts are privileged local or domain accounts used by an application or service to interact with the operating system.
- Application Accounts: Just as the name suggests, these accounts are used by applications to access databases and provide access to other applications.
Our client was challenged with company growth that resulted in unadministered accounts, expired accounts, and overprivileged accounts. To eliminate security risks, they needed to reconcile these accounts with IT ownership. Our client was aware of over 4,000 service accounts with over 25,000 entries. They needed to validate account ownership and to remove interactive log-in for service accounts where applicable.
Our client was looking for a partner to gather requirements and perform validation for Service and Privileged User accounts to reduce risk and improve operational efficiencies.
Cyber Security Challenges
Service account sprawl drastically increases cybersecurity risks to an organization. In many organizations, service accounts are neglected, and they can multiply unnoticed as many applications run in the background. Turnover of personnel, untrained employees, and the willingness of hackers to spend considerable time looking for ways to breach a system create significant challenges for any company.
The task of service account validation is a combination of the following attributes:
- Awareness: Management of privileged access is a significant challenge for most organizations. Organizations are increasingly aware of the need to control and monitor access to privileged accounts.
- Culture: Many organizations allow unrestricted and unmonitored use of privileged credentials shared among users, thereby severely limiting the possibility of personal accountability.
- Inventory: Many organizations assign full privileges to developers, administrators, and others, with limited process and oversight.
- Tooling: Effective procedures around managing privileged access and shared accounts are cumbersome without specialized tools.
- Identity Governance (IGA): The lack of an access governance model for privileged accounts in most organizations leads to governance issues, such as accumulation of privileged access, orphaned accounts, ownership conflicts, and others.
Organizations need to balance significant security risks associated with privileged access against requirements for operational efficiencies. Project leaders must communicate expectations to ensure a team is well prepared for the changes and prevent outages.
Our client looked for a partner that recognized these unique challenges and offered various potential solutions in an unbiased approach to achieve its goals quickly and smoothly. We worked with the client to ensure they understood our service delivery options:
- Project-Based Resources: Provide technical resources on a contingent basis to support project needs.
- Talent Management Solutions: Allow our clients to stay focused on project deliverables while managing the resources and the resource plan for the project.
- Hybrid Managed Solutions: Allow our clients to manage the broader program while we manage components or projects as part of the overall program.
- Outsourced Managed Solutions: Allow our clients to outsource the entire project to us, including project management, resource planning, and resource management.
- Professional Services: We deliver a specific, high-quality project outcome to the client on time and within budget.
Our experts spent time with the client’s team to understand their needs and craft a comprehensive solution. We recognized the need to carefully manage the security changes with an adaptive but proven process to scale to meet the overall project schedule. When developing the solution, our engineers prioritized network infrastructure security. We also worked with the client to create a customized and flexible pricing model.
Our teams recognize that a service account validation project can take many shapes and sizes, and we work with our clients to best meet their requirements. This project consisted of two phases:
- Discovery Phase
- Account Validation and Remediation Phase
The Discovery phase consisted of a small team focused on validating the accounts list, scoping applications, and analyzing tools and operating systems to determine the level of effort and process requirements. This preliminary phase allowed our team to properly scope and scale the solution and provide accurate pricing for each account validated. After the Discovery phase, the entire team was onboarded to complete the Account Validation and Remediation phase.
During both phases, The Select Group Managed Solutions Team took responsibility for the client’s project performance. Our planning process identified the different capabilities required to create a highly skilled scrum team to discover and validate service accounts:
- TSG Program Lead
- Data Entry Specialist
- Data Analysts
Our process begins with appointing a long-term engagement manager to be the single point of contact for our client, ensuring that service-level agreements (SLAs), deliverables, and milestones are met. The engagement manager also identifies and manages the project’s scope, including financial performance such as invoicing and budget tracking, in addition to team performance issues.
A program leader manages the team’s day-to-day tasks for many solutions while overseeing project milestones and performance.
Managed Service Results
The client’s decision to partner with The Select Group delivered the project on time and allowed them to meet their overall internal business objectives. The client leveraged our creative approach to managing this project and use of the Discovery phase. Our rapid fulfillment of an entire team and deliverables-based approach allowed us to stay engaged at scale with the client.
Benefits to the client included:
- Increased operational efficiencies and reduced costly errors.
- Reduced time spent hiring and providing personnel oversight.
- An improved governance process.
- Improved business agility and enabled competitive services to respond to demand quickly.
- A significant reduction in security risk.