Service Account

A service account or application account is a digital identity used by an application or service to interact with other applications or the operating system. Service accounts are often used for machine-to-machine (M2M) communication, for example between application programming interfaces (APIs). The service account may be a privileged identity within the context of the application.


Updating passwords

Local service accounts can interact with various components of the operating system, which makes coordinating password changes difficult: every component that stores the password has to be updated at the same time. In practice this means that passwords for service accounts are rarely changed, which poses a considerable security risk for an organization. Some types of service accounts do not have a password. (Google Cloud, "Best practices for working with service accounts", IAM documentation, https://cloud.google.com/iam/docs/best-practices-service-accounts, accessed 2023-01-05.)
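The practical consequence of the paragraph above is that an organization needs an inventory of its service accounts and a check for secrets that have outlived the rotation policy. The following is an added example, not code from the original article or from any vendor: it runs a credential-age audit over a constructed inventory. The account names, owners, dates, rotation limits and the three credential types ("password", "key", and "none" for platform-managed identities with no stored secret) are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ServiceAccount:
    name: str
    credential_type: str          # "password", "key" or "none" (assumed vocabulary)
    last_rotated: Optional[date]  # when the current secret was issued; None if unknown
    owner: Optional[str]          # team responsible for the account; None if unknown

# Constructed inventory for the example (not real accounts or dates).
INVENTORY = [
    ServiceAccount("svc-batch-etl", "password", date(2021, 3, 14), "data-platform"),
    ServiceAccount("svc-api-gateway", "key", date(2022, 11, 2), "platform-eng"),
    ServiceAccount("svc-backup", "password", None, None),
    ServiceAccount("svc-ci-deploy", "none", None, "release-eng"),
    ServiceAccount("svc-reporting", "password", date(2022, 12, 20), "finance-it"),
]

# Assumed rotation policy: maximum age in days per credential type.
MAX_AGE_DAYS = {"password": 90, "key": 180}

def audit(inventory: List[ServiceAccount], today: date) -> List[Tuple[str, str]]:
    """Return one (account name, finding) pair per policy violation.

    Findings are: missing owner, unknown rotation date, and secret older than
    the policy limit. Accounts without a stored secret have nothing to rotate.
    """
    findings = []
    for acct in inventory:
        if acct.owner is None:
            findings.append((acct.name, "no owner recorded"))
        if acct.credential_type == "none":
            continue
        limit = MAX_AGE_DAYS[acct.credential_type]
        if acct.last_rotated is None:
            findings.append((acct.name, f"{acct.credential_type} rotation date unknown"))
            continue
        age = (today - acct.last_rotated).days
        if age > limit:
            findings.append(
                (acct.name, f"{acct.credential_type} is {age} days old (limit {limit})")
            )
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, date(2023, 1, 5)):
        print(f"{name}: {finding}")
```

Run against the constructed inventory on 2023-01-05, the audit flags the ETL account's 662-day-old password and the backup account for having neither an owner nor a known rotation date; the CI account, which has no stored secret, produces no rotation finding. In a real deployment the inventory would be populated from the directory or cloud IAM API rather than a literal list.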


Wide access

Service accounts are often used by applications to access databases, to run batch jobs or scripts, or to access other applications. Such privileged identities often have extensive access to an organization's underlying data stores, whether those live in applications or in databases. Passwords for such accounts are often hard-coded and saved in plain-text files, a vulnerability that may then be replicated across several servers when the application is deployed redundantly for fault tolerance. This vulnerability poses a significant risk for an organization, since the application often hosts exactly the type of data that is of interest to advanced persistent threats. Service accounts are non-personal digital identities and can be shared.
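A defender's first step against the plain-text credential files described above is to find them. The block below is an added example, not code from the original article: it scans a set of constructed configuration files (paths, keys and values are all made up for the example) for literal credential assignments, skipping entries that only reference a secret store, and reports each hit with the value redacted so that the report itself does not leak the secret.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration files as they might be copied to several
# application servers. Nothing here is a real path, account or credential.
SAMPLE_FILES = {
    "/etc/app/app.properties": (
        "db.url=jdbc:postgresql://db01/orders\n"
        "db.user=svc-orders\n"
        "db.password=Summer2019!\n"
    ),
    "/etc/app/batch.ini": (
        "[job]\n"
        "schedule=nightly\n"
        "; token is resolved from the secret store at run time\n"
        "api_token=${SECRET:batch_api_token}\n"
    ),
    "/opt/app/config.yaml": (
        "reporting:\n"
        "  user: svc-reporting\n"
        "  password: \"hunter2\"\n"
        "  host: report-srv\n"
    ),
}

# A key/value line whose key names a credential (assumed list of key words).
CRED_KEY_RE = re.compile(
    r"(?i)^\s*([\w.\-]*(?:password|passwd|secret|token|api_key)[\w.\-]*)\s*[:=]\s*(.+?)\s*$"
)
# Values that are indirections or templates rather than literal secrets.
PLACEHOLDER_RE = re.compile(r"^\$\{.*\}$|^<.*>$|^$")

def find_plaintext_credentials(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line number, key, redacted value) for each literal credential."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = CRED_KEY_RE.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip("\"'")
            if PLACEHOLDER_RE.match(value):
                continue  # reference to a secret store, not a stored secret
            findings.append((path, lineno, key, "*" * 8))
    return findings

if __name__ == "__main__":
    for path, lineno, key, redacted in find_plaintext_credentials(SAMPLE_FILES):
        print(f"{path}:{lineno}: {key} = {redacted}")
```

On the constructed input the scanner reports the database password in the properties file and the reporting password in the YAML file, but not the batch job's token, which is only a reference resolved at run time. That last file illustrates the remediation: the configuration carries a pointer to a secret store, so copying the file to another server for fault tolerance copies no secret.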


Misuse

Google Cloud lists several possibilities for misuse of service accounts:

* Privilege escalation: someone impersonates the service account to obtain its access rights
* Spoofing: someone impersonates the service account to hide their own identity
* Non-repudiation: actions are performed with a service account in cases where they cannot be traced back to the person who abused it
* Information disclosure: unauthorized persons extract information about infrastructure, applications or processes
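Each misuse pattern in the list above has an observable counterpart in authentication logs: a service account appearing from a host it was never deployed on, or performing an action outside its job. The following is an added example, not code from the original article or from Google Cloud: it runs two such detections over constructed log lines. The log format, the baseline of expected source hosts per account and the list of sensitive actions are all assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample authentication log lines (assumed format, no real system).
SAMPLE_LOG = """\
2023-01-05T08:00:01Z auth ok account=svc-batch-etl src=etl-node-1 action=db.read
2023-01-05T08:05:12Z auth ok account=svc-batch-etl src=etl-node-2 action=db.read
2023-01-05T09:17:44Z auth ok account=svc-batch-etl src=laptop-4471 action=db.read
2023-01-05T09:18:03Z auth ok account=svc-batch-etl src=laptop-4471 action=iam.grant_role
2023-01-05T10:02:55Z auth ok account=svc-reporting src=report-srv action=db.read
2023-01-05T10:30:00Z auth ok account=svc-reporting src=report-srv action=db.read
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ok account=(?P<account>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)

# Assumed baseline: the hosts each service account is deployed on.
EXPECTED_SOURCES: Dict[str, Set[str]] = {
    "svc-batch-etl": {"etl-node-1", "etl-node-2"},
    "svc-reporting": {"report-srv"},
}

# Assumed list of actions a service account should never perform.
SENSITIVE_ACTIONS = {"iam.grant_role", "iam.create_key"}

def parse(log_text: str) -> List[Dict[str, str]]:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def detect(events: List[Dict[str, str]],
           expected_sources: Dict[str, Set[str]],
           sensitive_actions: Set[str]) -> List[Tuple[str, str]]:
    """Return (account, reason) alerts.

    An unexpected source host is reported once per account/host pair, which
    points at impersonation or a shared credential. A sensitive action is
    reported on every occurrence.
    """
    alerts = []
    reported_sources = set()
    for ev in events:
        account, src, action = ev["account"], ev["src"], ev["action"]
        if src not in expected_sources.get(account, set()):
            if (account, src) not in reported_sources:
                reported_sources.add((account, src))
                alerts.append((account, f"used from unexpected source {src}"))
        if action in sensitive_actions:
            alerts.append((account, f"sensitive action {action} from {src}"))
    return alerts

if __name__ == "__main__":
    for account, reason in detect(parse(SAMPLE_LOG), EXPECTED_SOURCES, SENSITIVE_ACTIONS):
        print(f"{account}: {reason}")
```

On the constructed log the ETL account is flagged once for appearing from a workstation that is not in its baseline, and again when that session grants an IAM role. Keeping a per-account baseline of expected hosts is what makes a shared, non-personal identity attributable after the fact, which is the non-repudiation concern in the list above.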


See also

* Kerberos service account, a service account in the Kerberos protocol
* Administered service account, a service account within managed services
* Privileged identity management
* Robotic process automation

