HOME

TheInfoList



Click Here for Items Related To - Service Account
OR:
Service Account on:   [Wikipedia]   [Google]   [Amazon]

A service account or application account is a digital identity used by an
application software Application may refer to: Mathematics and computing * Application software, computer software designed to help the user to perform specific tasks ** Application layer, an abstraction layer that specifies protocols and interface methods used in a ...
or service to interact with other applications or the
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also i ...
. They are often used for machine to machine communication (M2M), for example for
application programming interfaces An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how ...
(API). The service account may be a privileged identity within the context of the application.


Updating passwords

Local service accounts can interact with various components of the operating system, which makes coordination of
password A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
changes difficult. In practice this causes passwords for service accounts to rarely be changed, which poses a considerable security risk for an organization. Some types of service accounts do not have a password.{{Cite web , title=Best practices for working with service accounts {{! IAM Documentation , url=https://cloud.google.com/iam/docs/best-practices-service-accounts , access-date=2023-01-05 , language=en


Wide access

Service accounts are often used by applications for access to
databases In computing, a database is an organized collection of data stored and accessed electronically. Small databases can be stored on a file system, while large databases are hosted on computer clusters or cloud storage. The design of databases spa ...
, running batch jobs or scripts, or for accessing other applications. Such privileged identities often have extensive access to an organization's underlying data stores laying in applications or databases. Passwords for such accounts are often built and saved in plain textfiles, which is a vulnerability which may be replicated across several servers to provide
fault tolerance Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of one or more faults within some of its components. If its operating quality decreases at all, the decrease is proportional to the ...
for applications. This vulnerability poses a significant risk for an organization since the application often hosts the type of data which is interesting to advanced persistent threats. Service accounts are non-personal digital identities and can be shared.


Misuse

Google Cloud lists several possibilities for misuse of service accounts: *
Privilege escalation Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The re ...
: Someone impersonates the service account * Spoofing: Someone impersonates the service account to hide their identity *
Non-repudiation Non-repudiation refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged ...
: Performing actions on their behalf with a service account in cases where it is not possible to trace the actions of the abuser * Information disclosure: Unauthorized persons extract information about infrastructure, applications or processes


See also

* Kerberos Service Account, a service account in Kerberos (protocol) * Administered service account, a service account within
managed services Managed services is the practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions, ostensibly for the purpose of improved operations and reduced budgetary expenditures through the re ...
* Privileged identity management * Robotic process automation


References

Computer security Software