We constantly highlight the critical nature of service accounts and the importance of appropriate service account management. Recently, a customer came to us following a Sarbanes-Oxley (Sox) audit they failed largely due to mismanaged service accounts. It’s a story we’re hearing more and more frequently. Regulators are finally catching on to what we already know.
Companies that don’t manage access well face a double dilemma. There is an increased risk of breaches AND there’s growing likelihood auditors will find IT Controls to be deficient leading to fines or costly remediation.
SOX for Service Accounts
SOX requires all publicly-traded companies to establish internal controls and procedures for financial reporting, and must document, test, and maintain these controls to prove effectiveness. Many IT General Controls are rooted in access management.
For instance, there may be control over who can post assets to the balance sheet. If this control can be manipulated without anyone’s knowledge, financial data could become corrupted. This could be either unintentional or deliberate, but either way is a recipe for serious fraud.
Service accounts are typically created with elevated permissions, with privileges that need to reach into systems to perform their specific function. These systems, especially remote systems, can include General Ledgers, ERP, and Bank APIs among others that house this regulated financial data.
In the case of Enron, a malicious internal actor could modify assets before and after the firm’s financial audit. More often, attackers are individuals that have an ax to grind with the company. These individuals could be employees or even contractors. The most obvious case is when such a person is let go or fired. What they do is identify an account, usually a service account, and then they elevate the privileges.
With this access, they could wreak all kinds of havoc. Service accounts are particularly attractive in this scenario for a few reasons. First, it’s an account that likely isn’t going to go away, given potential disruptions. Second, the password probably isn’t going to change. Third, privileges are easily elevated, and last but not least, no one’s usually watching.
Beyond insiders, cyberattackers are going after these credentials to access critical systems and exfiltrate data. Auditors recognize more and more that in most organizations service accounts are not being properly managed. If someone does something with one of these, malicious or legitimate, no one notices.
What Auditors are looking for when they audit your Service Accounts?
We have seen auditors focus on two main areas when it comes to managing service accounts. The first is how often passwords are being changed. We force users to do this on a regular basis, but when it comes to non-human service accounts, it’s almost always a hassle given the dozens of services dependent on them, and is often neglected.
Second, accounts that don’t expire. Service accounts are often big offenders here. Deprovisioning is a critical stage often overlooked, and one of the biggest challenges our customers struggle with. Service accounts may have been set up for temporary purposes, such as software installation, but left in place long after they’re actually required. The original system tied to a service account may no longer be needed, but the account may live on with no supervision. There are a hundred reasons these accounts are left unchecked. To stay compliant and secure, you need to establish a process for identifying them, and either be prepared to defend the reasons for no expiration or demonstrate the process by which they are reviewed.
Don’t Panic
Depending on who you talk to, going through one of these audits is as about as much fun as a root canal. Getting dinged on your SOX audit can be a nightmare—particularly if there are large fines involved—potentially translating into no bonuses or raises, and worst-case scenario, the unemployment line.
But it doesn’t have to be this big of a headache if you’ve got all your ducks in a row. You can read more about best practices for managing service accounts in our recent book Service Account Security for Dummies or watch the quick video below on how Delinea's Account Lifecycle Manager can help you automate the process.