Service account

From HandWiki
Revision as of 05:24, 27 June 2023 by S.Timg (talk | contribs) (simplify)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Short description: Digital identity used by systems and APIs

A service account or application account is a digital identity used by an application software or service to interact with other applications or the operating system. They are often used for machine to machine communication (M2M), for example for application programming interfaces (API).[1] The service account may be a privileged identity within the context of the application.[2]

Updating passwords

Local service accounts can interact with various components of the operating system, which makes coordination of password changes difficult.[3] In practice this causes passwords for service accounts to rarely be changed, which poses a considerable security risk for an organization.[3]

Some types of service accounts do not have a password.[4]

Wide access

Service accounts are often used by applications for access to databases, running batch jobs or scripts, or for accessing other applications. Such privileged identities often have extensive access to an organization's underlying data stores laying in applications or databases.[3]

Passwords for such accounts are often built and saved in plain textfiles, which is a vulnerability which may be replicated across several servers to provide fault tolerance for applications. This vulnerability poses a significant risk for an organization since the application often hosts the type of data which is interesting to advanced persistent threats.[3]

Service accounts are non-personal digital identities and can be shared.[3]

Misuse

Google Cloud lists several possibilities for misuse of service accounts:[4]

  • Privilege escalation: Someone impersonates the service account
  • Spoofing: Someone impersonates the service account to hide their identity
  • Non-repudiation: Performing actions on their behalf with a service account in cases where it is not possible to trace the actions of the abuser
  • Information disclosure: Unauthorized persons extract information about infrastructure, applications or processes

See also

References