TL;DR: Shared accounts are a security hazard. Yet, like cockroaches, no matter how hard you try to eliminate them, they survive. Here are four key tips to managing accounts of all kinds, including pesky shared accounts.
From little startups to major Fortune 500 companies, organizations share one big cybersecurity challenge—managing accounts. This is especially tricky when it comes to shared accounts, where many users pass around the same login credentials. Shared accounts make it hard to understand who is doing what, when, and where.
Hackers love this ambiguity, and a shared account is often an ideal way to break into an organization. For insiders with malicious intentions, shared accounts are a perfect way to cover their tracks or diffuse blame.
Named accounts can be problematic, too. Credential theft can obfuscate who was actually using the account, and sometimes even trusted users take risky actions in production environments.
As more and more companies migrate to cloud-based infrastructure, improperly managed accounts are a growing cybersecurity risk. Organizations can take steps to protect themselves by carefully managing both shared and named accounts.
Allan Alford, the host of the Defense in Depth podcast, recently held a LinkedIn comment discussion about shared logins—and people had a lot to say about the challenges of managing these accounts. Furthering the conversation, our founder and CEO, Jake King, recently spoke on the Defense in Depth podcast about the dangers of shared accounts. In this post, we’ll dive into four tips for managing accounts of all kinds.
Tip 1: Map Your Account Landscape
Whether an organization is new or has been around for decades, accounts tend to build up. For older organizations—especially those that have been through IT and other technological changes or migrations—forgotten accounts, shared accounts, and duplicate accounts are pretty much inevitable. These accounts can be hard to find, too. Sometimes, accounts are generated by cloud services without an organization even knowing.
The first thing organizations can do is to get a solid picture of accounts over time. This goes for both named and shared accounts—understand where there are logins that can be used to access your organization’s databases, software, and hardware.
Tip 2: Assess the Relative Risk of Accounts
Business moves fast today, and companies need to keep up with the times—sometimes a shared account may be necessary for a specific kind of business activity or process. It may be that shared accounts are used, but for relatively low-risk and minor activities. Or you may uncover that a bunch of old, named logins that provide access to sensitive infrastructure present a serious risk. Sometimes, there is a risk/benefit analysis that needs to happen.
Once you have an inventory of accounts, it’s time to assess risk. First, do a risk analysis. Ask:
Where can we close down accounts?
How can we limit the access or reach of these accounts?
If there are shared accounts, could the work be executed via named accounts?
If so, can we migrate them to named accounts?
Why do these accounts exist in the first place?
That last question—why do these accounts exist—is often rooted in cultural practices. Which brings us to our next tip.
Tip 3: Talk to People
Humans. People behave the way they do for a reason. If employees are making or using accounts in insecure ways, there’s probably some rationale behind their decisions. For example, in DevOps culture, engineers are always looking for ways to make work frictionless and collaborative. With that ethos in mind, they may create shared accounts or manage individual accounts in less than secure ways that let them go faster. And in some ways, putting up barriers is antithetical to Linux’s open source, collaborative nature. For example, we’ve spoken with a major company that had a single account with over 100 users. Easy for users? Yes. Easy to detect whether someone from outside the organization had gained access? Absolutely not.
This can be solved with education and the right tools. Help users understand why certain behaviors are a bad idea, listen to their concerns, and provide tools to support their work needs. At the end of the day, many people are just trying to get their job done in the best way possible. If you give them tools that help them do their jobs well while also operating within the bounds of security best practices, odds are they’ll happily use them.
Tip 4: Rethink Access Management
Ultimately, accounts themselves are a tool—they allow access. So the challenge here is to find a better way to allow access without sacrificing security. There are two goals to balance when tackling account security:
Making accounts easy to use
Monitoring and logging user activity for auditing and security
On the first, one of the biggest complaints from users is often that they have too many accounts, platforms, and passwords to remember.
Helping users do their jobs more efficiently requires sophisticated yet user-friendly technology, layered with cultural shifts and education, as noted above.
Tools like Okta can simplify the login process, making named accounts across multiple platforms and products less cumbersome for users.
Once users are using accounts properly, it’s time for one of the most important tools in any organization’s security toolkit: monitoring and logging user activity. Without good logs of what users are doing, when, and where, organizations are flying blind. They may have no idea when a security incident occurs. Lack of logs can also get organizations in trouble with compliance mandates—especially if the organization manages sensitive data, like health or financial information. Every company should be logging user activity and monitoring those logs for fishy behavior.
Some organizations turn to privileged access management (PAM) tools to solve this. However, PAM can add a barrier and slow down processes, which is challenging for fast-paced companies that are trying to ship software quickly. It is also a limited line of defense: once someone gets past the PAM tool, they have unfettered access inside the production environment.
Leading companies are rethinking cloud access. For example, Cmd’s products can track who is logging into an account, even if that’s a shared account. We provide access, while logging all changes for a complete picture. We also have integrations with YubiKey, Slack, and others to allow two-factor authentication for added security. This allows companies to tolerate shared accounts where they are business-critical, but to understand who is using the accounts and prevent bad behavior.
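As an added example (not Cmd’s product and not code from the original post), the Python script below shows what attributing activity on a shared Linux account looks like in practice, serving both the account inventory of Tips 1 and 2 and the monitoring point above: it reads sshd “Accepted” lines, ties each login to an SSH key fingerprint where one exists, flags accounts used by more than one identity as shared in practice, and lists the password logins that cannot be tied to a person. The log lines, host name, addresses and fingerprints are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines; host names, addresses and key fingerprints
# are made-up placeholders, not from any real system.
SAMPLE_AUTH_LOG = """\
Jan 10 08:01:12 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 50112 ssh2: ED25519 SHA256:aaaa1111
Jan 10 09:15:40 web1 sshd[2230]: Accepted publickey for deploy from 10.0.0.9 port 50301 ssh2: ED25519 SHA256:bbbb2222
Jan 10 11:42:03 web1 sshd[2402]: Accepted publickey for alice from 10.0.0.5 port 50410 ssh2: ED25519 SHA256:aaaa1111
Jan 12 17:20:55 web1 sshd[3010]: Accepted password for deploy from 203.0.113.7 port 4410 ssh2
Jan 12 17:21:30 web1 sshd[3011]: Failed password for root from 203.0.113.7 port 4411 ssh2
"""

# sshd's "Accepted" line; with publickey auth the key fingerprint follows "ssh2:".
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: \S+ (?P<fp>SHA256:\S+))?"
)

def parse_logins(log_text):
    """One record per successful login, carrying the best identity the log offers."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not logins
        fp = m.group("fp")
        logins.append({
            "user": m.group("user"), "method": m.group("method"), "src": m.group("src"),
            # A key fingerprint points at a person; a password only points at a source host.
            "identity": fp if fp else "password@" + m.group("src"),
            "attributable": fp is not None,
        })
    return logins

def identities_per_account(logins):
    """Map each account name to the distinct identities that logged in with it."""
    seen = defaultdict(set)
    for rec in logins:
        seen[rec["user"]].add(rec["identity"])
    return {user: sorted(ids) for user, ids in seen.items()}

def shared_accounts(logins):
    """Accounts used by more than one identity are shared in practice, whatever the intent."""
    return sorted(u for u, ids in identities_per_account(logins).items() if len(ids) > 1)

def unattributable_logins(logins):
    """Logins that cannot be tied to a person: the blind spot this post warns about."""
    return [rec for rec in logins if not rec["attributable"]]
```

Run over a real /var/log/auth.log (or journalctl -u ssh output) the same functions give a first inventory of which accounts are shared in practice and where per-person attribution is missing; enforcing key-only authentication closes the unattributable gap the last function reports.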
Creating Secure Logins, Regardless of Account Type
While the best practice is to always and only issue named accounts, whether we like it or not, shared accounts are a reality of business today. Most organizations will have a mix of both. As cloud-based services and infrastructure continue to grow, companies of all kinds will need to rethink security, including access management. The good news is that there are now tools, technologies, and frameworks available to better manage account security. With the right combination, organizations can continue to move fast, create great software, and compete in today’s business environment.
How are you managing account permissions? Any issues with shared or named accounts? Leave us a comment on LinkedIn or Twitter to share your experiences.