Security+: differentiating common account management practices [updated 2021]
Account management is one of the most important aspects of an organization’s security posture. Not only do the decisions affect how users interact with their network and systems, but account management embodies many key security principles. Therefore, understanding the range of account types as well as how to employ and manage each is a foundational skill of Security+ professionals.
No matter what applications or systems you are using, when you log in with your credentials, your account is granted a defined level of authority and access to functions, resources and data. While these permissions are enforced behind the scenes, every account falls into one of several account types. A standard user account holds the most limited access that still supports everyday work, and it is the level the vast majority of users should have. A user-level account typically prevents the installation of new applications and changes to global settings or rules, and it restricts other functions and files, keeping the account focused on core business functionality.
A shared account, sometimes known as a generic account, is one set of credentials used by more than one person. This account type is often issued to teams that perform similar functions, or to casual users who need access to a system in a limited capacity. (This is distinct from group-based access control, in which each person keeps an individual account and permissions are assigned to a group the accounts belong to.) While shared accounts allow for flexibility, they introduce real problems: an action performed while logged in cannot be tied to a specific person, which defeats accountability and non-repudiation, and the shared password has to be changed every time someone leaves the group. Each person with access to the generic account also has the same functions and files as everyone else, which undermines least privilege and can lead to data integrity issues. Some organizations also use guest accounts, which are temporary accounts created for specific, legitimate work needs such as consultants, interns or auditors, and which should be disabled as soon as the engagement ends.
Service accounts are used by applications and services rather than by people, and they define the privileges and functions an application may exercise. Through service accounts, an application has access only to the specific functions and data its role requires. This account type provides a balance between granting complete system-wide permission and tailoring access, permissions and rights to the exact needs of the software. Because service account passwords are rarely changed and often sit in configuration files, these accounts should be denied interactive logon, monitored for unusual use and, where the platform supports it, given automatically managed credentials.
Administrative functions of a system that require global access are performed with a privileged account. Not for everyday tasks, a privileged account should be issued to each administrative user alongside a standard account: routine activities such as email and internet browsing are done from the standard account, so that a phishing message or malicious website cannot directly compromise administrative rights. Privileged accounts should also be defined for each administrative role and system within an organization, supporting separation of duties and preventing too much power from being concentrated in too few accounts.
Account management concepts
Coupled with defining the right level of access a user needs is a range of account management concepts. The principle of least privilege grants a user only the access, permissions and privileges needed to perform their work, and nothing more. Privilege assignments should also be audited periodically for misalignment between a user’s role, their level of access and their actual usage, so that privilege creep (rights accumulated as jobs change but never removed) is caught and accounts that are no longer needed are deactivated.
Offboarding users who no longer need access to a system is just as important as following best practices when establishing an account. A standard naming convention for accounts supports both: it makes it easy to identify the owner and type of an account (for example, to tell a service account from a personal one) and to find every account belonging to a departing user, and it helps users remember their usernames. User rights can also be constrained by location-based policies that permit access only from approved geographic locations or networks, and by time-of-day restrictions that block logons outside defined working hours, which limits when a stolen credential can be used.
Account recertification covers several related practices. First, it is the periodic review of a user’s responsibilities against their account permissions and rights, confirming that the principle of least privilege still holds. Recertification can also verify that a user has the skill or training required to hold a certain account type. Finally, an IT system’s account management controls can themselves be recertified, validating that the system enforces the organization’s account security requirements.
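As an added illustration of the least-privilege audit and recertification review described above (this is example code, not part of the original article or of any particular product), the following Python script performs a simple access recertification: each account’s granted entitlements are compared with a role baseline that expresses least privilege, and the script flags privilege creep, dormant accounts that should be deactivated, and accounts whose role no longer exists. The roles, entitlements, accounts, review date and 90-day dormancy threshold are all constructed assumptions.

```python
"""Access recertification check: compare each account's actual entitlements
with the least-privilege baseline for its role. Added example, not from the
article; all roles, entitlements and accounts below are constructed."""
from datetime import date

# Constructed baseline: the minimum entitlements each role needs (least privilege).
ROLE_BASELINE = {
    "helpdesk": {"ticketing:read", "ticketing:write", "ad:reset-password"},
    "developer": {"git:read", "git:write", "ci:trigger"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Constructed directory export: current role, granted entitlements, last logon.
ACCOUNTS = [
    {"user": "alice", "role": "developer",
     "entitlements": {"git:read", "git:write", "ci:trigger"},
     "last_logon": date(2021, 5, 28)},
    # Moved from dba to developer but kept db:admin: privilege creep.
    {"user": "bob", "role": "developer",
     "entitlements": {"git:read", "git:write", "ci:trigger", "db:admin"},
     "last_logon": date(2021, 5, 30)},
    # No logon for months: candidate for deactivation.
    {"user": "carol", "role": "helpdesk",
     "entitlements": {"ticketing:read", "ticketing:write"},
     "last_logon": date(2020, 11, 1)},
    # Role no longer exists in the baseline: nobody owns this access.
    {"user": "dave", "role": "contractor",
     "entitlements": {"git:read"},
     "last_logon": date(2021, 5, 1)},
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2021, 6, 1)


def recertify(accounts, baseline, today, dormant_days=90):
    """Return (user, finding, detail) tuples for every account that fails review."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Dormant accounts are flagged regardless of role: deactivate or justify.
        if (today - acct["last_logon"]).days > dormant_days:
            findings.append((user, "dormant", acct["last_logon"].isoformat()))
        allowed = baseline.get(acct["role"])
        if allowed is None:
            findings.append((user, "orphaned-role", acct["role"]))
            continue
        # Anything granted beyond the role baseline is privilege creep.
        excess = sorted(acct["entitlements"] - allowed)
        if excess:
            findings.append((user, "privilege-creep", ",".join(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in recertify(ACCOUNTS, ROLE_BASELINE, REVIEW_DATE):
        print(f"{user:8} {finding:16} {detail}")
```

Run against the constructed export, the script reports bob for privilege creep (db:admin), carol as dormant and dave as holding a role that no longer exists; alice, whose rights match the developer baseline, produces no finding. In practice the baseline would come from a role or entitlement catalogue and the export from the directory, but the comparison logic is the same.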
Account policy enforcement
Just because all users have the right level of access and account type to meet their business function does not mean an organization is as secure as it could be. That’s where account policy enforcement comes into play.
Credential management is a service that stores, manages and often audits the use of user credentials in a central location; it is offered both to individuals (password managers) and to enterprise networks (enterprise password vaults and privileged access management tools). Using credential management tools eases the administrative burden, allowing credentials for a range of accounts to be stored, locally or in the cloud, within one protected container. This functionality is different from Group Policy in Windows domains, which lets an administrator maintain consistent configuration and security settings, defined as Group Policy Objects (GPOs), that are applied when computers start and users log in.
Other password policies can be established across an enterprise to contribute to a sound security posture. Password complexity, which dictates length and character-class requirements, is often paired with expiration and password history rules that set when passwords must be changed and whether, or after how many changes, a password may be reused. A 90-day expiration was long the rule of thumb, but current guidance (NIST SP 800-63B) recommends against forced periodic rotation, favoring long passwords, screening against known-breached passwords and changing a password when there is evidence of compromise; many organizations still enforce expiration to satisfy compliance requirements. Account lockout is another policy that locks an account, usually for a set duration, once a threshold of incorrect passwords is reached within an observation window; the user then waits out the lockout or recovers access through a help desk or another verified process (security questions are a weak form of recovery, since the answers are often guessable or publicly discoverable). Combined, these policies limit online brute-force guessing and reduce the risk if a password is exposed, with two caveats: attackers respond with password spraying, trying one common password across many accounts to stay under the threshold, and a lockout threshold set too low lets an attacker deliberately lock legitimate users out.
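To make the three enforcement points concrete, here is an added Python example (not code from the original article or from any directory product) that implements a complexity check, a password history check using salted hashes rather than stored plaintext, and an account lockout tracker with a threshold, an observation window and automatic unlock, replayed over a constructed authentication log. The policy values (12 characters, 3 of 4 character classes, 5 remembered passwords, 5 failures in 30 minutes, 15-minute lockout), the PBKDF2 round count and the log entries are all constructed assumptions.

```python
"""Account policy enforcement: password complexity, password history and
account lockout. Added example, not from the article; the policy values and
the authentication log below are constructed."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed policy, modelled on typical domain password settings.
POLICY = {
    "min_length": 12,
    "classes_required": 3,                      # of lower, upper, digit, symbol
    "history_depth": 5,                         # previous passwords that may not be reused
    "lockout_threshold": 5,                     # failures ...
    "lockout_window": timedelta(minutes=30),    # ... within this observation window
    "lockout_duration": timedelta(minutes=15),  # automatic unlock after this
}
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
PBKDF2_ROUNDS = 100_000  # illustrative value; tune to your hardware


def meets_complexity(password, policy=POLICY):
    """Minimum length plus the number of distinct character classes present."""
    if len(password) < policy["min_length"]:
        return False
    present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    return present >= policy["classes_required"]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history, policy=POLICY):
    """history is a list of (salt, digest) for earlier passwords, oldest first.
    Re-hashing with each old salt lets a candidate be compared to that digest."""
    for salt, digest in history[-policy["history_depth"]:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


class LockoutTracker:
    """Counts failed logons per account inside the observation window and
    locks the account for lockout_duration once the threshold is reached."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.failures = {}      # user -> timestamps of recent failures
        self.locked_until = {}  # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:        # duration elapsed: auto-unlock and reset counter
            del self.locked_until[user]
            self.failures[user] = []
            return False
        return True

    def record(self, user, success, now):
        """Process one logon attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"     # even a correct password is refused while locked
        if success:
            self.failures[user] = []
            return "ok"
        window_start = now - self.policy["lockout_window"]
        recent = [t for t in self.failures.get(user, []) if t > window_start]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy["lockout_threshold"]:
            self.locked_until[user] = now + self.policy["lockout_duration"]
            return "locked"
        return "failed"


# Constructed authentication log in chronological order: (timestamp, user, success).
AUTH_LOG = [
    (datetime(2021, 6, 1, 9, 0, 0), "mjones", False),
    (datetime(2021, 6, 1, 9, 0, 1), "jsmith", False),
    (datetime(2021, 6, 1, 9, 0, 3), "jsmith", False),
    (datetime(2021, 6, 1, 9, 0, 5), "jsmith", False),
    (datetime(2021, 6, 1, 9, 0, 7), "jsmith", False),
    (datetime(2021, 6, 1, 9, 0, 9), "jsmith", False),   # fifth failure: account locks
    (datetime(2021, 6, 1, 9, 0, 11), "jsmith", True),   # right password, still locked
    (datetime(2021, 6, 1, 9, 20, 0), "jsmith", True),   # lock expired: logon succeeds
    (datetime(2021, 6, 1, 10, 0, 0), "mjones", False),  # >30 min later: count restarts at 1
]


def replay(log, policy=POLICY):
    """Run the log through the tracker; returns (user, outcome) per attempt."""
    tracker = LockoutTracker(policy)
    return [(user, tracker.record(user, ok, ts)) for ts, user, ok in log]
```

Replaying the log shows the behaviour the policy intends: jsmith is locked on the fifth failure, the correct password two seconds later is still refused, and the logon at 9:20 succeeds because the 15-minute lockout has expired. mjones never locks, because the second failure falls outside the 30-minute window and the count restarts, which is exactly the gap a slow password-spraying attacker exploits; that is why lockout should be paired with monitoring of failures across many accounts rather than relied on alone.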
Pursuing secure account management practices
Establishing sound account management practices and enforcing strong policies is a core skill set of Security+ professionals. These skills also go a long way toward supporting the overall management of staff within an organization, especially as they seek to find a balance between ease of use and data integrity concerns. Knowing how and when to employ the different account management tools and policies can help you achieve your goal of earning your credential.