While today’s technology increasingly supports individual account rights and privileges, many organizations still use shared credentials to access shared resources.
Shared resources can be tied to pretty much any platform or network tool, from email accounts, to servers and databases.
An organization may end up using shared accounts for a variety of reasons. Sometimes the particular online tool leaves no other option; email accounts, for instance, can often only be accessed with one set of credentials. Regardless of the reason, shared accounts present a host of security risks to the network.
Activity Tracking and Visibility
To really achieve access visibility and track activity on an online platform, administrators first need to know which users are accessing accounts and when. Shared accounts create a major hole in this regard. If a shared account is breached, for instance, knowing which user was logged in at the time is a big part of mapping the attack chain of the incident; with a shared account the logs show sessions and source hosts, not people.
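The visibility gap is easiest to see in the logs themselves. The following added example (written for this post, not code from the original) runs over constructed authentication-log lines in an assumed format (ISO timestamp, event, key=value fields). It pairs logins with logouts, reports which source hosts had a session open on a shared account at a given moment, and flags windows where two sessions from different hosts overlap, which is exactly the situation where no individual can be attributed to the account's activity.

```python
"""Concurrent-session check for shared accounts, run over constructed auth-log lines.

Added example for this post, not part of the original. The log format
(ISO timestamp, event, key=value fields) is an assumption chosen for the
illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one shared account ("shared-billing") with two
# overlapping sessions from different hosts, plus one personal account.
SAMPLE_LOG = """\
2024-03-04T08:58:10Z LOGIN account=shared-billing src=10.0.1.15 session=a1
2024-03-04T09:02:41Z LOGIN account=shared-billing src=10.0.7.201 session=a2
2024-03-04T09:30:00Z LOGOUT account=shared-billing src=10.0.1.15 session=a1
2024-03-04T09:45:12Z LOGIN account=jdoe src=10.0.1.15 session=b1
2024-03-04T10:10:00Z LOGOUT account=shared-billing src=10.0.7.201 session=a2
2024-03-04T10:15:00Z LOGOUT account=jdoe src=10.0.1.15 session=b1
"""


def ts(s):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Split '<ts> <EVENT> k=v k=v ...' into a dict with a datetime timestamp."""
    stamp, event, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = ts(stamp)
    rec["event"] = event
    return rec


def sessions(log_text):
    """Pair each LOGIN with its LOGOUT; return {account: [(start, end, src), ...]}.

    Sessions with no LOGOUT are treated as still open at the last timestamp seen.
    """
    open_sessions, closed = {}, defaultdict(list)
    last_ts = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        last_ts = rec["ts"]
        key = (rec["account"], rec["session"])
        if rec["event"] == "LOGIN":
            open_sessions[key] = rec
        elif rec["event"] == "LOGOUT" and key in open_sessions:
            start = open_sessions.pop(key)
            closed[rec["account"]].append((start["ts"], rec["ts"], start["src"]))
    for (account, _), start in open_sessions.items():
        closed[account].append((start["ts"], last_ts, start["src"]))
    return closed


def active_sources_at(log_text, account, when):
    """Source addresses with an open session on `account` at time `when`.

    For a shared account this is all the log can tell you: hosts, not people.
    """
    return sorted(src for start, end, src in sessions(log_text).get(account, [])
                  if start <= when <= end)


def overlapping_sessions(log_text, shared_accounts):
    """Pairs of sessions on a shared account that overlap in time from different
    sources: the account is in simultaneous use and nobody can be attributed to
    its activity in that window."""
    findings = []
    for account, ivals in sessions(log_text).items():
        if account not in shared_accounts:
            continue
        ivals.sort()
        for i, (s1, e1, src1) in enumerate(ivals):
            for s2, e2, src2 in ivals[i + 1:]:
                if s2 < e1 and src1 != src2:
                    findings.append((account, src1, src2, max(s1, s2), min(e1, e2)))
    return findings


if __name__ == "__main__":
    for f in overlapping_sessions(SAMPLE_LOG, {"shared-billing"}):
        print("overlap on %s: %s and %s between %s and %s" % f)
```

On the sample log the check reports one overlap on `shared-billing` between 09:02:41 and 09:30:00; during that window `active_sources_at` returns two hosts and nothing else, which is the attribution problem the paragraph describes.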
Credentials Compromise due to Employee Turnover
The natural flow of business means employees move around within the organization. They switch departments or leave the company altogether. For an organization to change credentials every time a user with shared-account access leaves or switches departments is not only unscalable, it is also impractical, leaving a lot of room for human error. A recent prosecution by the U.S. Department of Justice highlighted this risk all too clearly. According to reports, a former analyst at an autism treatment center in Tennessee likely used shared credentials when he illicitly accessed patient databases at his former place of employment.
Shared Credentials can be Re-Shared
Once administrators share access credentials with one user, that user then has the ability to share them again. Not knowing who holds credentials is an organization’s worst nightmare, especially when dealing with administrator accounts. Credentials falling into the wrong hands can allow a user to assume a privileged identity, which could lead to Corporate Account Takeover (CATO).
Single-Factor Authentication
Shared credentials make it hard to apply second-factor authentication (2FA) to an account. Second factors such as SMS codes, OTPs, or push notifications tend to be bound to one particular user, since only one user can carry the out-of-band (OOB) device, whether a cellphone or a hardware token, that the authentication requires.
The two options organizations think they have
The issues with shared accounts have not gone unnoticed. While organizations try to keep track of who holds which credentials using band-aid solutions, the industry has produced two primary types of solutions:
- Password managers
Password managers allow users to share passwords without revealing the actual credentials. This sounds ideal, but the passwords still need to be transmitted, which means they become exposed. This makes them vulnerable to capture by attackers via man-in-the-middle (MITM) attacks or other data interception methods. As an industry leader in password sharing warned (in its own user guide, no less), “savvy end users could potentially access the password” while in transit by capturing it “using advanced techniques.”
- Privileged Access Management (PAM) solutions
PAM solutions provide rigorous monitoring of shared accounts and present the highest level of identity security. But that means they are expensive, ranging between $80 – $300 per machine, and are usually rolled out only to privileged users with access to critical systems. While PAM solutions solve the problem of shared accounts, they come at a huge cost in money and IT resources.
The Third Option – Secret Double Octopus
The authentication solutions of Secret Double Octopus are tailored to the needs of the modern day business environment.
The challenge of securing shared accounts has been a constant complaint from industry clients for years. The traditional ways of protecting their digital identities, such as multi-factor authentication (MFA) tools, were unsuitable for shared accounts.
That’s why Octopus developed an innovative approach, giving admins the option to turn shared accounts into services, allowing full access control over shared resources and opening the door for secure multi-user access to a single account.
Binding the user to a shared account service allows:
- Monitoring: When a user requests access to a shared account, a challenge is created in the form of a push notification, requiring the user to pass the challenge using the biometric capabilities of his/her mobile device. This gives managers full visibility over which users have logged into the shared account and when.
- Multi-Factor Authentication (MFA): Binding a user to a shared account allows additional layers of authentication. Our password-free MFA will prevent man-in-the-middle or any other credential-stealing attack.
- Centralized approach: Secret Double Octopus’s admin panel gives administrators a “one stop shop” to manage access to shared accounts, allowing users to be added and removed as needed. Shared accounts can be added at a group level, making enrollment a seamless and easy process.
- Employee turnover: When employees leave, their access to the shared account is completely revoked. Removing a user means removing access from all resources, not just the ones personally associated with the user.
- Re-Sharing is prevented: Moving beyond single factor authentication that relies on passwords means credentials cannot be shared. This frees IT from worrying about who might access shared accounts and when, as only they hold the power to grant shared access.
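The list above describes a pattern that can be modelled in a few dozen lines: individual users are bound to a shared-account "service", each access request must pass the individual's own second factor, every decision is recorded against the individual (the attribution the Activity Tracking section says a raw shared login cannot give), and offboarding removes the user from every service at once (the Employee Turnover case). The following is an added example written for this post; it is not Secret Double Octopus code. The second-factor step is a caller-supplied callback standing in for a push/biometric challenge, and the service model is a deliberate simplification.

```python
"""Shared-account access broker: bind individual users to a shared-account
"service", require a per-user second factor on every request, log each grant
under the individual's identity, and revoke all bindings at offboarding.

Added example written for this post. It is not Secret Double Octopus code;
the second-factor step is a caller-supplied callback standing in for a
push/biometric challenge, and the service model is a simplification.
"""
from collections import defaultdict
from datetime import datetime


class AccessBroker:
    def __init__(self, verify_second_factor):
        # verify_second_factor(user) -> bool: stand-in for an out-of-band challenge
        self._verify = verify_second_factor
        self._members = defaultdict(set)   # service name -> bound users
        self.audit = []                    # (timestamp, user, service, outcome)

    def add_service(self, service):
        self._members.setdefault(service, set())

    def bind(self, user, service):
        """Bind an individual to a shared-account service; the user never sees the secret."""
        if service not in self._members:
            raise KeyError("unknown service %r" % service)
        self._members[service].add(user)

    def members(self, service):
        return sorted(self._members.get(service, ()))

    def request_access(self, user, service, now):
        """Grant access only to bound users who pass their own second factor.
        Every decision is recorded against the individual, not the shared account."""
        if user not in self._members.get(service, ()):
            outcome = "denied:not-bound"
        elif not self._verify(user):
            outcome = "denied:second-factor"
        else:
            outcome = "granted"
        self.audit.append((now, user, service, outcome))
        return outcome == "granted"

    def who_accessed(self, service, start, end):
        """Individuals granted access to `service` in [start, end]: the
        attribution a plain shared login cannot provide."""
        return sorted({user for when, user, svc, outcome in self.audit
                       if svc == service and outcome == "granted" and start <= when <= end})

    def offboard(self, user, now):
        """Remove the user from every service at once and return the services
        affected, so the admin knows which shared accounts the departure touched."""
        affected = []
        for service, users in self._members.items():
            if user in users:
                users.discard(user)
                affected.append(service)
        self.audit.append((now, user, "*", "offboarded"))
        return sorted(affected)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def demo():
    # Constructed scenario: 'mallory' fails the second factor, everyone else passes.
    broker = AccessBroker(lambda user: user != "mallory")
    for svc in ("shared-billing", "shared-social"):
        broker.add_service(svc)
    broker.bind("alice", "shared-billing")
    broker.bind("bob", "shared-billing")
    broker.bind("bob", "shared-social")
    broker.bind("mallory", "shared-billing")
    results = {
        "alice": broker.request_access("alice", "shared-billing", ts("2024-03-04T09:00:00Z")),
        "carol": broker.request_access("carol", "shared-billing", ts("2024-03-04T09:05:00Z")),
        "mallory": broker.request_access("mallory", "shared-billing", ts("2024-03-04T09:10:00Z")),
    }
    accessed = broker.who_accessed("shared-billing",
                                   ts("2024-03-04T08:00:00Z"), ts("2024-03-04T10:00:00Z"))
    revoked = broker.offboard("bob", ts("2024-03-04T17:00:00Z"))
    bob_after = broker.request_access("bob", "shared-social", ts("2024-03-05T09:00:00Z"))
    return results, accessed, revoked, bob_after


if __name__ == "__main__":
    print(demo())
```

Because the secret itself is never handed to a user, a departing employee has nothing to re-share; removing the binding is the whole offboarding step, and the audit trail names the individual behind every grant rather than the shared account.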
Shoring Up the Network, Reaping the Benefits
Securing shared accounts allows companies to take advantage of all the logistical benefits of mutually used credentials. With the high-assurance, seamless solutions of Secret Double Octopus, organizations will not have to compromise on security to maximize workflow and efficiency.