
"It's The Service Accounts, Stupid": Why Do PAM Deployments Take (almost) Forever To Complete
2023-04-03 11:20

While there are various reasons for the difficulties a PAM deployment introduces, the most prominent one concerns the protection of service accounts.

Service accounts are user accounts that are created for machine-to-machine communication.

Onboarding service accounts to a PAM solution is a close to impossible task, making them the biggest hurdle in the way of a successful PAM deployment.

In most environments you can't tell the full number of service accounts unless strict monitoring and documentation of the creation, assignment and deletion of service accounts has been practiced throughout the years - which is hardly the common practice.

The typical way service accounts connect to different machines to perform their task is with a script that contains the names of the machines to connect to, the actual commands to execute on those machines, and, most important, the service account's username and password that are used to authenticate to them.

The clash with PAM onboarding happens because, while the PAM rotates the password of the service account inside the vault, there is no way to automatically update the hardcoded password in the script to match the new one the PAM has generated.
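As an added illustration that is not part of the article, a small Python simulation of the clash just described: a stand-in vault rotates a service account's password and pushes it to the managed hosts, a legacy job with the password baked in stops authenticating after the rotation, and a vault-aware job that fetches the live credential at run time keeps working. The Host and Vault classes, the host names and the svc_backup account are constructed for this example.

```python
import hmac
import secrets

class Host:
    """A managed target: keeps the current password of each service account it accepts."""
    def __init__(self, name: str) -> None:
        self.name = name
        self._passwords: dict[str, str] = {}

    def set_password(self, account: str, password: str) -> None:
        self._passwords[account] = password

    def authenticate(self, account: str, password: str) -> bool:
        # Constant-time comparison against the password currently set on this host.
        return hmac.compare_digest(self._passwords.get(account, ""), password)

class Vault:
    """Stand-in for a PAM vault: owns the credential and pushes each rotation to the targets."""
    def __init__(self) -> None:
        self._records: dict[str, tuple[str, list[Host]]] = {}

    def onboard(self, account: str, password: str, targets: list[Host]) -> None:
        self._records[account] = (password, targets)
        for host in targets:
            host.set_password(account, password)

    def rotate(self, account: str) -> None:
        # Generate a fresh password, push it to every target, then record it in the vault.
        _, targets = self._records[account]
        new_password = secrets.token_urlsafe(24)
        for host in targets:
            host.set_password(account, new_password)
        self._records[account] = (new_password, targets)

    def fetch(self, account: str) -> str:
        return self._records[account][0]

def legacy_job(hosts: list[Host], account: str, hardcoded_password: str) -> dict[str, bool]:
    """The script pattern the article describes: the credential is baked into the script."""
    return {h.name: h.authenticate(account, hardcoded_password) for h in hosts}

def vault_aware_job(hosts: list[Host], vault: Vault, account: str) -> dict[str, bool]:
    """Mitigation: fetch the live credential from the vault at run time; nothing is stored in the script."""
    return {h.name: h.authenticate(account, vault.fetch(account)) for h in hosts}

def demo() -> tuple[dict[str, bool], dict[str, bool], dict[str, bool]]:
    vault = Vault()
    hosts = [Host("db01"), Host("app02")]        # constructed sample targets
    baked_in = "Winter2019!"                      # constructed password living in the script
    vault.onboard("svc_backup", baked_in, hosts)  # hypothetical service account name
    before = legacy_job(hosts, "svc_backup", baked_in)
    vault.rotate("svc_backup")                    # PAM rotates; the script still holds the old value
    return before, legacy_job(hosts, "svc_backup", baked_in), vault_aware_job(hosts, vault, "svc_backup")
```

demo() returns the per-host authentication results before the rotation, for the legacy job after it, and for the vault-aware job after it.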


News URL

https://thehackernews.com/2023/04/its-service-accounts-stupid-why-do-pam.html