Service Account Reuse
Reusing service accounts, where a single account is shared across multiple services, applications or even environments, poses significant security risks. The practice leads to permission sprawl: the shared account accumulates the union of every consumer's permissions, and those sometimes elevated privileges become reachable from every place any consumer stores the credential, widening the attack surface.
It also complicates auditing and troubleshooting, because a shared identity obscures which service actually performed a given action or caused a given issue. Detecting and mitigating service account reuse helps maintain a secure, auditable and well-managed environment.
This check evaluates an account's activity over the last 100 days. An account is only evaluated once it is at least 10 days old, and only if it has been active on at least 0 days within that window (the default of 0 means no minimum). These values can be configured in the check settings.
The check alerts when the account's risk score reaches the alert threshold, which defaults to 100. Scores are bucketed into three categories: Low (80-94), Medium (95-99) and High (100). Since 100 is the maximum score, an alert at the default threshold corresponds to the High bucket; lowering the threshold also surfaces Medium or Low accounts. The threshold can be configured in the check settings.
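The following is an added example, not the product's own check code, showing how the parameters above apply to a batch of Okta-style log events. The account names, IP addresses, ISPs and user agents are constructed, and the scoring heuristic (distinct networks and clients seen in the window) is a hypothetical stand-in, since the page does not specify how the real risk score is computed. The bucket boundaries and default settings are taken from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Check settings, matching the defaults listed on the page.
EVALUATION_PERIOD_DAYS = 100
MIN_ACCOUNT_AGE_DAYS = 10
MIN_HISTORICAL_ACTIVE_DAYS = 0
RISK_SCORE_ALERT_THRESHOLD = 100

# Fixed clock so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed account creation dates (hypothetical data).
ACCOUNTS = {
    "svc-ci-deploy": ts("2023-01-15T00:00:00"),
    "svc-reporting": ts("2023-08-01T00:00:00"),
    "svc-backup": ts("2022-09-01T00:00:00"),
    "svc-new-bot": NOW - timedelta(days=3),  # younger than MIN_ACCOUNT_AGE_DAYS
}

# Constructed events: (published, actor.alternateId, client.ipAddress,
# securityContext.isp, client.userAgent.rawUserAgent). The field names follow
# the Okta System Log; every value here is hypothetical.
EVENTS = [
    # svc-ci-deploy: three different network/client combinations in the window.
    ("2024-05-02T08:00:00", "svc-ci-deploy", "52.1.1.10", "Amazon.com", "python-requests/2.31.0"),
    ("2024-05-10T09:30:00", "svc-ci-deploy", "35.190.2.20", "Google LLC", "okta-sdk-java/10.0.0"),
    ("2024-05-20T21:15:00", "svc-ci-deploy", "73.5.6.7", "Comcast Cable", "Mozilla/5.0 (Macintosh) Chrome/124.0"),
    # svc-reporting: two combinations.
    ("2024-04-15T07:00:00", "svc-reporting", "52.1.1.10", "Amazon.com", "python-requests/2.31.0"),
    ("2024-05-15T07:00:00", "svc-reporting", "73.5.6.8", "Comcast Cable", "Mozilla/5.0 (Windows) Chrome/124.0"),
    # svc-backup: one consistent source in the window; the older event from a
    # different IP is more than 100 days ago and is ignored.
    ("2024-01-01T02:00:00", "svc-backup", "10.20.30.40", "ExampleCorp AS", "curl/8.4.0"),
    ("2024-04-01T02:00:00", "svc-backup", "198.51.100.9", "ExampleCorp AS", "curl/8.4.0"),
    ("2024-05-01T02:00:00", "svc-backup", "198.51.100.9", "ExampleCorp AS", "curl/8.4.0"),
    # svc-new-bot: suspicious activity, but the account is too young to evaluate.
    ("2024-05-31T12:00:00", "svc-new-bot", "52.1.1.11", "Amazon.com", "python-requests/2.31.0"),
    ("2024-05-31T13:00:00", "svc-new-bot", "73.5.6.9", "Comcast Cable", "Mozilla/5.0 (Macintosh) Chrome/124.0"),
]


def risk_score(ips, isps, user_agents):
    """Hypothetical heuristic: the more distinct networks and clients a single
    credential is used from, the more likely it is shared. Capped at 100."""
    return min(100, 10 * (len(ips) - 1) + 40 * (len(isps) - 1) + 35 * (len(user_agents) - 1))


def bucket(score):
    """Bucket boundaries as given on the page; below 80 is unbucketed."""
    if score >= 100:
        return "High"
    if score >= 95:
        return "Medium"
    if score >= 80:
        return "Low"
    return "none"


def evaluate(accounts, events, now=NOW,
             evaluation_period_days=EVALUATION_PERIOD_DAYS,
             min_account_age_days=MIN_ACCOUNT_AGE_DAYS,
             min_historical_active_days=MIN_HISTORICAL_ACTIVE_DAYS,
             threshold=RISK_SCORE_ALERT_THRESHOLD):
    """Apply the check's gating rules, then score and bucket each account."""
    window_start = now - timedelta(days=evaluation_period_days)
    per_account = defaultdict(list)
    for published, actor, ip, isp, ua in events:
        t = ts(published)
        if window_start <= t <= now:  # keep only events inside the evaluation period
            per_account[actor].append((t, ip, isp, ua))

    results = {}
    for account, created in accounts.items():
        age_days = (now - created).days
        if age_days < min_account_age_days:
            results[account] = {"skipped": f"account is {age_days} days old (< {min_account_age_days})"}
            continue
        evs = per_account.get(account, [])
        active_days = {t.date() for t, _, _, _ in evs}
        if len(active_days) < min_historical_active_days:
            results[account] = {"skipped": f"active on {len(active_days)} days (< {min_historical_active_days})"}
            continue
        ips = {ip for _, ip, _, _ in evs}
        isps = {isp for _, _, isp, _ in evs}
        uas = {ua for _, _, _, ua in evs}
        score = risk_score(ips, isps, uas)
        results[account] = {
            "score": score,
            "bucket": bucket(score),
            "alert": score >= threshold,
            "active_days": len(active_days),
            "sources": sorted({(ip, isp, ua) for _, ip, isp, ua in evs}),
        }
    return results


if __name__ == "__main__":
    for account, result in evaluate(ACCOUNTS, EVENTS).items():
        if result.get("alert"):
            print(f"ALERT {account}: score={result['score']} ({result['bucket']})")
            for ip, isp, ua in result["sources"]:
                print(f"    {ip:<14} {isp:<16} {ua}")
        else:
            print(f"ok    {account}: {result}")
```

Run as written, only svc-ci-deploy alerts: three distinct IP, ISP and user-agent combinations push the heuristic to 100. svc-reporting scores 85 (Low) and stays below the default threshold, svc-backup scores 0 because its single out-of-window event is discarded, and svc-new-bot is skipped as too young. Raising Minimum Historical Active Days to 3 additionally skips the accounts with only two active days, which shows why that setting defaults to 0.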
Recommended Actions
If you do not recognise or expect the IP address, ISP or user agent the account is being used from, contact the account owner to confirm that the activity is legitimate. If there is any doubt, treat the account as compromised and rotate every password, API key or other credential associated with it. Bear in mind that for a shared account, rotation means updating every consumer that holds the credential, which is itself a reason to split the account up.
Create a unique service account for each application or service that needs one, and grant each account only the least privilege it requires. Audit these accounts regularly to confirm they are still needed, and remove any that are unused or orphaned.
Default Settings
Evaluation Period (days): 100
Minimum Account Age for Evaluation (days): 10
Minimum Historical Active Days (days): 0
Risk Score Alert Threshold (percentage): 100
Compatibility
Okta