Service accounts are only used when necessary for system authentication (no association with natural persons) or system-to-system authentication. The purpose of a service account is always documented. Each unique application-to-service link should have a unique service account.
Service accounts are never used to perform actions as natural persons.
Service accounts are configured according to least privilege and, where used, have stronger password complexity requirements than regular accounts. Where possible, passwordless authentication is used for service accounts.
Regular user accounts can only be used to automate tasks for the individual user and not for generic processes.
Changes to service accounts are performed according to the 4-eyes principle. Service accounts are registered in the CMDB and have an owner.
Abuse cases of service accounts are identified. There is active security monitoring of service accounts with elevated privileges.
Specification
Password domain policies are configured for the various roles of service accounts. Every supported platform has a device management tool to check and enforce the policies automatically.
Password complexity for service accounts:
- Minimum of 32 characters
- Stored in a password vault with encryption and MFA
- When individuals who had access to service accounts change their employment with the organisation, the service account passwords they had access to must be rotated
System-to-system sessions must be reinitiated periodically; the recommended interval is 24 hours.
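The following is an added example, not part of the baseline text itself: a small conformance check that applies the specification above (owner and documented purpose in the CMDB, one application-to-service link, 32-character minimum, vault storage, rotation when a holder has changed employment, 24-hour session re-initiation) together with the monitoring requirement that service accounts are never used as natural persons. The record layout (CMDB export, vault metadata, logon events) and all account names are assumptions constructed for illustration; field names should be mapped to your own CMDB and SIEM.

```python
"""Added example: service-account baseline conformance check.

Not part of the original baseline. Record layouts, account names and
events below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_PASSWORD_LENGTH = 32                 # minimum from the specification
MAX_SESSION_AGE = timedelta(hours=24)    # recommended re-initiation interval


@dataclass
class ServiceAccount:
    """One CMDB record. The vault reports password length, never the secret."""
    name: str
    owner: Optional[str]
    purpose: Optional[str]
    linked_application: Optional[str]    # the single application-to-service link
    password_length: int
    in_vault: bool
    holders: list[str] = field(default_factory=list)   # people who have seen the secret
    passwordless: bool = False


@dataclass
class LogonEvent:
    """One authentication event as exported from a SIEM (assumed layout)."""
    account: str
    interactive: bool          # console/RDP-style logon, i.e. a person at a keyboard
    source_application: str    # what initiated the logon
    started: datetime


def check_account(acct: ServiceAccount, departed: set[str],
                  events: list[LogonEvent], now: datetime) -> list[str]:
    """Return baseline findings for one account; an empty list means conformant."""
    findings: list[str] = []
    # Registration requirements: owner, purpose, unique application link.
    if not acct.owner:
        findings.append("no registered owner")
    if not acct.purpose:
        findings.append("purpose not documented")
    if not acct.linked_application:
        findings.append("no application-to-service link recorded")
    # Password requirements only apply when the account still has a password.
    if not acct.passwordless:
        if acct.password_length < MIN_PASSWORD_LENGTH:
            findings.append(f"password length {acct.password_length} < {MIN_PASSWORD_LENGTH}")
        if not acct.in_vault:
            findings.append("password not stored in the vault")
        left = sorted(set(acct.holders) & departed)
        if left:
            findings.append("rotation required, holder(s) changed employment: " + ", ".join(left))
    # Usage requirements, derived from logon events.
    for ev in events:
        if ev.account != acct.name:
            continue
        if ev.interactive:
            findings.append(f"interactive logon from {ev.source_application}")
        if acct.linked_application and ev.source_application != acct.linked_application:
            findings.append(f"used by {ev.source_application}, not the linked application "
                            f"{acct.linked_application}")
        if now - ev.started > MAX_SESSION_AGE:
            findings.append(f"session started {ev.started.isoformat()} exceeds 24h")
    return findings


def audit(accounts: list[ServiceAccount], departed: set[str],
          events: list[LogonEvent], now: datetime) -> dict[str, list[str]]:
    """Run check_account over an inventory and key the findings by account name."""
    return {a.name: check_account(a, departed, events, now) for a in accounts}


# Constructed sample data (not real accounts or events).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
DEPARTED = {"j.doe"}   # HR feed of people whose employment changed
ACCOUNTS = [
    ServiceAccount("svc-backup", "storage-team", "nightly backup of file servers",
                   "backup-agent", 48, True, ["a.smith"]),
    ServiceAccount("svc-report", None, None, "bi-scheduler", 20, False,
                   ["a.smith", "j.doe"]),
    ServiceAccount("svc-etl", "data-team", "ETL pipeline", "airflow", 40, True,
                   [], passwordless=True),
]
EVENTS = [
    LogonEvent("svc-backup", False, "backup-agent", NOW - timedelta(hours=3)),
    LogonEvent("svc-etl", True, "rdp-session", NOW - timedelta(minutes=10)),
    LogonEvent("svc-etl", False, "airflow", NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    for name, found in audit(ACCOUNTS, DEPARTED, EVENTS, NOW).items():
        print(name, "OK" if not found else "; ".join(found))
```

In the constructed data, svc-backup is conformant, svc-report fails on registration, password and rotation grounds, and svc-etl is flagged for an interactive logon by a person and for a system session older than 24 hours. A real deployment would read the inventory from the CMDB and the events from the SIEM, and route the findings to the account owner registered there.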
ISO 27001 & 27002:2022: A5.3, A5.8, A5.15, A5.16, A5.17, A5.18, A8.3
SURF information security assessment framework (SURF toetsingskader informatiebeveiliging, NBA maturity model): SM.02 Authentication mechanisms