Shared accounts can seem inevitable in the workplace. But while they can be handy, they also come with problems. Compliance regulations like PCI DSS say we should have our own accounts and not share them. But why? Let’s dig deeper to understand why shared accounts might be an issue.
What is a Shared Account?
A shared account refers to a single set of login credentials that multiple individuals, typically within an organization, use to access specific software or digital resources. At first glance, it might seem like a practical solution. Why juggle numerous passwords when one set can provide many users with the access they need?
However, with increased accessibility comes heightened risk. The more individuals with these credentials, the higher the likelihood of security incidents. Every additional user represents another potential point of risk. This could be due to inadvertent mistakes, like accidentally sharing the credentials or leaving them exposed, or more malicious intentions, such as intentional misuse of data. Additionally, when several users share the same account, pinpointing responsibility for any unauthorized or inappropriate actions becomes incredibly complex.
What Can Shared Accounts Cost?
Sharing login credentials might seem like an innocent or expedient solution to urgent business requirements or budget constraints. Why not let another employee quickly access a tool or data using shared credentials? However, as history has shown, these seemingly harmless decisions can lead to significant repercussions.
Here are some notable incidents that stemmed from shared accounts or mishandled credentials:
Twitter’s Bitcoin Scam
Perhaps one of the most publicized breaches, this event compromised several high-profile Twitter accounts, including those of Barack Obama, Joe Biden, Elon Musk, and Bill Gates. A theory suggests that the attackers might have taken advantage of shared internal tools and credentials. The outcome? Those notable accounts tweeted out a Bitcoin scam, tarnishing Twitter’s reputation in the process.
Code Spaces’ Irreparable Damage
Code Spaces, a SaaS providing source code repositories, experienced a devastating intrusion. Attackers accessed their Amazon Web Services (AWS) control panel, possibly exploiting shared or poorly managed credentials. The company couldn’t recover from the damages and was subsequently forced to close its doors.
Target Data Breach
Though not stemming from internal account sharing, the Target incident underscores the risks of sharing network credentials externally. Target’s system was infiltrated using credentials from a third-party vendor, effectively turning a trusted external connection into a significant vulnerability. This breach exposed the credit card details of 40 million customers and the personal data of an additional 70 million. It’s a stark reminder that even external credential sharing can carry the same risks as internal shared accounts.
Uber’s Credential Oversight
In a significant breach, Uber inadvertently exposed the data of approximately 50,000 drivers. Digging deeper, it was found that a crucial portion of Uber’s codebase, which held login credentials for their database, had been left available on GitHub. While this wasn’t a case of deliberately sharing an account, it underlines the broader challenges and pitfalls within credential management. Shared accounts form just one aspect of this larger concept.
The Uber incident reminds us that mishandling any aspect of it can lead to dire consequences.
When it comes to credential management, opting for a quick fix like account sharing might be tempting, but the consequences can be vast — affecting financials, tarnishing reputation, and eroding trust. The incidents highlighted above are a testament to the immense risks involved. It’s imperative to always value security over short-term convenience.
The Draw of Shared Accounts
Driven by our intrinsic preference for simplicity and the ever-present business goal of cost-efficiency, shared accounts present themselves as an enticing solution. Here’s why many find them appealing:
- Simplified Access: Merging into one access point enhances coordination and speed.
- Memory Ease: Reducing the multitude of passwords simplifies daily operations.
- Cost-Effective: Businesses can potentially reduce per-user expenses.
Together, these advantages position shared accounts as a tempting option in both our personal and professional landscapes.
Why Shared Accounts Aren’t Always the Best Route
While our inherent desire for ease and cost-cutting measures nudges us towards shared accounts, security best practices starkly highlight the lurking dangers. These account-sharing methods might seem efficient but often contradict essential security guidelines:
Compromised Accountability: In a shared account setup, pinpointing responsibility during a security incident becomes daunting. It’s harder to identify who might have acted negligently or maliciously when everyone has the same access.
Heightened Vulnerability
Security best practices consistently emphasize the principle of least privilege — only granting access to those who truly need it. Shared accounts inherently defy this principle, increasing the risk of breaches.
Loss of User-Specific Auditing
One of the cornerstones of security is the ability to audit user actions. With shared accounts, tracking individual user behavior is nearly impossible, making audit trails less effective.
Such drawbacks underline why many security frameworks and compliances often discourage the use of shared accounts. Balancing convenience with security demands a thorough understanding of these underlying risks.
Choosing the Right Path
The digital realm is a vast and intricate ecosystem where the drive for efficiency often competes with the imperative of security. Shared accounts, embodying this conflict, present both a tempting solution for businesses looking to streamline and a potential risk highlighted by security best practices.
In truth, while the convenience of shared accounts cannot be denied, the associated perils are significant. Compliances and security frameworks aren’t just bureaucratic red tape; they are distilled wisdom from years of observing and understanding cyber threats.
It’s always prudent to approach shared accounts with a hefty dose of caution. If they are deemed necessary for a business operation, they must be paired with robust security measures to mitigate the inherent risks. Remember, in the world of digital security, it’s not just about finding the easiest route but the safest one. Often, the safest path requires forethought, vigilance, and a commitment to best practices. Sharing is caring, but not when it compromises security.
Make IT More Efficient and Secure with JumpCloud
The right cloud directory helps you improve insider risk management with automation and ready-made compliance solutions. This approach increases IT efficiency and reduces wasted licenses, eliminates time-consuming manual work, and streamlines the identity lifecycle. Ultimately, IT team members will be freed up to focus on the deeper, more complex parts of their jobs to add more business value.
JumpCloud’s open directory platform empowers you to:
- Securely connect employees to their devices (systems, mobile, servers), IT applications (on-prem or the cloud), files (cloud hosted or on-prem) and networks via VPN or Wi-Fi
- Leverage best in class security using Zero Trust principles
- Limit management overhead and improve security and user manageability with a workflow-friendly platform that automates group memberships and provisioning.
- Connect your cloud servers (hosted at AWS, Google Cloud, Azure, or elsewhere) to your existing AD or LDAP user store
- Comprehensively manage Windows, Linux, macOS, iOS, and Android endpoints regardless of location
- Connect users to applications that leverage either LDAP or SAML-based authentication
- Manage user access to VPN and Wi-Fi networks securely through a cloud RADIUS service
- Implement multi-factor authentication (MFA) everywhere
All of these capabilities (and more) create a platform that connects users to virtually all of their IT resources regardless of provider, platform, protocol, or location, while also enabling admins to automate the onboarding and offboarding process and gain detailed visibility into all access transactions. You can try JumpCloud for free to determine if it’s right for your organization.
Our customers tell us that asset management is also important for security and IT operations. JumpCloud is enhancing its platform to unify SaaS, IT security, and asset management.