Episode 85 — Spotlight: Account Management (AC-2)

Welcome to Episode 85, Spotlight — Account Management, also known as Control AC-2. Account governance sits at the heart of access control because every permission granted in a system ties back to an account. When accounts are unmanaged, even the strongest technical defenses fail. Proper account management ensures that only the right people have the right access at the right time—and that this access disappears the moment it is no longer justified. This control may sound procedural, but it protects against one of the most common sources of breach: leftover or misused credentials. Disciplined account governance transforms identity management from routine administration into a sustained line of defense.

Building on that principle, defining account types and scope clarifies what needs to be managed. Accounts can include human users, service identities, application accounts, or external collaborators. Each has different risk profiles and lifecycle patterns. For instance, a contractor’s account may exist for weeks, while a database service account may persist for years. Documenting these distinctions avoids confusion during audits and provisioning. Scope must also include cloud platforms, network devices, and local systems—anywhere authentication occurs. Without a clear definition, unmanaged accounts can multiply unnoticed. Once the organization agrees on what “an account” means, consistent governance becomes achievable and measurable.

Periodic recertification and attestation form the feedback loop that keeps privileges aligned with reality. Managers or system owners review account lists at regular intervals—quarterly or semiannually—to confirm that access remains appropriate. Any discrepancies trigger remediation actions. For instance, a manager might discover that a departed contractor’s account remains active in a forgotten application. Certification reports provide auditors with proof that oversight is continuous, not episodic. Attestation also sharpens awareness among leaders, reminding them that access is a living responsibility. Regular reviews turn governance from a static policy into a recurring act of stewardship.

Shared accounts—where multiple users share credentials—should be prohibited whenever possible, and tightly controlled when unavoidable. Shared access eliminates accountability, as activities cannot be tied to specific individuals. In rare cases where shared credentials are required, such as legacy systems, compensating controls like logging, frequent password changes, and activity monitoring must apply. For example, a maintenance account on an old system might be checked out through a password vault that records who used it and when. Transparency converts shared access from an unmanaged risk into a monitored exception. The guiding rule remains: one person, one identity, one audit trail.

Break-glass accounts—emergency credentials used to restore access when systems fail—require exceptional control and review. These accounts bypass normal restrictions and therefore represent concentrated power. They should remain disabled until an emergency occurs, with activation logged, monitored, and promptly revoked afterward. A post-incident review must confirm that use was justified and that credentials were changed immediately after. For example, activating a break-glass account during a directory outage should trigger alerts to security and audit teams. Treated casually, these accounts become vulnerabilities; treated formally, they preserve continuity without compromising trust.
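The break-glass review described above can be expressed as detection logic run over the directory's audit trail. The script below is an added example written for this episode, not code from the episode or from any product: it assumes a constructed JSON-lines log with the fields ts, event, account and actor (real directory or IdP logs use their own schema, so the parser is the part to adapt), a constructed list of registered break-glass accounts, and a constructed sample log. It flags every activation for notification, a login while no activation is on record, re-enabling an account whose password was never changed after the last use, and an account still enabled beyond the allowed window.

```python
"""Review break-glass account use from an audit log (added example, not from the episode).

Assumes a constructed JSON-lines audit format with fields ts, event, account and actor;
real directory or IdP logs differ, so parse_log() is the part to adapt.
"""
import json
from datetime import datetime, timedelta

# Constructed: the emergency accounts the organization has registered as break-glass.
BREAK_GLASS_ACCOUNTS = {"bg-admin-01", "bg-admin-02"}

# Constructed sample audit trail. bg-admin-01 shows a clean cycle (enable, use, disable,
# rotate) followed by a login while it should be disabled; bg-admin-02 is re-enabled with
# no password change after its previous use and is still enabled at review time.
SAMPLE_LOG = """\
{"ts": "2024-03-02T03:14:00Z", "event": "account_enabled",  "account": "bg-admin-01", "actor": "oncall-jane"}
{"ts": "2024-03-02T03:15:10Z", "event": "login_success",    "account": "bg-admin-01", "actor": "bg-admin-01"}
{"ts": "2024-03-02T05:40:00Z", "event": "account_disabled", "account": "bg-admin-01", "actor": "oncall-jane"}
{"ts": "2024-03-02T05:41:00Z", "event": "password_changed", "account": "bg-admin-01", "actor": "oncall-jane"}
{"ts": "2024-03-04T07:00:00Z", "event": "login_success",    "account": "bg-admin-01", "actor": "bg-admin-01"}
{"ts": "2024-03-01T22:00:00Z", "event": "account_enabled",  "account": "bg-admin-02", "actor": "bob"}
{"ts": "2024-03-01T23:00:00Z", "event": "account_disabled", "account": "bg-admin-02", "actor": "bob"}
{"ts": "2024-03-03T09:00:00Z", "event": "account_enabled",  "account": "bg-admin-02", "actor": "bob"}
{"ts": "2024-03-04T08:00:00Z", "event": "login_success",    "account": "alice",       "actor": "alice"}
"""

# Constructed review time for the sample data.
REVIEW_TIME = datetime(2024, 3, 4, 10, 0)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def review_break_glass(log_text, now, max_active=timedelta(hours=4)):
    """Return {account: [(code, detail), ...]} for each break-glass account seen.

    Codes: activated, login_without_activation, reused_without_rotation,
    still_active, credential_not_rotated.
    """
    findings = {}
    state = {}  # account -> {"enabled_at": datetime|None, "pending_rotation": bool}
    for rec in parse_log(log_text):
        acct = rec["account"]
        if acct not in BREAK_GLASS_ACCOUNTS:
            continue  # ordinary accounts are outside this review
        st = state.setdefault(acct, {"enabled_at": None, "pending_rotation": False})
        out = findings.setdefault(acct, [])
        when, ev, actor = rec["ts"].isoformat(), rec["event"], rec["actor"]
        if ev == "account_enabled":
            if st["pending_rotation"]:
                out.append(("reused_without_rotation",
                            f"re-enabled by {actor} at {when} with unchanged credentials"))
            # Every activation is reportable: notify security and audit teams.
            out.append(("activated", f"enabled by {actor} at {when}"))
            st["enabled_at"] = rec["ts"]
        elif ev == "login_success" and st["enabled_at"] is None:
            out.append(("login_without_activation",
                        f"login at {when} while no activation is on record"))
        elif ev == "account_disabled":
            st["enabled_at"] = None
            st["pending_rotation"] = True  # password must change before next use
        elif ev == "password_changed":
            st["pending_rotation"] = False
    # Closing checks at review time: open activations and unrotated credentials.
    for acct, st in state.items():
        if st["enabled_at"] is not None and now - st["enabled_at"] > max_active:
            findings[acct].append(("still_active",
                                   f"enabled since {st['enabled_at'].isoformat()}"))
        elif st["pending_rotation"]:
            findings[acct].append(("credential_not_rotated",
                                   "disabled but password never changed afterwards"))
    return findings


def demo_findings():
    """Run the review over the constructed sample log at the constructed review time."""
    return review_break_glass(SAMPLE_LOG, REVIEW_TIME)


if __name__ == "__main__":
    for account, items in demo_findings().items():
        for code, detail in items:
            print(f"{account}: {code}: {detail}")
```

The closing checks matter as much as the per-event ones: an activation that is never followed by a disable, or a disable that is never followed by a password change, only shows up when the state is examined at review time rather than line by line.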

Timely deprovisioning remains the final, crucial test of account discipline. The goal is immediate revocation once employment or engagement ends. Systems should synchronize with human resources to trigger automatic disablement and removal. Reports showing average deprovisioning times help measure control effectiveness. For example, reducing the gap between departure and account closure from twenty-four hours to one hour sharply limits exposure. Evidence of this timeliness—tickets, logs, and confirmation emails—serves as audit proof. Delayed deprovisioning is not merely inefficiency; it is risk quantified in minutes and hours. Precision here defines program maturity.
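The recertification review and the deprovisioning-time report described in the two passages above rest on the same reconciliation: an HR roster joined against the account inventory. The script below is an added example, not code from the episode or from any identity product. It assumes a constructed HR export (person_id, status, end_date) and a constructed account export (account, owner_id, type, enabled, disabled_at, last_login), with column names that are assumptions to be mapped from the real feeds. It lists active accounts whose owner has departed (the forgotten-application case), accounts with no recognised owner, dormant enabled accounts, and the hours between each departure and the matching account disablement, with the mean as the control-effectiveness figure.

```python
"""Account recertification and deprovisioning-lag report (added example, not from the episode).

Reconciles a constructed HR roster against a constructed account inventory; the column
names are assumptions and would be mapped from the real HR feed and directory export.
"""
import csv
import io
from datetime import datetime, timedelta
from statistics import mean

# Constructed HR export: who is still engaged and when departures took effect.
HR_ROSTER = """\
person_id,name,status,end_date
p001,Alice Example,active,
p002,Bob Contractor,terminated,2024-03-01T17:00:00Z
p003,Carol Departed,terminated,2024-02-15T12:00:00Z
"""

# Constructed account export: bob.c-legacyapp is the departed contractor's account that
# survived in a forgotten application; svc-db-backup has no recorded owner.
ACCOUNT_INVENTORY = """\
account,owner_id,type,enabled,disabled_at,last_login
alice,p001,user,true,,2024-03-10T09:00:00Z
bob.c,p002,user,false,2024-03-01T18:00:00Z,2024-02-28T10:00:00Z
bob.c-legacyapp,p002,user,true,,2024-01-05T10:00:00Z
carol,p003,user,false,2024-02-17T12:00:00Z,2024-02-14T08:00:00Z
svc-db-backup,,service,true,,2024-03-11T02:00:00Z
svc-old-report,p001,service,true,,2023-10-01T04:00:00Z
"""

# Constructed date of the review.
REVIEW_TIME = datetime(2024, 3, 12)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp, or return None for an empty cell."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def recertify(roster_text, inventory_text, now, dormant_after=timedelta(days=90)):
    """Reconcile accounts against the roster and return the review findings."""
    people = {r["person_id"]: r for r in _rows(roster_text)}
    report = {"orphaned_active": [], "unowned": [], "dormant": [], "lag_hours": {}}
    for acct in _rows(inventory_text):
        name = acct["account"]
        enabled = acct["enabled"].lower() == "true"
        owner = people.get(acct["owner_id"])
        if owner is None:
            # No owner, or an owner id the roster does not know: nobody can attest to it.
            report["unowned"].append(name)
        elif owner["status"] == "terminated":
            end = _ts(owner["end_date"])
            disabled_at = _ts(acct["disabled_at"])
            if enabled or disabled_at is None:
                report["orphaned_active"].append(name)  # still live after departure
            else:
                # Deprovisioning lag: departure to account closure, in hours.
                report["lag_hours"][name] = (disabled_at - end).total_seconds() / 3600
        last_login = _ts(acct["last_login"])
        if enabled and (last_login is None or now - last_login > dormant_after):
            report["dormant"].append(name)
    lags = list(report["lag_hours"].values())
    report["mean_lag_hours"] = mean(lags) if lags else None
    return report


def demo_report():
    """Run the review over the constructed exports at the constructed review time."""
    return recertify(HR_ROSTER, ACCOUNT_INVENTORY, REVIEW_TIME)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

The orphaned and unowned lists are what a manager signs off on during attestation; the lag figures are the evidence of timeliness the audit asks for, and an account that appears in the orphaned list is exposure that is still accruing rather than a lag that can be averaged.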

Common pitfalls include incomplete inventories, inconsistent approvals, and failure to review dormant or service accounts. Quick fixes often involve automation and cross-department communication. For instance, integrating identity management with HR systems closes gaps between personnel changes and access updates. Another fix is enforcing multi-factor authentication on all privileged accounts, shrinking the risk window for stolen credentials. Training managers on recertification duties also prevents rubber-stamping reviews. These improvements require no major investment—just sustained attention. Pitfalls fade when governance is treated as culture, not compliance alone.
