Understanding MAS Regulations and the Imperative of Service Account Protection


In the dynamic landscape of financial services, regulatory frameworks play a pivotal role in ensuring stability, security, and fair practices. Singapore, with its reputation as a global financial hub, is no exception. The Monetary Authority of Singapore (MAS) stands at the forefront of regulatory efforts, setting guidelines to safeguard the integrity of the financial system. One crucial aspect that businesses must consider in order to comply with MAS regulations is service account protection.

MAS Technology Risk Management Guidelines

The Monetary Authority of Singapore (MAS) is Singapore’s central bank and financial regulatory authority. MAS plays a crucial role in ensuring the stability, integrity, and development of the Singapore financial sector. The regulatory framework established by MAS covers a wide range of financial activities, including banking, insurance, securities, and the broader financial markets.

The Technology Risk Management (TRM) Guidelines are a significant part of MAS regulations. These guidelines are designed to address the challenges and risks associated with the increasing reliance on technology in the financial industry. The TRM Guidelines provide a framework for financial institutions to manage technology risks effectively and ensure technology infrastructure resilience and security.

MAS Guidelines: The Identity Protection Aspect

As today’s threat landscape continues to evolve, we’re seeing an increasing trend in identity-based attacks that use compromised credentials to gain malicious access to resources. These attacks occur both as standalone malicious acts, such as account takeovers, and as critical components of larger-scale operations, such as lateral movement and ransomware propagation. In both cases, identity-based attacks pose a critical business risk.

Acknowledging the different risks and challenges for financial institutions, the MAS guidelines include a dedicated access control section that explicitly deals with user access management, privileged access management, managing and protecting service accounts, and remote access management. It also makes multiple identity-related references in the context of cyber resilience, incident response, and auditing. Complying with these identity-related principles and practices would materially increase the financial institution’s overall resilience to cyberattacks.

MAS Highlights the Need for Service Account Protection

One critical aspect of MAS regulations is the focus on privileged access management, which includes the protection of service accounts.

Service accounts are special user accounts created for applications, services, or automated processes to interact with various systems and resources. These accounts often have elevated privileges to perform specific tasks without the need for human intervention. Examples include database access, system updates, and integration with external platforms. Despite their significance, service accounts can become potential security risks if not adequately protected.

MAS Guidelines Section 9 (Access Control), paragraph 9.2.2, states: “System and service accounts are used by operating systems, applications, and databases to interact or access other systems’ resources. The FI should establish a process to manage and monitor the use of system and service accounts for suspicious or unauthorised activities.”

While MAS regulations acknowledge the importance of service accounts, there is growing recognition that more attention needs to be given to their protection due to the vital role they play in the overall security framework.

Service Account Protection Is Essential — Not a Nice to Have

Service accounts are non-human, machine-to-machine (M2M) accounts used by applications, systems, and services to perform automated tasks in a network, often with privileged access. Because of the critical role these accounts play within an enterprise environment, service account protection is vital to every cybersecurity strategy.

If not properly managed, service accounts can pose significant risks. An attacker who compromises a service account can take control of it and use its access privileges to move undetected throughout an environment. Service accounts are also frequently assigned admin-equivalent privileges, sometimes inadvertently, which becomes a security issue when administrators are not fully aware of the exact behavior and activity of those accounts.

Further, organizations often lack full visibility into service accounts and how they are used, making it difficult to detect unauthorized access or malicious activity. Additionally, service accounts often cannot be subjected to routine password rotation; for example, when their credentials are embedded in scripts, rotating the password could break critical processes.

Therefore, service account protection is essential to prevent unauthorized access, detect malicious activity, manage high access privileges, and ensure the secure and efficient operation of automated tasks within a network.

Silverfort’s Service Account Protection Capabilities

Silverfort automates the discovery, access control, and protection of all service accounts in the environment, providing organizations with granular visibility into every non-human identity and machine-to-machine authentication, as well as its sources, destinations, authentication protocols, and activity volume. Silverfort monitors the behavior of every service account and, upon detection of a risky deviation, can trigger an immediate response by either alerting or blocking access in real time.

With Silverfort’s service account protection capabilities, service account management is automated and simplified while dramatically reducing the risk of security breaches caused by mismanaged service accounts. This is how Silverfort automates the entire service account life cycle:

Automated Discovery

Automatically discover all service accounts within the environment and map their sources, destinations, privilege levels, and common usage patterns.

Activity Monitoring

Continuously monitor service account activity in real time. This includes tracking the usage patterns, access requests, and behavior of each service account. Any deviation from the service account’s standard behavior is immediately identified.

Real-Time Protection

Set access policies that alert or block access for single or multiple accounts whenever they deviate from their standard behavior. This prevents adversaries from using service accounts for malicious access, even if they have compromised them.
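The monitoring and protection steps above amount to learning a per-account baseline and acting on deviations from it. The following is an added illustration of that logic, not Silverfort’s code or the MAS text: the event fields (account, source, destination, protocol) and the sample authentications are constructed for the example, and the alert/block outcome corresponds to the policy choice described above.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AuthEvent:
    """One authentication by a service account (constructed fields, not a real log schema)."""
    account: str      # service account name
    source: str       # host the authentication originated from
    destination: str  # resource being accessed
    protocol: str     # e.g. "Kerberos", "NTLM", "LDAP"

@dataclass
class Baseline:
    """Observed (source, destination, protocol) tuples per account, learned from history."""
    known: dict = field(default_factory=lambda: defaultdict(set))

    def learn(self, events):
        for e in events:
            self.known[e.account].add((e.source, e.destination, e.protocol))

    def evaluate(self, event, block=False):
        """Return ('allow'|'alert'|'block', reasons) for a new event under the chosen policy."""
        seen = self.known.get(event.account)
        action = "block" if block else "alert"
        if not seen:
            return action, ["account never seen during learning period"]
        reasons = []
        if event.source not in {s for s, _, _ in seen}:
            reasons.append(f"new source {event.source}")
        if event.destination not in {d for _, d, _ in seen}:
            reasons.append(f"new destination {event.destination}")
        if event.protocol not in {p for _, _, p in seen}:
            reasons.append(f"new protocol {event.protocol}")
        return ("allow", []) if not reasons else (action, reasons)

# Constructed learning-period events: svc_backup always authenticates from
# backup01 to the file servers over Kerberos; svc_sql from app01 to sql01.
HISTORY = [
    AuthEvent("svc_backup", "backup01", "fs01", "Kerberos"),
    AuthEvent("svc_backup", "backup01", "fs02", "Kerberos"),
    AuthEvent("svc_sql", "app01", "sql01", "Kerberos"),
]

def build_baseline(events=HISTORY):
    """Learn a baseline from the (constructed) history and return it."""
    b = Baseline()
    b.learn(events)
    return b
```

Evaluating `AuthEvent("svc_backup", "ws-117", "dc01", "NTLM")` against this baseline deviates on source, destination and protocol at once, which is the kind of event a block policy would deny in real time while an alert policy would only report it.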

Want to learn more about how Silverfort can assist you in complying with MAS service account requirements? Schedule a call with one of our experts or fill out this form for a pricing quote.
