Protecting shared service accounts is always a hard task, especially when they have admin privileges.
Having strong passwords and rotating them occasionally isn't enough, especially when we talk about the cloud. You need that additional layer of security: the access-from-anywhere approach may be perfect for your users, but it also leaves a potential gateway for someone to abuse. Having MFA, wrapped inside a conditional access rule, could be the way to better secure these accounts.
The examples I will use will be based on Azure but the concept can still be applied to other vendors.
The easiest and potentially quickest option would be using a virtual SMS service.
With this you could configure MFA for these accounts to send an OTP to this virtual inbox.
This is just one of the services out there which will allow you to access a virtual SMS service. You could then access this when being prompted for the OTP code. If your SMS service was ever compromised, the attacker would only see expired codes. They would not know the credentials, and vice versa. You could also forward the SMS on to multiple numbers.
Conditional Access: Enable MFA, Excluding Trusted IPs (Left)
If you wanted to stay away from the MFA route, as it could lead to complications, you could always use conditional access to control access to these accounts. If these are service accounts, they will most likely be running services on your infrastructure and not being used directly by users. If you have a link between your on-premises network and the cloud, you can control the access point here. If you are cloud only, you can use the Public IP you are accessing the service from. What this does is stop any outsiders from brute forcing their way in with these credentials: if the authentication traffic isn't coming from the Trusted IP, it simply won't be accepted, even if they have the correct credentials. The next layer on top of this is to enable MFA but exclude those Trusted IPs. Because no MFA method is registered on the account, a sign-in from anywhere else can never complete the MFA challenge, so this method can never be brute forced. The only way around this would be to come from the Trusted IP and so bypass the MFA prompt.
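To make the decision logic above concrete, here is an added example (not from the original post) that models a policy in the shape of a Microsoft Graph conditionalAccessPolicy and evaluates constructed sign-in attempts against it. The policy field names, the trusted range 203.0.113.0/24 and the account svc-backup@example.com are assumptions for illustration.

```python
import ipaddress

# Constructed: a Trusted IP named location for the on-premises egress range.
TRUSTED_LOCATIONS = {"OnPremEgress": ["203.0.113.0/24"]}

# Policy modelled on the Graph conditionalAccessPolicy shape (assumed names):
# require MFA for the service account everywhere except trusted locations.
POLICY = {
    "displayName": "Service accounts: MFA except Trusted IPs",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["svc-backup@example.com"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def is_trusted(ip: str) -> bool:
    """True when the source IP falls inside any trusted named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for ranges in TRUSTED_LOCATIONS.values() for cidr in ranges)


def evaluate(policy, user, ip, password_ok, mfa_registered):
    """Return (decision, reason) for one sign-in attempt under the policy."""
    if not password_ok:
        return ("deny", "bad credentials")
    in_scope = (policy["state"] == "enabled"
                and user in policy["conditions"]["users"]["includeUsers"])
    if not in_scope:
        return ("allow", "policy not in scope")
    excl = policy["conditions"]["locations"]["excludeLocations"]
    if "AllTrusted" in excl and is_trusted(ip):
        return ("allow", "trusted location, MFA not required")
    if "mfa" in policy["grantControls"]["builtInControls"]:
        if mfa_registered:
            return ("mfa_required", "challenge sent to registered method")
        # Models the post's reasoning: with no method registered the
        # challenge can never be satisfied, so a correct password from
        # outside the Trusted IPs still gets nowhere.
        return ("deny", "MFA required but no method registered")
    return ("allow", "no grant control")


def run_samples():
    """Constructed attempts: on-prem service, external attacker, bad guess."""
    user = "svc-backup@example.com"
    return [evaluate(POLICY, user, "203.0.113.10", True, False)[0],
            evaluate(POLICY, user, "198.51.100.7", True, False)[0],
            evaluate(POLICY, user, "198.51.100.7", False, False)[0]]
```

Running the samples gives allow, deny, deny: only the on-premises source with the right password gets in, and a correct password from outside is rejected at the MFA step.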
Conditional Access: Enable MFA Always (Right)
SMS isn’t always the most secure method, so you might want something a little different. Having an OTP application installed on a dedicated server could give you a better option. Services like LastPass can offer a randomly generated code that can be linked to these accounts. This would then act as your OTP service, hidden behind your infrastructure security. If you dedicate a server for this purpose, you could also set the conditional access to come from the server's Public IP. This would keep access control firmly within your infrastructure. You would then add layers of security around who can access this server and the OTP account. Again, the two parts needed for access would be separate, so both parts would be required to be granted access to these accounts.
These are just some of the methods that you could potentially use to protect those shared credentials.