The present disclosure relates to security and, more specifically, to a method and system for managing identity changes to shared accounts.
In information technology (“IT”) systems, shared accounts are typically the most important accounts. Shared accounts may include privileged accounts such as administrator accounts, superuser accounts, and other accounts with rights and privileges that may be used for system administration. Shared accounts may be exclusive (i.e., only one user or a limited number of users can access the shared account at any given time) or non-exclusive (i.e., an unlimited or large number of users can access the shared account at the same time). Existing systems may grant users permission to access and use a shared account by providing them with the password for that shared account. To protect the shared account, this password may be changed periodically.
In certain existing systems, a server may manage and control access to shared accounts. A user may be required to log or sign into the server to view a list of shared accounts that the user has authorization to access. Upon viewing the list of shared accounts, the user may check out a particular shared account in the list by selecting that particular shared account. The server then may provide a password for the particular shared account to the user. The user then may use the provided password to access the particular shared account. Once the user is done using the particular shared account, the user may then check in the particular shared account on the server.
In more sophisticated cases, when a user checks out a particular shared account from the server, the server may issue a one-time password for that shared account. The user then may use this one-time password to access the particular shared account. After the user checks in the particular shared account, the one-time password is replaced with a randomly generated password that is not disclosed to the user. If that same user, or another user with authorization to access the account, later checks out the particular shared account, the server issues a new one-time password to that user. By issuing a new one-time password each time a shared account is checked out, the server may provide an added level of security to the shared account.
However, in existing systems, users may be able to access a shared account by first logging into another account (e.g., an individual account) and then using a command to switch to a shared account. Such commands may be referred to as “identity change instructions.” When a user uses an identity change instruction to switch to a shared account, the user may be able to bypass the security measures of the server that manages and controls access to that shared account. In fact, that server may not even be aware that a user is using the shared account. Accordingly, such situations pose security issues for enterprises that want to prevent or block unauthorized access to a shared account.
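As an added illustration of the gap described above (this is example code, not part of the disclosure), the following Python script correlates identity-change events from a constructed authentication log against the shared-account server's check-out records and reports switches to a shared account for which the server holds no matching check-out; the log line format, field names and record layout are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of authentication log lines recording identity changes
# (an "su"-style switch to a shared account). The line format is assumed.
AUTH_LOG = """\
2024-03-01T09:02:11 su: alice switched to root
2024-03-01T09:40:05 su: bob switched to oracle
2024-03-01T09:45:12 su: alice switched to root
2024-03-01T10:15:30 su: carol switched to root
"""

# Constructed check-out/check-in records from the shared-account server.
# "in" is None while the account is still checked out.
CHECKOUTS = [
    {"user": "alice", "account": "root",
     "out": "2024-03-01T09:00:00", "in": "2024-03-01T09:30:00"},
    {"user": "bob", "account": "oracle",
     "out": "2024-03-01T09:35:00", "in": None},
]

LINE_RE = re.compile(r"^(?P<ts>\S+) su: (?P<user>\w+) switched to (?P<account>\w+)$")

def covered(event, records):
    """True if a check-out record for the same user and account spans the event time."""
    for r in records:
        if r["user"] != event["user"] or r["account"] != event["account"]:
            continue
        start = datetime.fromisoformat(r["out"])
        end = datetime.fromisoformat(r["in"]) if r["in"] else datetime.max
        if start <= event["ts"] <= end:
            return True
    return False

def find_untracked_switches(log_text, records):
    """Return (timestamp, user, account) for switches the server has no check-out for."""
    untracked = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not identity-change events
        ev = {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "account": m["account"]}
        if not covered(ev, records):
            untracked.append((m["ts"], ev["user"], ev["account"]))
    return untracked

if __name__ == "__main__":
    for ts, user, acct in find_untracked_switches(AUTH_LOG, CHECKOUTS):
        print(f"{ts}: {user} switched to shared account {acct} without a check-out")
```

Alice's first switch falls inside her check-out window and Bob's account is still checked out, so only Alice's second switch (after check-in) and Carol's switch are reported.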