Why Every Leader Should Understand Zero Standing Privilege

by Jake Wengroff

Zero standing privilege (ZSP) is an applied zero-trust security strategy for privileged access management (PAM). The term “zero standing privilege” was developed by industry analyst firm Gartner, and in practice, ZSP posits that no users should be pre-assigned any administrative account privileges. Instead, with ZSP, users’ privileges are assigned at the moment of the attempt to authenticate — not beforehand and not by default.

Zero-trust security forbids authorization based on static, predefined trust boundaries. By granting privileges at the time of access, ZSP significantly reduces the risk of privilege abuse and compromise, even if it is unintentional on the part of employees and customers.

The History of Zero Standing Privilege

Though Gartner devised the term zero standing privilege, there have been other milestones along the way in the adoption of this security model. According to CXO REvolutionaries, some of these milestones include:

2001 – The IEEE Standards Association publishes the 802.1X protocol for network access control (NAC).

2004 – The Jericho Forum, a UK-based working group, is chartered, introducing the principle of de-perimeterization or removing the boundaries between a company and the outside world using encryption and other security protocols.

2009 – BeyondCorp, Google’s interpretation of the zero-trust model, is founded. It gives employees the freedom to work securely from anywhere without a VPN.

2017 – Continuous Adaptive Risk and Trust Assessment (CARTA) is designed as a risk management framework by Gartner.

2019 – Gartner introduces the concept of the secure access service edge (SASE).

2020 – The National Institute of Standards and Technology (NIST) publishes SP 800-207 as a unified framework for establishing zero-trust architecture (ZTA).

2021 – Gartner recognizes the security components of SASE as a new market category known as the secure service edge (SSE).

Importance of Zero Standing Privilege

The principle of least privilege states that users should be granted only the minimum permissions needed to perform their specific tasks. Even when the principle of least privilege is followed, attackers can find a way to escalate privileges, since some standing privilege has still been assigned.

Because of the delays involved in identifying a breach, attackers have quite a large window of opportunity to steal credentials, compromise privileged accounts and penetrate an organization. However, ZSP makes it much more difficult for attackers to exploit privilege escalation vulnerabilities since a core tenet of ZSP is that privileges should only be assigned during the time of access — and then revoked once the reason for access is addressed. As such, ZSP is a core feature of a modern PAM solution.

How To Apply the ZSP Model in Your Organization

As with the introduction of any new strategy or methodology, planning is key. Program stakeholders might reach beyond the IT department and may include HR, legal and even senior management. However, in the long run, the organization’s security will be vastly improved.

Below are four ways to apply ZSP across an enterprise:

  1. Implement a role-based access control (RBAC) model, where users are mapped with roles and privileges at a granular level.
  2. Remove standing privileges from all user accounts. This can be easily applied if authorization policies, such as RBAC, are implemented to manage user roles and privileges.
  3. Implement a just-in-time (JIT) access request workflow: A JIT access workflow enables users to initiate access and privilege elevation requests with the desired period for the privilege. Upon review, administrators can either grant or deny each request.
  4. Grant short-lived access to privileges, including short-lived or one-time credentials. These are key for a successful ZSP implementation, as a long-lived privilege assignment in a ZSP implementation poses risks similar to not using ZSP at all because it increases the time window to compromise or escalate privileges.
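As an added illustration (not code from the article or from The Migus Group), here is a minimal Python model of the four steps above: a role mapping that lists only what a user may request, no standing privileges, a JIT request/approval workflow with a bounded duration, and grants that expire. The role names, privilege names and the one-hour cap are assumed; times are Unix timestamps in seconds.

```python
from dataclasses import dataclass, field

# Constructed data: each role lists privileges its members may *request*,
# not privileges they hold by default (assumed names, not from the article).
ELIGIBLE = {
    "dba": {"db:alter-schema", "db:read-prod"},
    "sre": {"host:sudo"},
}
MAX_TTL = 3600  # assumed cap on a single elevation, in seconds


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: int  # Unix time, seconds


@dataclass
class JitBroker:
    roles: dict                                  # user -> set of role names (step 1)
    pending: dict = field(default_factory=dict)  # request id -> (user, privilege, ttl)
    grants: list = field(default_factory=list)   # active time-bounded grants (step 4)
    next_id: int = 0

    def request(self, user, privilege, ttl):
        """Step 3: a user asks for a privilege for a bounded period (seconds)."""
        eligible = set().union(*(ELIGIBLE.get(r, set()) for r in self.roles.get(user, ())))
        if privilege not in eligible or ttl <= 0 or ttl > MAX_TTL:
            return None  # outside the user's roles, or long-lived: refused
        self.next_id += 1
        self.pending[self.next_id] = (user, privilege, ttl)
        return self.next_id

    def approve(self, request_id, now):
        """An administrator grants a pending request; the grant carries its expiry."""
        user, privilege, ttl = self.pending.pop(request_id)
        self.grants.append(Grant(user, privilege, now + ttl))

    def deny(self, request_id):
        """An administrator rejects a pending request; nothing is granted."""
        self.pending.pop(request_id, None)

    def effective_privileges(self, user, now):
        """Step 2: nothing is standing; only approved, unexpired grants count."""
        return {g.privilege for g in self.grants if g.user == user and g.expires_at > now}

    def revoke_expired(self, now):
        """Drop expired grants so none lingers as a standing privilege; returns count."""
        keep = [g for g in self.grants if g.expires_at > now]
        removed = len(self.grants) - len(keep)
        self.grants = keep
        return removed
```

Note that `effective_privileges` already ignores expired grants, so an attacker who steals a grant after its expiry gains nothing; `revoke_expired` is housekeeping that keeps the active list honest for audit.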

Your Zero Standing Privilege Solution

The Migus Group can help you better understand zero-trust privilege and how its implementation fits into your identity and access management policies across your organization. Contact us today to learn more.

Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, he covers such topics as security, mobility, e-commerce and the Internet of Things.