In a traditional access management solution, an authorized user may have enhanced privileges to perform certain tasks. This privilege is persistent for that user. We know this as “standing privilege.”
Zero Standing Privilege (ZSP) is a term coined by Gartner, an analyst firm. In essence, ZSP removes the persistence of privileged access entirely, and elevates privilege at the moment it is needed via just-in-time (JIT) mechanisms (more on that shortly).
“Effective PAM practice embraces the entire concept of least privilege, granting only the right privileges to only the right system and to only the right person for only the right reason at only the right time.” - Michael Kelley, Gartner - Remove Standing Privileges Through a Just-in-Time PAM Approach
With standing privilege, high-level users are granted the access they need to perform their work and fulfill their duties. Even though such privilege may be substantially monitored and restricted, the persistence of the elevated privileges increases the attack surface for bad actors.
29% of the total breaches in cyberattacks involved the use of stolen credentials, according to The Verizon Data Breach Investigations Report (DBIR).
ZSP helps reduce the risk of a data breach and hacked accounts/systems by ensuring no one has automatic trust, and that trust (and privilege) is only granted for the length of time needed to perform the task.
What is JIT?
Just-in-time (JIT) privilege allows your employees to gain temporary access to the tools and systems they need to perform their task without lengthy manual approval processes. These automated systems allow your employees to be productive while also maintaining the integrity and security of your systems. JIT allows you to only give elevated privilege to the specific tools and systems they need in order to complete their task, unlike blanket admin privileges in a standing privilege solution. This access is automatically revoked when the task is complete, ensuring that the lowest level of trust is granted most of the time.
Reaching ZSP starts with auditing current practices and admin access. This will guide the rest of the process in implementing ZSP, but a common approach might be:
- Move your admin team/s to a JIT approach to make sure your most vulnerable user accounts are the most secure.
- Ensure all secrets and credentials are managed appropriately, such as being stored in a secrets vault, and rotating credentials.
- Adopt the new practice and culture within your organization to ensure that all accounts are given the minimal amount of access, for the minimal amount of time, to maximize your security.
If you are interested in finding out more about ZSP, and ways in which you can implement it within your organization, reach out to us, and we’d be happy to help.