Zero Standing Privileges (ZSP) is an identity security principle that advocates for the removal of all persistent privileges for users within an enterprise’s estate. Practically, Zero Standing Privileges is a progression from the concept of just-in-time access. This intelligent privilege control reduces risk by removing all of a user’s entitlements until temporary access is authorized and granted, so that no usable privilege exists in the meantime.
Why is Zero Standing Privileges important?
Adopting Zero Standing Privileges is crucial for an enterprise’s identity security program as workloads shift to more dynamic environments. In the cloud, security teams can no longer rely on traditional methods of securing these environments, such as network perimeters. In many cases, identity becomes the most effective place to implement controls. Removing standing privileges and then granting privileges in limited and considered amounts is one of the most effective ways to enhance these identity controls and massively reduce the risk of credential theft and lateral movement.
What are standing privileges?
Standing privileges are ongoing access rights provisioned for human and machine identities in hybrid and multi-cloud environments. The term ‘standing’ describes privileges – also known as permissions or entitlements – that allow access even when they’re not actively in use.
For example, accounts with standing privileges are often used for administration of long-lived systems like domain controllers. In public cloud and SaaS environments, most organizations federate privileges to identity and access management (IAM) roles and groups that can be assumed for daily operations by separate individual users in the workforce, as well as developer and IT teams. But regardless of where standing privileges exist, they come with significant cybersecurity risk.
What are the cybersecurity risks of standing privileges?
If compromised by credential theft and other identity-centric attacks, human and machine identities with standing privileges pose cybersecurity risks for their organizations. Beyond credential theft, attacks that rely on lateral movement and privilege escalation tactics also require standing privileges.
Even with thorough application of privilege controls and security best practices like the rule of least privilege, organizations should aim to reduce standing privileges to limit the blast radius of potential attacks. This is consistent with the ‘assume breach’ mindset of Zero Trust security programs.
What is just-in-time access?
Privileged access management (PAM) programs use a range of different mechanisms to elevate administrative access on a just-in-time basis.
- JIT Group Membership – a user is added to a user group with privileged access for a temporary period of time
- JIT Creation of Account – an account or role with administrative access is created upon request for a temporary period of time
- JIT Enabling of Administrative Accounts – a user receives the ability to use an existing administrative account or role for a temporary period of time
These approaches all reduce risk, but they still come with standing privileges attached to the roles and accounts. In each of the examples above, the roles and accounts exist in the organization’s directory or cloud identity and access management stores, meaning attackers can still gain unauthorized access outside the JIT workflow.
If attackers gain access to an identity provider, domain controller or any role with privileges to modify IAM permissions in the cloud, they can easily navigate through an organization to reach their intended objectives – often data exfiltration or business disruption.
What’s the difference between just-in-time access vs. Zero Standing Privileges?
A Zero Standing Privileges approach uses the same concept of requiring users to obtain access as and when needed, but goes a step further.
Just-in-time access models use a binary “on/off” view of end user access. Zero Standing Privileges extends past that binary state by truly removing accounts, roles and/or entitlements. In a true Zero Standing Privileges strategy, organizations dynamically create a net-new account or role, or dynamically create net-new entitlements for an existing role. After use, permissions should be removed and deleted so they cannot be re-used without proper authorization.
In this model, identities are left with zero entitlements. So even if an attacker gains access – for example, to a developer login to an AWS console – they have no entitlements to read, edit, download or access any resources and services within the organization’s cloud environment.
How does Zero Standing Privileges work from a user experience perspective?
From an end user perspective, Zero Standing Privileges is best achieved with federated identity, especially in cloud environments where federated access is the norm. A persistent identity will ensure accuracy in logging and session audit and improve live monitoring of actions, which is critical for satisfying compliance requirements.
The first action a user will take is to authenticate and request the temporary alignment of a role or series of entitlements. This role should be established using the principle of least privilege. Any request should be time-bound considering that longer time windows increase the exposure to risk.
This request, made up of the entitlements and the time needed, should then be processed. In a simple implementation of Zero Standing Privileges, this could be handled in a manual approval flow. Wherever possible, attempts should be made to automate this process.
Once an assigned approver grants approval, the system provisions the entitlements or role to the user’s federated identity.
The user then undertakes their planned work. As part of the connection process, the platform configures the relevant access for the defined period of time.
Upon completion of the work, the user either shuts the ZSP session off or allows the grant to expire. The ZSP system will enforce the removal of all the entitlements or roles requested.
The user is returned to the default state of zero permissions.
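The request, approve, provision, expire and remove flow described above, and the contrast with just-in-time group membership drawn earlier, as an added Python model that is not part of this article (the ZspStore class, the identity alice and the AWS-style action names are constructed for illustration): approval creates a net-new role holding only the requested entitlements, and expiry or shutdown deletes that role outright, so the store returns to holding nothing standing.

```python
from dataclasses import dataclass
@dataclass
class Grant:
    role: str                # net-new role that exists only for this session
    entitlements: frozenset  # minimal set needed for the task, nothing more
    expires_at: int          # logical clock tick; longer windows widen exposure

class ZspStore:
    """Identity store whose default state is zero entitlements per identity."""
    def __init__(self, max_ttl=3600):
        self.max_ttl = max_ttl
        self.roles = {}   # role -> entitlements; empty when no session is active
        self.grants = {}  # identity -> pending or active Grant

    def request(self, identity, entitlements, ttl, now):
        # Time-bound request: reject empty scopes and windows beyond policy.
        if not entitlements or not 0 < ttl <= self.max_ttl:
            raise ValueError("request must be non-empty and within max_ttl")
        self.grants[identity] = Grant(f"zsp-{identity}-{now}", frozenset(entitlements), now + ttl)

    def approve(self, identity):
        # Approval provisions a role carrying only the requested entitlements.
        g = self.grants[identity]
        self.roles[g.role] = g.entitlements

    def is_allowed(self, identity, action, now):
        g = self.grants.get(identity)
        if g is None:
            return False
        if now >= g.expires_at:          # enforce expiry: delete, don't just deny
            self.end_session(identity)
            return False
        return action in self.roles.get(g.role, frozenset())  # pending -> not in roles

    def end_session(self, identity):
        # Early shutdown or expiry: the role is deleted, not merely detached.
        g = self.grants.pop(identity, None)
        if g is not None:
            self.roles.pop(g.role, None)

def lifecycle():
    """One session end to end; returns (pending, during, unrequested, after, roles_left)."""
    store = ZspStore()
    store.request("alice", {"s3:GetObject"}, ttl=900, now=100)
    pending = store.is_allowed("alice", "s3:GetObject", now=100)   # awaiting approval
    store.approve("alice")
    during = store.is_allowed("alice", "s3:GetObject", now=500)    # inside the window
    unrequested = store.is_allowed("alice", "s3:DeleteObject", now=500)
    after = store.is_allowed("alice", "s3:GetObject", now=1000)    # 100 + 900 reached
    return pending, during, unrequested, after, len(store.roles)
```

Unlike the JIT group-membership model, there is no standing admin role in `roles` for an attacker to reach outside the workflow: a role exists only between approval and expiry.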
How do you implement Zero Standing Privileges?
Like other concepts, such as the principle of least privilege, ZSP is a journey. To move beyond just-in-time access, organizations must grant only the relevant entitlements for a limited time, tightly integrate ZSP mechanisms with ITSM or ChatOps tooling to accelerate approvals, and implement continuous monitoring, logging and auditing to effectively detect and respond to any unauthorized access attempts or anomalies.
Several best practices are emerging for a Zero Standing Privileges implementation, outlined below. When pursuing the north star of Zero Standing Privileges, organizations should stick to time, entitlements and approval (TEA). Each of these settings should be carefully managed as part of a Zero Trust, defense-in-depth cybersecurity mindset.
- Time: The duration of a user’s session is a sensitive topic. Ending privileged sessions too early can disrupt end user efficiency, but allowing privileged access for an extended period of time increases risk. Organizations should adapt the duration to the task at hand.
- Entitlements: Consistent with the principle of least privilege, no user should have any permissions that are not strictly necessary for the task at hand. Organizations adopting Zero Standing Privileges should ensure that dynamically created roles are scoped with only entitlements necessary for a specific user’s specific session – and nothing more.
- Approvals: Especially with developer teams, it’s important to integrate access requests and automated approvals into the ChatOps and ITSM tools developers already use to minimize friction and disruption to their innovation. Implementing Zero Standing Privileges should not require adjustment to existing approval workflows, nor extra work for approvers.