If we agree that standing privilege means accounts have persistent privileged access at all times on some set of systems, then zero standing privilege is the exact opposite. It is the purest form of just-in-time administrator access: it enforces the principle of least privilege by granting authorized users the privileged access they need, with only the minimum rights and only for the minimum time. By eliminating standing privileged access risk through the Zero Trust model, we can reduce today’s growing attack surfaces and strengthen organizations against lateral movement attacks.
This figure outlines the risk exposure of an account with standing privileges versus an account in a Zero Standing Privilege environment:
Determine your current privileged access risk by identifying active administrator credentials. First, discover persistent accounts across workstations and map out admin access on a system-by-system basis:
Example chart describing the number of admin credentials in an enterprise environment – 21M admin rights across ~50K systems
The second component is the ability to measure changes to access over time. As mentioned in previous sections, admin rights can change for many different reasons. New members are always added as help desk and administrator teams grow. However, old members who leave their teams or the company aren’t always removed in a timely fashion.
Example - the number of admin credentials in an enterprise environment – 21M admin rights across ~50K systems
When you remediate standing privileged access risk, start by “stopping the bleeding.” Prevent the creation or bifurcation of new rogue administrator accounts. It is critical that firms have the ability to do this across all types of systems (Windows, Mac, Linux) and all types of access (local, group, domain).
After you stop the “bleeding,” review the access identified in Step 1. Determine which accounts are not appropriate. Revoke inappropriate access, ideally in bulk.
The last step to achieving Zero Standing Privilege is to shift administrators into a just-in-time mode that allows them to gain access to the systems they need to perform required tasks, but only for the right time frame and only to the right system(s). Access should be revoked once the work is complete and only provisioned back (limited to the right system for the right time frame) when needed again.
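The steps above (inventory admin rights per system, measure change between inventories, then treat anything not covered by a time-boxed grant as standing privilege) can be sketched as follows. This is an added example, not Remediant's code; the host names, account names, grant table and function names are all hypothetical, and the data is constructed.

```python
from datetime import datetime, timedelta

# Constructed inventories: each entry is one admin right, (host, account).
SNAPSHOT_T0 = {("ws-001", "helpdesk1"), ("ws-001", "alice"),
               ("srv-010", "alice"), ("srv-010", "localadmin")}
SNAPSHOT_T1 = {("ws-001", "helpdesk1"), ("srv-010", "alice"),
               ("srv-010", "localadmin"), ("ws-002", "bob")}

# Constructed just-in-time grants: right -> (granted_at, duration).
JIT_GRANTS = {
    ("srv-010", "alice"): (datetime(2024, 1, 10, 9, 0), timedelta(hours=4)),
}

def admin_rights_per_system(snapshot):
    """Step 1: count admin rights on a system-by-system basis."""
    counts = {}
    for host, _account in snapshot:
        counts[host] = counts.get(host, 0) + 1
    return counts

def diff_snapshots(old, new):
    """Measure change over time: rights that appeared or disappeared."""
    return {"added": new - old, "removed": old - new}

def standing_privilege(snapshot, grants, now):
    """Rights present now that no unexpired JIT grant accounts for."""
    standing = set()
    for right in snapshot:
        grant = grants.get(right)
        if grant is None:
            standing.add(right)          # never time-boxed at all
            continue
        start, duration = grant
        if not (start <= now < start + duration):
            standing.add(right)          # grant lapsed but access remains
    return standing

def overdue_revocations(snapshot, grants, now):
    """JIT grants past their window whose access is still on the system."""
    return {right for right, (start, duration) in grants.items()
            if right in snapshot and now >= start + duration}

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 14, 0)   # constructed check time
    print(admin_rights_per_system(SNAPSHOT_T1))
    print(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))
    print(sorted(standing_privilege(SNAPSHOT_T1, JIT_GRANTS, now)))
    print(sorted(overdue_revocations(SNAPSHOT_T1, JIT_GRANTS, now)))
```

A zero standing privilege state corresponds to `standing_privilege` returning an empty set at every check.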
Michael Kelley, Gartner
Remove Standing Privileges Through a Just-in-Time PAM Approach
It is encouraging to see the market has started to recognize standing privilege as a key risk that needs to be addressed and that vaulting secrets and rotating local admin passwords on critical servers are not sufficient. Attackers are targeting workstations as low-hanging fruit and using the admin access available from those workstations to gain lateral movement across networks.
The credential has become a commodity that will be breached. So, focus and spend need to start shifting towards the access the credentials provide. As an industry, if we do not take a Zero Standing Privilege stance in our environments, stolen credentials will continue to be the low-hanging fruit attackers target as they perpetuate the data breaches and ransomware that have become increasingly prevalent in today’s headlines.