
Getting to Zero Trust for Privileged Users

If we define standing privilege as accounts having persistent privileged access, for all time, on some set of systems, then zero standing privilege is the exact opposite. It is the purest form of just-in-time administrator access: it enforces the principle of least privilege by granting authorized users the privileged access they need for the minimum time and with only the minimum rights they need. By eliminating standing privileged access risk through the Zero Trust model, we can reduce today’s growing attack surfaces and strengthen organizations against lateral movement attacks.

This figure outlines the risk exposure of an account with standing privileges versus an account in a Zero Standing Privilege environment:



Achieving Zero Standing Privilege

1. Measure standing privilege

Determine your current privileged access risk by identifying active administrator credentials. First, discover persistent accounts across workstations and map out admin access on a system-by-system basis:

Example chart describing the number of admin credentials in an enterprise environment – 21M admin rights across ~50K systems

The second component is the ability to measure changes to access over time. As mentioned in previous sections, admin rights can change for many different reasons. New members are always added as help desk and administrator teams grow. However, old members who leave their teams or the company aren’t always removed in a timely fashion.

Example: the number of admin credentials in an enterprise environment – 21M admin rights across ~50K systems

Once standing privilege is measured, it can be managed. This brings us to the second question – how do you protect and ultimately achieve Zero Standing Privilege?

The next three steps outline a phased approach to protecting an enterprise environment and achieving Zero Standing Privilege.

2. Freeze access to systems to prevent net new admin access from being created


When you remediate standing privileged access risk, start by “stopping the bleeding.” Prevent the creation or bifurcation of new rogue administrator accounts. It is critical that firms have the ability to do this across all types of systems (Windows, Mac, Linux) and all types of access (local, group, domain).

3. Review access and remove unauthorized accounts


After you stop the “bleeding,” review the access identified in Step 1. Determine which accounts are not appropriate. Revoke inappropriate access, ideally in bulk.

4. Shift approved administrators to Just-in-Time Access


The last step to achieving Zero Standing Privilege is to shift administrators into a just-in-time mode that allows them to gain access to the system they need to perform required tasks, but only for the right time frame and only to the right system(s). Access should be revoked once the work is complete and only provisioned back (limited to the right system for the right time frame) when needed again.
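The four steps above as a small working model, added here as an illustration (it is not Remediant's or SecureONE's code). Hostnames, account names and all function names are constructed for the example; a real inventory would come from enumerating admin group membership on each system.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: host -> accounts holding admin rights on it.
BASELINE = {
    "ws-001": {"CORP\\helpdesk", "CORP\\alice", "ws-001\\localadmin"},
    "ws-002": {"CORP\\helpdesk", "CORP\\bob"},
    "srv-db1": {"CORP\\dba-team", "CORP\\alice"},
}
CURRENT = {
    "ws-001": {"CORP\\helpdesk", "CORP\\alice", "ws-001\\localadmin", "CORP\\mallory"},
    "ws-002": {"CORP\\helpdesk"},
    "srv-db1": {"CORP\\dba-team", "CORP\\alice"},
}

def admin_rights(snapshot):
    """Step 1: flatten to (host, account) pairs; each pair is one admin right."""
    return {(host, acct) for host, accts in snapshot.items() for acct in accts}

def drift(baseline, current):
    """Steps 1-2: rights added and removed since the baseline.
    Once access is frozen, every addition is a violation to investigate."""
    old, new = admin_rights(baseline), admin_rights(current)
    return sorted(new - old), sorted(old - new)

def review(snapshot, approved):
    """Step 3: rights held by accounts not on the approved list (bulk revoke)."""
    return sorted(r for r in admin_rights(snapshot) if r[1] not in approved)

class JitGrants:
    """Step 4: admin rights exist only as time-boxed grants on one host."""
    def __init__(self):
        self._expiry = {}  # (host, account) -> expiry time

    def grant(self, host, account, minutes, now):
        self._expiry[(host, account)] = now + timedelta(minutes=minutes)

    def is_admin(self, host, account, now):
        expiry = self._expiry.get((host, account))
        return expiry is not None and now < expiry

    def sweep(self, now):
        """Drop expired grants; return them so group membership can be removed."""
        expired = sorted(k for k, exp in self._expiry.items() if exp <= now)
        for key in expired:
            del self._expiry[key]
        return expired
```

Note that the total number of rights is 7 in both snapshots, so a raw count alone would hide the one added and one removed right that `drift` reports.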

“Effective PAM practice embraces the entire concept of least privilege, granting only the right privileges to only the right system and to only the right person for only the right reason at only the right time.”

Michael Kelley, Gartner
Remove Standing Privileges Through a Just-in-Time PAM Approach

Zero Standing Privilege is an inflection point in privilege management.

It is encouraging to see the market has started to recognize standing privilege as a key risk that needs to be addressed and that vaulting secrets and rotating local admin passwords on critical servers are not sufficient. Attackers are targeting workstations as low-hanging fruit and using the admin access available from those workstations to gain lateral movement across networks.

The credential has become a commodity that will be breached. So focus and spend need to start shifting toward the access that credentials provide. As an industry, if we do not take a Zero Standing Privilege stance in our environments, stolen credentials will continue to be the low-hanging fruit attackers target as they perpetuate the data breaches and ransomware that have become increasingly prevalent in today’s headlines.
