Introducing Zero Standing Privilege
by Mahesh Babu, on May 12, 2020
If we agree that standing privilege means accounts that hold persistent privileged access, for all time, on some set of systems, then zero standing privilege is the exact opposite. It is the purest form of just-in-time administrator access: the principle of least privilege is enforced by granting authorized users the privileged access they need for the minimum time, with only the minimum rights they need. Eliminating standing privilege in this way is a key inflection point in how privileged access is understood today. The figure below outlines the risk exposure of an account with standing privileges versus an account in a Zero Standing Privilege environment:
Figure: Risk exposure of an account with standing privileges versus an account with zero standing privilege
Achieving Zero Standing Privilege
- Measure standing privilege – As mentioned above, the first step to addressing standing privilege is understanding what administrator credentials exist. There are two key components to measuring standing privilege successfully. The first component is the ability to discover and identify persistent accounts across workstations and servers and to map out admin access on a system-by-system basis (local accounts, nested group membership and domain principals alike):
Figure: Example chart describing the number of admin credentials in an enterprise environment – 21M admin rights across ~50K systems
The second component is the ability to measure changes to access over time. As mentioned in previous sections, admin rights can change for many different reasons. New members are always added as helpdesk and administrator teams grow. However, old members who leave their teams or the company aren’t always removed in a timely fashion, so a single inventory is not enough; the inventory has to be diffed against earlier snapshots.
Figure: Example - the number of admin credentials in an enterprise environment – 21M admin rights across ~50K systems
Once standing privilege is measured, it can be managed. This brings us to the second question – how do you protect and ultimately achieve Zero Standing Privilege?
The next three steps outline a phased approach to protecting an enterprise environment and achieving Zero Standing Privilege.
- Freeze access to systems to prevent net new admin access from being created: The first step to remediating standing privilege is to “stop the bleeding” by ensuring that no new or rogue administrator accounts are created and that existing admin rights are not copied to further systems. It is critical that firms have the ability to do this across all types of systems (Windows, Mac, Linux) and all types of access (local, group, domain), and that any admin right that appears after the freeze is treated as a policy violation to be alerted on.
- Review access and remove unauthorized accounts: Once the “bleeding” has stopped, the next step is to review the access identified in step 1 and determine which accounts are authorized and which are not (and on which system(s)). Unauthorized access should then be revoked, ideally in bulk, to quickly reduce the damage an attacker could do by compromising any one of those accounts.
- Shift approved administrators to Just-in-Time Access: The last step to achieving Zero Standing Privilege is to shift administrators into a just-in-time mode that allows them to gain access to the systems they need to perform required tasks, but only for the right time frame and only on the right system(s). Access should be revoked automatically once the work is complete or the grant expires, and only provisioned back (limited to the right system for the right time frame) when it is needed again.
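The four steps above, run end to end over a small constructed inventory, as an added example that is not code from the original post or from any vendor product. The host names, principal names, the approved-access list and the snapshots are all hypothetical; a real deployment would build the snapshots from local Administrators, sudoers or wheel membership collected on each host and would expand nested groups before counting.

```python
"""Measure, freeze, review and time-box admin rights (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed snapshots: system -> set of principals holding admin rights on it.
SNAPSHOT_DAY1 = {
    "ws-001": {"CORP\\Domain Admins", "CORP\\helpdesk-tier2", "ws-001\\Administrator"},
    "ws-002": {"CORP\\Domain Admins", "CORP\\jdoe", "ws-002\\Administrator"},
    "srv-db01": {"CORP\\Domain Admins", "CORP\\dba-team", "srv-db01\\Administrator"},
}
# Same environment a day later: two admin rights appeared without approval.
SNAPSHOT_DAY2 = {
    "ws-001": {"CORP\\Domain Admins", "CORP\\helpdesk-tier2", "ws-001\\Administrator",
               "CORP\\contractor7"},
    "ws-002": {"CORP\\Domain Admins", "CORP\\jdoe", "ws-002\\Administrator"},
    "srv-db01": {"CORP\\Domain Admins", "CORP\\dba-team", "srv-db01\\Administrator",
                 "CORP\\jdoe"},
}
# Hypothetical approved standing access per system. Note that the blanket
# "Domain Admins" membership is deliberately NOT approved anywhere.
AUTHORIZED = {
    "ws-001": {"ws-001\\Administrator", "CORP\\helpdesk-tier2"},
    "ws-002": {"ws-002\\Administrator"},
    "srv-db01": {"srv-db01\\Administrator", "CORP\\dba-team"},
}


def rights(snapshot):
    """Flatten a snapshot into (system, principal) pairs; each pair is one admin right."""
    return {(system, p) for system, principals in snapshot.items() for p in principals}


def measure(snapshot):
    """Step 1: count standing admin rights and show which principals reach the most systems."""
    r = rights(snapshot)
    return {
        "total_rights": len(r),
        "systems": len(snapshot),
        "per_principal": Counter(p for _, p in r),
    }


def drift(old, new):
    """Step 1 (second component): rights added and removed between two snapshots."""
    return {"added": rights(new) - rights(old), "removed": rights(old) - rights(new)}


def freeze_violations(baseline, current):
    """Step 2: once access is frozen, any right that appears after the baseline is a violation."""
    return drift(baseline, current)["added"]


def review(snapshot, authorized):
    """Step 3: every right not on the approved list is a revocation candidate."""
    return {(s, p) for s, p in rights(snapshot) if p not in authorized.get(s, set())}


def revoke(snapshot, to_revoke):
    """Step 3: bulk-revoke, returning the inventory as it should look afterwards."""
    return {s: {p for p in ps if (s, p) not in to_revoke} for s, ps in snapshot.items()}


@dataclass
class JitBroker:
    """Step 4: time-boxed grants. A right exists only while its expiry is in the future."""
    grants: dict = field(default_factory=dict)  # (system, principal) -> expiry timestamp

    def grant(self, system, principal, now, ttl_seconds, approved_by):
        if not approved_by:
            raise PermissionError("JIT grant requires an approval record")
        self.grants[(system, principal)] = now + ttl_seconds

    def active(self, now):
        """Drop lapsed grants and return the rights that are still live at `now`."""
        self.grants = {k: exp for k, exp in self.grants.items() if exp > now}
        return set(self.grants)


if __name__ == "__main__":
    print("day 1:", measure(SNAPSHOT_DAY1))
    print("post-freeze violations:", freeze_violations(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
    unauthorized = review(SNAPSHOT_DAY2, AUTHORIZED)
    print("to revoke:", sorted(unauthorized))
    print("after bulk revoke:", measure(revoke(SNAPSHOT_DAY2, unauthorized)))
    broker = JitBroker()
    broker.grant("srv-db01", "CORP\\jdoe", now=0, ttl_seconds=3600, approved_by="CHG-0001")
    print("live at t=0:", broker.active(0), "live at t=3600:", broker.active(3600))
```

The `AUTHORIZED` table is where the policy decision lives: in the sample it deliberately leaves the nested `Domain Admins` membership off every system, so the review step flags it alongside the two rights that crept in after the freeze, and the only access that survives is the built-in local account plus a named team per host. The `JitBroker` replaces what was revoked: `jdoe` gets `srv-db01` back for an hour against an approval reference, and `active()` shows the right gone as soon as the window closes, with no standing entry left behind to steal.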
“Effective PAM practice embraces the entire concept of least privilege, granting only the right privileges to only the right system and to only the right person for only the right reason at only the right time.”
- Michael Kelley, Gartner - Remove Standing Privileges Through a Just-in-Time PAM Approach
Zero Standing Privilege is an inflection point in privilege management. It is encouraging to see that the market has started to recognize standing privilege as a key risk that needs to be addressed, and that vaulting secrets and rotating local admin passwords on critical servers are not sufficient on their own: a rotated password still grants standing access to whoever checks it out, and it does nothing for the thousands of workstations that were never vaulted. Attackers target those workstations as the low-hanging fruit and use the admin access available from them to spread across networks.
The credential has become a commodity that will be breached. So focus and spending need to start shifting towards the access the credentials provide. As an industry, if we do not take a Zero Standing Privilege stance in our environments, stolen credentials will remain the attacker’s low-hanging fruit and continue to contribute to 80% of data breaches.