Admin rights are a double-edged sword: While IT pros require elevated rights to do their jobs, those privileges can be misused by the admins themselves — as well as abused by adversaries who have compromised their accounts.
The first step in defending against these risks is fairly straightforward: Reduce the number of admin accounts by denying local admin rights to business users. While users often resist this measure, they typically don’t actually require local admin rights to do their jobs, and removing those rights limits the power adversaries will gain by taking over their account. For example, they will be unable to install keyloggers or run malware.
But that leaves all the other highly privileged accounts in the IT environment, which represent an even bigger risk. Those accounts grant rights that their owners actually need to perform their assigned duties, such as adjusting infrastructure configurations, creating accounts for new employees or resetting user passwords. Therefore, organizations cannot simply revoke these elevated rights in the same way that that they remove local admin rights; they also need a mechanism for providing elevated privileges when necessary.
An effective approach for solving this challenge is zero standing privileges (ZSP). ZSP replaces risky privileged accounts with temporary, just-in-time access. This article explains how ZSP works and how it overcomes the challenges inherent in traditional approaches to privileged access management (PAM).
Why Traditional PAM Solutions Leave a Huge Attack Surface Area
Traditional privileged access management solutions are designed to help organizations secure accounts with elevated access rights. Organizations typically have dozens or even hundreds of these accounts. Traditional PAM solutions often store the privileged account credentials in a password vault. Authorized individuals then check out their credentials each day to gain administrative access to the systems they manage, such as a particular database or system like Active Directory.
However, trying to tightly control privileged access using traditional PAM techniques like a password vault leaves a gaping security risk. When powerful accounts exist all the time, those standing privileges are always vulnerable to being misused by their owners or taken over by attackers.
Moreover, even if strong access controls are in place, these tend to amass far more rights than are actually needed. As a result, they are ripe for misuse by their owners and takeover by adversaries. Indeed, admin credentials are a top target of malicious actors because they empower them to gain privileged access to sensitive data, systems and other critical IT resources.
What Is Zero Standing Privileges?
Zero standing privileges is a modern approach to PAM that overcomes the shortcomings of traditional tools. The goal is to reduce the number of accounts with elevated privileges to as close to zero as possible. Instead, privileged access is granted only when it’s needed, scoped precisely to the job at hand and automatically removed immediately afterward. As a result, a ZSP strategy empowers you to slash your attack surface area and reduce the risk of data breaches and business disruptions. And by tightly controlling privileged access, ZSP tools are a valuable component in a Zero Trust cybersecurity model.
The role of a cashier in a retail business provides a useful analogy. Most of the time, the cash register remains locked. It pops open only when a transaction requires the cashier to access it. Once the transaction is completed, the drawer locks again automatically. As with ZSP, there’s no ever-present button that the cashier can press to open it whenever they wish.
ZSP Example
To see how ZSP works, let’s follow what happens when an admin named Alex needs to gain privileged access to a sensitive IT resource in order to perform an assigned task:
- Alex submits a request that details the task and what privileges are required to complete it.
- When the request is approved, the ZSP solution creates a temporary identity with just enough privileges to perform the task.
- The task is performed either interactively by Alex (e.g., using RDP to a server) or by the system on their behalf (e.g., by rebooting a server).
- When the task is complete, the temporary identity is deleted automatically.
Key Elements of ZSP
As the example illustrates, the ZSP model is based on providing limited access for a limited window of time. Accordingly, ZSP tools must deliver both just-in-time (JIT) access and just-enough privilege (least privilege).
- JIT access — Users do not have standing privileged accounts. Instead, they are granted elevated access right when they need it, and only for the time required to perform their specific task.
- Just-enough privilege — The principle of least privilege dictates that each account be granted only the access rights required for its assigned tasks. ZSP solutions must respect this principle during the JIT provisioning of privileges and grant the user only the access rights they need to specific the applications, systems or other IT resources required for the task at hand.
Additional Valuable ZSP Capabilities
Advanced ZSP solutions offer additional valuable capabilities, such as:
- Request and approval workflows — In most cases tasks, a request for a privileged session must be reviewed by appropriate personnel, who can approve or deny it. Automated workflows streamline this process and therefore can be vital for solution acceptance and adoption.
- Real-time session monitoring — Continuous monitoring of privileged activity is essential for real-time detection and mitigation of suspicious behavior, mistakes and other potentially harmful actions.
- Session recording and playback — Being able to review session recordings is invaluable for investigations and individual accountability. And having a comprehensive audit trail of privileged activity can be required during compliance audits.
How Netwrix Can Help
The Netwrix privileged access management (PAM) solution empowers you to implement PAM best practices and mitigate the risks associated with privileged access. This leading-edge PAM solution will identify standing privileges and replace them with just-in-time, just-enough access. It also provides automated request/approval workflows and enables you to monitor, log and play back privileged sessions so you can intercept threats before they escalate. Plus, its comprehensive suite of state-of-the-art features are a valuable part of a broader Zero Trust strategy.