How to mitigate the risks of privileged access with Zero Standing Privilege.

Ransomware and other forms of devastating cyber-attacks against public and private sector organisations have become depressingly familiar headlines in recent years. While this might give the impression that organisations are most at risk from external threats, the fact is that the biggest security risk often comes from inside the business, specifically through users entrusted with privileged access. Indeed, 42 per cent of breaches originate through credential abuse, whether by accidental or deliberate misuse.

Of course, unrestricted privileged access is not necessary for undertaking the majority of administrative tasks. Nevertheless, administrators often issue wide-ranging access as standard, which increases the risk of both internal and external breaches occurring. Despite this, identity and access management (IAM) leaders often struggle to restrict the level of privileged access on offer because administrators and IT operations staff have become accustomed to using these accounts on-demand.

One of the most effective ways to reduce the associated risks is by implementing a privileged access management (PAM) solution, since it significantly reduces an organisation’s attack surface area. However, traditional PAM approaches are complex and costly to implement, and their vault-centric idea does nothing to remove or limit the attack surface area. On the contrary, a modern PAM strategy, known as zero standing privilege (ZSP), decreases the chances of a successful malicious infiltration without adversely affecting business efficiency. With ZSP, administrators are granted just enough privilege to complete a specific task, and only for as long as needed to complete it. This ‘just-in-time’ (JIT) approach significantly reduces the risk of ‘super-user’ accounts being exploited by internal or external threats.

This article will explain how organisations can effectively implement the principle of ‘least privilege’ and mitigate the risk of privileged access. It will outline why IAM-focused security and risk management leaders should prioritise reducing excessive privilege, and thereby bolster their overall security posture, in the following ways:

Restrict the scope of accounts available to users

Organisations have traditionally addressed the risk posed by privileged accounts by taking a vault-centric approach. While this provides better protection than nothing, significant risk remains given that most privileged accounts are always available for use, with more access than is strictly necessary. IT teams must therefore go further to reduce the spread of privileged access in their environment. As a first step, they should first assess the extent of privileged permissions that have been allocated and on what basis – in other words, when and for how long is each permission valid for.

A JIT approach can help organsiations to limit the amount of time in which privileged access is available to users. This will not remove privileged accounts from the environment entirely, but crucially, they will only be available at the moment they are needed (and for no longer), which limits the risk of legitimate credentials being abused
or misused.

Taking a balanced approach to achieving ZSP

To achieve true ZSP without compromising business operations, most organisations will need to carefully select the most appropriate JIT PAM controls. For instance, IAM leaders may opt for a blended approach which incorporates JIT, session management and the more traditional vaulting approach. At this stage in the process, it is important to assess the legitimate uses of privilege and the current workflows associated with those uses. These are key questions a security team should answer before making IAM decisions:

  • How will changes to privileged access impact present-day workloads?
  • What resources are required to implement a given approach for the privileged access in question?
  • Will additional tools be needed to enable this approach?

Once these considerations have been made, there are a number of different options for implementing JIT. To name a few, personal privileged accounts may be placed under the control of a PAM tool, or shared accounts under the control of a vaulting and session management tool. ZSP privilege escalation is another option, which grants temporary “one-time” privileged access for a defined set of tasks over a defined period of time. Whichever approach (or combination) the security team chooses, it is vital to have discussions with business and other IT leaders about which mechanisms will best suit the environment. Once everyone agrees on JIT approaches to implement that are suitable for the privilege workflows in the environment, then work can begin on implementation.

During this stage of JIT deployment, setting priorities and determining gaps in the organisation’s existing cybersecurity set-up is key. This will necessitate an assessment of current technical capabilities, along with updates to policy documents to reflect JIT/ZSP methods as the default for privileged access. It will also require standard operating procedures to reflect the methods selected for current workflows.

Ultimately, organisations that take a considered and iterative approach to their JIT/ZSP initiatives will stand to reap the benefits of reducing the risks associated with standing privilege, while minimising the impact on business operations and maximising return on investment
in PAM technologies.

Martin Cannard

Martin Cannard, VP of Product Strategy at Netwrix

Ab Initio partners with BT Group to deliver big data

Luke Conrad • 24th October 2022

AI is becoming an increasingly important element of the digital transformation of many businesses. As well as introducing new opportunities, it also poses a number of challenges for IT teams and the data teams supporting them. Ab Initio has announced a partnership with BT Group to implement its big data management solutions on BT’s internal...

WAICF – Dive into AI visiting one of the most...

Delia Salinas • 10th March 2022

Every year Cannes held an international technological event called World Artificial Intelligence Cannes Festival, better known by its acronym WAICF. One of the most luxurious cities around the world, located on the French Riviera and host of the annual Cannes Film Festival, Midem, and Cannes Lions International Festival of Creativity. 

Bouncing back from a natural disaster with resilience

Amber Donovan-Stevens • 16th December 2021

In the last decade, we’ve seen some of the most extreme weather events since records began, all driven by our human impact on the plant. Businesses are rapidly trying to implement new green policies to do their part, but climate change has also forced businesses to adapt and redefine their disaster recovery approach. Curtis Preston,...