How to mitigate the risks of privileged access with Zero Standing Privilege.

An image of , Cyber Security, How to mitigate the risks of privileged access with Zero Standing Privilege.

Ransomware and other forms of devastating cyber-attacks against public and private sector organisations have become depressingly familiar headlines in recent years. While this might give the impression that organisations are most at risk from external threats, the fact is that the biggest security risk often comes from inside the business, specifically through users entrusted with privileged access. Indeed, 42 per cent of breaches originate through credential abuse, whether by accidental or deliberate misuse.

Of course, unrestricted privileged access is not necessary for undertaking the majority of administrative tasks. Nevertheless, administrators often issue wide-ranging access as standard, which increases the risk of both internal and external breaches occurring. Despite this, identity and access management (IAM) leaders often struggle to restrict the level of privileged access on offer because administrators and IT operations staff have become accustomed to using these accounts on-demand.

One of the most effective ways to reduce the associated risks is by implementing a privileged access management (PAM) solution, since it significantly reduces an organisation’s attack surface area. However, traditional PAM approaches are complex and costly to implement, and their vault-centric idea does nothing to remove or limit the attack surface area. On the contrary, a modern PAM strategy, known as zero standing privilege (ZSP), decreases the chances of a successful malicious infiltration without adversely affecting business efficiency. With ZSP, administrators are granted just enough privilege to complete a specific task, and only for as long as needed to complete it. This ‘just-in-time’ (JIT) approach significantly reduces the risk of ‘super-user’ accounts being exploited by internal or external threats.

This article will explain how organisations can effectively implement the principle of ‘least privilege’ and mitigate the risk of privileged access. It will outline why IAM-focused security and risk management leaders should prioritise reducing excessive privilege, and thereby bolster their overall security posture, in the following ways:

Restrict the scope of accounts available to users

Organisations have traditionally addressed the risk posed by privileged accounts by taking a vault-centric approach. While this provides better protection than nothing, significant risk remains given that most privileged accounts are always available for use, with more access than is strictly necessary. IT teams must therefore go further to reduce the spread of privileged access in their environment. As a first step, they should first assess the extent of privileged permissions that have been allocated and on what basis – in other words, when and for how long is each permission valid for.

A JIT approach can help organsiations to limit the amount of time in which privileged access is available to users. This will not remove privileged accounts from the environment entirely, but crucially, they will only be available at the moment they are needed (and for no longer), which limits the risk of legitimate credentials being abused
or misused.

Taking a balanced approach to achieving ZSP

To achieve true ZSP without compromising business operations, most organisations will need to carefully select the most appropriate JIT PAM controls. For instance, IAM leaders may opt for a blended approach which incorporates JIT, session management and the more traditional vaulting approach. At this stage in the process, it is important to assess the legitimate uses of privilege and the current workflows associated with those uses. These are key questions a security team should answer before making IAM decisions:

  • How will changes to privileged access impact present-day workloads?
  • What resources are required to implement a given approach for the privileged access in question?
  • Will additional tools be needed to enable this approach?

Once these considerations have been made, there are a number of different options for implementing JIT. To name a few, personal privileged accounts may be placed under the control of a PAM tool, or shared accounts under the control of a vaulting and session management tool. ZSP privilege escalation is another option, which grants temporary “one-time” privileged access for a defined set of tasks over a defined period of time. Whichever approach (or combination) the security team chooses, it is vital to have discussions with business and other IT leaders about which mechanisms will best suit the environment. Once everyone agrees on JIT approaches to implement that are suitable for the privilege workflows in the environment, then work can begin on implementation.

During this stage of JIT deployment, setting priorities and determining gaps in the organisation’s existing cybersecurity set-up is key. This will necessitate an assessment of current technical capabilities, along with updates to policy documents to reflect JIT/ZSP methods as the default for privileged access. It will also require standard operating procedures to reflect the methods selected for current workflows.

Ultimately, organisations that take a considered and iterative approach to their JIT/ZSP initiatives will stand to reap the benefits of reducing the risks associated with standing privilege, while minimising the impact on business operations and maximising return on investment
in PAM technologies.

An image of , Cyber Security, How to mitigate the risks of privileged access with Zero Standing Privilege.

Martin Cannard

Martin Cannard, VP of Product Strategy at Netwrix

AI alignment: teaching tech human language

Daniel Langkilde • 05th February 2024

However, Embodied AI refers to robots, virtual assistants or other intelligent systems that can interact with and learn from a physical environment. In order to do this, they’re built with sensors that can gather data from their surroundings, with this they also have AI systems that help them analyse data they collect, and ultimately learn...

CARMA announces acquisition of mmi Analytics

Jason Weekes • 01st February 2024

CARMA announces acquisition of mmi Analytics, expanding expertise in Beauty, Fashion, and Lifestyle sectors The combined organisation is set to redefine the landscape of media intelligence, providing unparalleled expertise and comprehensive insights for PR professional and marketers in the exciting world of beauty, fashion and lifestyle.

Managing Private Content Exposure Risk in 2024

Tim Freestone • 31st January 2024

Managing the privacy and compliance of sensitive content communications is getting more and more difficult for businesses. Cybercriminals continue to evolve their approaches, making it harder than ever to identify, stop, and mitigate the damages of malicious attacks. But, what are the key issues for IT admins to look out for in 2024?

Revolutionizing Ground Warfare Environment with Software-Enabled Armored Vehicles

Wind River • 31st January 2024

Armoured vehicles which are purpose-built for mission-critical operations are reliant on control systems that provide deterministic behaviour to meet hard real-time requirements, deliver extreme reliability, and meet rigorous security requirements against evolving threats. Wind River® has the partners and the expertise, a proven real-time operating system (RTOS), software lifecycle management techniques, and an extensive track...

The need to prove environmental accountability

Matt Tormollen • 31st January 2024

We are currently in the midst of one of the most consequential energy transitions since records began. The increasing availability of clean electrons has motivated businesses in the UK and beyond to think green. And for good reason. Being environmentally conscious attracts customers, appeases regulators, retains staff, and can even gain handouts from government. The...

Fuelling Innovation in Aftermarket

Jim Monaghan • 31st January 2024

One section of the motor trade is benefitting from the cost-of-living crisis: with consumers keeping their cars for longer, independent repairers are in huge demand. But they are also under pressure. Older cars need more repairs. They require more replacement parts, tyres and fluids. With car owners looking for value and a fast turn-around, independents...

The return of the five-day office week

Virgin Media • 25th January 2024

Virgin Media O2 Business has today published its inaugural Annual Movers Index, revealing four in ten companies are back to the office full time, despite widespread travel delays and disruptions With 2023 cementing the cost-of-living crisis, second hand shopping and public transport use surged as Brits sought to save money Using aggregated and anonymised UK...