How to mitigate the risks of privileged access with Zero Standing Privilege.

An image of , Cyber Security, How to mitigate the risks of privileged access with Zero Standing Privilege.

Ransomware and other forms of devastating cyber-attacks against public and private sector organisations have become depressingly familiar headlines in recent years. While this might give the impression that organisations are most at risk from external threats, the fact is that the biggest security risk often comes from inside the business, specifically through users entrusted with privileged access. Indeed, 42 per cent of breaches originate through credential abuse, whether by accidental or deliberate misuse.

Of course, unrestricted privileged access is not necessary for undertaking the majority of administrative tasks. Nevertheless, administrators often issue wide-ranging access as standard, which increases the risk of both internal and external breaches occurring. Despite this, identity and access management (IAM) leaders often struggle to restrict the level of privileged access on offer because administrators and IT operations staff have become accustomed to using these accounts on-demand.

One of the most effective ways to reduce the associated risks is by implementing a privileged access management (PAM) solution, since it significantly reduces an organisation’s attack surface area. However, traditional PAM approaches are complex and costly to implement, and their vault-centric idea does nothing to remove or limit the attack surface area. On the contrary, a modern PAM strategy, known as zero standing privilege (ZSP), decreases the chances of a successful malicious infiltration without adversely affecting business efficiency. With ZSP, administrators are granted just enough privilege to complete a specific task, and only for as long as needed to complete it. This ‘just-in-time’ (JIT) approach significantly reduces the risk of ‘super-user’ accounts being exploited by internal or external threats.

This article will explain how organisations can effectively implement the principle of ‘least privilege’ and mitigate the risk of privileged access. It will outline why IAM-focused security and risk management leaders should prioritise reducing excessive privilege, and thereby bolster their overall security posture, in the following ways:

Restrict the scope of accounts available to users

Organisations have traditionally addressed the risk posed by privileged accounts by taking a vault-centric approach. While this provides better protection than nothing, significant risk remains given that most privileged accounts are always available for use, with more access than is strictly necessary. IT teams must therefore go further to reduce the spread of privileged access in their environment. As a first step, they should first assess the extent of privileged permissions that have been allocated and on what basis – in other words, when and for how long is each permission valid for.

A JIT approach can help organsiations to limit the amount of time in which privileged access is available to users. This will not remove privileged accounts from the environment entirely, but crucially, they will only be available at the moment they are needed (and for no longer), which limits the risk of legitimate credentials being abused
or misused.

Taking a balanced approach to achieving ZSP

To achieve true ZSP without compromising business operations, most organisations will need to carefully select the most appropriate JIT PAM controls. For instance, IAM leaders may opt for a blended approach which incorporates JIT, session management and the more traditional vaulting approach. At this stage in the process, it is important to assess the legitimate uses of privilege and the current workflows associated with those uses. These are key questions a security team should answer before making IAM decisions:

  • How will changes to privileged access impact present-day workloads?
  • What resources are required to implement a given approach for the privileged access in question?
  • Will additional tools be needed to enable this approach?

Once these considerations have been made, there are a number of different options for implementing JIT. To name a few, personal privileged accounts may be placed under the control of a PAM tool, or shared accounts under the control of a vaulting and session management tool. ZSP privilege escalation is another option, which grants temporary “one-time” privileged access for a defined set of tasks over a defined period of time. Whichever approach (or combination) the security team chooses, it is vital to have discussions with business and other IT leaders about which mechanisms will best suit the environment. Once everyone agrees on JIT approaches to implement that are suitable for the privilege workflows in the environment, then work can begin on implementation.

During this stage of JIT deployment, setting priorities and determining gaps in the organisation’s existing cybersecurity set-up is key. This will necessitate an assessment of current technical capabilities, along with updates to policy documents to reflect JIT/ZSP methods as the default for privileged access. It will also require standard operating procedures to reflect the methods selected for current workflows.

Ultimately, organisations that take a considered and iterative approach to their JIT/ZSP initiatives will stand to reap the benefits of reducing the risks associated with standing privilege, while minimising the impact on business operations and maximising return on investment
in PAM technologies.

An image of , Cyber Security, How to mitigate the risks of privileged access with Zero Standing Privilege.

Martin Cannard

Martin Cannard, VP of Product Strategy at Netwrix

A New Journey to the Cloud

Don Valentine • 23rd January 2023

ERP implementation has changed. And for those companies facing the 2027 maintenance deadline for SAP ECC 6, that is good news. In today’s cloud-first, ‘adopt not adapt model, there are no more white boards. No more consultants offering to customise software to meet any business need. And no more long drawn implementations – followed by...

Travel industry, ‘check-in’ on cart abandonment

Andrew Armitage • 23rd January 2023

People are not loyal to travel brands now – they can’t afford to be. With the right deal and customer experience, there is an opportunity to capture the huge number of customers who will be shopping for their summer deals this month and beyond.

Five Benefits of Cloud-Based Test Automation

Adil Mohammed • 17th January 2023

Test automation has increased in popularity in recent years, however, previously, software has been hindered by a slow pace and an inability to scale with companies at every stage of growth. These challenges became increasingly apparent during the Covid-19 lockdowns when workforces were forced to move almost fully remote. Right now, we are still adjusting...

Five Benefits of Cloud-Based Test Automation

Adil Mohammed • 17th January 2023

Test automation has increased in popularity in recent years, however, previously, software has been hindered by a slow pace and an inability to scale with companies at every stage of growth. These challenges became increasingly apparent during the Covid-19 lockdowns when workforces were forced to move almost fully remote. Right now, we are still adjusting...

Protecting Data Irrespective of Infrastructure

Simon Pamplin • 16th January 2023

The cyber security threat has risen so high in recent years that most companies globally now accept that a data breach is almost inevitable. But what does this mean for the data protection and compliance officers, as well as senior managers, now personally liable for protecting sensitive company, customer and partner data?

Protecting Data Irrespective of Infrastructure

Simon Pamplin • 16th January 2023

The cyber security threat has risen so high in recent years that most companies globally now accept that a data breach is almost inevitable. But what does this mean for the data protection and compliance officers, as well as senior managers, now personally liable for protecting sensitive company, customer and partner data?