Zero Standing Privileges (ZSP): Vendor Myths vs. Reality
Several new vendors entering the privileged access management (PAM) market are boldly claiming they can – or will soon be able to – provide access with zero standing privileges (ZSP).
In reality, these lofty vendor claims likely ignore the limited use cases of their own technology. This betrays a fundamental misunderstanding of PAM – the most challenging problem in cybersecurity.
ZSP is absolutely a critical component for the future of identity security, especially in an evolving IT landscape. Still, organizations will always need a comprehensive range of controls to secure the complexities of their hybrid and multi-cloud environments.
In a crowded market, there are some myths about zero standing privileges to look out for and realities to consider when building a modern PAM program. Understanding these myths and the corresponding realities is crucial for making informed decisions and implementing effective security measures. Let’s dig into some of the most common misconceptions and the truths behind them.
Myth 1: A Zero Standing Privileges Approach Replaces the Need for Credential Vaulting and Rotation
Reality: Embracing ZSP reduces risk, but privileged accounts and credentials will always be necessary – and they must be secured.
Remember the July 2024 CrowdStrike outage?
The Fortune 500 does, reportedly suffering over $5 billion in direct losses after a bad software update to the CrowdStrike Falcon sensor agent crashed millions of Windows devices worldwide.
Many organizations turned to “break-glass” accounts with standing privileged access to reboot their systems and recover their IT operations.
These privileged accounts and credentials – many securely managed by PAM solutions – were essential for organizations to restore their internal and customer-facing services. Without these emergency accounts, the CrowdStrike-induced outages and associated costs could have been even worse, proving that secure credential management will always be needed.
A July 2024 CrowdStrike Falcon sensor agent update took millions of global Windows machines offline, causing many organizations to use ‘break-glass’ accounts to recover operations.
In cloud environments, some privileged accounts and credentials can never be replaced. Take, for example, the AWS root account, a super user account required for any organization to start working in AWS. The AWS Root account cannot be deleted – and AWS Security Guidance is crystal clear – organizations must safeguard root user credentials with strong password policies, multi-factor authentication (MFA), dual control processes and other identity security best practices. Similar root and registration accounts – and similar best practices – exist in other leading cloud providers.
Another challenge comes with credentials and secrets used by machine identities like service accounts, RPA bots and application accounts. While some innovative vendors – including CyberArk – provide just-in-time (JIT) and dynamic provisioning of application secrets, today, most machine-to-machine communication still relies on credentials like passwords and SSH keys for authentication. Without secure vaulting and rotation of these secrets, organizations expose themselves to credential theft attacks like those that led to major breaches like those at CodeCov, SolarWinds and Uber.
All organizations should follow identity security best practices to reduce the use of shared accounts and credentials with privileged access. Pursuing a ZSP approach is an effective step in reducing risk. But some usage of such identities will always be necessary, both for proper configuration of cloud and software development environments as well as for emergency scenarios like recovering from the CrowdStrike outage.
Myth 2: Just-in-Time Elevation Equals Zero Standing Privileges
Reality: Very few vendors can create dynamic privileges – and remove them after use. Despite aggressive marketing, most vendors merely elevate access to pre-existing roles and accounts with always-on privileges.
Most vendors’ marketing capabilities for access with ZSP only elevate users to a pre-existing account or role with privileged access. This is a JIT privileged access approach, where a user does not log in with a privileged credential and instead receives temporary access to use an account or role.
It’s important to acknowledge this JIT approach reduces risk – but it comes with standing privileges attached to the roles and accounts. These roles and accounts still exist in the organization’s directory or cloud identity and access management (IAM) stores, meaning attackers can still gain unauthorized access and circumvent the JIT elevation workflow. For example, suppose an attacker moves laterally to gain access to an identity provider, domain controller or any role with privileges to modify IAM permissions in the cloud. In that case, they can freely use these pre-existing accounts and roles.
A true zero standing privileges approach requires exactly that: Zero. Standing. Privileges. This means no privileged roles or accounts exist that an attacker could compromise. None. Instead, organizations create net new permissions and roles when an end user needs access – and delete those permissions after a time-bound session.
Very few vendors today can provide this true ZSP approach. To evaluate those who can, consider the TEA – time, entitlements and approvals – settings that govern privileged access for your organization.
You’ll need granular control of all three. It’s important to have flexibility when granting time-bound access so that end users don’t have privileged access for longer than they need. Similarly, entitlements must be granted according to the rule of least privilege, so end users only have permissions to perform necessary tasks. Approvals are a critical last step. Especially with developer teams, it’s important to integrate access requests – and automated approvals – into the ChatOps and ITSM tools developers already use to minimize friction and disruption to their innovation.
Myth 3: Embracing Zero Standing Privileges Eliminates the Need for Session Isolation, Command Filtering and Other Post-Authentication PAM Controls
Reality: Even without standing privileges, organizations need defense-in-depth controls to reduce the risk of insider threats and lateral movement.
Embracing JIT, ZSP and passwordless authentication approaches can help minimize the risk of stolen passwords and credentials – but PAM programs need to consider additional measures to protect against insider threats and the spread of malware and ransomware.
Zero Trust identity security philosophies stress the need to “never trust, always verify” access.
For this reason, it’s essential not only to validate privileged access attempts with adaptive MFA but also to implement defense-in-depth controls after login, such as session isolation, which prevents the spread of malware, or command filtering in privileged sessions to reduce insider threats.
TLDR: Don’t Believe the Vendor Hype
ZSP is an exciting direction for identity security programs, but most vendors claiming they can deliver it ignore reality. Today’s organizations need comprehensive, nuanced privilege controls for all the use cases in their increasingly complex IT environments. Carefully evaluate any solution trusted with securing privileged access, comparing your organization’s needs with claims from any vendor (including CyberArk).
Want to explore the nuances of implementing zero standing privileges? Join our webinar to learn about the practical applications of just-in-time access and ZSP.
Sam Flaster is a director of product marketing at CyberArk.