How to mitigate the risks of privileged access with Zero Standing Privilege.

Ransomware and other forms of devastating cyber-attacks against public and private sector organisations have become depressingly familiar headlines in recent years. While this might give the impression that organisations are most at risk from external threats, the fact is that the biggest security risk often comes from inside the business, specifically through users entrusted with privileged access. Indeed, 42 per cent of breaches originate through credential abuse, whether by accidental or deliberate misuse.

Of course, unrestricted privileged access is not necessary for undertaking the majority of administrative tasks. Nevertheless, administrators often issue wide-ranging access as standard, which increases the risk of both internal and external breaches occurring. Despite this, identity and access management (IAM) leaders often struggle to restrict the level of privileged access on offer because administrators and IT operations staff have become accustomed to using these accounts on-demand.

One of the most effective ways to reduce the associated risks is by implementing a privileged access management (PAM) solution, since it significantly reduces an organisation’s attack surface area. However, traditional PAM approaches are complex and costly to implement, and their vault-centric idea does nothing to remove or limit the attack surface area. On the contrary, a modern PAM strategy, known as zero standing privilege (ZSP), decreases the chances of a successful malicious infiltration without adversely affecting business efficiency. With ZSP, administrators are granted just enough privilege to complete a specific task, and only for as long as needed to complete it. This ‘just-in-time’ (JIT) approach significantly reduces the risk of ‘super-user’ accounts being exploited by internal or external threats.

This article will explain how organisations can effectively implement the principle of ‘least privilege’ and mitigate the risk of privileged access. It will outline why IAM-focused security and risk management leaders should prioritise reducing excessive privilege, and thereby bolster their overall security posture, in the following ways:

Restrict the scope of accounts available to users

Organisations have traditionally addressed the risk posed by privileged accounts by taking a vault-centric approach. While this provides better protection than nothing, significant risk remains given that most privileged accounts are always available for use, with more access than is strictly necessary. IT teams must therefore go further to reduce the spread of privileged access in their environment. As a first step, they should first assess the extent of privileged permissions that have been allocated and on what basis – in other words, when and for how long is each permission valid for.

A JIT approach can help organsiations to limit the amount of time in which privileged access is available to users. This will not remove privileged accounts from the environment entirely, but crucially, they will only be available at the moment they are needed (and for no longer), which limits the risk of legitimate credentials being abused
or misused.

Taking a balanced approach to achieving ZSP

To achieve true ZSP without compromising business operations, most organisations will need to carefully select the most appropriate JIT PAM controls. For instance, IAM leaders may opt for a blended approach which incorporates JIT, session management and the more traditional vaulting approach. At this stage in the process, it is important to assess the legitimate uses of privilege and the current workflows associated with those uses. These are key questions a security team should answer before making IAM decisions:

  • How will changes to privileged access impact present-day workloads?
  • What resources are required to implement a given approach for the privileged access in question?
  • Will additional tools be needed to enable this approach?

Once these considerations have been made, there are a number of different options for implementing JIT. To name a few, personal privileged accounts may be placed under the control of a PAM tool, or shared accounts under the control of a vaulting and session management tool. ZSP privilege escalation is another option, which grants temporary “one-time” privileged access for a defined set of tasks over a defined period of time. Whichever approach (or combination) the security team chooses, it is vital to have discussions with business and other IT leaders about which mechanisms will best suit the environment. Once everyone agrees on JIT approaches to implement that are suitable for the privilege workflows in the environment, then work can begin on implementation.

During this stage of JIT deployment, setting priorities and determining gaps in the organisation’s existing cybersecurity set-up is key. This will necessitate an assessment of current technical capabilities, along with updates to policy documents to reflect JIT/ZSP methods as the default for privileged access. It will also require standard operating procedures to reflect the methods selected for current workflows.

Ultimately, organisations that take a considered and iterative approach to their JIT/ZSP initiatives will stand to reap the benefits of reducing the risks associated with standing privilege, while minimising the impact on business operations and maximising return on investment
in PAM technologies.

Martin Cannard

Martin Cannard, VP of Product Strategy at Netwrix

The Future of Smart Buildings: Trends in Occupancy Monitoring

Khai Zin Thein • 12th June 2024

Occupancy monitoring technology is revolutionising building management with advancements in AI and IoT. AI algorithms analyse data from IoT sensors, enabling automated adjustments in lighting, HVAC, and security systems based on occupancy levels. Modern systems leverage big data and AI to optimise space usage and resource management, reducing energy consumption and promoting sustainability. Enhanced encryption...

The need to weave agility throughout the business

John Craig Swartz SVP at POWWR • 11th June 2024

With geopolitical tensions, more extreme weather events and the legacy of a global pandemic, it is more difficult for energy suppliers to preserve their margins and remain competitive than ever before. To thrive in the current climate, it is imperative that a supplier makes marginal gains wherever they can. Profitability within the sector today hinges...

Artificial general intelligence is closer than expected

AI expert Stuart Fenton • 10th June 2024

Whilst most of the attention around artificial intelligence (AI) thus far has been on ChatGPT, it is just the tip of the iceberg. In many ways, ChatGPT shouldn’t be thought of as true AI as it is – at its heart – just generative, learned behaviour. The future of AI, in contrast, is a system...

The State of Data Streaming

Confluent • 06th June 2024

Confluent survey: 90% of respondents say data streaming platforms can lead to more product and service innovation in AI and ML development 86% of respondents cite data streaming as a strategic or important priority for IT investments in 2024 For 91% of respondents, data streaming platforms are critical or important for achieving data-related goals

The State of Data Streaming

Confluent • 06th June 2024

Confluent survey: 90% of respondents say data streaming platforms can lead to more product and service innovation in AI and ML development 86% of respondents cite data streaming as a strategic or important priority for IT investments in 2024 For 91% of respondents, data streaming platforms are critical or important for achieving data-related goals

Grant Funding Awarded to Advance Cancer Therapeutics Discovery

Dr Alan Roth • 04th June 2024

The CRUK (Cancer Research UK) Scotland Institute and Oxford Drug Design, a biotechnology company with core expertise in AI drug discovery, have announced that their joint application for the MRC (UK Medical Research Council) National Mouse Genetics Network (NMGN) Business Engagement Fund has been awarded.

Grant Funding Awarded to Advance Cancer Therapeutics Discovery

Dr Alan Roth • 04th June 2024

The CRUK (Cancer Research UK) Scotland Institute and Oxford Drug Design, a biotechnology company with core expertise in AI drug discovery, have announced that their joint application for the MRC (UK Medical Research Council) National Mouse Genetics Network (NMGN) Business Engagement Fund has been awarded.