PAM360 »
Last updated date : 17 May 2024

ZSP is a crucial component of the Zero Trust security model and is the end goal of privileged access management (PAM) controls, such as just in time (JIT) access, adaptive authentication, the principle of least privilege, and access control workflows.

What are standing privileges?

Standing privileges are typically "always-on" administrative access privileges that anybody can use to gain permanent access to critical systems. Some of the best examples of standing privileges include:

  • Credentials that are shared with and used by multiple stakeholders and teams without any time limit.
  • Privileged user accounts, SSL and TLS certificates, authentication tokens, and passphrases that are left unmanaged and unmonitored for a prolonged period.
  • Credentials and secrets that are hard-coded within plaintext files or scripts that are not rotated regularly.

 

In many organizations, those responsible for managing business-sensitive IT resources, such as servers, databases, and applications, are usually granted critical privileges. This is because their roles typically require continuous, instant access to such sensitive systems for day-to-day operations and maintenance purposes.

While standard PAM tools offer options to share these privileges with users, these privileges are usually permanent. Furthermore, access is typically granted on an all-or-nothing basis, based on the needs of the overall role or department rather than those of the actual individuals. If and when these privileges are exposed or misused by malicious insiders and other threat actors, it can spell doom for organizations.

What PAM tools should ideally offer are fine-grained access controls that allow administrators to provide access to mission-critical assets only on a case-by-case basis.

Security risks posed by standing privileges

The emergence of hybrid work has expanded the attack surface, and an influx of new attack vectors has crept in ever since. Nevertheless, standing privileges remain a lucrative target for cybercriminals as all it takes is one weak or compromised credential for attackers to bring an enterprise down overnight, as was the case in most of the breaches in the recent past.

Once a threat actor infiltrates an organization's security perimeter, they can exploit standing privileges to move laterally within the network without leaving any trace. Verizon's 2022 Data Breach Investigations Report said, "The human element continues to drive breaches. This year, 82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike."

Standing privileges in the wrong hands are a perfect recipe for disaster as they can be exploited by attackers through privilege escalation attempts if an employee's credentials are compromised. This enables hackers to gain unlimited, undetectable access to classified data and systems.

Furthermore, the exploitation of these privileges is difficult to identify as attackers technically impersonate a phantom user with the high-stakes administrative rights that these privileges carry. Standing privileges give users access to multiple IT assets and devices, making them low-hanging fruit for attackers.

The primary problem associated with standing privileges is that they are neither managed nor updated regularly because they are used by multiple users, multiple teams, and multiple business processes simultaneously. Thus, altering them without prior planning and intimations to the stakeholders could bring critical business processes and workflows to a grinding halt.

Let's consider embedded credentials as an example. These credentials are hard-coded in scripts and text files and are usually used by multiple stakeholders working on CI/CD pipelines, RPA processes, and engineering workflows. If embedded credentials are altered without any prior intimation, this could lead to the failure of multiple critical processes at once. Furthermore, if these credentials are exposed even by chance, anybody with malicious intent could exploit them to breach an organization's cardinal information systems.

Coming to grips with standing privileges with least privilege and JIT access controls

To minimize the security risks posed by standing privileges, organizations should employ the principle of least privilege, which involves providing users with only the access privileges that suffice for their routine tasks. JIT access provisioning applies the principle of least privilege by granting users time-limited, exclusive access to shared, sensitive resources. This is achieved by creating temporary administrative accounts that expire as soon as the access period ends.

This entire process can be automated using a PAM tool that comes with built-in JIT privilege elevation capabilities. A good PAM tool should also offer role- and policy-based access controls, thereby making it easier for administrators to assign users default access privileges that are commensurate with their job roles. With such a tool, admins can also dynamically trigger access policies with follow-up actions for every access request raised.

If and when users require administrative access to endpoints, they can be provided with JIT elevated access and securely demoted after the request window closes. Furthermore, the credentials of such sensitive endpoints should be automatically rotated to ensure they do not stay put and eventually become the standing privileges that attackers covet.

With least privilege access controls in place, organizations can effortlessly prove compliance with regulatory bodies, such as HIPAA, the GDPR, SOX, the PCI DSS, the CCPA, and ISO. Furthermore, to qualify for cyber insurance coverage, organizations are required by insurers to implement least privilege access and remove admin rights to tighten their IT security protocols.

Plus, JIT workflows, when integrated with ITSM tools, can significantly strengthen security by requiring users to present a ticket ID stating their access requirements, with requests being instantly approved or vetoed. Thus, JIT workflows limit administrative privileged access to last only as long as necessary, which can be as little as five minutes, resulting in a substantial reduction of the attack surface.

Standing privileges: The employee offboarding journey

About 75% of insider attacks are carried out by ex-employees. These ex-employees, for the purposes of revenge and self-aggrandizement, can exploit credentials to which they still have access to engage in malicious activities, such as running critical reports, downloading the PII of customers, and accessing sensitive file systems.

When employees leave an organization, there needs to be a mechanism that revokes their critical access privileges before wiping their existence from the organization's directory environment. This will help the IT team ensure that the privileges, such as the passwords and critical accounts they had access to, are no longer tied to them.

A comprehensive PAM solution will trigger custom workflows to automatically revoke all the privileges associated with the users and seamlessly transfer these privileges to other privileged users in the organization. This way, organizations can ensure that the departing employees do not carry any critical data and credentials with them that could be exploited.

Ensuring ZSP: Best practices to begin with

ZSP is promoted by the industry movers and shakers as a milestone that enterprises must aim to achieve. However, due to the proliferation of machine identities and complicated business workflows, achieving complete ZSP may be a challenging endeavor. Organizations must, however, practice the principle of least privilege as a minimum security control to condense their attack surface.

For organizations that are just getting started, ZSP can be marginally achieved through ephemeral accounts. Here are some ZSP best practices that IT teams should follow as part of their access management routines:

  • Mandate a request-release process in which users will first have to raise a request for privileged access. Based on the merits of the request, access to IT resources can be granted or denied by the admins.
  • Assign default, minimal privileges to users for executing their daily tasks. Elevate their privileges temporarily using ephemeral accounts as and when they present a valid need that requires them to gain administrative privileges over endpoints.
  • Rotate the credentials of IT assets and endpoints after every user session to ensure old passwords are no longer valid, thereby preventing any unauthorized access in the future.
  • Control and limit access to sensitive applications and commands.
  • Employ controls to monitor and audit privileged sessions.
  • Implement multi-factor authentication, which adds another layer of security to privileged entities.

 

The best route to ZSP includes implementing a PAM solution, which includes and automates all these best practices. PAM solutions aid you in taking the first step towards ZSP by automatically discovering and onboarding privileged accounts, thereby ensuring that no accounts are left unmanaged or unaccounted for. These tools offer granular access control workflows, JIT access, and least privilege controls to enable administrators to effectively scrutinize privileged access routines and reserve access privileges for administrative users.

As PAM tools continue to evolve with the cyber landscape, organizations will naturally take the leap towards achieving total ZSP.

How does ManageEngine PAM360 help in your journey to ZSP?

PAM360 is a full-stack PAM solution that helps enterprises secure, monitor, audit, and regulate their privileged access routines. PAM360's built-in Zero Trust access capabilities enable IT teams to implement JIT and least privilege access, application and command controls, and policy-based access provisioning, thereby ensuring that the right users have administrative access to sensitive resources.

Plus, PAM360's built-in session management engine provides direct, one-click access to remote endpoints without exposing their passwords. All sessions initiated through the PAM360 console can be monitored, audited, and recorded, and administrators can also terminate sessions if and when users engage in suspicious activity.

PAM360 offers seamless integrations with enterprise IT tools and business apps to help you extend privileged access security across all your business workflows and bolster your security posture.