Just-in-Time (JIT) Access Series Part 3: Zero Standing Privileges

May 4, 2020

Welcome back to the conclusion of our three-part series on Just-in-Time (JIT) access.

In part 1 we discussed what Just-in-Time access is and where it fits in to our Privileged Access Management (PAM) strategy, then in part 2 we looked at two of the typical JIT PAM approaches that vendors take. This final part will focus on the Zero Standing Privileges (ZSP) approach.

As a quick reminder, the two elements of privilege that we need to control with Just-in-Time Privilege are:

  1. Scope – Just Enough Access
    • What systems of applications can the user access?
    • How much privilege does the user or application require in order to perform its function?
  2. Time – Just-in-Time
    • When do they need the privilege?
    • How long do they need it for?

Privilege Elevation and MFA

If you’ll recall, in Gartner’s report, “Remove Standing Privileges Through a Just-in-Time PAM Approach,” [GET IT HERE] we read: “Basic PAM (vaulting and session management) will help mitigate the risk of the existence of privileged accounts. JIT reduces the risk of privileged access abuse, and ZSP reduces the attack surface of the privileged accounts themselves.”

Gartner Remove Standing Privileges

The approach of privilege elevation, outlined in part 2, was almost perfect. You could control both the time and scope element, but there was one weakness: privileges were always assigned to the user. That means that anyone who compromised the machine or user account would also have those privileges.

You may hear vendors claim that they can do Multi-Factor Authentication (MFA) for privilege elevation, and certainly this would reduce some of the risk. We have to be realistic about implementing that across the user base, some of which may not be administrators but may be standard business type users. Admins will soon have enough of multiple MFA prompts, and will soon complain.

How About ZSP?

What if you could take privilege elevation and instead of having static policies, have roles which control the scope of privilege?

What if you could request access to these roles either via a central platform, an IT Service Management (ITSM) tool like ServiceNow, or an Identity Governance and Administration (IGA) tool such as SailPoint to specify the time element?

A Zero Standing Privileges approach is exactly that. It provides the benefits of privilege elevation but removes the risk of standing privilege in the event of compromise.

If you summarize the benefits, this is the most secure JIT method:

  • Removal of risk of users having standing privilege
  • Control of time for which privilege is granted
  • Control of scope / level of privilege granted
  • Will not require creation of privilege accounts on target systems

To learn more about Just-in-Time Access and Zero Standing Privileges, and why they are critical to a Least Privilege approach to PAM, watch our CyberCast On-Demand titled, “Enforcing Least Privilege: Just Enough, Just-in-Time."

To discover how our Privilege Elevation Service can help your organization enforce Just-in-Time access, visit https://www.centrify.com/privileged-access-management/privilege-elevation/.