Just-in-Time (JIT) access series part 3: Zero Standing Privileges
Chris Owen
This post is part of a series on Just-in-Time (JIT) Access.
Read: Part I | Part II | Part III
Welcome back to the conclusion of our three-part series on Just-in-Time (JIT) access.
In Part 1 we discussed what Just-in-Time access is and where it fits into our Privileged Access Management (PAM) strategy, then in Part 2 we looked at two of the typical JIT PAM approaches that vendors take. This final part will focus on the Zero Standing Privileges (ZSP) approach.
As a quick reminder, the two elements of privilege that we need to control with Just-in-Time Privilege are:
- Scope – Just Enough Access
  - What systems or applications can the user access?
  - How much privilege does the user or application require in order to perform its function?
- Time – Just-in-Time
  - When do they need the privilege?
  - How long do they need it for?
Privilege Elevation and MFA
If you’ll recall, in Gartner’s report, “Remove Standing Privileges Through a Just-in-Time PAM Approach,” we read: “Basic PAM (vaulting and session management) will help mitigate the risk of the existence of privileged accounts. JIT reduces the risk of privileged access abuse, and ZSP reduces the attack surface of the privileged accounts themselves.”
The privilege elevation approach outlined in Part 2 was almost perfect. You could control both the time and scope elements, but there was one weakness: the privileges were always assigned to the user. That means anyone who compromised the machine or the user account would also hold those privileges.
You may hear vendors claim that they can add Multi-Factor Authentication (MFA) to privilege elevation, and this certainly reduces some of the risk. But we have to be realistic about rolling that out across the whole user base, part of which are not administrators but standard business users. Admins, for their part, will soon tire of repeated MFA prompts and complain.
How About ZSP?
What if you could take privilege elevation and instead of having static policies, have roles that control the scope of privilege?
What if you could request access to these roles either via a central platform, an IT Service Management (ITSM) tool like ServiceNow, or an Identity Governance and Administration (IGA) tool such as SailPoint to specify the time element?
A Zero Standing Privileges approach is exactly that. It provides the benefits of privilege elevation but removes the risk of standing privilege in the event of a compromise.
Summarizing the benefits, this is the most secure JIT method:
- Removes the risk of users holding standing privilege
- Controls the time for which privilege is granted
- Controls the scope/level of the privilege granted
- Does not require the creation of privileged accounts on target systems
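To make the two elements concrete, here is a small model of a ZSP broker as described above, placed beside the static privilege elevation model from Part 2 so the difference under compromise is visible. This is an added example written for this post, not code from the original article or from any vendor's product; the role names, systems, user, ticket id and the four-hour maximum window are all constructed for the illustration. Roles carry the scope element (which systems, how much privilege), and a grant created by a request carries the time element (a bounded window, plus a reference to the approving ITSM/IGA ticket). Outside an active grant the user's effective privilege set is empty, so a compromised account at an arbitrary moment has nothing to use.

```python
"""Toy Zero Standing Privileges (ZSP) broker versus static privilege elevation.

Added example, not from the original post or any product. All names,
systems, tickets and the max_duration policy are constructed placeholders.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Role:
    """Scope element: which systems the role covers and how much privilege."""
    name: str
    systems: FrozenSet[str]
    privilege: str  # e.g. "read", "operator", "admin"


@dataclass(frozen=True)
class Grant:
    """Time element: one approved activation of a role for one user."""
    user: str
    role: Role
    not_before: datetime
    expires: datetime
    ticket: str  # reference to the ITSM/IGA request that approved it

    def active(self, now: datetime) -> bool:
        return self.not_before <= now < self.expires


class StaticElevation:
    """The Part 2 model: the elevation policy is attached to the user permanently."""

    def __init__(self, assignments: Dict[str, Role]):
        self.assignments = assignments

    def is_authorized(self, user: str, system: str, privilege: str, now: datetime) -> bool:
        role = self.assignments.get(user)
        # 'now' is ignored: the privilege is standing, so time plays no part
        return role is not None and system in role.systems and role.privilege == privilege


class ZspBroker:
    """Holds role definitions and time-bounded grants; nothing is assigned by default."""

    def __init__(self, roles: List[Role], max_duration: timedelta = timedelta(hours=4)):
        self.roles: Dict[str, Role] = {r.name: r for r in roles}
        self.max_duration = max_duration  # constructed policy ceiling on any single grant
        self.grants: List[Grant] = []
        self.audit: List[str] = []

    def request(self, user: str, role_name: str, duration: timedelta,
                ticket: str, now: datetime) -> Grant:
        """Approve a request: the role must exist and the window must fit policy."""
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        if duration <= timedelta(0) or duration > self.max_duration:
            raise ValueError(f"duration must be within (0, {self.max_duration}]")
        grant = Grant(user, self.roles[role_name], now, now + duration, ticket)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT user={user} role={role_name} "
                          f"until={grant.expires.isoformat()} ticket={ticket}")
        return grant

    def revoke(self, user: str, now: datetime, reason: str) -> int:
        """Cut every active grant for a user short (e.g. during an incident)."""
        revoked = 0
        for i, g in enumerate(self.grants):
            if g.user == user and g.active(now):
                self.grants[i] = replace(g, expires=now)
                revoked += 1
        self.audit.append(f"{now.isoformat()} REVOKE user={user} count={revoked} reason={reason}")
        return revoked

    def effective_privileges(self, user: str, now: datetime) -> Dict[str, Set[str]]:
        """Privilege the user holds right now: derived only from active grants."""
        privs: Dict[str, Set[str]] = {}
        for g in self.grants:
            if g.user == user and g.active(now):
                for system in g.role.systems:
                    privs.setdefault(system, set()).add(g.role.privilege)
        return privs

    def is_authorized(self, user: str, system: str, privilege: str, now: datetime) -> bool:
        return privilege in self.effective_privileges(user, now).get(system, set())


def demo() -> Dict[str, object]:
    """Same user and role under both models, checked before, during and after a grant."""
    db_admin = Role("db-admin", frozenset({"db-prod-01", "db-prod-02"}), "admin")
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    static = StaticElevation({"alice": db_admin})
    zsp = ZspBroker([db_admin])
    check = lambda model, system, t: model.is_authorized("alice", system, "admin", t)

    before = (check(static, "db-prod-01", t0), check(zsp, "db-prod-01", t0))
    zsp.request("alice", "db-admin", timedelta(hours=1), "CHG-0001", t0)
    t_mid, t_late = t0 + timedelta(minutes=30), t0 + timedelta(hours=2)
    during = (check(static, "db-prod-01", t_mid), check(zsp, "db-prod-01", t_mid))
    out_of_scope = check(zsp, "web-prod-01", t_mid)  # system not in the role's scope
    after = (check(static, "db-prod-01", t_late), check(zsp, "db-prod-01", t_late))
    return {"before": before, "during": during, "out_of_scope": out_of_scope,
            "after": after, "audit": zsp.audit}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `before` and `after` results are the point of the comparison: the static model answers yes at every instant, so a stolen credential is always useful, while the ZSP broker answers yes only inside the requested hour and for the systems the role names. The audit list gives the approving ticket and expiry for every activation, which is what a reviewer needs to reconcile access against the ITSM or IGA record.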