Zero Standing Privileges (ZSP)
What are Zero Standing Privileges?
Recall the least privilege definition: just enough privilege, granted just-in-time, for a limited time. Zero Standing Privileges (ZSP) corresponds to the "just enough privilege" part of that definition.
ZSP is a term coined by the analyst firm Gartner. It advocates better IT security by removing standing privileges, that is, accounts that permanently hold administrative rights whether or not anyone is using them. Every such account enlarges the attack surface for privilege abuse: whoever obtains its credential or hijacks its session is fully privileged from the first moment.
Removing these accounts is ideal but not always possible
Where such accounts must remain, they should be secured in a vault, with access strictly controlled on a need-to-know basis and subject to management oversight through a workflow-based request and approval mechanism. This helps ensure that privileged accounts are available to legitimate actors (human users, or applications and services) only when they are needed, i.e., just-in-time, typically via a password checkout.
Even if we secure these accounts in a vault, however, the privileges are still attached to them (they are fully armed), so a residual risk remains. For example, checking out a Windows local administrator account password to configure a printer is overkill: the checkout hands over every right the account holds, and a malicious actor who obtains it could abuse those privileges extensively.
One way to mitigate this risk is to leave the vaulted account passwords untouched and instead couple just-in-time access with privilege elevation. A legitimate user who logs in with minimum privileges requests what they need and is elevated at the moment a command or application requiring those rights executes (just-in-time). The incremental privileges are tied to that command or application, not to the broader login session, and they are revoked automatically when the command completes or the application exits. In this way, just enough privilege delivered through elevation supports the ZSP model.
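To make the difference between a vault checkout (the whole account, fully armed) and command-scoped just-in-time elevation concrete, here is an added example that is not from the original article or from any vendor product: a small Python model of an elevation broker that implements the request/approval workflow from the vaulting section and the command-bound, automatically revoked elevation described above. The policy, the user names alice and bob, the commands, the time-to-live and the `runner` stand-in for the privileged executor are all assumptions made for illustration.

```python
"""Toy model of a just-in-time, command-scoped privilege elevation broker."""
from dataclasses import dataclass
import itertools
import time


@dataclass
class Grant:
    """A single elevation grant: one user, one exact command, one deadline."""
    user: str
    command: str        # the only command this grant will elevate
    expires_at: float   # clock value after which the grant is dead even if unused
    used: bool = False  # set once the command has run; the grant is then revoked


class ElevationBroker:
    """Request -> approve -> elevate one command -> automatic revocation.

    `policy` maps a user to the set of commands they may be elevated for;
    `approvers` is the set of users allowed to approve requests. Both are
    assumed inputs for this example, not a real product's configuration.
    """

    def __init__(self, policy, approvers, ttl_seconds=300, clock=time.monotonic):
        self.policy = policy
        self.approvers = approvers
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised offline
        self._ids = itertools.count(1)
        self.pending = {}           # request id -> (user, command)
        self.audit = []             # human-readable audit trail

    def request(self, user, command):
        """A user with no standing privileges asks to run one specific command."""
        if command not in self.policy.get(user, set()):
            self.audit.append(f"DENY request user={user} cmd={command!r}: not in policy")
            raise PermissionError("command not permitted for this user")
        rid = next(self._ids)
        self.pending[rid] = (user, command)
        self.audit.append(f"REQUEST id={rid} user={user} cmd={command!r}")
        return rid

    def approve(self, rid, approver):
        """Management oversight: an approver turns a pending request into a grant."""
        if approver not in self.approvers:
            raise PermissionError("approver is not authorised to approve")
        user, command = self.pending[rid]
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        del self.pending[rid]
        grant = Grant(user, command, self.clock() + self.ttl)
        self.audit.append(f"APPROVE id={rid} by={approver} ttl={self.ttl}s")
        return grant

    def run_elevated(self, grant, command, runner):
        """Run `command` with elevated rights only if `grant` covers exactly it.

        `runner` stands in for the privileged executor (sudo, a Windows agent,
        and so on). The grant is consumed when the command finishes, whether or
        not it succeeded, so no privilege outlives the command.
        """
        if grant.used:
            raise PermissionError("grant already consumed")
        if self.clock() > grant.expires_at:
            raise PermissionError("grant expired before use")
        if command != grant.command:
            # Elevation is bound to the command, not to the login session:
            # a grant for one command cannot be reused to spawn a shell.
            raise PermissionError("grant does not cover this command")
        try:
            return runner(command)
        finally:
            grant.used = True
            self.audit.append(f"REVOKE user={grant.user} cmd={command!r}")


def denied(action):
    """True if the broker refuses `action` (a zero-argument callable)."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: alice may only be elevated for the printer service,
    # and only bob may approve. Nothing here touches a real vault or sudo.
    broker = ElevationBroker(
        policy={"alice": {"systemctl restart cups"}}, approvers={"bob"}, ttl_seconds=60)
    rid = broker.request("alice", "systemctl restart cups")
    grant = broker.approve(rid, "bob")
    print(broker.run_elevated(grant, "systemctl restart cups", lambda c: f"ran: {c}"))
    print("shell with the same grant denied:",
          denied(lambda: broker.run_elevated(grant, "/bin/bash", lambda c: c)))
    print("\n".join(broker.audit))
```

The three checks in `run_elevated` are the whole point: the grant is single-use, it expires even if never used, and it names exactly one command, so a user who was elevated to restart the print service cannot turn that grant into an interactive shell. Contrast that with a vault checkout of the local administrator password, which would have let them do anything that account can do for the length of the checkout.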
Just-in-Time (JIT) Access Series Part 3: Zero Standing Privileges