The problem Privileged Access Management (PAM) solutions seek to solve can be simply formulated: How do I appropriately provide and protect privileged access to my information technology assets? Traditional PAM solutions have focused on deploying controls on top of an enterprise’s existing identity practices, whether that’s providing password and session management for shared built-in administrator accounts or a password-of-the-day for personal privileged accounts.
These approaches all rely on the same thing – protecting identities that permanently possess privileges on systems, databases, applications, etc. However, these “always-on” privileges can be stolen and misused and they remain a prized tool for attackers; their very existence creates a risk to an organization that should be mitigated. Why should we accept that risk or focus on mitigations? Enter a better way with Zero Standing Privileges.
The concept of Zero Standing Privileges has the objective to eliminate these “always-on” privileges.
Why Zero Standing Privileges (ZSP)?
Simply put: administrative privilege provides the means attackers need to complete their mission, whether that involves data exfiltration, data destruction, or other objectives. When an organization has identities with “always-on” privileges they must spend money and effort to control access to them, monitor their use, protect them from misuse. But for much of each day, these highly privileged identities lie fallow, unused but still posing risk. Many traditional PAM projects struggle because of the sheer volume of standing privileges and prior efforts to implement least-privilege models, while noble, have only exacerbated the sprawl.
Traditional PAM approaches have focused on managing and controlling access to privileged account passwords or temporarily elevating privileges to control when users can act with administrative privileges. For example, Jill, a server administrator, may check out a password-of-the-day for her personal privileged account “admin-Jill” each morning. Or, she may use a solution like sudo to have her privileges elevated on demand.
The focus of each of these approaches, however, is on ensuring that Jill uses her privileges in an authorized manner – but, Jill is a good employee and not an attacker seeking every avenue to compromise the organization. In both of these approaches, the privileges granted to her personal privilege account or in sudo configuration are persistent and are at risk to be abused by a motivated attacker.
Just Enough Privilege (JEP), Just in Time (JIT)
What if we can eliminate these standing privileges and replace them with a policy-driven process for obtaining privileged access only when it’s needed and scoped only to the job at hand? The answer is Just in Time privileged access and Just Enough Privilege grants.
In a JIT workflow, there are no standing privileges for Jill — there’s no sudo configuration to maintain, no personal privileged account to monitor. Instead, Jill’s potential privileges are detailed in a centralized policy. When Jill’s job duties require her to obtain privileged access, she initiates an activity which describes what she wants to do, and on what resources she needs to do it.
Behind the scenes, an activity identity is created or activated and just enough privileges granted to perform only the desired task. The activity is then performed interactively by Jill (e.g. remote desktop protocol (RDP) to a server) or by the system on her behalf (e.g. reboot a server). Upon completion of the activity, the privileges are revoked from the activity identity and it is destroyed or disabled.
By adopting this workflow, the privilege attack surface is reduced to the window during which Jill is actively using privilege; no passwords or artifacts remain for an attacker to steal. Unlike traditional PAM where the focus is on protecting the means (e.g. privileged accounts or configuration) that confer privilege, the focus of the Just in Time workflow is on the user. All Jill needs to know is that she needs to reboot a specific server, and the system will take care of providing, securing, and destroying that privilege when she’s done.
The zero standing privileges objective can be realized through just in time privilege access, improving operational sustainability for your privilege access program and drastically reducing the privilege attack surface. We’d love to hear your thoughts and questions on zero standing privileges and just in time privilege access below.
To learn more about our Zero Standing Privileges (ZSP) solution, visit our STEALTHbits Privileged Activity Manager webpage.
Gerrit Lansing is STEALTHbits’ Field CTO. In his role, Gerrit leads strategic initiatives to improve customer engagement and STEALTHbits’ products and positioning. He brings with him over a decade of experience in information security, with a focus on identity and privileged access management. Prior to joining STEALTHbits, he started his career as an Information Security Analyst at Liberty Mutual before joining CyberArk Software where he held multiple roles including Director of Consulting Services and Chief Architect.
Gerrit holds a Bachelor of Arts in Administrative Science from Colby College in Waterville, ME.