The problem Privileged Access Management (PAM) solutions seek to solve can be simply formulated: How do I appropriately provide and protect privileged access to my information technology assets? Traditional PAM solutions have focused on deploying controls on top of an enterprise’s existing identity practices, whether that’s providing password and session management for shared built-in administrator accounts or a password-of-the-day for personal privileged accounts.
These approaches all rely on the same thing – protecting identities that permanently possess privileges on systems, databases, applications, etc. However, these “always-on” privileges can be stolen and misused and they remain a prized tool for attackers; their very existence creates a risk to an organization that should be mitigated. Why should we accept that risk or focus on mitigations? Enter a better way with Zero Standing Privileges.
The objective of Zero Standing Privileges is to eliminate these “always-on” privileges.
Why Zero Standing Privileges (ZSP)?
Simply put: administrative privilege provides the means attackers need to complete their mission, whether that involves data exfiltration, data destruction, or other objectives. When an organization has identities with “always-on” privileges, it must spend money and effort to control access to them, monitor their use, and protect them from misuse. But for much of each day, these highly privileged identities lie fallow, unused but still posing risk. Many traditional PAM projects struggle because of the sheer volume of standing privileges, and prior efforts to implement least-privilege models, while noble, have only exacerbated the sprawl.
Traditional PAM approaches have focused on managing and controlling access to privileged account passwords or temporarily elevating privileges to control when users can act with administrative privileges. For example, Jill, a server administrator, may check out a password-of-the-day for her personal privileged account “admin-Jill” each morning. Or, she may use a solution like sudo to have her privileges elevated on demand.
The focus of each of these approaches, however, is on ensuring that Jill uses her privileges in an authorized manner – but Jill is a good employee, not an attacker seeking every avenue to compromise the organization. In both of these approaches, the privileges granted to her personal privileged account or in the sudo configuration are persistent and are at risk of abuse by a motivated attacker.
Just Enough Privilege (JEP), Just in Time (JIT)
What if we can eliminate these standing privileges and replace them with a policy-driven process for obtaining privileged access only when it’s needed and scoped only to the job at hand? The answer is Just-in-Time privileged access and Just Enough Privilege grants.
In a JIT workflow, there are no standing privileges for Jill — there’s no sudo configuration to maintain, no personal privileged account to monitor. Instead, Jill’s potential privileges are detailed in a centralized policy. When Jill’s job duties require her to obtain privileged access, she initiates an activity which describes what she wants to do, and on what resources she needs to do it. Behind the scenes, an activity identity is created or activated and just enough privileges are granted to perform only the desired task. The activity is then performed interactively by Jill (e.g. remote desktop protocol (RDP) to a server) or by the system on her behalf (e.g. reboot a server). Upon completion of the activity, the privileges are revoked from the activity identity and it is destroyed or disabled.
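The workflow above, modeled as an added example (not code from the original post or from any Stealthbits product): a small JIT broker with a constructed policy for Jill, ephemeral activity identities scoped to one (action, resource) pair, a hard expiry, revocation whether the task succeeds or fails, and an audit trail. The user, server names, and the `ttl` window are assumptions.

```python
from dataclasses import dataclass
import secrets
from typing import Callable

# Constructed sample policy (assumption): which activities each user may request,
# and on which resources. Nothing here confers privilege until an activity runs.
POLICY = {"jill": {"reboot": {"srv-db-01", "srv-web-02"}, "rdp": {"srv-web-02"}}}

@dataclass
class ActivityIdentity:
    name: str
    user: str
    privileges: frozenset        # {(action, resource)}: just enough for one task
    expires_at: float            # hard cap on the privilege window
    active: bool = True

class JITBroker:
    def __init__(self, policy: dict, ttl: float = 300.0):
        self.policy, self.ttl = policy, ttl
        self.identities: dict[str, ActivityIdentity] = {}
        self.audit: list[tuple] = []     # every grant, denial and revocation

    def request(self, user: str, action: str, resource: str, now: float) -> ActivityIdentity:
        if resource not in self.policy.get(user, {}).get(action, set()):
            self.audit.append(("denied", user, action, resource))
            raise PermissionError(f"policy does not allow {user} to {action} {resource}")
        ident = ActivityIdentity(f"act-{user}-{secrets.token_hex(4)}", user,
                                 frozenset({(action, resource)}), now + self.ttl)
        self.identities[ident.name] = ident
        self.audit.append(("granted", ident.name, action, resource))
        return ident

    def perform(self, ident, action, resource, task: Callable[[str], str], now: float) -> str:
        # Fail closed: an inactive, expired or out-of-scope identity is revoked and refused.
        if not ident.active or now > ident.expires_at or (action, resource) not in ident.privileges:
            self.revoke(ident)
            raise PermissionError(f"{ident.name} is not authorised to {action} {resource}")
        try:
            return task(resource)       # the system acts on the user's behalf
        finally:
            self.revoke(ident)          # privileges vanish whether the task succeeds or fails

    def revoke(self, ident: ActivityIdentity) -> None:
        if ident.active:
            ident.active, ident.privileges = False, frozenset()
            self.identities.pop(ident.name, None)
            self.audit.append(("revoked", ident.name))

    def active_privileges(self, user: str, now: float) -> set:
        # What an attacker could steal right now: empty outside an activity window.
        return {p for i in self.identities.values()
                if i.user == user and i.active and now <= i.expires_at for p in i.privileges}
```

Outside an activity window `active_privileges` is empty, which is the measurable property a ZSP program should be able to demonstrate for every privileged user.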
By adopting this workflow, the privilege attack surface is reduced to the window during which Jill is actively using privilege; no passwords or artifacts remain for an attacker to steal. Unlike traditional PAM, where the focus is on protecting the means (e.g. privileged accounts or configuration) that confer privilege, the focus of the Just in Time workflow is on the user. All Jill needs to know is that she needs to reboot a specific server, and the system will take care of providing, securing, and destroying that privilege when she’s done.
The zero standing privileges objective can be realized through just in time privileged access, improving operational sustainability for your privileged access program and drastically reducing the privilege attack surface. We’d love to hear your thoughts and questions on zero standing privileges and just in time privileged access below.
To learn more about our Zero Standing Privileges (ZSP) solution, visit our Stealthbits Privileged Activity Manager webpage.