Decoding ZSP: Separating Fact from Fiction

The Privileged Access Management (PAM) market has seen a wave of new entrants, each boasting that their technology can achieve the elusive goal of Zero Standing Privileges (ZSP). These claims paint an enticing picture, but most vendors overlook one critical detail: ZSP, while essential, is not a one-size-fits-all solution.

Yes, ZSP is a fundamental building block for securing identities, especially in today’s hybrid and multi-cloud ecosystems. But believing that ZSP alone can resolve the complexities of PAM is misguided. To properly secure privileged access in such intricate environments, organizations need to be aware of both the myths and realities surrounding ZSP. Here’s what you need to know:

Myth #1: Zero Standing Privileges (ZSP) Eliminates the Need for Credential Vaulting and Rotation

Reality: While ZSP reduces risk by limiting access, privileged accounts and credentials are here to stay. They are the foundation of privileged access—both in emergencies and in regular operations.

The July 2024 CrowdStrike outage was a stark reminder of the need for traditional credential management. When a faulty update crashed millions of Windows devices, organizations scrambled to use “break-glass” accounts with pre-existing privileges to restore operations. Without those accounts, the disruption would have been even more catastrophic. This incident highlights that privileged credentials and accounts cannot be eliminated; they need to be secured, even in a ZSP model.

Credential vaulting and rotation remain critical for securing these “emergency” and machine-based accounts. For example, root accounts in cloud environments like AWS cannot simply be eliminated. These accounts are necessary for initial setup and core administrative functions, and they require secure handling through strong password policies, multi-factor authentication (MFA), and other identity best practices.

Similarly, machine identities (e.g., service accounts and bots) still rely on credentials like SSH keys for authentication. While innovative solutions like dynamic provisioning can help reduce reliance on static secrets, secure vaulting and rotation are still essential to protect these credentials from misuse.

Myth #2: Just-in-Time (JIT) Elevation Equals Zero Standing Privileges

Reality: Most vendors that claim to offer ZSP are merely providing Just-in-Time (JIT) access, which is not true ZSP. JIT approaches only offer temporary access to pre-existing roles or accounts, which still have standing privileges in the system.

For example, many JIT implementations elevate users to pre-configured roles within identity directories or IAM solutions. While this reduces continuous exposure, it doesn’t eliminate standing privileges because those roles still exist and can be misused if compromised.

True ZSP requires creating and removing permissions dynamically—without any privileged roles lingering in the background. This level of ZSP is rare and requires granular control over Time, Entitlements, and Approvals (TEA). Each access session must be defined by its own time-bound criteria, granting only the minimum permissions necessary and then revoking them immediately after use. Unless a vendor can offer this level of flexibility and control, their ZSP capabilities are likely limited.
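The difference between JIT elevation and dynamically created entitlements can be checked with a simple audit question: once every session has expired, which privileged permissions are still defined in the system? The sketch below is an added example, not code from any vendor or product; `AccessModel`, the `db-admin` role, the `db:*` permission names and the users are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AccessModel:
    """Constructed in-memory model; not a vendor or cloud-provider API."""
    roles: dict = field(default_factory=dict)        # pre-configured role -> permissions
    memberships: dict = field(default_factory=dict)  # (user, role) -> expiry (JIT)
    grants: list = field(default_factory=list)       # session-scoped entitlements (ZSP)

    def jit_elevate(self, user, role, now, ttl):
        """JIT: time-boxed membership in a role that already exists."""
        if role not in self.roles:
            raise KeyError(f"no such role: {role}")
        self.memberships[(user, role)] = now + ttl

    def zsp_grant(self, user, permissions, now, ttl, approved_by):
        """ZSP: create an entitlement for one session (Time, Entitlements, Approvals)."""
        if not approved_by:
            raise PermissionError("an approval record is required")
        self.grants.append({"user": user, "perms": frozenset(permissions),
                            "expires": now + ttl, "approved_by": approved_by})

    def expire(self, now):
        """Revoke every membership and grant whose time bound has passed."""
        self.memberships = {k: t for k, t in self.memberships.items() if t > now}
        self.grants = [g for g in self.grants if g["expires"] > now]

    def effective(self, user, now):
        """Permissions the user can exercise at time `now`."""
        perms = set()
        for (u, role), t in self.memberships.items():
            if u == user and t > now:
                perms |= self.roles[role]
        for g in self.grants:
            if g["user"] == user and g["expires"] > now:
                perms |= g["perms"]
        return perms

    def standing(self):
        """Permissions still defined in the system, whether or not anyone holds them."""
        perms = set().union(*self.roles.values())
        return perms.union(*(g["perms"] for g in self.grants))

def compare(now=0, ttl=900):
    """Run one session under each model; return (during, after-expiry) views."""
    jit = AccessModel(roles={"db-admin": {"db:read", "db:write", "db:drop"}})
    jit.jit_elevate("alice", "db-admin", now, ttl)
    zsp = AccessModel()
    zsp.zsp_grant("alice", {"db:read"}, now, ttl, approved_by="bob")
    during = (jit.effective("alice", now + 1), zsp.effective("alice", now + 1))
    jit.expire(now + ttl)
    zsp.expire(now + ttl)
    return during, (jit.standing(), zsp.standing())
```

In both models the user holds nothing after expiry, but only the second leaves `standing()` empty; the pre-configured role in the first is the residual privilege an audit should flag.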

Myth #3: Zero Standing Privileges (ZSP) Removes the Need for Session Isolation and Command Filtering

Reality: Implementing ZSP alone does not absolve organizations of the need for robust, post-authentication security measures like session isolation and command filtering.

Even in a ZSP model, additional layers of defense are necessary to prevent insider threats and lateral movement attacks. For instance, session isolation can help contain any malware or malicious code that might enter a privileged session, and command filtering can ensure that users are restricted to performing only approved actions.

ZSP helps minimize risk before access is granted, but it cannot fully mitigate the risks that arise during and after a session. Implementing these post-authentication controls ensures that the “never trust, always verify” principle is upheld throughout the privileged session.

Conclusion: Look Beyond the Vendor Hype

Zero Standing Privileges is a promising direction for securing privileged access, but don’t get caught up in the hype. Today’s vendors often exaggerate their capabilities, failing to address the full scope of a modern PAM program’s needs.

When evaluating PAM solutions, focus on your organization’s specific requirements and assess whether the vendor’s technology addresses them comprehensively. A successful PAM strategy should incorporate ZSP along with traditional credential management, JIT access, and robust post-authentication controls. Only by taking a holistic approach can you achieve the security, flexibility, and resilience needed to protect your organization in an increasingly complex threat landscape.

How can we help you at Technosprout?

Amidst a myriad of MSSP options in the market, why opt for Technosprout? How can we help? What sets us apart?

Achieving cyber confidence begins with a solid strategy and governance. Technosprout leverages a four-pronged “Assess, Design, Implement and Manage” approach that leads organizations methodically through business transformation throughout the lifecycle.

Our managed security services provide customized, comprehensive solutions that address specific business needs strategically, backed by the best certified experts and 7+ years of experience in the market.

Want to explore the nuances of implementing zero standing privileges? Don’t let your organization be the next target. Empower your organization and secure your privileged users. We help implement and manage your privileged access, partnering with CyberArk for complete risk mitigation. Strengthen your Identity and Privileged Access Management (PAM) with CyberArk Dynamic Privilege Access and Technosprout Managed Services. Contact us today!
