CyberArk Glossary >

Zero Standing Privileges (ZSP)

What Is Zero Standing Privileges?

Zero Standing Privileges (ZSP) is a security principle that advocates for the removal of persistent access privileges for users within an enterprise network. Practically Zero Standing Privileges is the next logical progression from just-in-time access. Just-in-time Access massively reduces the risk of credential theft posed by standing access as a user is not able to log in until this temporary access is granted. Zero Standing Privileges leverages the same concept of requiring users to obtain access as and when needed instead of granting continuous access rights but extends past that using the principle of least privilege.

These principles help reduce the risk of account takeover, credential theft and identity compromise. The concept of Zero Standing Privileges is the best direction to solve these challenges, both by removing standing privileges to limit implicit trust and providing several levels of control to verify access. .Rather than elevating the requested user to an administrative role, security teams can instead allocate just the permissions the user needs to accomplish the task required. This gives the benefit of reducing the impact of the access if an attacker was able to takeover the account.

Why Is ZSP Important?

Adopting Zero Standing Privileges is crucial for an enterprise’s identity security program as workloads shift to more dynamic environments, often in the cloud. Security teams no longer have access to traditional means of securing these platforms such as network perimeters. As such, they need to find a way to reduce the attack surface. Removing any standing privileges then granting them back in limited and considered amounts is one of the most effective ways to do that.

How Do You Implement Zero Standing Privileges?

Much like other concepts such as the principle of least privilege, ZSP is more of a journey. An organization needs to find ways to elevate access just-in-time yet make sure the elevation is not to a role with high-risk entitlements that will not be used (e.g. an administrative role). Organizations should instead elevate admins and engineers to role with limited access to achieve the results intended. These roles should be constantly evaluated as to the risks and exposure they may pose using Cloud Infrastructure entitlements Management (CIEM) Tooling. Organizations should also consider leveraging workflows to gate these elevations and provide additional levels of control. Finally, continuous monitoring, logging and auditing should be in place to detect and respond to any unauthorized access attempts or anomalies effectively.