Using Zero Standing Permissions to Achieve a Zero Trust Model

There is a reason the security community is embracing the zero trust (ZT) principle with renewed energy: it helps prevent breaches by eliminating implicit trust from a system’s architecture.

Instead of automatically trusting users inside a network, ZT dictates that every access point requires validation. All users – whether on-prem or in the cloud, human or service IDs – must be authenticated, authorized, and validated for security configuration and posture before being granted access to applications and data.

Shifting network defenses toward a comprehensive security model like ZT lets organizations tighten access controls on networks, applications, and environments. This improves granularity and adds a further layer of security around data. Rather than trying to protect an ever-evolving attack surface, ZT architecture and policies defend networks at the foundation through consistent monitoring and maintenance.

As good as zero trust sounds in theory, however, putting it into practice is difficult. The reasons for implementing ZT are clear, and it is wise to do as much as possible toward enforcing ZT policies quickly. But when an organization has multiple environments with thousands of users that operate on established processes, it is easy to see why many struggle to initiate a true ZT model.

The problem is exacerbated in the cloud, where proliferating service IDs and human users work in concert to develop software at a rapid pace to achieve scale. The question is, how can security teams develop ZT policies that do not impede workflows?

Organizations move to the cloud for speed, agility, and cost savings. And while it is understood that cloud and on-prem environments are fundamentally different, with unique security requirements, what they have in common is a lack of visibility and control over users and access management. Validating and monitoring every user across each environment is a Herculean task.

As a result, any organization attempting to implement ZT risks slowing the pace cloud builders must maintain to meet business objectives.

The irony is that developer models with a need for speed do not have to be at odds with the security controls recommended by zero trust. The friction arises when you try to fold ZT policies into a network architecture designed for velocity. DevOps cannot be encumbered by strict security controls, and security controls must not impede DevOps’ ability to deliver the goods.

If, instead, ZT policies are implemented through deliberate access management practices, DevOps can build quickly and SecOps can protect an organization’s data, applications, and networks. It is the square-peg, round-hole dynamic of forcing ZT onto an architecture built for velocity that prevents most companies from achieving zero trust.

As a result, attack surfaces grow, user access management becomes cumbersome and opaque, and, when a security incident occurs, the operational velocity that DevOps needs to do its job and that the organization relies on to grow grinds to a halt.

To solve this riddle, let’s step back from zero trust and focus on zero standing permissions (ZSP).

Zero Standing Permissions

Gartner defines ZSP as “the target state for privileged access in an organization to minimize risk of stolen credentials, privilege abuse, breaches, data loss and non-compliance.” Unlike zero trust, which is a security framework that can be interpreted in diverse ways, ZSP is a tactical step organizations can take to move closer to a zero-trust model.

Keep in mind that ZT is not a product or platform; it is a concept. ZSP, on the other hand, is not conceptual. It is a concrete approach to managing privileged user access across network environments.

The ability to dynamically add and remove privileges across your environment enables DevOps and SecOps to achieve their respective objectives – DevOps have the access they need when they need it while ZSP elevates an organization’s overall security posture.

Small and large organizations across industries recognize the importance of moving toward a zero-trust policy. But it is easy to get sidetracked on the way there. Zero standing permissions is one of the fastest and most assured ways of securing users in cloud environments without slowing down DevOps.

Britive helps you maintain ZSP across your entire cloud environment by granting ephemeral Just-In-Time (JIT) privileges. A unified access model provides cross-cloud visibility for human and machine IDs across all operation-critical cloud applications.

With Britive, you can:

  • Minimize the blast radius of your highest risk cloud users
  • Eliminate permanent accounts & standing privileges
  • Maintain zero standing privileges (ZSP) across your cloud services – without the hassle of building a DIY cloud PAM (Privileged Access Management) solution
  • Automatically grant & revoke elevated privileges – all without admin involvement

Remember, permanent elevated privileges leave you exposed 24/7 to data loss and account compromise from insider threats and hackers.

Temporarily granting and expiring JIT privileges with Britive instead minimizes the potential blast radius of your privileged human and machine identities – all while making sure DevOps has the access it needs to achieve velocity and grow your business.
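The JIT grant-and-expire model described above, shown as an added example that is not Britive’s product or API: a small Python broker in which every privilege is scoped to one role on one resource, carries a hard expiry, and is swept automatically, plus an audit helper that flags standing (never-expiring) bindings in an existing estate. The role and resource names, the one-hour TTL ceiling, and the binding record format are assumptions made for the example.

```python
"""Minimal just-in-time (JIT) privilege broker illustrating zero standing permissions.

Added example, not Britive's code or API. It models the approach the post describes:
a privilege is granted only on request, scoped to one role on one resource, carries a
hard expiry, and is swept away automatically, so no standing permission ever exists in
the broker's state. Role and resource names below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal: str      # human or machine identity requesting elevation
    role: str           # hypothetical role name, e.g. "db-admin"
    resource: str       # hypothetical resource, e.g. "prod-db"
    granted_at: float   # seconds since epoch (caller-supplied clock)
    expires_at: float   # absolute expiry; never None, by construction


class JITBroker:
    # Hypothetical policy ceiling: no elevation may outlive one hour.
    MAX_TTL_SECONDS = 3600

    def __init__(self) -> None:
        self._grants: dict[tuple[str, str, str], Grant] = {}
        self.audit: list[str] = []   # append-only log of grant/revoke/expire events

    def request_elevation(self, principal: str, role: str, resource: str,
                          ttl_seconds: int, now: float, justification: str) -> Grant:
        """Grant a time-boxed privilege; refuses permanent or over-long grants."""
        if not justification.strip():
            raise ValueError("a justification is required for every elevation")
        if not 0 < ttl_seconds <= self.MAX_TTL_SECONDS:
            raise ValueError(f"ttl must be in (0, {self.MAX_TTL_SECONDS}] seconds")
        self._sweep(now)
        grant = Grant(principal, role, resource, now, now + ttl_seconds)
        self._grants[(principal, role, resource)] = grant
        self.audit.append(f"GRANT {principal} {role}@{resource} "
                          f"until {grant.expires_at:.0f} ({justification})")
        return grant

    def is_authorized(self, principal: str, role: str, resource: str, now: float) -> bool:
        """Authorization check: true only for an unexpired grant on exactly this scope."""
        self._sweep(now)
        return (principal, role, resource) in self._grants

    def revoke(self, principal: str, role: str, resource: str, now: float) -> bool:
        """Early revocation, e.g. when the ticket closes or an incident starts."""
        grant = self._grants.pop((principal, role, resource), None)
        if grant is None:
            return False
        self.audit.append(f"REVOKE {principal} {role}@{resource} at {now:.0f}")
        return True

    def active_grant_count(self, now: float) -> int:
        self._sweep(now)
        return len(self._grants)

    def _sweep(self, now: float) -> int:
        """Automatic revocation: drop every grant whose expiry has passed."""
        expired = [key for key, g in self._grants.items() if g.expires_at <= now]
        for key in expired:
            del self._grants[key]
            self.audit.append(f"EXPIRE {key[0]} {key[1]}@{key[2]} at {now:.0f}")
        return len(expired)


def find_standing_permissions(bindings: list[dict]) -> list[dict]:
    """Audit helper for an existing estate: flag bindings that never expire.

    Each binding is a constructed, vendor-neutral record such as
    {"principal": ..., "role": ..., "resource": ..., "expires_at": float | None}.
    A binding with no expiry is a standing permission and violates ZSP.
    """
    return [b for b in bindings if b.get("expires_at") is None]


if __name__ == "__main__":
    broker = JITBroker()
    t0 = 1_700_000_000.0   # constructed clock value
    broker.request_elevation("alice", "db-admin", "prod-db", 600, t0, "INC-123 hotfix")
    print(broker.is_authorized("alice", "db-admin", "prod-db", t0 + 60))     # True
    print(broker.is_authorized("alice", "db-admin", "staging-db", t0 + 60))  # False: wrong scope
    print(broker.is_authorized("alice", "db-admin", "prod-db", t0 + 601))    # False: expired
    for line in broker.audit:
        print(line)
    # Constructed sample of an estate with one permanent binding:
    sample = [
        {"principal": "ci-runner", "role": "deployer", "resource": "prod-cluster", "expires_at": None},
        {"principal": "bob", "role": "reader", "resource": "logs", "expires_at": t0 + 300},
    ]
    print(find_standing_permissions(sample))   # the ci-runner binding
```

The clock is passed in explicitly so expiry behaviour is deterministic and testable; in a real deployment the broker would read a trusted clock and the audit log would go to an append-only sink, since the log is what lets SecOps reconstruct who held which privilege when.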
