October 2, 2019

Gartner: standing privileges in IT are a risk

How many years has the cybersecurity industry talked about “the password problem”? And how many years has the conclusion always been the same: passwords are one of the weakest links in the cybersecurity chain. They are always either too simple, stolen or lost. Or they become too complex to remember. But everybody has to use them. Right? Think again.

We can’t claim to be able to eliminate all the passwords from the world. But with us, you no longer need them when your employees or subcontractors access the IT infrastructure where your critical data, customer-facing applications, production environments, hosts and business-critical networks reside. So privileged users, like your system and database administrators, DevOps and software engineers, security architects, and Linux and Unix system administrators, rejoice: now you can get and grant access to the lifeblood of your company without having to deal with any type of permanent credentials whatsoever.

Since we at SSH.COM are proud to be listed as a just-in-time, lean privileged access management (PAM) vendor in Gartner’s “Remove Standing Privileges Through a Just-in-Time PAM Approach”, we thought we'd give you an overview of how to reimagine, redefine and revolutionize the way privileged access management (PAM) is approached, accompanied by quotes from our friends at Gartner.

Cloud is ephemeral; access should be too

“The existence of privileged access carries significant risk, and even with PAM tools in place, the residual risk of users with standing privileges remains high. Security and risk management leaders engaged in IAM must implement a zero standing privileges (ZSP) strategy through a just-in-time (JIT) model.” – Gartner

In the times of digital yore, when many existing PAM solutions were designed, the IT infrastructure was static and servers permanent. Fast-forward to the age of the cloud, and there can be hundreds or even thousands of instances spun up every day, even in a medium-sized company. That same number of instances could be eliminated just as quickly and easily.

This is the age of impermanence. Yet many companies and PAM solution providers still use permanent credentials, which in Gartner's terms are an example of ‘standing privileges’. These are not just a risk. They are bad for your operational efficiency: you end up constantly creating, managing, hunting and eliminating permanent credentials - in an environment where the back-end is constantly shifting and 'joiners, movers, leavers' is an always-on process. Just think about the sheer number of audit log files generated per access credential, user, vaulted password and eliminated credential. We are no longer talking about terabytes of log data per day: it’s terrorbytes!

Furthermore, managing permanent credentials adds a lot of complexity and inertia into the mix, simply because managing them often relies on agent-based software that might take months, even years, to install. Read more about why you should streamline your PAM deployments and maintenance here.

We designed a solution that is multi-cloud-native, on-prem friendly and grows at cloud scale. The cloud forces companies to redesign their application architecture anyway, so we've come up with a PAM architecture that gives you a head start on your journey towards the cloud and carries you to the future as you cloudify even more.

In our solution, access is established using what we call unique, ephemeral certificates that are applied just-in-time (JIT) for authentication and that automatically expire after the connection to the target host has been made. There is no longer any need to rotate, store or worry about permanent credentials, since they have been removed from the equation and are no longer a burden to your operations. In our opinion, the ZSP model is not only about security: it's also a matter of business velocity.
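To make the JIT model above concrete, here is an added example (our own illustration, not PrivX code or its internal design) of a minimal access broker that issues a signed, host-scoped, short-lived grant and a target-side check that accepts it only once and only before expiry. The signing key, the role-to-host table and the host names are constructed assumptions; a real deployment would use the CA-signed SSH certificates the post refers to rather than an HMAC token, but the lifecycle is the same: no privilege exists before the grant, and none survives after it is used or expires.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo signing key for the hypothetical broker (assumption: in a real
# deployment only the broker holds this; it is not a PrivX component).
BROKER_KEY = b"constructed-demo-signing-key-not-for-production"

# Hypothetical role-to-host authorisation table (constructed sample data).
ROLE_HOSTS = {
    "db-admin": {"db-01.example.internal", "db-02.example.internal"},
    "devops": {"app-01.example.internal"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(user, role, host, ttl_seconds, now=None):
    """Issue a single-use grant scoped to one host and valid for ttl_seconds.

    Returns None when the role does not authorise the host, so no credential
    is ever minted for an unauthorised target (zero standing privileges).
    """
    now = time.time() if now is None else now
    if host not in ROLE_HOSTS.get(role, set()):
        return None
    payload = {
        "sub": user,
        "role": role,
        "host": host,
        "jti": secrets.token_hex(8),      # unique id so the grant can be marked used
        "iat": int(now),
        "exp": int(now) + ttl_seconds,    # hard expiry; no rotation needed
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_grant(token, host, used, now=None):
    """Target-side check. Returns (payload, "ok") on success, else (None, reason).

    `used` is the set of grant ids already consumed on this host; a grant is
    consumed on first successful use, mirroring a certificate that expires as
    soon as the connection has been made.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature is rejected without timing leaks.
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None, "bad-signature"
    payload = json.loads(_unb64(body))
    if payload["host"] != host:
        return None, "wrong-host"
    if now >= payload["exp"]:
        return None, "expired"
    if payload["jti"] in used:
        return None, "already-used"
    used.add(payload["jti"])
    return payload, "ok"


if __name__ == "__main__":
    consumed = set()
    token = issue_grant("alice", "db-admin", "db-01.example.internal", ttl_seconds=300)
    print(verify_grant(token, "db-01.example.internal", consumed)[1])  # first use succeeds
    print(verify_grant(token, "db-01.example.internal", consumed)[1])  # second use is refused
```

The point of the `used` set and the `exp` field together is that nothing has to be revoked or rotated afterwards: the grant is worthless to anyone who captures it after the first connection, and worthless to everyone after five minutes.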

Standing privileges are a risk

“When personal privileged accounts exist in an environment, even when controlled by a PAM tool, the account and, therefore, the privileges exist, leaving the risk of standing privileges in the environment.” – Gartner.

There it is: if you have standing privileges in the environment, no matter how you manage, rotate or vault them, they constitute a risk. One of the risks associated with permanent credentials is PAM bypass: the first session is established through a PAM solution as mandated by company security policy, but subsequent logins go directly to the host with the permanent credential, outside the PAM solution entirely.

Another example is lateral movement inside a network: with permanent credentials at hand, a skilled user can self-provision greater levels of privilege and hop from one server to another. Often this means gaining access to more valuable and sensitive information than was originally intended.

Legacy PAM vendors often emphasize the importance of rotating and vaulting permanent credentials. The reason might be that their solutions weren’t designed to be cloud-native and they need to retrofit and patch up their solutions to stay relevant. But how can you be sure that all credentials are really accounted for, in rotation and policy-compliant, when they need to be created, eliminated, hunted - and on-boarded to a vault - all the time? The most straightforward solution is not to try to live with powerful and permanent privileges, but to get rid of them entirely! That is true risk mitigation.
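Both risks named above leave a trace a defender can look for: a successful login whose source is not the PAM gateway. The following added example (our illustration, not PrivX code) runs that check over constructed sshd log lines. The gateway address, the managed-host address table and the host names are assumptions; the log format is the standard OpenSSH "Accepted ... for ... from ..." line. A login from an address outside the gateway is classed as PAM bypass; a login whose source is itself one of the managed hosts is classed as lateral movement, since a standing credential is being reused from a host that was reached earlier.

```python
import re
from collections import namedtuple

# Hypothetical deployment layout (constructed assumption, not a PrivX data model):
# the PAM gateway's address and the addresses of the managed hosts.
PAM_GATEWAY_IPS = {"10.0.0.5"}
MANAGED_HOSTS = {"10.0.1.10": "db-01", "10.0.1.11": "db-02", "10.0.1.12": "app-01"}

# Standard OpenSSH syslog line: "<Mon> <d> <hh:mm:ss> <host> sshd[<pid>]: Accepted
# <method> for <user> from <src> port <n> ssh2 ..."
LOGIN_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

Finding = namedtuple("Finding", "host user src method kind")


def classify_login(src):
    """Classify a successful login by where it came from."""
    if src in PAM_GATEWAY_IPS:
        return "via-pam"            # expected path: session brokered by the PAM gateway
    if src in MANAGED_HOSTS:
        return "lateral-movement"   # one managed host hopping to another
    return "pam-bypass"             # direct login that never touched the gateway


def audit_sshd_log(lines):
    """Return a Finding for every successful login that did not come via the gateway."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failures and unrelated lines are out of scope here
        kind = classify_login(m["src"])
        if kind != "via-pam":
            findings.append(Finding(m["host"], m["user"], m["src"], m["method"], kind))
    return findings


# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    "Oct  2 10:01:12 db-01 sshd[2314]: Accepted publickey for alice from 10.0.0.5 port 51112 ssh2",
    "Oct  2 10:04:40 db-02 sshd[2390]: Accepted publickey for alice from 10.0.1.10 port 40222 ssh2",
    "Oct  2 10:07:03 app-01 sshd[1177]: Accepted password for bob from 203.0.113.7 port 58001 ssh2",
    "Oct  2 10:07:09 app-01 sshd[1178]: Failed password for root from 203.0.113.7 port 58004 ssh2",
    "Oct  2 10:15:55 db-01 sshd[2501]: Accepted publickey for carol from 192.168.50.4 port 33190 ssh2",
]

if __name__ == "__main__":
    for f in audit_sshd_log(SAMPLE_LOG):
        print(f"{f.kind:17} {f.user}@{f.host} from {f.src} ({f.method})")
```

In the sample, alice's first session on db-01 came through the gateway and is silent, but her hop from db-01 to db-02 is reported as lateral movement, and bob's and carol's direct logins are reported as PAM bypass. With ephemeral, gateway-issued certificates there is no standing key on db-01 to hop with, so the second and fourth lines could not have succeeded in the first place.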

Go beyond PAM basics – especially with 3rd parties

“PAM basics like vaulting and session management help mitigate the risk of the existence of privileged accounts. JIT (just-in-time) reduces the risk of privileged access abuse, and ZSP (zero standing privileges) reduces the attack surface of the privileged accounts themselves.” – Gartner

We believe that permanent credentials are a permanent addition to the attack surface for nefarious actors. Privileged credentials are a desirable target for hackers, since they are generally trusted to be in the control of highly privileged users or monitored by one system or another. Outsourcing has a lot of business benefits, but it also means that you have to grant powerful access to people working outside your company. Now if you combine permanent privileged accounts given to 3rd parties with hackers who actively harvest permanent credentials, the potential attack surface increases exponentially. Even when controlled by “PAM basics like vaulting”.

It is because you have to trust that:

  • 3rd parties have permanent credentials at their disposal only for as long as necessary
  • all permanent credentials are actually discovered, in control, vaulted and their passwords rotated
  • consultants have the least amount of privilege required for the completion of each task to avoid privacy and compliance violations
  • all subcontractors use the credentials responsibly
  • nobody shares credentials with high-levels of privilege externally (and further down the supply chain)
  • all activities can be identified and traced back to individual subcontractors
  • nobody accidentally misconfigures permanent credentials or forgets to remove them from the network

Smart money is on the future

“By 2022, 40% of privileged access activity will leverage ZSP through JIT privilege elevation, effectively eliminating standing privileges, up from just 10% today.” - Gartner

We understand it is important to address the problems of today but you just can’t ignore the problems of the future either. We know your current and legacy systems won’t disappear overnight so that is why 'on-prem friendly and cloud-native' is our mantra. When you are using any combination of on-premises and multi-cloud systems (AWS, Azure, GoogleCloud), managing access based on permanent credentials can turn into an extremely complicated and time-consuming mess. This, again, is one of the reasons why just-in-time, ephemeral access is gaining popularity.

Ephemeral access without standing privileges is nothing new to us. In 2016, we held a breakfast seminar together with BT Security and Deloitte, and proudly presented the idea of “Dynamic service provision requires dynamic security thinking” as a precursor to our current JIT-enabled solution. The solution itself - called PrivX - was introduced eight months later. We've been saying that PAM solutions need a new approach for quite some time now.

Check out the video below to get an overview of PrivX!


Some highlights include:

  • direct interfacing with your identity management system (IAM/Active Directory/LDAP)
  • role-based access controls (RBAC) linked with authorizations in IAM and automatically updated for any changes
  • SSO for privileged users (software engineers, DevOps, subcontractors, IT architects…)
  • “set it and forget it” for admins – PrivX stays in sync and automatically discovers new hosts
  • ephemeral, credential-less authentication for mitigating the risks associated with standing privileges
  • agentless installation for ease of maintenance and lightning-fast deployment
  • consolidated access and view to workloads in multi-cloud (AWS, Azure, GoogleCloud) and on-prem environments
  • lean, micro-services architecture for future-proof scalability
  • “Not an IT project” – minimal training, instant on-boarding, automatic off-boarding and super low TCO

How about thinking beyond “basic PAM methods” and starting your journey towards a zero standing privileges (ZSP) and just-in-time (JIT) model - together with us. PrivX brings you one giant step closer to that goal.

You can get the Gartner research here (takes you to the Gartner site).


Jani Virkkula

Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator->-tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...
