Overview
Zero Standing Privileges (ZSP) is the "North Star" of modern PAM. It argues that no user should possess privileges permanently.
In a legacy model, Alice is a "Domain Admin" forever. If she is phished on Saturday, the attacker is a Domain Admin. In a ZSP model, Alice is a "Standard User" by default. If she is phished on Saturday, the attacker gets nothing (because she only elevates to Admin on Monday morning for 2 hours).
ZSP moves PAM from "Protecting the Credential" (Vaulting) to "Removing the Privilege" (JIT).
Architecture
Reference Pattern: The JIT Compiler for Access
Access is "compiled" (created) only when needed and "garbage collected" (removed) immediately after.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| ZSP Method | Ephemeral Accounts, Group Membership, Tokens | Group Membership | Adding/Removing users from AD Groups is reliable and auditable. |
| Cloud ZSP | AWS IAM Roles, Azure PIM | Native Tools | Use Azure PIM to make users "Eligible" for roles, not "Active." |
| Legacy Apps | Vaulting, JIT | Vaulting (Fallback) | Some apps can't handle JIT. Fall back to vaulting the static admin password. |
| Emergency | Break Glass, Standard JIT | Break Glass | If the ZSP system is down, you have NO admins. You need an out-of-band break-glass account that does not depend on the PAM tool. |
| Scope | Humans, Service Accounts | Humans First | Service Accounts need ZSP too (Dynamic Secrets), but Humans are the phishing targets. |
Implementation
Phase 1: Clean Up "The Admins"
- Empty the "Domain Admins" group (except for the Break Glass account).
- Create a "Just-In-Time Domain Admins" shadow group.
- Configure the PAM tool to populate the shadow group on request.
- Goal: The "Domain Admins" group is empty 99% of the time.
Phase 2: Server & Endpoint
- Remove all persistent members from local "Administrators" groups.
- Implement LAPS (Local Administrator Password Solution) or JIT Group Policy.
- Goal: No lateral movement paths.
Phase 3: Cloud Eligibility
- Convert all AWS/Azure admin assignments to "Eligible" (PIM) or "Session-based" (Identity Center).
- Enforce MFA on activation.
- Goal: Cloud console access is zero by default.
Risks
- Operational Delay: "I can't wait 5 minutes to be an admin!" (Mitigation: Auto-approval for standard tasks).
- Revocation Failures: The user is granted admin access, but the revocation script fails. They remain an admin forever without anyone knowing.
- Audit Confusion: Auditors ask "Who are your admins?" and the answer is "Nobody," which confuses them. You need reports showing "Who was an admin, and when."
KPIs
- Standing Access Count: Total number of users with permanent privileged assignments (Target: Trending to 0).
- JIT Success Rate: Percentage of access requests granted automatically via JIT policy vs. manual approval.
- Access Duration: Average duration of privileged sessions (Target: < 4 hours).
- Exception Count: Number of approved exceptions (users allowed to keep standing access).
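The Revocation Failures risk and the KPIs above both come down to the same reconciliation job: compare the shadow group's real membership with the PAM tool's grant ledger. The following is an added example (not code from the original page or any PAM product) that runs over a constructed ledger and group snapshot; the account name `bg-admin-01` and the `Grant` record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical break-glass account: the one permitted standing member.
BREAK_GLASS = {"bg-admin-01"}

@dataclass(frozen=True)
class Grant:
    """One JIT elevation recorded by the PAM tool (assumed ledger format)."""
    user: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None  # None: no revocation recorded yet

def _active(grants, now):
    return {g.user for g in grants
            if g.revoked_at is None and g.granted_at <= now < g.expires_at}

def reconcile(members: set, grants: list, now: datetime) -> dict:
    """Compare the group's real members with the ledger and report drift."""
    active = _active(grants, now)
    expired_open = {g.user for g in grants
                    if g.revoked_at is None and g.expires_at <= now}
    return {
        # Grant expired but the user is still in the group: revocation failed.
        "revocation_failed": sorted(expired_open & members),
        # In the group with no ledger entry at all and not break-glass.
        "standing_unexplained": sorted(members - active - expired_open - BREAK_GLASS),
        # Ledger says active but the user is gone (manual removal): close the grant.
        "ledger_drift": sorted(active - members),
    }

def kpis(members: set, grants: list, now: datetime) -> dict:
    """Standing Access Count, Exception Count and Access Duration."""
    closed = [g for g in grants if g.revoked_at is not None]
    avg_hours = (sum((g.revoked_at - g.granted_at).total_seconds() for g in closed)
                 / len(closed) / 3600) if closed else 0.0
    return {
        # Any member without an active grant is standing, failed revocations included.
        "standing_access_count": len(members - _active(grants, now) - BREAK_GLASS),
        "exception_count": len(members & BREAK_GLASS),
        "avg_duration_hours": avg_hours,
    }

# Constructed sample: one reconciliation run on a Monday at 11:00 UTC.
NOW = datetime(2024, 6, 3, 11, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
LEDGER = [
    Grant("alice", NOW - 3 * H, NOW - 1 * H, revoked_at=NOW - 1 * H),  # clean 2h session
    Grant("bob", NOW - 0.5 * H, NOW + 1.5 * H),                       # active now
    Grant("carol", NOW - 5 * H, NOW - 3 * H),                         # expired, never revoked
    Grant("erin", NOW - 1 * H, NOW + 3 * H),                          # active, removed by hand
]
MEMBERS = {"bob", "carol", "dave", "bg-admin-01"}  # snapshot of the shadow group

if __name__ == "__main__":
    print(reconcile(MEMBERS, LEDGER, NOW))
    print(kpis(MEMBERS, LEDGER, NOW))
```

Anything in `revocation_failed` or `standing_unexplained` should page the PAM team, and `standing_access_count` is the number that should trend to zero.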
