Why standard identity frameworks will never achieve Zero Standing Privilege (ZSP)
In a recent Cyber Hut webinar, SGNL CTO and Identity 25 winner Atul Tulshibagwale joined fellow identity security experts including Ian Glazer, former SVP of Identity Product Management at Salesforce and current board member of the OpenID Foundation, to shed light on authorization’s new-found prominence in access security.
While strong authentication will always remain critical to warding off attacks, limiting (and, ideally, eliminating) standing access rights in the first place reduces the blast radius and minimizes the damage that external and internal threat actors can inflict. Read on to discover why the shift from static to dynamic authorization systems at enterprise companies is essential to achieving Zero Standing Privilege (ZSP), and how today's common access control models such as role-based access control (RBAC) fall short.
Traditional authorization systems operate under static rules: access is defined by role or group membership and stays in place until someone removes it. These approaches were designed for simpler IT environments largely contained within the network and protected by a firewall. But the classic moat-and-castle model started showing its weaknesses in the 2000s and 2010s with the expansion of cloud services and the proliferation of mobile devices.
The decentralization trend kicked into hyperdrive during COVID, and it shows no signs of reversing course. On top of this, nearly 80% of data breaches involve compromised identities. Hence, we must evolve from defense-in-depth alone to identity-in-depth.
So what does that mean for identity security and IAM teams?
Begin by recognizing that employees don't need just-in-case access — they need just-in-time access that's based on business context. Enterprises should evaluate dynamic authorization frameworks like modern privileged identity management (PIM) that eliminate standing privilege entirely and grant limited, time-bound access only when it is needed, with the grant expiring on its own afterwards. These frameworks offer vastly more flexibility and responsiveness, allowing companies to achieve the much sought-after Zero Standing Privilege that drastically reduces the potential blast radius. If attackers compromise an identity with no standing access, they gain no privileges with it; any access they try to obtain must pass through the same policy checks and time limits as a legitimate request, which sharply limits the damage they can do.
To increase protection, a PIM should support the Continuous Access Evaluation Profile (CAEP), an OpenID Foundation profile of the Shared Signals Framework. Under CAEP a transmitter (typically an identity provider) sends receivers signed Security Event Tokens describing changes such as a revoked session or a changed credential, so the receiver can act on them immediately instead of waiting for the next token refresh or polling cycle. As zero trust becomes standard, continuous evaluation of access rights across the distributed environment is crucial. CAEP overcomes identity silos through a non-prescriptive framework for sharing risk signals.
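The two mechanisms above, time-bound just-in-time grants and CAEP session-revocation events, fit together as follows. The code is an added example, not SGNL's product code: a grant store in which nothing is allowed without a live, expiring grant, plus a transmitter that issues a CAEP session-revoked event as a Security Event Token (SET, RFC 8417) and a receiver that verifies it and revokes the subject's grants. HS256 with a shared secret is used only so the example runs offline; real Shared Signals deployments normally sign SETs with asymmetric keys published at the transmitter's JWKS endpoint. The issuer and audience URLs, e-mail addresses, resource names and secret are all constructed for the example.

```python
"""Added example (not SGNL's code): JIT grants with TTLs plus a CAEP
session-revoked SET, HS256-signed with a shared secret for offline use.
All names, URLs and the secret are constructed for illustration."""
import base64
import hashlib
import hmac
import json

# Event type URI defined by the CAEP specification for a revoked session.
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class GrantStore:
    """Zero Standing Privilege: access exists only while a live, time-bound grant does."""

    def __init__(self):
        self._grants = {}  # (subject, resource) -> expiry, seconds since epoch

    def grant(self, subject, resource, ttl_seconds, now):
        self._grants[(subject, resource)] = now + ttl_seconds

    def is_allowed(self, subject, resource, now):
        expiry = self._grants.get((subject, resource))
        return expiry is not None and now < expiry

    def revoke_all(self, subject):
        keys = [k for k in self._grants if k[0] == subject]
        for k in keys:
            del self._grants[k]
        return len(keys)


def make_set(secret, issuer, audience, subject_email, event_type, payload, now, jti):
    """Transmitter side: build a compact HS256-signed SET carrying one event."""
    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    claims = {
        "iss": issuer, "iat": now, "jti": jti, "aud": audience,
        "sub_id": {"format": "email", "email": subject_email},
        "events": {event_type: payload},
    }
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token, secret, expected_issuer, expected_audience):
    """Receiver side: return claims only if signature, header, iss and aud all check out."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        return None  # rejects alg "none" and ordinary access tokens
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    if "events" not in claims or "sub_id" not in claims:
        return None
    return claims


def apply_caep_event(store, claims):
    """Map a verified SET onto the grant store; returns the number of grants revoked."""
    if CAEP_SESSION_REVOKED not in claims["events"]:
        return 0
    subject = claims["sub_id"].get("email")
    return store.revoke_all(subject) if subject else 0


def demo(now=1_700_000_000):
    secret = b"demo-shared-secret"  # constructed; never hard-code a real one
    issuer, audience = "https://idp.example.com", "https://pim.example.com"
    store = GrantStore()
    store.grant("alice@example.com", "prod-db", ttl_seconds=900, now=now)
    store.grant("bob@example.com", "prod-db", ttl_seconds=900, now=now)
    alice_before = store.is_allowed("alice@example.com", "prod-db", now + 60)
    bob_after_ttl = store.is_allowed("bob@example.com", "prod-db", now + 901)
    token = make_set(secret, issuer, audience, "alice@example.com", CAEP_SESSION_REVOKED,
                     {"event_timestamp": now + 120, "initiating_entity": "admin",
                      "reason_admin": {"en": "Credential reported compromised"}},
                     now + 120, "evt-0001")
    claims = verify_set(token, secret, issuer, audience)
    revoked = apply_caep_event(store, claims) if claims else 0
    alice_after = store.is_allowed("alice@example.com", "prod-db", now + 180)
    forged = verify_set(token, b"wrong-secret", issuer, audience)
    return {"alice_before": alice_before, "bob_expired_by_ttl": not bob_after_ttl,
            "revoked": revoked, "alice_after": alice_after, "forged_rejected": forged is None}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the receiver checks `typ`, `alg`, `iss` and `aud` before trusting the `events` claim, so a stray access token or an unsigned token cannot revoke or, worse, be ignored silently; and Bob's grant lapses on its own at the TTL with no event at all, which is what keeps privilege from standing when the signal pipeline is down.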
A modern PIM coupled with CAEP can integrate into the existing tech stack to address the gaps that privileged access management (PAM), identity governance and administration (IGA), and access control frameworks present. This combination provides CISOs and their teams with a true dynamic authorization system that:
Dynamic authorization frameworks like a modern PIM can draw on AI and machine learning (ML) to process the large volume of context required for real-time access decisions, answering more than 95% of queries within 100 ms. Manual processes simply cannot scale to enterprises' authorization needs.
At SGNL, we've built a modern PIM that protects critical systems and data and fully supports CAEP. SGNL's dynamic approach to access management achieves Zero Standing Privilege across cloud platforms and applications such as Azure, AWS, GitHub, and Salesforce, as well as on-prem systems.
Check out the full webinar for more insights from Atul, Ian, and The Cyber Hut founder Simon Moffatt.