How Zero Standing Privilege, CAEP and Dynamic Authorization all come together
Large organizations run a number of different technologies that relate to identity: Identity Providers, Identity Governance and Administration (IGA) systems, Privileged Access Management (PAM) systems, 2FA providers, identity orchestration systems, and possibly developer-facing policy frameworks such as Open Policy Agent and machine identity frameworks such as SPIFFE/SPIRE. So when SGNL describes its offering as a “Modern Privileged Identity Management” system, a question we are sometimes asked is: what exactly is that, and how does it relate to all these other terms?
A core focus of SGNL is ensuring that when users in the extended workforce (employees, contractors, and temps) access critical systems, their access is limited to what their current context demands, that is, “just-in-time” access, rather than the sum total of everything the user might ever need to do (which we have heard people refer to as “just-in-case” access).
There are a few key tenets to SGNL’s approach:
Since this deals with privileged access, you might wonder how this compares or contrasts with IGA and PAM.
IGA systems are great for provisioning user accounts into various systems, directories, and databases. They provide rich user interfaces for managing entitlements, groups, and roles, and flexible workflows that can be adapted to your organization’s needs. They provide a good baseline for managing standing access permissions in your organization, which may be sufficient for a number of systems.
SGNL complements IGA systems (in fact, SGNL integrates with IGA as a system of record) to provide zero standing access to critical systems, where standing access would create significant risk exposure. SGNL thus increases the return on your IGA investment by further tightening the access limits that IGA establishes, without changing the user experience or requiring new management processes.
PAM systems mostly use a “shared secret” model: privileged credentials are held in a vault, and users check them out as needed, use them against the target systems, and check them back in. PAM systems often minimize the user hassle involved and rotate secrets after use, so that exposure is limited if a user makes an unauthorized copy of a secret. Which users can or cannot check out a given secret is generally determined using roles, groups, and entitlements, and your PAM system may well be integrated with your IGA system for this purpose.
There are a large number of critical services and systems where the shared secret model is the only option. These systems (e.g., routers or on-premise servers) often do not offer single sign-on to users directly, so users have to obtain a shared secret (e.g., the password of a shared “root” account) to reach them.
Newer systems, especially those that run in the cloud, usually provide single sign-on. Once a user logs in with their own employee account, their privileges are typically determined by roles and groups within the target system, and IGA systems can be used to provision those memberships.
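To make the difference between the “just-in-case” and “just-in-time” models concrete, here is an added example in Python; it is not SGNL's code, nor any IGA or PAM product's API. It contrasts the standing role memberships described above, which permit an action at every moment regardless of whether the user has a current reason for it, with a context-scoped decision that allows an action only while an active ticket assigned to the user covers that system and action. The users, systems, roles, tickets and timestamps are constructed for illustration, an assigned incident or change ticket is just one hypothetical form of “current context”, and the one-hour cap on a grant is an arbitrary choice.

```python
"""Standing ("just-in-case") entitlements versus just-in-time, context-scoped
authorization. Added illustration built on constructed sample data (hypothetical
users, systems and tickets); it is not SGNL's code or any IGA/PAM product's API."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, Optional

UTC = timezone.utc

# --- Constructed sample data -------------------------------------------------
# Standing role memberships as an IGA system would provision them (hypothetical).
STANDING_ROLES = {
    "alice": {"prod-db-admin", "billing-reader"},
    "bob": {"billing-reader"},
}
# What each role permits in the target system: (system, action) pairs.
ROLE_PERMISSIONS = {
    "prod-db-admin": {("prod-db", "read"), ("prod-db", "write")},
    "billing-reader": {("billing", "read")},
}


@dataclass(frozen=True)
class Ticket:
    """An incident or change record: the business context that justifies access."""
    ticket_id: str
    assignee: str
    system: str
    allowed_actions: FrozenSet[str]
    opened_at: datetime
    closed_at: Optional[datetime] = None  # None while the ticket is still open


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None  # only just-in-time grants carry an expiry


# Constructed timeline: the incident opens at 09:00 and is closed at 10:00.
T_BEFORE = datetime(2024, 5, 1, 8, 0, tzinfo=UTC)
T_OPEN = datetime(2024, 5, 1, 9, 0, tzinfo=UTC)
T_DURING = datetime(2024, 5, 1, 9, 30, tzinfo=UTC)
T_CLOSE = datetime(2024, 5, 1, 10, 0, tzinfo=UTC)
T_AFTER = datetime(2024, 5, 1, 11, 0, tzinfo=UTC)

OPEN_INCIDENT = Ticket("INC-1042", "alice", "prod-db", frozenset({"read"}), T_OPEN)
CLOSED_INCIDENT = replace(OPEN_INCIDENT, closed_at=T_CLOSE)


def standing_decision(user: str, system: str, action: str) -> Decision:
    """Just-in-case model: anything the user's standing roles permit is allowed,
    regardless of whether the user has any current reason to do it."""
    for role in sorted(STANDING_ROLES.get(user, ())):
        if (system, action) in ROLE_PERMISSIONS.get(role, ()):
            return Decision(True, f"standing role {role}")
    return Decision(False, "no standing role grants this")


def _ticket_active(t: Ticket, now: datetime) -> bool:
    return t.opened_at <= now and (t.closed_at is None or now < t.closed_at)


def jit_decision(user: str, system: str, action: str, tickets: Iterable[Ticket],
                 now: datetime, max_grant: timedelta = timedelta(hours=1)) -> Decision:
    """Just-in-time model: allow only while an active ticket assigned to this user
    covers this system and action. The grant is short-lived and capped at the
    ticket's close time, so the relying system must re-evaluate instead of caching it."""
    for t in tickets:
        if t.assignee != user or t.system != system or action not in t.allowed_actions:
            continue
        if not _ticket_active(t, now):
            continue  # context has lapsed: ticket not yet opened, or already closed
        expires = now + max_grant
        if t.closed_at is not None:
            expires = min(expires, t.closed_at)
        return Decision(True, f"ticket {t.ticket_id} assigned to {user}", expires)
    return Decision(False, "no active ticket justifies this access")


def effective_permissions_standing(user: str) -> set:
    """The full 'might ever need' set that a standing-role model exposes at every moment."""
    perms = set()
    for role in STANDING_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions_jit(user: str, tickets: Iterable[Ticket], now: datetime) -> set:
    """Only what the user's currently active tickets justify."""
    return {(t.system, a) for t in tickets
            if t.assignee == user and _ticket_active(t, now) for a in t.allowed_actions}


if __name__ == "__main__":
    for label, now, tickets in [("before", T_BEFORE, [OPEN_INCIDENT]),
                                ("during", T_DURING, [OPEN_INCIDENT]),
                                ("after", T_AFTER, [CLOSED_INCIDENT])]:
        print(label, "standing:", standing_decision("alice", "prod-db", "write"),
              "| jit:", jit_decision("alice", "prod-db", "read", tickets, now))
```

Running the file walks three points on the timeline. Before the incident opens, the standing model already lets alice write to prod-db while the just-in-time check denies her even a read; during the incident, the just-in-time check allows exactly the read the ticket justifies and still refuses the write; after the ticket is closed, the just-in-time check denies again while the standing grant is unchanged. The expiry on an allowed decision is never later than the ticket's close time, which is the property that lets a relying system drop access when the justifying context ends rather than when someone remembers to revoke it.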
Where the target system offers single sign-on, SGNL’s Modern Privileged Identity Management approach has several advantages: