ZSP vs Manual Privileges:

Different Strategies, Vastly Different Outcomes

Atul Tulshibagwale, CTO, SGNL
August 20, 2024

Managing who has access to what is the reason companies run IAM programs and strategies, but the way those efforts work varies widely. Traditional manual privilege management and the emerging strategy of Zero Standing Privilege (ZSP) represent two very different approaches to this problem, each with its own outcomes. Let’s compare these strategies and focus on why ZSP might be the future of secure access management.

The Pitfalls of Manual Privilege Management

Manual privilege management attempts to tightly control access by ensuring only a select few have standing access to critical systems. On paper, this sounds secure, but in practice, it often leads to a complex web of processes that are difficult to manage and prone to error. It does not scale well.

One common issue is the proliferation of roles and groups. As organizations grow and evolve, they create more roles and groups to meet specific needs. Over time, this can result in a sprawling number of roles that either overlap or are misaligned with the actual purposes for which they were created. This sprawl makes it increasingly difficult to determine who should belong to which group, leading to either over-permissioned users or critical access gaps.

Another issue involves the need for access reviews. Organizations often place the burden of periodic access reviews on managers, who must assess entitlements across various systems. These reviews are frequently too technical and time-consuming for most managers. For instance, a manager might be asked whether an employee still needs access to a specific entitlement, like ‘sales-fileowners.’ Without a clear understanding of what this entitlement entails or how it impacts daily operations, managers are likely to err on the side of caution, rubber-stamping approvals rather than conducting thorough reviews. This widespread rubber-stamping perpetuates excessive standing access, leaving the organization vulnerable to security risks.

Even with Attribute-Based Access Control (ABAC), where permissions are granted based on user attributes, complexity remains a significant challenge. ABAC’s flexibility makes it particularly vulnerable to maintenance issues when policies change. The access control logic often becomes distributed across various parts of the application, making it difficult to update consistently. Moreover, ABAC relies heavily on the availability and reliability of data sources; if these are compromised, the entire access management strategy can fail. While distributed code can be a problem in any access control method, ABAC tends to amplify this issue due to its dynamic and context-sensitive nature.

The Promise of Zero Standing Privilege (ZSP)

Zero Standing Privilege (ZSP) offers a radically different approach. Instead of trying to limit standing access, ZSP eliminates it altogether. No one has default access to critical systems or resources. Instead, users are automatically granted access only when their current tasks demand it, and that access is automatically revoked when the task is completed or reassigned.

This approach not only minimizes the risk of privilege misuse but also simplifies the management of access rights. There’s no need to constantly update and review roles or groups to align with changing business needs because access is dynamic and tied directly to specific tasks. Moreover, ZSP is designed to work seamlessly across internal systems and third-party SaaS platforms, leveraging either proprietary integrations or industry standards like the Shared Signals Framework (SSF) and its Continuous Access Evaluation Profile (CAEP).

By adopting ZSP, organizations can significantly reduce the risk of privilege-related breaches and streamline their access management processes. It’s a strategy that aligns with the principle of least privilege, ensuring that access is granted only when and where it’s needed, and never lingering longer than necessary.

Practical Examples of Privilege Management

To better understand the differences between manual privilege management—which includes Role-Based Access Control (RBAC) and ABAC—and ZSP environments, let’s consider how access to AWS resources would be managed under each system:

  • Manual RBAC: In a manual RBAC system, an engineer might be assigned to a predefined role, such as “AWS Admin.” This role grants them standing access to all AWS resources necessary for their job, regardless of whether they need that access at any given time. As roles expand or change over time, the risk of over-permissioning increases, and access may remain long after it’s necessary.
  • ABAC: In an ABAC system, access might be granted based on attributes such as the engineer’s department, project involvement, and current location. Sometimes the attribute values are set manually (e.g., in a database field), and sometimes they are automated; for example, if the engineer is part of a critical incident response team, they could automatically receive elevated privileges to AWS resources during an incident. When attributes are set manually, the result is standing access, just as in RBAC. When they are determined automatically, however, the logic that derives this access and sources the attribute values is distributed across the system; any change to access policies could require significant updates across multiple parts of the application, making maintenance complex. ABAC operation can also suffer from latency and availability issues in the data sources from which the attributes are fetched at the time an access decision is made.
  • ZSP: With ZSP, no one has standing access to AWS resources by default. Instead, when the engineer begins working on a task that requires specific AWS permissions, they are automatically granted just-in-time access based on the task’s requirements. Once the task is completed, the access is immediately revoked. This ensures that privileges are tightly controlled and only granted when absolutely necessary, minimizing the risk of misuse.
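The three models above, and the data-dependency caveat raised earlier for ABAC, can be made concrete with a small simulation. The following Python is an added illustration written for this page; it is not SGNL’s product code, does not call any AWS API, and the role, task, permission and user names (“AWS Admin”, “rotate-log-bucket”, “alice”, “bob”) are constructed sample data. It shows why standing role membership keeps granting `s3:DeleteBucket` to an idle engineer, why task-bound access disappears on completion or reassignment, and why an ABAC decision that depends on a live attribute source has to fail closed when that source is unreachable.

```python
"""Toy comparison of standing (RBAC) access, attribute-driven (ABAC) access
and Zero Standing Privilege. Hypothetical example added for illustration;
not SGNL's code and not an AWS API. All names below are constructed."""
from dataclasses import dataclass, field

# --- Constructed sample data -------------------------------------------------
ROLE_PERMISSIONS = {  # RBAC: a role carries a fixed bundle of standing permissions
    "AWS Admin": {"s3:GetObject", "s3:DeleteBucket", "iam:CreateUser"},
}
TASK_PERMISSIONS = {  # ZSP: a task declares exactly the permissions it needs
    "rotate-log-bucket": {"s3:GetObject"},
}


@dataclass
class RbacEngine:
    """Standing access: role membership is the only thing checked."""
    role_members: dict = field(default_factory=dict)  # role -> set of users

    def assign_role(self, user: str, role: str) -> None:
        self.role_members.setdefault(role, set()).add(user)

    def is_allowed(self, user: str, permission: str) -> bool:
        return any(user in members and permission in ROLE_PERMISSIONS[role]
                   for role, members in self.role_members.items())


@dataclass
class ZspEngine:
    """Just-in-time access: a permission is held only while an open task that
    needs it is assigned to the user. Nothing is held between tasks."""
    active_tasks: dict = field(default_factory=dict)  # task -> current assignee
    audit: list = field(default_factory=list)          # (event, user, task, detail)

    def start_task(self, user: str, task: str) -> None:
        if task not in TASK_PERMISSIONS:
            raise KeyError(f"unknown task {task!r}")
        previous = self.active_tasks.get(task)
        if previous and previous != user:  # reassignment revokes the old holder
            self.audit.append(("revoke", previous, task, "reassigned"))
        self.active_tasks[task] = user
        self.audit.append(("grant", user, task, sorted(TASK_PERMISSIONS[task])))

    def finish_task(self, task: str) -> None:
        user = self.active_tasks.pop(task, None)
        if user:  # completion revokes automatically, no review cycle needed
            self.audit.append(("revoke", user, task, "completed"))

    def is_allowed(self, user: str, permission: str) -> bool:
        return any(assignee == user and permission in TASK_PERMISSIONS[task]
                   for task, assignee in self.active_tasks.items())


def abac_is_allowed(user: str, permission: str, fetch_attributes) -> tuple:
    """ABAC: the decision depends on attributes pulled from an external source
    at decision time. If that source is down the only safe answer is deny."""
    try:
        attrs = fetch_attributes(user)
    except ConnectionError:
        return False, "attribute source unavailable: denied (fail closed)"
    on_incident = attrs.get("on_incident_team") and attrs.get("incident_open")
    allowed = bool(on_incident) and permission in ROLE_PERMISSIONS["AWS Admin"]
    return allowed, "incident context" if allowed else "no qualifying attributes"


def unavailable_source(user: str) -> dict:
    """Constructed stand-in for an attribute store that is unreachable."""
    raise ConnectionError("attribute store down")


def walkthrough() -> tuple:
    """Run RBAC and ZSP through the same working day; return (rbac, zsp)
    decisions at each step plus the ZSP audit trail."""
    rbac, zsp = RbacEngine(), ZspEngine()
    rbac.assign_role("alice", "AWS Admin")
    out = {}
    # No task open: the role still grants a destructive permission; ZSP grants nothing.
    out["idle"] = (rbac.is_allowed("alice", "s3:DeleteBucket"),
                   zsp.is_allowed("alice", "s3:DeleteBucket"))
    zsp.start_task("alice", "rotate-log-bucket")
    out["on_task_needed"] = (rbac.is_allowed("alice", "s3:GetObject"),
                             zsp.is_allowed("alice", "s3:GetObject"))
    out["on_task_unneeded"] = (rbac.is_allowed("alice", "s3:DeleteBucket"),
                               zsp.is_allowed("alice", "s3:DeleteBucket"))
    zsp.start_task("bob", "rotate-log-bucket")  # task reassigned to bob
    out["after_reassign"] = (zsp.is_allowed("alice", "s3:GetObject"),
                             zsp.is_allowed("bob", "s3:GetObject"))
    zsp.finish_task("rotate-log-bucket")
    out["after_finish"] = (rbac.is_allowed("alice", "s3:GetObject"),
                           zsp.is_allowed("bob", "s3:GetObject"))
    return out, zsp.audit


if __name__ == "__main__":
    decisions, trail = walkthrough()
    for step, (r, z) in decisions.items():
        print(f"{step:18} RBAC={r!s:5} ZSP={z}")
    for event in trail:
        print("audit:", event)
    print(abac_is_allowed("alice", "s3:GetObject", unavailable_source))
```

The audit list is the part worth copying into a real design: every grant and revoke is tied to a task and a reason, which is the evidence an access review would otherwise have to reconstruct from group memberships. The ABAC helper deliberately returns a reason string alongside the boolean so that a denial caused by an unreachable attribute store is distinguishable in logs from a denial caused by policy.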

Conclusion

As organizations come to understand the complexities of access management, it’s becoming increasingly clear that manual privilege management is no longer sufficient. The challenges of role sprawl, policy maintenance, and data dependency make it a cumbersome and risky strategy. Zero Standing Privileges, on the other hand, offers a more dynamic, secure, and manageable solution. By eliminating standing access and automating privilege assignments based on real-time needs, ZSP can help organizations better protect their critical assets in an increasingly complex digital landscape.
