Zero standing privileges (ZSP) is, so far, the most significant shift in how identity security is practiced. Often considered the next evolution of just-in-time (JIT) access, it may seem needlessly complex at first, but once you wrap your head around the concept, ZSP feels as natural as turning off the lights when you leave a room.

But first, a bit about me and the journey to ZSP.

I’m lucky enough to have had a diverse career in tech that’s had me in a series of roles, from being an engineer to working with advisory consultants. During my time building infrastructure at scale, there was a constant demand for concepts that address the risk posed by privileged access without impacting Ops productivity. As it turns out, years later, as I led CyberArk’s Strategic Alliances Solutions Architecture practice, I saw this exact challenge from another viewpoint. People want to behave in a way that keeps their organizations safe, but they expect to remain productive, not blocked by intrusive controls.

The ZSP concept meets that need.

The journey to zero standing privileges

Least privilege, or the principle of least privilege (PoLP), is always a no-brainer: if you don’t need access, you should not have access.

I ran a team of operations engineers many years ago supporting a large-scale Infrastructure-as-a-Service (IaaS) platform. In looking at what we could do to improve the security of our platform, least privilege made perfect sense to us—it felt like a boundary that defined whether something was in scope for our team or not.

A glimpse, from the author’s perspective, of 400 servers – or about 2% of the platform managed by his team in 2013.

We ran with the principle of least privilege, piloting various implementations and methodologies. But ultimately, that journey fell flat.
The team, composed of what would now be called platform or site reliability engineers, hesitated to give up the access rights they felt they might need during an incident. Any team dealing with a critical situation is very familiar with the idea that it’s hard to build a technical plan for “when it goes wrong.” Things never break in the way you expect.

In looking for the next concept that might allow us to improve the security of our platform, just-in-time (JIT) access was an easy winner. The only thing holding us back was our collective “when it goes wrong” mindset: during a critical situation, we’d often want to troubleshoot at a large scale across the entire platform, potentially accessing hundreds of servers, routers, and switches to identify the issue. That wasn’t an unreasonable concern, but the broad standing access it was used to justify is exactly what any attacker already present on the platform could exploit.

As it turns out, I left the organization before anyone definitively identified the correct solution. I considered it a real miss that I never actually determined the right way to improve the identity security of our platform.

The reality was that we needed something that combined these concepts with consideration for the operational impact. This is where the concept of ZSP becomes highly relevant.

What is zero standing privileges?

In short, ZSP evolved from JIT access out of necessity. Simply turning a user’s administrative access on and off didn’t offer enough risk reduction for many modern enterprises: for as long as the access is on, the user holds the full administrative entitlement, whether or not the task at hand needs it.

ZSP is the concept that an identity holds no entitlements on the resource it will be used to access until the identity is needed and entitlements are requested. When granted, those permissions are only the ones the task requires, and only for as long as it requires them. It’s giving access to the right people at the right time, with no more and no less.
This represents a massive attack surface reduction, because between sessions the account itself is useless to an attacker: even if they could log in with it, they can’t do anything on the target resource, since the account holds zero permissions there. The caveat is that the account can still request elevation, so the request and approval path (who may ask for which permissions, who approves, and how that approver is authenticated) becomes the control that has to be hardened and monitored.

As such, ZSP is an excellent concept, sitting at the intersection of JIT access and least privilege. It addresses those frustrating ‘what-ifs’ that held me back, because access can still be granted rapidly when an incident demands it.

The author attempts to bypass a cloud provider’s controls to demonstrate the power of ZSP.

Zero standing privileges add further protection to just-in-time as a concept. JIT access on its own only decides when an account’s entitlements are switched on; it does not, by itself, scope those entitlements to exactly what the task needs. That scoping is arguably the core requirement of ZSP.

Granting an account privileges only by exception rather than as standing entitlements, and returning it to no privileges afterwards, minimizes that account’s exposure. Elevating access just in time does shrink the window in which a stolen credential is useful. But once access is provided, an internal or external bad actor who controls the session has whatever entitlements were granted to exploit, enabling lateral movement and privilege escalation wherever those entitlements are broader than the task. A ZSP approach, by scoping each grant, also reduces the number of systems or services an attacker could reach when they do gain access. This is easily one of the most effective strategies for reducing risk.

How to make ZSP a reality

First, you’ll need a way to handle elevation: a mechanism that maps a user to a defined group of permissions for a defined period. For a realistic chance of adoption, elevation mechanisms must be integrated into service management or ChatOps to speed up the handling of approvals.

You’ll also need to move away from the binary ‘is this an admin or not’ mindset, consider how each user’s access level poses a risk, and find tooling to manage that. The distinction between privileged and non-privileged access is nebulous in modern Infrastructure as a Service (IaaS) environments: a role that is not an ‘admin’ but can read every storage bucket or rewrite a network route can do comparable damage.
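To make those requirements concrete, here is a small Python model of a ZSP broker. It is an added illustration, not code from this article or from CyberArk. It ties the pieces together: elevation maps a user to the permission set of a named task (there is deliberately no ‘admin’ task to grant), each grant is scoped to exactly that set and time-bounded, authorization is default-deny against live grants only, and permissions disappear when the session ends or the TTL lapses, whichever comes first. The task names, identities, resource identifier, permission strings and TTL ceiling are constructed for the example; a real broker would sit in front of the cloud provider’s IAM and have the approval step wired into a ticketing or ChatOps flow.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Hypothetical task catalogue (constructed for this example): each named task maps to
# the minimum permission set it needs. There is deliberately no "admin" task to grant.
TASK_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "restart-web-tier": frozenset({"ec2:RebootInstances", "ec2:DescribeInstances"}),
    "read-app-logs": frozenset({"logs:FilterLogEvents", "logs:DescribeLogGroups"}),
    "rotate-db-secret": frozenset({"secretsmanager:PutSecretValue", "secretsmanager:GetSecretValue"}),
}

MAX_TTL_SECONDS = 4 * 3600  # Assumed policy ceiling on any single elevation.


@dataclass(frozen=True)
class Grant:
    identity: str
    task: str
    resource: str
    permissions: FrozenSet[str]
    approver: str
    expires_at: int  # Unix time; the grant is dead at or after this instant.


@dataclass
class ZspBroker:
    """The only place entitlements exist: live, time-bounded grants keyed by ticket."""
    grants: Dict[int, Grant] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)
    next_ticket: int = 1

    def request_elevation(self, identity: str, task: str, resource: str,
                          ttl_seconds: int, approver: str, now: int) -> int:
        """Elevate `identity` to exactly the permissions `task` needs on `resource`."""
        if task not in TASK_PERMISSIONS:
            raise ValueError(f"unknown task {task!r}; permissions are granted per task, not per role")
        if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
            raise ValueError("ttl outside policy bounds")
        if approver == identity:
            raise ValueError("self-approval is not permitted")
        ticket = self.next_ticket
        self.next_ticket += 1
        self.grants[ticket] = Grant(identity, task, resource, TASK_PERMISSIONS[task],
                                    approver, now + ttl_seconds)
        self.audit.append(f"t={now} GRANT #{ticket} {identity} {task} on {resource} by {approver}")
        return ticket

    def _expire(self, now: int) -> None:
        # Lazily drop grants whose TTL has lapsed, so nothing outlives its window.
        for ticket, g in list(self.grants.items()):
            if now >= g.expires_at:
                del self.grants[ticket]
                self.audit.append(f"t={now} EXPIRE #{ticket} {g.identity} {g.task}")

    def authorize(self, identity: str, action: str, resource: str, now: int) -> bool:
        """Default deny: an action is allowed only if a live grant covers it exactly."""
        self._expire(now)
        return any(g.identity == identity and g.resource == resource and action in g.permissions
                   for g in self.grants.values())

    def end_session(self, ticket: int, now: int) -> None:
        """Revoke immediately when the session ends; do not wait for the TTL."""
        g = self.grants.pop(ticket, None)
        if g is not None:
            self.audit.append(f"t={now} REVOKE #{ticket} {g.identity} {g.task}")

    def effective_permissions(self, identity: str, resource: str, now: int) -> FrozenSet[str]:
        """Everything the identity can do right now; empty between sessions, by construction."""
        self._expire(now)
        perms = set()
        for g in self.grants.values():
            if g.identity == identity and g.resource == resource:
                perms |= g.permissions
        return frozenset(perms)


def demo() -> Dict[str, object]:
    """Walk one incident: elevate, act, revoke, then show what a stolen credential gets."""
    broker = ZspBroker()
    alice, prod = "alice@example.com", "arn:aws:ec2:eu-west-1:123456789012:*"  # constructed names
    t0 = 1_700_000_000

    before = broker.effective_permissions(alice, prod, t0)  # standing entitlements: none
    ticket = broker.request_elevation(alice, "restart-web-tier", prod, 1800, "bob@example.com", t0)
    reboot_ok = broker.authorize(alice, "ec2:RebootInstances", prod, t0 + 60)
    terminate_ok = broker.authorize(alice, "ec2:TerminateInstances", prod, t0 + 60)  # outside the task
    broker.end_session(ticket, t0 + 600)  # engineer finishes early; grant is revoked at once
    after_session = broker.authorize(alice, "ec2:RebootInstances", prod, t0 + 601)

    # A second grant left open is still bounded by its TTL.
    broker.request_elevation(alice, "read-app-logs", prod, 900, "bob@example.com", t0 + 700)
    logs_ok = broker.authorize(alice, "logs:FilterLogEvents", prod, t0 + 800)
    logs_after_ttl = broker.authorize(alice, "logs:FilterLogEvents", prod, t0 + 700 + 900)

    return {
        "standing_before": before,
        "reboot_allowed": reboot_ok,
        "terminate_allowed": terminate_ok,
        "reboot_after_end_session": after_session,
        "logs_allowed": logs_ok,
        "logs_after_ttl": logs_after_ttl,
        "standing_after": broker.effective_permissions(alice, prod, t0 + 2000),
        "audit": broker.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the `effective_permissions` check: outside a live grant it returns an empty set, so a credential stolen between incidents yields nothing, and an action the task never needed (`ec2:TerminateInstances` above) is denied even during the session. The audit list is the record an approver or detection team would review; in production those events would be shipped to the SIEM rather than held in memory.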
Lastly, you’ll need to ensure that whatever permissions you grant are removed as soon as the session ends (or the approved time window lapses, whichever comes first), and that the removal is verified rather than assumed.

If you’re looking for a modern, dynamic way to secure access in your cloud platform (as I once was), check out the CyberArk executive POV, “Why Cloud Identity Security and Why It Seems So Hard.”

Josh Kirkwood is a senior product marketing manager at CyberArk.