Absolute Zero: Zero Trust And Zero Standing Privileges

November 12, 2020
Jeff Ahlerich

The concept of “zero trust” in the cybersecurity world isn’t overly complicated on the surface — never trust, always verify. It means approaching everyone and every database or system as potentially malicious. So, in the case of zero trust, we’re talking about guilty until proven innocent.


Depending on who you ask, zero-trust security protocols can include users and data sources, or it could apply to all network traffic. However, this raises a critical question: Is the concern just about verifying users, sources, and network traffic? Today’s cybercriminals have become much more sophisticated, even hiding malware in images and other digital content.

Take an email phishing scam, for example: If your company set up zero-trust security measures to always verify email senders before releasing that message to the intended individual within your company, you may think you’re safe. However, what happens when the verified sender’s email is compromised, or the sender unknowingly shared an image or file that was corrupted with malware? If you don’t extend zero-trust to attachments, images, or other digital content, it could mean a significant vulnerability in your network security. Instead, it’s safer to apply the zero-trust methodology to not only users, data sources, and network traffic, but all content that travels through that network as well.

What about the internal user accounts and any existing standing privileges? How do they fare in the trust conversation?


Similar to a zero-trust security policy, many security experts abide by zero standing privileges as well. The term, coined by Gartner, specifically refers to persistent account access within an organization that could lead to significant vulnerabilities and risk to the network. Some of these standing privileges may come from:

  • Administrative or maintenance access
  • Persistent shared accounts
  • Superuser accounts
  • Persistent third-party privileges that were never offboarded

Each of these user access privileges provides a potential access point for malicious activity. The more access points a network has, the more difficult it is to protect. Removing or minimizing standing privileges will enable IT security teams to reduce the potential attack surface, mitigate the risk of data breaches, and support security compliance initiatives.

In fact, according to Gartner, "The existence of privileged access carries significant risk, and even with PAM [privileged access management] tools in place, the residual risk of users with standing privileges remains high. Security and risk management leaders engaged in IAM [identity and access management] must implement a zero standing privileges strategy through a just-in-time model."

“Just-in-time” access means that users will only have access to the system for a limited amount of time, and with only the minimum rights needed to perform the needed tasks. This provides greater structure and security for not only who is able to access the network and for what purpose, but also for a pre-defined amount of time.


Don’t trust. Always verify. Whereas humans are apt to trust more freely, technology doesn’t hold that same bias. Instead, we determine whether our IT systems will trust (or not), how much or little we expect our systems to trust users, data, network traffic, and other information, and who will have access to view or edit information within our systems. We are in control. And with control comes responsibility.

By leveraging a zero-trust and zero standing privileges IT security model, we can reduce the inherent risk to our networks, including costly data breaches. Although it’s never easy to pull back on the freedom and access your team may be used to having, it’s an important security measure that likely outweighs any disappointment or frustrations you may hear across the organization.

join our email list