
This research note is restricted to the personal use of brad.shewmake@centrify.com.

Remove Standing Privileges Through a Just-in-Time PAM Approach
Published: 6 September 2019 ID: G00389807

Analyst(s): Michael Kelley, Felix Gaehtgens, Abhyuday Data

The existence of privileged access carries significant risk, and even with
PAM tools in place, the residual risk of users with standing privileges
remains high. Security and risk management leaders engaged in IAM must
implement a zero standing privileges strategy through a just-in-time model.

Key Challenges
■ Many security and risk management leaders have “business as usual” PAM practices that
violate the principle of least privilege by granting undifferentiated privileged access to users on
a permanent basis.
■ PAM approaches using vaulting and session recording (basic PAM) have been prioritized in
many organizations. But their focus is on visibility and control of existing privileged accounts
and activities, which leaves privilege elevation and delegation approaches immature to
nonexistent.
■ Many privileged accounts for interactive use are “fully armed” with an unnecessarily high level
of standing privileges, violating the principle of least privilege and leaving a risk surface.
■ Organizations struggle to introduce changes to privileged access operational models because
administrators and IT operations staff are used to having personal privileged accounts they can
use at their discretion.

Recommendations
To properly mitigate the risk of standing privileged access, security and risk management (SRM)
leaders responsible for IAM should closely follow the vision of the principle of least privilege and:

■ Drastically reduce, with a goal toward eliminating, standing (i.e., “always on”) privileged access
by using just-in-time (JIT) approaches. This will ensure that privileges are only granted when a
valid reason for them exists, with zero standing privileges (ZSP) as the goal.


■ Investigate the different approaches for JIT privileged access, and choose the combination that
best balances the expected effort to change organizational practices against the security, risk
and operational outcomes.
■ Map required and desired JIT capabilities against product offerings to choose the right PAM
tools (or augment existing tools with additional solutions). Keep in mind that some capabilities
are not generally available in most PAM tools but may be roadmapped by vendors.

Table of Contents

Strategic Planning Assumption............................................................................................................... 2


Introduction............................................................................................................................................ 3
Analysis.................................................................................................................................................. 3
Remove Standing Privileges Through a Just-in-Time Approach........................................................ 5
The Foundational Elements of JIT/ZSP PAM..................................................................................... 7
Investigate Different JIT Approaches to Reduce or Remove Standing Privileges................................8
Map Required and Desired JIT Capabilities Against Product Offerings to Choose the Right PAM Tools.......11
JIT and ZSP Technology Approaches in the Market........................................................................ 12
What Are the Risks for JIT Approaches?.........................................................................................14
Next Steps..................................................................................................................................... 15
Gartner Recommended Reading.......................................................................................................... 15

List of Tables

Table 1. Description of JIT Methods for Achieving ZSP........................................................................... 9

List of Figures

Figure 1. A Use Case Example Comparing Basic PAM Approaches to JIT/ZSP...................................... 6


Figure 2. The Five W’s of Privileged Access.......................................................................................... 12

Strategic Planning Assumption


By 2022, 40% of privileged access activity will leverage ZSP through JIT privilege elevation,
effectively eliminating standing privileges, up from just 10% today.


Introduction
Proper management of privileged access requires following the principle of least privilege. This
principle states, broadly speaking, that someone or something should have exactly the minimum
rights required to carry out a specific task. However, many organizations start from a point where
certain users have access to highly privileged accounts and, in many cases, personal privileged
accounts, which provides them privileged access whenever they want and with little limitation. This
violates the principle of least privilege in multiple ways:

■ Rather than limiting the time when privileged access is granted (“at the right time”), access is
granted to users on a standing basis (“always on/always available”).
■ Rather than limiting access to the minimum required for a particular task, privileged accounts
often have broad administrative privileges (i.e., superuser or equivalent). This is done to cover all
possible administrative tasks that may be required of the privileged users within the near or
medium future.
■ Rather than granting access to the specific system or application in scope for a particular
administrative task, privileged accounts are often granted on multiple systems at the same time,
by using central authentication and directory services, allowing access that is not required.

Without a structured plan to instill proper secure practices and processes, in combination with the
deployment of appropriate PAM tools, users will routinely receive more privileges than required for
administrative tasks. These excessive privileges introduce significant risk. The net effect will be that
PAM initiatives will have limited effectiveness, while a considerable attack surface remains. How
should SRM leaders plan a successful PAM initiative that follows the principle of least privilege as
closely as possible?

The answer lies in drastically reducing, with a goal toward eliminating, standing (i.e., “always on”)
discretionary access to privileges by using just-in-time (JIT) approaches for privileged access.


Analysis
In the 2019 Verizon Data Breach Investigations Report, three of the top four attacks represented
failures in IAM practices: stolen credentials, phishing and privilege abuse.[1] The volume of news
about breaches of confidential data comes at a pace that leaves consumers numb, and creates the
illusion that, given the failure of so many to protect confidential information, the principle of least
privilege is an unattainable goal.


In the area of privileged access management (PAM), tools exist today to dramatically reduce that
attack surface. Yet, many organizations are not using PAM tools and approaches. Or, the
organizations that have created a PAM practice have stopped at “basic PAM” (vaulting and session
management). But an effective PAM practice embraces the entire concept of least privilege,
granting only the right privileges to only the right system and to only the right person for only the
right reason at only the right time.

PAM vendors are maturing in placing tools in the hands of leaders that help them implement the
fundamentals of least privilege. PAM practices in the market have found some success in only
allowing the right person the right access to the right resource; however, achieving this at only the
right time is where many have fallen short of the mark for least privilege.

Zero standing privileges (ZSP) is the purest form of JIT, which addresses the final guidance of the
principle of least privilege “at only the right time,” by eliminating the risk of standing privileges.
Standing privileges can take multiple forms: accounts with continuous privileges in the form of
privileged group memberships or static rules that allow the execution of privileged commands. One
very common example of a practice that violates the principle of least privilege is personal
privileged accounts. These are accounts that are routinely issued to administrators in many
organizations. These accounts typically hold excessive privileges to a broad number of systems and
are available for use any time. When personal privileged accounts exist in an environment, even
when controlled by a PAM tool, the account and, therefore, the privileges exist, leaving the risk of
standing privileges in the environment.

Standing privileges present a risk surface by their nature of being “fully armed and always
available,” even when under the management of a PAM tool. ZSP “disarms” privileged accounts
until the time when those privileges are really required. The fundamental purpose of a JIT/ZSP
approach is to reduce the attack surface for privileged access abuse. Basic PAM (vaulting and
session management) will help mitigate the risk of the existence of privileged accounts. JIT reduces
the risk of privileged access abuse, and ZSP reduces the attack surface of the privileged accounts
themselves.

The fundamental approach to PAM has not changed; a mature PAM practice must still capture all
privileged risk for an organization. It remains paramount that organizations implement a strategy and
practice that successfully address the four pillars of PAM (see “Best Practices for Privileged Access
Management Through the Four Pillars of PAM”).

Briefly, the four pillars of PAM represent the fundamental approaches for mitigating risk represented
by privileged access within the modern enterprise: track and secure, govern and control, record and
audit, and operationalize. All pillars apply to ZSP and JIT, but the first two pillars are particularly
relevant to understanding why ZSP and JIT must be prioritized in your PAM practice:


■ Pillar No. 1, track and secure, ensures all privileged accounts are tracked in terms of their life
cycle. It includes discovery of all privileged access and is foundational for a successful PAM
practice. Divide access into two categories: people-based (interactive) and software-based.
Inventory and vault all accounts that provide elevated access, and inventory and group use
cases according to common patterns.
■ Pillar No. 2, govern and control, eliminates excessive privileges and plans and governs
privileged access according to the privileged use patterns and use cases. This is where JIT is
critical, and a ZSP approach becomes a powerful method for eliminating excessive privileges.

JIT is necessary to reach the minimum level of maturity in pillar No. 2, meaning that after discovery
and vaulting of all privileged access accounts is in place, the PAM practice must be expanded to
remove standing access to privileged accounts through JIT approaches.

After basic JIT steps, ZSP is the next natural step for privileged access maturity. It “disarms”
privileged accounts when not in use, until the time when those privileges are really required. ZSP is
attained by refining and complementing existing JIT concepts.

Remove Standing Privileges Through a Just-in-Time Approach


The first goal of a JIT PAM approach is better IT security by removing standing privileges, which
reduces the attack surface for privilege abuse. As pillar No. 1 explains, the first step of a PAM
practice is discovering and vaulting privileged accounts. However, even with all accounts identified
and vaulted, the accounts still tend to have static privileges attached to them (i.e., they are fully
armed). A first mitigation is to replace broad accounts with operational accounts that hold limited
privileges, for example a “tomcatadm” account whose sole purpose is to administer the Tomcat
application server. The continuing maturity of a PAM program should therefore include the elimination
of personal, highly privileged accounts, as well as any other privileged account that grants
wide-reaching and “always on” access, migrating these use cases to JIT/ZSP approaches.

This is an acceptable next step in maturity, and significantly less risky than granting and using
personal highly privileged accounts, but it is still not the endgame in terms of an ideal situation
because:

■ More accounts need to be created, each of them for a particular purpose.


■ These accounts must be limited (i.e., “rightsizing” of privileges for a specific task).


■ It is more expedient and manageable to create fewer accounts with more privileges than the
other way around, so there is a balance between manageability and security (more privileges
equal more risk).

Some newer JIT technologies covered in this research have the potential for mitigating some of
these issues.

Figure 1 provides a use case example comparing basic PAM approaches to JIT/ZSP.

Figure 1. A Use Case Example Comparing Basic PAM Approaches to JIT/ZSP

In Figure 1, we compare the use cases against the activities of an employee, Joe. Joe is an
administrator for Windows systems. For the day that we outlined in the figure, these events
occurred:

■ 8:00 a.m. — Joe came to work and began responding to email.


■ 9:00 a.m. — He checked out an admin account and connected to his production task scheduler
server to check that an overnight process ran as expected. This work took about 10 minutes.
Joe then went to check on a co-worker, helping them with a difficult script.
■ 10:00 a.m. — Joe attended the production meeting for servers.
■ 11:00 a.m. — He grabbed an early lunch.


■ 12:30 to 1:30 p.m. — Joe checked out an admin account from the PAM tool and installed,
configured and worked to troubleshoot a new software application on the company’s
development SQL servers. When complete, he checked the password back in.
■ 1:30 p.m. — Joe worked on email and some training.
■ 4:00 p.m. — He checked to ensure that overnight processes were queued up and ready to run.
Then Joe read a manual about Java scripting, worked to edit a script he had been working on,
and saved it for testing tomorrow.
■ 4:45 p.m. — Joe walked out the door to meet his family for dinner.

Under JIT/ZSP, Joe did all the work referenced in the previous example; however, at no time did he
check out a privileged account, nor does one even exist for him to do so. His access was granted
on demand (or even automatically for preapproved tasks), individually approved, limited in scope,
and removed when no longer necessary. As shown by Figure 1, the risk of compromise presented by
the existence of a privileged account available to a bad actor was dramatically reduced: outside the
two short windows of actual use, there was no privileged account or membership for an attacker to take.

In a JIT/ZSP model, no privileged account exists for people to use; privileged access is only
temporary, assigned, or created and removed on demand.

The Foundational Elements of JIT/ZSP PAM


SRM leaders with responsibility for PAM must familiarize themselves with the different methods and
choose tools that support the ideal combination. They must analyze PAM use cases to identify
which ones have the potential for being addressed with JIT. Most companies will find that a hybrid
approach of vaulting, session management and JIT is the best approach for them.

There are a number of JIT approaches available today in the market, and new technologies and
approaches have been surfacing with each having unique elements. Gartner identifies three
requisite foundational capabilities for a modern JIT approach:

■ A set of processes and workflows (defined by PAM policy) that manage both privileged access
requests and fulfillments for an environment (including employees, consultants, vendors and,
potentially, software).
■ For a JIT approach to be successful, some elements of adaptive access, or predefined
approval policies, should be applied to help reduce complexity and friction. For example,
using risk scoring, or predefined approvals, to automatically approve access for a defined
task in a defined time window for a defined user access request.
■ A mechanism to allow privileged task execution for a normal (nonprivileged) user ID for a
defined amount of time on a defined resource, or set of resources, for a defined set of tasks. Or,
the ability must exist to create one-time (ephemeral) privileged access that has these same
restrictions.
■ An ability to record and monitor all activities completed with the temporarily elevated access
during the time of privileged access.
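The three capabilities above (a request and fulfillment workflow, preapproval policy to cut friction, a time-limited elevation mechanism, and a record of every decision) can be seen working together in a small model. The following is an added example written for this page; it is not code from the Gartner note or from any PAM product, and the role, host, task and ticket names (windows-admins, sched01, devsql01, CHG-1001) are made up. A request carries who, what, where, why and for how long; a preapproval rule auto-approves a defined task on defined targets inside a time window; anything else waits for a human approver; membership of the privileged group is computed only from live grants, so nothing is standing; and an expiry sweep records the revocation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Request:
    who: str       # requester's normal, nonprivileged account
    what: str      # task identifier
    where: str     # target host
    why: str       # justification, e.g. a change or ticket reference
    minutes: int   # requested duration

@dataclass
class Grant:
    request: Request
    group: str     # privileged group the account is temporarily added to
    starts: datetime
    expires: datetime
    approved_by: str

@dataclass(frozen=True)
class PreapprovalRule:
    task: str
    role: str                  # eligibility role the requester must hold (hypothetical names)
    hosts: frozenset           # targets the rule covers
    group: str                 # privileged group it grants
    max_minutes: int
    window: Tuple[int, int]    # permitted UTC hours [start, end)

class JitEngine:
    def __init__(self, roles: Dict[str, Set[str]], rules: List[PreapprovalRule]):
        self.roles, self.rules = roles, rules   # roles: account -> eligibility roles (eligibility is not privilege)
        self.grants: List[Grant] = []
        self.pending: List[Request] = []
        self.audit: List[str] = []

    def _match_rule(self, req: Request, now: datetime) -> Optional[PreapprovalRule]:
        for r in self.rules:
            if (r.task == req.what and r.role in self.roles.get(req.who, set()) and req.where in r.hosts
                    and req.minutes <= r.max_minutes and r.window[0] <= now.hour < r.window[1]):
                return r
        return None

    def request(self, req: Request, now: datetime) -> Optional[Grant]:
        """Auto-approve when a preapproval rule matches; otherwise queue for a human approver."""
        if not req.why:
            self.audit.append(f"DENY {req.who} {req.what}@{req.where}: no justification")
            return None
        rule = self._match_rule(req, now)
        if rule is None:
            self.pending.append(req)
            self.audit.append(f"PENDING {req.who} {req.what}@{req.where} ({req.why})")
            return None
        return self._grant(req, rule.group, now, "policy:" + rule.task)

    def approve(self, req: Request, approver: str, group: str, now: datetime) -> Grant:
        self.pending.remove(req)                 # human approval path for requests no rule covers
        return self._grant(req, group, now, approver)

    def _grant(self, req: Request, group: str, now: datetime, by: str) -> Grant:
        g = Grant(req, group, now, now + timedelta(minutes=req.minutes), by)
        self.grants.append(g)
        self.audit.append(f"GRANT {req.who} -> {group}@{req.where} until {g.expires:%H:%M} by {by} ({req.why})")
        return g

    def members(self, group: str, host: str, now: datetime) -> Set[str]:
        """Effective membership of a privileged group on a host: live grants only, nothing standing."""
        return {g.request.who for g in self.grants
                if g.group == group and g.request.where == host and g.starts <= now < g.expires}

    def revoke_expired(self, now: datetime) -> int:
        """Sweep that removes expired grants (the tool taking the account back out of the group)."""
        expired = [g for g in self.grants if g.expires <= now]
        for g in expired:
            self.grants.remove(g)
            self.audit.append(f"REVOKE {g.request.who} <- {g.group}@{g.request.where}")
        return len(expired)

def demo() -> dict:
    """Replay a day like Joe's in Figure 1 (constructed data; hosts, tickets and roles are made up)."""
    rule = PreapprovalRule("check-scheduler", "windows-admins", frozenset({"sched01"}),
                           "Administrators", 15, (6, 20))
    eng = JitEngine({"joe": {"windows-admins"}}, [rule])
    t = lambda h, m=0: datetime(2019, 9, 6, h, m, tzinfo=timezone.utc)
    routine = Request("joe", "check-scheduler", "sched01", "CHG-1001", 10)
    install = Request("joe", "install-app", "devsql01", "CHG-1002", 60)
    g1 = eng.request(routine, t(9))             # covered by the rule: approved by policy for 10 minutes
    eng.request(install, t(12, 30))             # no rule for this task: queued for a human
    g2 = eng.approve(install, "alice", "Administrators", t(12, 30))
    return {
        "0800_sched01": eng.members("Administrators", "sched01", t(8)),
        "0905_sched01": eng.members("Administrators", "sched01", t(9, 5)),
        "0915_sched01": eng.members("Administrators", "sched01", t(9, 15)),
        "1300_devsql01": eng.members("Administrators", "devsql01", t(13)),
        "revoked_at_1400": eng.revoke_expired(t(14)),
        "auto_approved": g1 is not None and g1.approved_by == "policy:check-scheduler",
        "manual_approver": g2.approved_by,
        "after_hours_queued": eng.request(Request("joe", "check-scheduler", "sched01", "CHG-1003", 5), t(22)) is None,
        "denied_no_reason": eng.request(Request("joe", "check-scheduler", "sched01", "", 5), t(10)) is None,
    }
```

Run `demo()`: the Administrators group on sched01 has no members at 8:00, Joe at 9:05, and nobody again at 9:15, without anyone touching the group in between; the same request outside the 06:00 to 20:00 window is not auto-approved but queued, and a request with no justification is denied outright. The `audit` list holds a GRANT, PENDING, DENY or REVOKE line for each decision, which is the recording capability the third bullet asks for; in a real deployment those lines would go to the SIEM rather than a Python list.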

Investigate Different JIT Approaches to Reduce or Remove Standing Privileges


Using JIT helps get organizations closer to the goal of implementing the principle of least privilege
through eliminating or reducing standing privileges for people. Only the right access for only the
right person to only the right system is granted for only the time needed. Typical triggers for such a
grant include:

■ Implementing an approved change request


■ Responding to an outage or troubleshooting
■ Fulfilling a service desk task to support a user
■ Regular maintenance

There are multiple approaches to implementing JIT for privileged access (see Table 1). These
approaches can be complementary, and most SRM leaders will choose to use at least two or three
of these approaches in combination.


Table 1. Description of JIT Methods for Achieving ZSP

Each JIT approach is described and then assessed on two criteria: whether it meets the principle of
least privilege, and whether it meets the zero standing privileges (ZSP) standard.

Personal Privileged Accounts Under the Control of a PAM Tool
■ Description: Users retain a personal privileged account, but its password is vaulted, and access is
controlled by a PAM tool.
■ Meets principle of least privilege: No. On its own, this pattern violates the principle of least
privilege since these accounts universally provide excessive privileges.
■ Meets ZSP: No. When personal accounts exist in an environment, even when controlled by the PAM
tool, the account leaves standing privileges in the environment. Personal privileged accounts should
be eliminated in favor of nonprivileged accounts with privilege elevation, JIT access or shared
accounts.

Shared Accounts Under the Control of a Vaulting and Session Management Tool
■ Description: Shared accounts that grant privileged access are vaulted and controlled by a PAM tool
but can be made available on request for legitimate reasons.
■ Meets principle of least privilege: This pattern requires additional controls, such as session
management to ensure that usage is accounted to an individual user, and request and approval
mechanisms for access to shared accounts. Shared accounts should be limited in terms of who, what,
where, when and why, but this approach can comply with the principle of least privilege.
■ Meets ZSP: No. Standing privileges from shared privileged accounts (especially highly privileged
accounts such as domain admin) are still considered standing privileges, even if they are under
control of a PAM tool. It is possible that these accounts can be disabled and vaulted to eliminate
standing privileges, but it may not be practical to disable all shared accounts.

Privilege Elevation (PEDM, Sudoers)
■ Description: A normal, nonprivileged account is granted privileged access by a static elevation
policy, meaning that elevation is always available for a defined set of tasks.
■ Meets principle of least privilege: No. Even if sufficient policy exists to refine access to only
what is necessary, and sufficient visibility in terms of recording is available, access to the
elevated privileges is always available to the account.
■ Meets ZSP: No. This does not meet the standard for ZSP since, even though the elevation is only
used when required, the privileges granted through policy are always there and available.

ZSP Privilege Elevation
■ Description: A normal, nonprivileged account is temporarily granted “one-time” privileged access for
a defined set of tasks, for a defined period of time.
■ Meets principle of least privilege: Yes, if sufficient policy exists to refine access to only what
is necessary and sufficient visibility in terms of recording is available.
■ Meets ZSP: Yes. No privileges exist prior to the grant of access or after the grant of access has
expired.

JIT Group Membership
■ Description: A normal, nonprivileged account is temporarily added to a group which grants privileged
access (such as local administrator). The group membership is controlled by a tool, and users receive
or lose privileged access by virtue of the tool adding and removing them from that group.
■ Meets principle of least privilege: Yes, as long as granular access is defined. For example, if
local administrator is the only group defined, excessive privilege is likely for users being added to
the JIT group.
■ Meets ZSP: Yes, because the group membership is temporary. The user only has the privileged access
associated with the group during the time of need, and it is removed afterward.

JIT Account Creation and Removal
■ Description: Automatic creation of a privileged account for a period of time, for a specific task.
The account is deleted when the assigned task is complete.
■ Meets principle of least privilege: Yes, as long as the granted privileges are sufficiently granular
in nature.
■ Meets ZSP: Yes, because the account only exists for the period of time necessary for the privileged
task to be accomplished.

JIT Enabled/Disabled Administrative Accounts
■ Description: Administrative shared accounts that exist in the network or on devices can be enabled
and disabled by JIT approaches to provide JIT access.
■ Meets principle of least privilege: No. By nature, these accounts represent high levels of
privilege, and using this method for JIT will typically grant excessive access. Limiting this method
to only critical personal privileged accounts is the way most organizations manage this risk.
■ Meets ZSP: Yes, under certain conditions. This does represent a flavor of ZSP, and the account,
while disabled, cannot provide access; however, that account still exists fully armed, so it must be
managed by a PAM tool.

JIT Security Tokens
■ Description: An ephemeral, one-time access account (many times through a mechanism like a
certificate) is created for a specific task, device and person.
■ Meets principle of least privilege: Yes, as long as the account created is only provided granular
access: only the required access for the required task on the required system.
■ Meets ZSP: Yes, since the account will only exist on a one-time basis, leaving no standing access
after the task has been completed.

Built-In High-Level Administration Accounts
■ Description: A handful of admin accounts cannot be deleted or disabled, but represent excessive
privileges (accounts like root, enterprise and domain admin, SA).
■ Meets principle of least privilege: Yes. These accounts can meet the principle of least privilege as
long as they are managed by a PAM tool and effective policies for access and use exist. In general,
these accounts should not be made available for access except in extreme circumstances.
■ Meets ZSP: No. These accounts cannot function in any ZSP model; they must be considered exceptions.
However, the list of accounts that function at this level is small, and they are manageable through a
PAM tool, with defined processes for use, and monitored by a SIEM tool.

Source: Gartner
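Table 1 classifies static privilege elevation (PEDM, sudoers) as JIT but not ZSP: the rule is always there, whether or not anyone is using it. Before migrating such rules to a JIT/ZSP approach it helps to know how many of them are "fully armed". The following sudoers auditor is an added example written for this page, not a Gartner or vendor tool; the sample policy, user names and host names are constructed. It parses Cmnd_Alias lines and user specifications, expands aliases, and grades each rule as `standing-superuser` (any command), `broad` (ALL hosts, ALL runas, wildcard arguments or a shell, each of which is "any command" in practice) or `scoped`. Even a `scoped` rule is still a standing privilege in the table's sense; the grading only shows where the most excessive always-on access sits.

```python
import re
from typing import Dict, List

# Constructed sample policy for this demonstration; not taken from any real host.
SAMPLE_SUDOERS = """
Cmnd_Alias WEB_RESTART = /etc/init.d/apache restart, /bin/systemctl restart httpd
Cmnd_Alias SHELLS = /bin/bash, /bin/sh

joe      ALL=(ALL) ALL                     # personal account, fully armed root equivalent
intern   ALL=(ALL) NOPASSWD: ALL           # the same, without even re-authentication
%webops  web01,web02=(root) NOPASSWD: WEB_RESTART
dba      dbsql01=(postgres) /usr/bin/psql
backup   bkp01=(root) /usr/bin/rsync *     # wildcard argument: effectively any file, any destination
ops      jump01=(root) SHELLS              # a root shell is any command
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*(.*)$")
CMND_ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")   # user hosts=(runas) cmds


def parse_sudoers(text: str) -> List[dict]:
    """Minimal parser: Cmnd_Alias and user specifications only (no includes, User/Host/Runas aliases or Defaults)."""
    aliases: Dict[str, List[str]] = {}
    rules: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line or re.match(r"^(User_Alias|Host_Alias|Runas_Alias|Defaults)\b", line):
            continue
        m = CMND_ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, hosts, runas, rest = m.groups()
        tags: List[str] = []
        while True:                                      # peel NOPASSWD: and friends off the command list
            t = TAG.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = t.group(2)
        cmds: List[str] = []
        for c in (x.strip() for x in rest.split(",")):
            cmds.extend(aliases.get(c, [c]))             # expand Cmnd_Alias references
        rules.append({"user": user, "hosts": hosts.split(","), "runas": runas or "root",
                      "tags": tags, "cmds": cmds})
    return rules


def classify(rule: dict) -> str:
    """standing-superuser: any command; broad: ALL hosts or runas, wildcard arguments or a shell; scoped: the rest.
    Even 'scoped' is a static elevation policy, i.e. a standing privilege in the sense of Table 1."""
    cmds = rule["cmds"]
    if "ALL" in cmds:
        return "standing-superuser"
    if ("ALL" in rule["hosts"] or rule["runas"].split(":")[0] == "ALL"
            or any("*" in c for c in cmds)
            or any(c.split()[0].rsplit("/", 1)[-1] in SHELLS for c in cmds if c)):
        return "broad"
    return "scoped"


def audit(text: str = SAMPLE_SUDOERS) -> List[dict]:
    """One finding per user specification: the parsed rule, its class and whether NOPASSWD applies."""
    return [{**r, "class": classify(r), "nopasswd": "NOPASSWD" in r["tags"]} for r in parse_sudoers(text)]


if __name__ == "__main__":
    for f in audit():
        print(f"{f['class']:19} {f['user']:9} hosts={','.join(f['hosts'])} runas={f['runas']} cmds={f['cmds']}")
```

Feed it the output of `sudo -l` exports or the sudoers files collected by configuration management and the `standing-superuser` rows are the personal, fully armed accounts the note says to eliminate first; `broad` rows are the next candidates for rightsizing into a Cmnd_Alias. The parser deliberately ignores `#include`, `#includedir`, User_Alias and Host_Alias lines, so a real sweep must concatenate included files and expand those aliases before trusting the result.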

Map Required and Desired JIT Capabilities Against Product Offerings to Choose the
Right PAM Tools
After you have implemented a privilege discovery process, inventory and group use cases for
privileged access according to the model shown in Figure 2. Weigh each use case against the five
W’s model to define access in terms of:

■ Who is requiring it?


■ How often?
■ When do they require it (and for how long)?
■ How deep (what level) do they require access?
■ How broad (where) do they require access?
■ What is their justification for privileged access (why)?

Identify use cases that require infrequent access to subsegments of the environment according to
Figure 2. In general, start with the less complex use cases, for example, small numbers of users for
infrequent access to a small number of targets (the use cases highlighted in red and orange in
Figure 2). Then use the knowledge and momentum gained through this process to move on to more
complex use cases like frequent and widespread access.


Figure 2. The Five W’s of Privileged Access

JIT and ZSP Technology Approaches in the Market


The capabilities for providing ZSP through JIT approaches are still maturing, but there are several
examples of just-in-time technologies existing or emerging in the market. This does not represent an
exhaustive list:

■ Privilege elevation and delegation management (PEDM):


■ PAM vendors like ARCON, BeyondTrust, Broadcom (CA Technologies), Centrify, CyberArk,
Micro Focus, One Identity and Thycotic provide agent-based PEDM for JIT access. Clients
must install an agent on a target, and that agent has the ability to allow a normal account to
execute and elevate specific privileged commands according to policy.
■ On most UNIX/Linux systems, privileged access is provided through the “sudo” command,
which implements a policy-based JIT approach. Users log into a UNIX system with their normal
account. A “sudoers” file defines the sudo policy: who can use sudo and what commands are
available to that user. When they want to perform an administrative task, they issue the sudo
command, for example, “sudo /etc/init.d/apache restart,” to restart the Apache web server. If
policy allows them to execute this command, their normal account is granted temporary privileges
to run it. Note that a static sudoers policy is itself a standing privilege in the sense of Table 1:
the elevation is always available to that account, so sudo alone delivers JIT but not ZSP.
■ JIT group membership:
■ Microsoft has a JIT approach to privileged access in Azure AD. Clients can define
administrative access (tasks, targets) in the tenant and a framework of access approvers.
When someone needs elevated access to perform administrative tasks, they request


access through the framework, and an approver (someone who has the appropriate
decision rights to determine the necessity of access) receives the request and approves or
denies the access for a defined period of time. Access is granted to the requestor’s normal
account, meaning they are granted elevated access to perform administrative tasks. The
elevation happens by adding the account to specific privileged security groups. Once the
task is complete (or the time limit for access has expired), the requester’s account will return
to normal access (by removing the account from the privileged security groups), and the
requester will no longer have, or be able to acquire, administrative access on their own.
■ Several vendors such as BeyondTrust and Hitachi ID Systems can add users to a security
group temporarily, during the lifetime of a session as part of a vaulting and session
management approach. This approach works very well in combination with other controls,
such as privilege elevation or UNIX/Linux “sudo.”
■ A vendor called Remediant can discover and visualize administrative privileges by reading
and mapping local configurations that exist on systems, for example, /etc/passwd for Linux
servers and local administrators on Windows. As a next step, Remediant can take control
and remove all users from administrative groups, removing all administrative access. From
there, administrative users can request access to do administrative tasks on certain servers
or devices, much like the Microsoft model. To gain access on a time-limited basis,
Remediant adds the normal account of that user into the appropriate local group, elevating
administrative access for that one user on that one device. Once the task is complete, the
user’s account is removed from the group, removing standing privilege.
■ JIT security tokens:
■ Broadcom (CA Technologies) can generate JIT security tokens for access to privileged AWS
resources. This approach can be used for administrative access to AWS configuration
consoles, but it is particularly useful for automation to grant a well-defined set of privileges
to scripts.
■ Another vendor, SSH.COM, is introducing an approach to JIT access with its “lean” PAM
approach. This approach uses “ephemeral” access, granting one-time, short-lived
certificates for elevating user access.
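For the JIT security tokens described above, the following added example (written for this page; it is not SSH.COM's or Broadcom's implementation, and the key, names and times are made up) shows the property that makes the approach ZSP: the credential is bound to one person, one task and one target, it dies by itself at expiry, and it can be consumed exactly once. It uses an HMAC-signed JSON token as a constructed stand-in for a short-lived certificate; a production system would use a CA-signed certificate or a cloud provider's session token, but the checks the verifier performs are the same.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Set, Tuple


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(key: bytes, subject: str, task: str, target: str, ttl_minutes: int, now: datetime) -> str:
    """Mint a short-lived credential bound to one person, one task and one target.
    The format is a constructed stand-in (HMAC-signed JSON), not a vendor's certificate format."""
    claims = {
        "sub": subject, "task": task, "tgt": target,
        "nbf": int(now.timestamp()),
        "exp": int((now + timedelta(minutes=ttl_minutes)).timestamp()),
        # unique id so the grant can be consumed exactly once
        "jti": hashlib.sha256(f"{subject}|{task}|{target}|{now.isoformat()}".encode()).hexdigest()[:16],
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(key: bytes, token: str, task: str, target: str, now: datetime, seen: Set[str]) -> Tuple[bool, str]:
    """Check signature, validity window, scope and single use; returns (ok, subject-or-reason)."""
    try:
        body, sig = token.split(".")
        sig_bytes = _unb64(sig)
    except Exception:
        return False, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig_bytes, expected):   # constant-time compare before trusting any claim
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    ts = int(now.timestamp())
    if ts < claims["nbf"]:
        return False, "not yet valid"
    if ts >= claims["exp"]:
        return False, "expired"                        # nothing to revoke: the grant simply stops verifying
    if claims["task"] != task or claims["tgt"] != target:
        return False, "scope mismatch"
    if claims["jti"] in seen:
        return False, "replayed"
    seen.add(claims["jti"])
    return True, claims["sub"]


def scenario() -> dict:
    """Constructed walk-through: Joe's 60-minute dev SQL task from Figure 1 as an ephemeral credential."""
    key = b"constructed-demo-key-not-a-real-secret"
    t0 = datetime(2019, 9, 6, 12, 30, tzinfo=timezone.utc)
    tok = issue(key, "joe", "install-app", "devsql01", 60, t0)
    seen: Set[str] = set()
    body, sig = tok.split(".")
    tampered = ("f" if body[0] != "f" else "g") + body[1:] + "." + sig   # one changed character in the claims
    return {
        "first_use": verify(key, tok, "install-app", "devsql01", t0 + timedelta(minutes=1), seen),
        "replay": verify(key, tok, "install-app", "devsql01", t0 + timedelta(minutes=2), seen),
        "expired": verify(key, tok, "install-app", "devsql01", t0 + timedelta(minutes=61), set()),
        "wrong_target": verify(key, tok, "install-app", "prodsql01", t0 + timedelta(minutes=1), set()),
        "tampered": verify(key, tampered, "install-app", "devsql01", t0 + timedelta(minutes=1), set()),
    }
```

The `expired` case is the point of ephemeral access: nothing has to be revoked, vaulted or rotated afterwards, because the credential stops verifying on its own at 13:30. The `wrong_target` case is what distinguishes this from a vaulted shared account, whose password works wherever that account exists, and the `replay` case shows why a grant should carry a unique identifier that the verifier consumes on first use.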

JIT approaches hold promise to reduce some of the complexity of PAM through automation and
policy-based approaches. Approval overhead can be reduced by defining scenarios where
administrative access is preapproved and granted automatically when requested or automatically
assigned.

Once initial use cases are successfully leveraging JIT privileged access, map out a migration path
for the remaining vaulting and session management PAM use cases with a goal of migrating
everything except the most difficult use cases to your JIT strategy.

For smaller companies, a JIT approach is deemed “good enough” for managing privileged access,
but for most, adopting a ZSP approach through JIT represents the next step of maturity for PAM.
The more dynamic approach of JIT holds promise for reducing both complexity and cost for PAM
projects — while at the same time reducing security risk. This means that in some scenarios
adding JIT can actually shrink adoption timelines and, potentially, reduce user “friction” for adopting
PAM by reducing the effort of interacting with the PAM tool to accomplish administrative tasks.
Finally, as companies migrate most of their computing to cloud platforms, a more dynamic
approach for managing elevated access is needed.

What Are the Risks for JIT Approaches?

There are no bullet-proof methodologies for PAM implementations. Even JIT/ZSP approaches
present security or operational risks that must be mitigated:

■ A hacker could compromise the identity of someone who “could” be granted administrative
access for a short time.
■ All PAM tool implementations, privileged access and session management (PASM) or
privilege elevation and delegation (PEDM) — including JIT and ZSP — must include MFA,
which can mitigate this risk (see “Transform User Authentication With a CARTA Approach to
Identity Corroboration” for various approaches).
■ Someone who has been granted elevated access for a short period of time “could” use their
elevated access to provide themselves standing access to systems after the elevated access
expires.
■ First, limit the granted activities to only the access that is necessary. For example, granting
access to install software on a server need not include the ability to modify security settings or
broad privileges such as the ability to modify the local admin group. As with all PAM best
practices, all PAM activity must be recorded. Proper continuous discovery processes are
always required, as are frequent and regular reviews of access. Lastly, any privileged access
that bypasses the PAM tool (such as logging into a privileged account without the control of
PAM tools) should raise a red alert.
■ Depending on the technology chosen, taking a JIT approach to PAM could be more complex
and more expensive than basic PAM approaches.
■ Take a long-term approach to ZSP/JIT. Start with the “low-hanging fruit” use cases and
map out a migration path for the remaining use cases. It is likely that most organizations will
use a hybrid approach — using vaulting and session management (basic PAM) for many
use cases and adding JIT for use cases that lend themselves well to that approach or are
higher risk use cases. In addition, some newer approaches to JIT PAM (outlined in the JIT
and ZSP Technology Approaches in the Market section above) — like managing temporary
privileges through groups or granting one-time access — hold promise to reduce both
complexity and cost, at least for a portion of the environment.
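As an added illustration (not code from the Gartner note or from any vendor it names), the following Python sketch models the temporary-security-group JIT pattern described in the technology section above together with the reconciliation check the risks above call for: privileged groups start empty (ZSP), a grant adds the user's normal account for a fixed window, expiry removes it, and any member found without a live grant is flagged as standing access that bypassed the PAM tool. The class and method names and the sample user and group names are assumptions.

```python
# Added illustration; not code from the Gartner note or any vendor named in it.
# Names (JitController, grant, expire, reconcile) and the sample users/groups
# are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    group: str
    expires_at: int  # epoch seconds; small integers in the sample below


@dataclass
class JitController:
    # Directory state: group name -> set of member accounts. Under ZSP the
    # privileged groups are empty until a grant is issued.
    groups: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # every change the tool makes

    def grant(self, user: str, group: str, now: int, ttl: int) -> Grant:
        """Elevate the user's normal account by adding it to the group for ttl seconds."""
        g = Grant(user, group, now + ttl)
        self.grants.append(g)
        self.groups.setdefault(group, set()).add(user)
        self.audit.append(("grant", user, group, g.expires_at))
        return g

    def expire(self, now: int) -> list:
        """Return accounts to normal access once their window has lapsed."""
        removed = []
        for g in list(self.grants):
            if g.expires_at <= now:
                self.groups.get(g.group, set()).discard(g.user)
                self.grants.remove(g)
                self.audit.append(("revoke", g.user, g.group, now))
                removed.append((g.user, g.group))
        return removed

    def reconcile(self, now: int) -> list:
        """Standing-privilege check: a member of a privileged group with no live
        grant was added outside the PAM tool (for instance by someone using a
        temporary window to give themselves lasting access) and should raise an alert."""
        live = {(g.user, g.group) for g in self.grants if g.expires_at > now}
        return sorted((u, grp) for grp, members in self.groups.items()
                      for u in members if (u, grp) not in live)
```

Running `reconcile` on a schedule, independently of `expire`, is what turns the "red alert" requirement above into a concrete control: the audit list holds only changes made through the tool, so any group member without a matching live grant is drift.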


Next Steps
The goal of a mature PAM practice is to implement the principle of least privilege across all
privileged access use cases. Security and risk management leaders seeking to properly mitigate the
risk of standing privileged access must continue to mature their PAM practice through the following:

■ Immediately plan for removal of all personal privileged accounts, migrating that access into
shared accounts managed by a PAM tool or to JIT/ZSP approaches.
■ Upon completion of discovery of PAM use cases, weigh use cases against the “five W’s” (see
Figure 2) to find additional use cases for JIT access and to map migration paths from vaulting
and session management to JIT, if appropriate.
■ Leverage the JIT capability that exists in your PAM tool, or if you’re choosing a PAM tool,
evaluate the JIT capabilities of vendors (including roadmapped items) as part of your selection
process. While a PAM tool must capture the entirety of PAM risk, your most prominent PAM use
case (Windows server access, for example) can perhaps be addressed using a JIT approach.
■ Tighten identity life cycles for users as part of an overall identity governance and administration
strategy. Governance of administrative accounts is critical in a vaulting and session
management approach. But a JIT approach depends on bulletproof identity life cycle
management that guarantees no unauthorized users have access. Remember that normal user
accounts have the potential to be granted administrative JIT access; thus normal accounts
must be properly secured.

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

“Magic Quadrant for Privileged Access Management”

“Best Practices for Privileged Access Management Through the Four Pillars of PAM”

“IAM Leaders’ Guide to Privileged Access Management”

“Transform User Authentication With a CARTA Approach to Identity Corroboration”

“Architecting Privileged Access Management for Cyber Defense”

Evidence
Gartner recorded over 550 inquiries on PAM over the past 12 months. In talking with clients about
PAM, they regard it as a top security initiative, with clients at various stages of maturity in
implementation.
