Zero Standing Privileges (ZSP)

Zero Standing Privileges (ZSP) is an advanced principle where no accounts (human or machine) retain continuous privileged access. Instead, all privileged rights are granted just-in-time, on demand, and immediately revoked once the task completes.

ZSP extends Just-in-Time (JIT) to the entire environment, aiming for a state where there are literally no permanent admin roles or root accounts. Any user wanting to perform an admin action must obtain ephemeral privileges each time. Typically, ZSP is enforced by a PAM solution or a trust broker that issues short-lived credentials.

While conceptually similar to JIT, ZSP goes further by not allowing even a few accounts to hold privileges permanently; there are truly zero standing privileges. It is a hallmark of a fully matured privilege management strategy and is usually part of a zero trust approach.

How does it affect identity security?

ZSP drastically minimizes the risk of credential theft or insider abuse. If no account permanently has privileged rights, attackers cannot simply steal an admin credential and roam free. Even domain admin or root credentials become ephemeral tokens; once a session ends, the token is void. This eliminates the “keys to the kingdom” scenario.

ZSP also enforces continuous auditing: every privileged action is preceded by an explicit request and approval, generating logs for accountability. From an identity security standpoint, ZSP therefore addresses a core weakness, long-lived privileges, which often lead to major breaches when compromised.

ZSP is particularly relevant to cloud computing, where resources spin up and down frequently. Cloud providers already encourage ephemeral credentials (e.g., AWS STS, Azure temporary roles). Under a ZSP model, even root or global admin roles in the cloud must be checked out via a secure workflow that issues short-lived tokens.

Implementing ZSP can be challenging in large, dynamic environments, but the payoff is a near-complete removal of standing admin exposure.
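A toy privilege broker, added here as an illustration (it is not code from any PAM product or cloud provider the page mentions), that models the workflow described above: default zero access, an explicit request and a separate approval, a short-lived token, revocation as soon as the task ends, and an audit record for every step. The class, role and approver names are constructed for the example.

```python
# Minimal zero-standing-privileges broker (constructed illustration, not a
# real PAM product). Default is zero access; privilege exists only as a
# time-bound, approved grant that is revoked when the task ends.
import secrets
import time

class PrivilegeBroker:
    def __init__(self, approvers, max_ttl=900, clock=time.time):
        self.approvers = set(approvers)
        self.max_ttl = max_ttl    # ceiling on any grant, in seconds
        self.clock = clock        # injectable so expiry can be tested
        self.pending = {}         # request_id -> (principal, role)
        self.grants = {}          # token -> grant record (no standing roles anywhere)
        self.audit = []           # (timestamp, event, details) for accountability

    def _log(self, event, **details):
        self.audit.append((self.clock(), event, details))

    def request(self, principal, role, justification):
        """Ask for elevation; nothing is granted yet."""
        req_id = secrets.token_hex(8)
        self.pending[req_id] = (principal, role)
        self._log("request", id=req_id, principal=principal, role=role, why=justification)
        return req_id

    def approve(self, req_id, approver, ttl=900):
        """Turn a pending request into a short-lived token; no self-approval."""
        principal, role = self.pending.pop(req_id)
        if approver not in self.approvers or approver == principal:
            self._log("approval_denied", id=req_id, approver=approver)
            raise PermissionError("approver not authorised, or self-approval")
        ttl = min(ttl, self.max_ttl)          # never exceed the broker's ceiling
        token = secrets.token_urlsafe(32)
        self.grants[token] = {"principal": principal, "role": role,
                              "expires_at": self.clock() + ttl, "revoked": False}
        self._log("grant", id=req_id, principal=principal, role=role, ttl=ttl)
        return token

    def is_authorized(self, token, role):
        """Every privileged action is checked against a live grant, never a standing role."""
        g = self.grants.get(token)
        ok = (g is not None and not g["revoked"] and g["role"] == role
              and self.clock() < g["expires_at"])
        self._log("access_check", role=role, allowed=ok)
        return ok

    def release(self, token):
        """Revoke as soon as the task completes; expiry is only the backstop."""
        g = self.grants.get(token)
        if g and not g["revoked"]:
            g["revoked"] = True
            self._log("revoke", principal=g["principal"], role=g["role"])
```

The injectable clock lets you verify that a grant dies on expiry even if the holder never calls release, which is the property that distinguishes ZSP from an ordinary admin group.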

Case studies

In mid-2022, GitLab reported a case where an attacker stole an internal team member’s credentials but found no standing privileges attached. The attacker attempted to request elevated access, triggering a security alert. Because GitLab had implemented a zero standing privilege model for engineering accounts, the attacker’s session was blocked before any privileged actions could be performed.

Another instance is the LAPSUS$ group’s infiltration attempts against Microsoft, where short-lived privileges in Microsoft’s internal systems limited the group’s ability to gain broad control, highlighting how ephemeral admin sessions hamper attackers. In both examples, ZSP prevented an otherwise easy takeover of admin capabilities.

FAQs

Everything you need to know

What is Zero Standing Privileges in cybersecurity?

Zero Standing Privileges (ZSP) is an identity security principle that mandates the total elimination of persistent administrative access for human and machine identities.

- Remove permanent rights
- Set default zero access
- Enable dynamic provisioning

How does ZSP support a Zero Trust architecture?

ZSP removes standing credentials to reduce the attack surface and supports Zero Trust principles through continuous verification of every access request.

- Eliminate persistent credentials
- Minimize lateral movement
- Reduce attack surfaces

What is the role of Just-in-Time access in this model?

Just-in-Time (JIT) access grants temporary elevated permissions only for specific tasks and automatically revokes them upon completion to prevent privilege creep.

- Grant rights temporarily
- Revoke access automatically
- Limit session duration

Which tools are required to implement Zero Standing Privileges?

Organizations must deploy automated Privileged Access Management (PAM) tools and robust policy frameworks to manage the dynamic provisioning of rights.

- Deploy PAM software
- Automate rights provisioning
- Establish policy frameworks

What security risks does the ZSP model mitigate?

This model mitigates risks associated with credential theft and the exploitation of high-value super-user accounts by removing permanent administrative entry points.

- Prevent credential theft
- Stop privilege creep
- Block lateral movement