In the world of cybersecurity, we’ve spent the last decade building digital fortresses. We told companies: “Put your administrative passwords in a vault, lock them up, and you’ll be safe.” For a while, that was true. But as the healthcare sector and other critical infrastructures have learned, the “fortress” model is no longer enough.
During a recent discussion on the evolution of Privileged Access Management (PAM), experts highlighted a shift from simple password storage to a more aggressive, identity-centric defense strategy. Here is why your business needs to move beyond the vault and embrace the power of Zero Standing Privileges (ZSP) and MFA in Depth.
Why your business needs to embrace ZSP and MFA
The death of the "Permanent Admin"
Traditionally, an IT administrator has “standing privileges”, meaning they have high-level access 24/7, whether they are fixing a server or just checking their email. This is a goldmine for hackers. If an admin’s account is compromised at 2:00 AM, the hacker has the “keys to the kingdom” until someone notices.
The Solution: Zero Standing Privileges. With technologies like Delinea, companies are moving toward a model where users have zero rights by default. Rights are only granted “Just-In-Time” (JIT) for a specific task and for a limited window. Once the work is done, the privileges vanish. For a hacker, stealing such an account is like stealing a key that only works for five minutes a day, it’s practically useless.
Stopping "lateral movement"
A common nightmare scenario for security teams is Lateral Movement. A hacker enters your network through a low-security device (an unsecured server or workstation) and “hops” from one server to another until they reach your sensitive patient data or financial records.
Standard vaults don’t stop this because, once a hacker is inside, the servers themselves often lack the intelligence to challenge the intruder.
The Solution: Identity-at-the-Source. By using a host-based agent on the servers, you turn the server itself into a gatekeeper. Even if a hacker moves sideways to another server, that server will demand proof of identity that the hacker simply doesn’t have.
MFA is not a one-time event
Many organizations use Multi-Factor Authentication (MFA) as a one-time check when employees log into their devices. However, in a high-risk environment, relying on the “front door” alone isn’t enough.
The Solution: MFA in Depth. Every critical action becomes a checkpoint.
- Want to access the vault? MFA.
- Need to view a sensitive password? MFA.
- Want to escalate your rights to “Administrator” to change a database? MFA.
By layering MFA throughout the process, you create a “defense in depth” that makes it nearly impossible for an external actor, who doesn’t have the physical token or biometrics of the employee, to do any real damage.
Making the SOC team your best friend
In any modern enterprise, the Security Operations Center (SOC) is the heartbeat of defense. However, the SOC is only as good as the data it receives.
When you implement a modern PAM solution, every privilege elevation and access request is logged and sent to your SIEM (Security Information and Event Management) tool. This level of visibility transforms security operations. It allows security teams to shift from reactive “firefighting” to proactive monitoring, giving them insight into exactly who did what, when, and why.
Conclusion: From complexity to maturity
As seen in recent implementations at major healthcare hubs like AZ Rivierenland, the transition to a Zero Trust model is a journey. It starts with securing your passwords in a vault, but it ends with a dynamic environment where access is a temporary privilege, not a permanent right.
In today’s world, where “it’s not if, but when” a breach occurs, the goal is to make your internal accounts so restricted and so heavily monitored that even a successful breach leads to a dead end. Zero Standing Privileges and MFA in Depth are essential tools in achieving this goal.
