The Challenge: Eliminating Standing Privileges

In the modern threat landscape, the presence of standing privileged accounts—where users retain elevated permissions 24/7—is a critical security vulnerability. Even if strong MFA is enforced, these accounts remain high-value targets. The industry goal is to implement a robust, scalable Zero Standing Privilege (ZSP) model using native Okta Identity Governance (OIG) capabilities, ensuring the most sensitive roles are only active when explicitly needed.

The Solution: A Two-Tiered Access Governance Model

This solution uses a unique, two-tiered access model within OIG that separates long-term eligibility from short-term activation. This design ensures continuous governance while dramatically reducing the active attack surface.

Tier 1: Role Eligibility (The Long-Term Vetting)

This tier determines who is allowed to access the privileged role.

  • Mechanism: Access Request Condition (ARC) tied to an Eligible Group (a group not directly used for application access).
  • Approval Process: Requires strict, multi-step human review, typically including Line Manager Approval and Role Owner Approval.
  • Governance: Membership is subject to a recurring User Access Review (UAR), e.g. every 90 days.
  • Result: The user gains an ongoing right to request activation of the role, but the role itself is not yet assigned in the target application.

Tier 2: Just-in-Time Activation (The Daily Elevation)

This tier handles the temporary elevation needed to perform a task.

  • Mechanism: A separate ARC tied directly to the final privileged group/role in the target application. This request is only visible to members of the Tier 1 Eligible Group.
  • Time-Boxed: Access is strictly limited (e.g., 4, 8, or 12 hours) and automatically revoked by OIG when the window ends.
  • Flexibility: Approval can be customized (e.g., self-approved via manager relationship in Okta) or enforced (e.g., peer approval) based on the role's sensitivity.
  • Result: The user is dynamically assigned the privileged role (e.g., Super Admin) only for the requested window, achieving ZSP.
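As an added illustration (not Okta's code or API), the following constructed Python model captures the rules of both tiers: Tier 1 eligibility requires both human approvals and lapses unless recertified within the UAR window, Tier 2 activation is offered only to eligible users for one of the allowed durations, and the privileged role exists only while an unexpired grant is present. The class and role names (ZspDirectory, super-admin) are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed simulation of the two-tier model; it is not Okta's API.
PRIVILEGED_ROLE = "super-admin"          # Tier 2 target role (hypothetical name)
ALLOWED_HOURS = (4, 8, 12)               # time-box options named in the article
UAR_PERIOD = timedelta(days=90)          # recurring User Access Review interval
REQUIRED_APPROVERS = {"line_manager", "role_owner"}

@dataclass
class Grant:
    user: str
    expires_at: datetime

@dataclass
class ZspDirectory:
    eligible: dict = field(default_factory=dict)  # user -> last certification time
    grants: list = field(default_factory=list)    # live Tier 2 activations

    def approve_eligibility(self, user, approvals, now):
        """Tier 1: join the Eligible Group only after both human approvals."""
        if not REQUIRED_APPROVERS <= set(approvals):
            raise PermissionError("needs line manager and role owner approval")
        self.eligible[user] = now

    def is_eligible(self, user, now):
        """Eligibility lapses unless recertified within the UAR period."""
        certified = self.eligible.get(user)
        return certified is not None and now - certified <= UAR_PERIOD

    def recertify(self, user, now):
        """UAR outcome: the reviewer keeps the user in the Eligible Group."""
        if user in self.eligible:
            self.eligible[user] = now

    def activate(self, user, hours, now):
        """Tier 2: time-boxed activation, offered only to eligible users."""
        if not self.is_eligible(user, now):
            raise PermissionError("activation request not visible to this user")
        if hours not in ALLOWED_HOURS:
            raise ValueError(f"duration must be one of {ALLOWED_HOURS} hours")
        grant = Grant(user, now + timedelta(hours=hours))
        self.grants.append(grant)
        return grant

    def active_roles(self, user, now):
        """Effective roles: the privileged role exists only while a grant is live."""
        self.grants = [g for g in self.grants if g.expires_at > now]  # auto-revoke
        return {PRIVILEGED_ROLE} if any(g.user == user for g in self.grants) else set()
```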

Security Controls: More Than Just Time-Boxing

This solution layers complementary Okta controls on top of time-boxing:

  • Secondary Accounts (Best Practice): Organizations often use separate privileged accounts with highly stringent Authentication and Session Policies (e.g., requiring YubiKey, Device Trust, FIDO2, etc.). This ensures the credentials used for privileged actions are far more secure than the user's day-to-day account.
  • Target Application Integration:
    • For applications using SAML/OIDC, leveraging group assignments can effectively cut off the SSO path. The user cannot log in until they activate their JIT access through the OIG workflow.
    • For SCIM-integrated apps, the activation triggers JIT provisioning and entitlement assignment in the target system for the time-boxed duration.

Okta as the PIM Platform: A Look Ahead

This framework is built entirely from first-party Okta Identity Governance and Okta Workflows capabilities, demonstrating that Okta can serve as a robust PIM solution for any integrated application.

Stay tuned for our follow-up How-To Guide, which will provide step-by-step instructions for deploying this ZSP model in your own Okta environment!
