TL;DR: Ransomware incidents such as Colonial Pipeline exposed a deeper problem than malware alone: old credentials, missing multifactor authentication, and standing access let attackers move through critical systems, according to Britive Team. Zero trust only works when teams remove persistent access and treat identity as the perimeter.
At a glance
What this is: This commentary argues that ransomware pressure exposed identity failures, not just perimeter weaknesses, and that zero standing privilege is the practical control point.
Why it matters: For IAM and NHI practitioners, the lesson is that stale credentials, unmanaged access, and slow revocation create the conditions ransomware operators need.
Context
The core problem is not that organisations lack security tools. It is that identity controls often leave old access in place long after a person or service should no longer be trusted. In NHI governance, that means the security boundary is really a lifecycle problem: if credentials, privileges, and authentication paths outlive their purpose, ransomware operators only need one weak point to turn access into impact.
The Colonial Pipeline case, as discussed in the source article, is a useful example because it shows how an old login credential can become a durable foothold when standing privileges are not removed. That pattern is not unusual. It is the same operational failure that affects service accounts, tokens, and other NHIs when revocation, monitoring, and MFA enforcement lag behind business change.
Key questions
Q: How should security teams reduce ransomware risk with zero trust?
A: Start by removing standing access wherever possible, then require time-bound access for elevated tasks and critical systems. Zero trust is effective only when identity is re-verified at the point of access and old privileges are removed quickly. For NHIs, pair that model with rotation, expiry, and lifecycle controls so stale credentials do not remain usable.
Q: When does MFA fail to stop ransomware attackers?
A: MFA fails when the real problem is not login strength but lingering authorization. If an attacker already has a valid credential that still carries standing privilege, MFA may not block reuse in every path, especially for non-interactive or legacy workflows. Teams need revocation, short-lived access, and least privilege in addition to stronger authentication.
Q: What is the difference between zero trust and zero standing privilege?
A: Zero trust is the broader model that assumes no identity or device should be trusted by default. Zero standing privilege is the access pattern that removes permanent rights and grants access only when needed. In practice, zero standing privilege is one of the ways organisations make zero trust real for both human users and NHIs.
Q: How can organisations govern old credentials in cloud environments?
A: Treat old credentials as security defects, not administrative leftovers. Build inventory, ownership, expiry, and revocation into identity operations so access ends when its business need ends. For cloud and NHI use cases, combine automated rotation, JIT provisioning, and monitoring for reuse after deprovisioning.
Technical breakdown
Why standing access becomes a ransomware enabler
Standing access is persistent entitlement that remains valid until someone removes it. In practice, that means an attacker who finds a credential can often use it immediately, without waiting for approval or re-authentication. For NHIs, the risk is higher because service accounts, API keys, and tokens are often embedded in workflows and forgotten during offboarding or system changes. Zero trust reduces this risk only when access is continuously evaluated instead of assumed to be valid forever.
Practical implication: Inventory every persistent credential and replace permanent access with task-scoped, time-bound authorization.
How zero trust changes the identity control model
Zero trust shifts the security model away from trusted network zones and toward verified identity, device posture, and least privilege at the moment of access. The important change is not simply adding MFA. It is removing default trust and requiring proof for each access decision, especially where cloud apps, VPNs, and administrative consoles are involved. For NHIs, that means separating authentication from enduring privilege and ensuring each token or secret only authorizes the minimum necessary action.
Practical implication: Use policy-based access decisions that expire automatically and require re-approval for elevated actions.
Why JIT and zero standing privilege matter in cloud environments
Just-in-time access and zero standing privilege reduce the lifetime of credentials and privileges to the shortest practical window. That matters because ransomware operators do not need broad access if one durable credential can unlock enough systems to spread. The article’s point is architectural, not cosmetic: if the access path remains always on, the organisation is trusting a state that may no longer match reality. For NHIs, short-lived access is a governance control, not just an administrative convenience.
Practical implication: Map high-risk human and non-human accounts to JIT workflows and require explicit expiry for every elevated session.
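As an added example (not code from the Britive article or from NHIMG), the following minimal access broker models the zero standing privilege pattern described above: every grant is explicit, approved and time-bound, revocation is immediate, and authorization is re-evaluated at the moment of access rather than inherited from a still-valid credential. The class and function names, the policy ceiling and the sample identities are assumptions constructed for illustration.

```python
"""Added example, not from the source article: a JIT access broker
with no permanent entitlements. Names and values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_ELEVATED_TTL = timedelta(minutes=30)   # assumed policy ceiling per grant


@dataclass
class Grant:
    principal: str        # human user or NHI (service account, workload)
    scope: str            # one task-scoped action, e.g. "vpn:connect"
    expires_at: datetime  # every grant carries an explicit expiry
    approved_by: str      # ticket / approver recorded for audit


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)

    def grant(self, principal, scope, ttl, approved_by, now):
        # Reject open-ended or over-long windows: no standing access.
        if ttl <= timedelta(0) or ttl > MAX_ELEVATED_TTL:
            raise ValueError("ttl must be positive and within policy ceiling")
        g = Grant(principal, scope, now + ttl, approved_by)
        self.grants.append(g)
        return g

    def revoke(self, principal):
        # Offboarding / role change: drop every grant at once, whatever
        # TTL remained, so a still-valid credential authorizes nothing.
        self.grants = [g for g in self.grants if g.principal != principal]

    def authorize(self, principal, scope, now):
        # Evaluated on every access: expired grants are purged first, and
        # only an unexpired grant matching this exact scope passes.
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.principal == principal and g.scope == scope
                   for g in self.grants)


def demo():
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    b = AccessBroker()
    b.grant("svc-backup", "vpn:connect", timedelta(minutes=15), "CHG-0001", t0)
    live = b.authorize("svc-backup", "vpn:connect", t0 + timedelta(minutes=5))
    wrong_scope = b.authorize("svc-backup", "admin:console", t0 + timedelta(minutes=5))
    expired = b.authorize("svc-backup", "vpn:connect", t0 + timedelta(minutes=16))
    return live, wrong_scope, expired   # (True, False, False)
```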
Threat narrative
Attacker objective: turn a stale credential into trusted access that can support ransomware placement and business disruption.
- Entry occurred when attackers obtained a valid old login credential for a VPN rather than relying on phishing or malware delivery.
- Escalation was possible because the credential retained standing access rights after the user should have lost them.
- Impact followed when VPN access gave the attackers a path into critical internal systems that could support ransomware deployment.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Zero standing privilege is the operational answer to ransomware’s identity problem. The source article is correct to focus on old credentials, because persistent access is what turns a single stolen secret into a durable intrusion path. Zero trust is only meaningful when access is removed by default and re-granted for a specific purpose. For practitioners, that means privilege expiry must be built into access design, not treated as cleanup work.
Ransomware exposure in NHI environments often begins with lifecycle failure, not advanced exploitation. Service accounts, tokens, and VPN credentials are frequently created faster than they are retired, monitored, or rotated. That creates a governance debt that attackers can cash in later. The practical conclusion is that identity lifecycle controls are a ransomware control, not just an IAM hygiene issue.
Ephemeral credential trust debt: the longer a credential remains valid after its intended use, the more likely it is to become an attacker-controlled access path. This is especially true in cloud and hybrid environments where access spans multiple tools, not one perimeter. Organisations should treat every long-lived secret as a liability until expiry, rotation, and review are enforced.
MFA alone does not solve stale access. The article correctly notes that missing multifactor authentication was part of the problem, but MFA is not a substitute for revocation and least privilege. If a credential remains valid when it should not, the organisation has merely added a stronger lock to the wrong door. Practitioners should pair MFA with entitlement removal and JIT provisioning.
Zero trust only scales when identity governance reaches NHIs. The article frames digital identity as the new perimeter, and that is right, but many programmes still focus on human users first. In ransomware scenarios, machine identities, administrative accounts, and inherited privileges are often the easier path. Teams should extend zero trust controls to every identity type, not just employees.
From our research:
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%), according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For the wider control picture, see Ultimate Guide to NHIs, Key Challenges and Risks for the governance gaps that let stale access persist.
What this signals
Ephemeral credential trust debt: the longer a secret remains valid after its intended use, the more likely it becomes an attacker-controlled pathway. That matters for programme design because lifecycle discipline now has direct resilience value. Teams should align this with NIST SP 800-207 Zero Trust Architecture and make expiry, re-authentication, and entitlement review mandatory control points.
With 1 in 4 organisations already investing in dedicated NHI security capabilities and another 60% planning to do so within the next twelve months, the governance baseline is shifting from ad hoc control to dedicated programme ownership. That is the moment to decide whether NHIs sit inside IAM operations, cloud security, or a separate control domain, because unclear ownership slows revocation and monitoring.
The practical next step is to connect access governance to workload identity and secret management rather than treating them as separate problems. The Guide to SPIFFE and SPIRE is relevant here because workload identity becomes easier to govern when the identity is issued, verified, and expired as part of the runtime trust model.
For practitioners
- Implement continuous revocation for stale credentials: Identify accounts that retain access after role change, departure, or project end, then enforce immediate disablement and automated expiry for every credential path.
- Replace standing VPN access with task-scoped access: Move privileged remote access to just-in-time workflows with explicit approval, short session windows, and post-session logging for human and non-human identities.
- Extend MFA to all privileged and non-human access: Require phishing-resistant MFA where possible, and apply it to administrative consoles, API-facing service paths, and any access route that can reach critical systems.
- Audit secrets and tokens for long-lived trust: Catalogue API keys, certificates, and tokens that outlive their use case, then rotate or replace them with short-lived credentials tied to a defined workload or session.
- Monitor for anomalous reuse of old credentials: Correlate authentication logs with HR, contractor, and lifecycle events so access from dormant or deprovisioned identities is flagged before it can be operationalized.
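As an added example (not code from the Britive article or from NHIMG) covering the first and last items above, the following detection logic correlates successful VPN authentications with an identity lifecycle feed and flags logins by deprovisioned identities, by dormant identities (human or NHI) and by identities with no owner record at all. The log format, the lifecycle records, the dormancy threshold and all identities and addresses are constructed for illustration.

```python
"""Added example, not from the source article: flag authentications by
deprovisioned, dormant or unowned identities. All data is constructed."""
from datetime import date, datetime, timedelta

DORMANCY = timedelta(days=60)   # assumed threshold for "dormant" identity

# Constructed lifecycle feed (HR / contractor / NHI owner records).
# offboarded: date the business need ended (None = still active)
# last_seen:  last legitimate authentication before this log window
LIFECYCLE = {
    "jdoe":       {"type": "human", "offboarded": "2024-11-15", "last_seen": "2024-11-14"},
    "svc-backup": {"type": "nhi",   "offboarded": None,         "last_seen": "2024-09-01"},
    "asmith":     {"type": "human", "offboarded": None,         "last_seen": "2025-01-09"},
}

# Constructed VPN auth log: "<ISO-8601 time> <identity> <result> <source>"
AUTH_LOG = """\
2025-01-10T02:14:05Z jdoe success 203.0.113.7
2025-01-10T02:20:41Z svc-backup success 198.51.100.9
2025-01-10T08:03:12Z asmith success 192.0.2.44
2025-01-10T08:05:00Z ghost-acct success 203.0.113.8
2025-01-10T08:06:30Z jdoe failure 203.0.113.7
"""


def parse(line):
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result, src


def flag_stale_access(log_text, lifecycle):
    """Return (identity, reason, source) for every suspicious successful login."""
    findings = []
    for line in log_text.splitlines():
        ts, user, result, src = parse(line)
        if result != "success":
            continue   # failed attempts are handled by a separate brute-force rule
        rec = lifecycle.get(user)
        if rec is None:
            # No owner record: nobody is responsible for revoking it.
            findings.append((user, "unknown_identity", src))
        elif rec["offboarded"] and ts.date() > date.fromisoformat(rec["offboarded"]):
            # Credential still works after the business need ended.
            findings.append((user, "deprovisioned", src))
        elif ts.date() - date.fromisoformat(rec["last_seen"]) > DORMANCY:
            # Long-idle identity (often an NHI) suddenly active again.
            findings.append((user, "dormant_reuse", src))
    return findings
```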
Key takeaways
- Ransomware campaigns often succeed because identity is left standing after it should have been revoked.
- The scale of the problem is visible in NHI research, where credential rotation and monitoring remain the main failure points.
- Practitioners should shift from permanent access to time-bound, lifecycle-managed privilege across both human and non-human identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust is the article's core model for eliminating standing access. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access review are central to stopping stale credential abuse. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation failures are a primary risk pattern in NHI compromise. |
Apply zero trust to every access path and remove implicit trust from legacy VPN and admin workflows.
Key terms
- Zero Standing Privilege: Zero Standing Privilege means no account or secret keeps permanent access by default. Access is granted only when needed and for a limited purpose, which reduces the window available to attackers who find old credentials or unused entitlements.
- Just-in-Time Access: Just-in-Time Access is a provisioning model where elevated permissions exist only for the duration of a specific task. It is used to replace always-on privilege with short-lived access that can be approved, logged, and expired automatically.
- Ephemeral Credential: An ephemeral credential is a short-lived secret, token, or certificate that expires quickly after issuance. These credentials reduce the value of theft, but they still require strong lifecycle controls because misuse is possible while they remain valid.
- Non-Human Identity: A Non-Human Identity is any digital identity used by software, workloads, bots, or agents rather than people. These identities often operate at machine speed and can accumulate risk when rotation, monitoring, and ownership are unclear.
Deepen your knowledge
Zero trust, zero standing privilege, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are tightening access after ransomware lessons of your own, it is worth exploring.
This post draws on content published by Britive covering ransomware, zero trust, and standing access. Read the original.
Published by the NHIMG editorial team on 2025-12-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org