MFA and ZSP: are your enterprise access controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Compromised credentials, phishing, RDP exposure, and weak telemetry remain the core enterprise access risks in Whiteswan Security’s analysis, which argues for MFA everywhere and zero standing privilege to reduce lateral movement and slow attacker progress. The deeper issue is that identity programmes still assume password compromise is the main event, when in practice persistent access and weak monitoring decide the blast radius.

NHIMG editorial — based on content published by Whiteswan Security: MFA and Zero Standing Privileges for stronger enterprise defense

By the numbers:

Questions worth separating out

Q: How should security teams reduce risk from stolen credentials in enterprise environments?

A: Start by assuming a password will be exposed and design the environment so that a valid login does not equal broad access.

Q: Why do standing privileges make compromised accounts so dangerous?

A: Standing privileges give an attacker reusable access the moment one account is compromised, which turns a single successful phishing or password attack into a wider internal threat.

Q: How can organisations tell whether their identity controls are actually working?

A: Look for reduced access persistence, fewer unexpected privileged sessions, and stronger detection of unusual remote access activity.

Practitioner guidance

  • Enforce MFA on every external and privileged entry point: require step-up authentication for email, VPN, RDP, administrative portals, and any path that can reach directory services or critical systems.
  • Replace standing privilege with just-in-time access: move privileged rights out of permanent group membership and into task-scoped elevation that expires when the work ends.
  • Correlate identity telemetry across sign-in and remote access: join authentication logs, privilege elevation events, and RDP session data so suspicious patterns are visible in one view.

What's in the full article

Whiteswan Security's full article covers the operational detail this post intentionally leaves for the source:

  • MFA Anywhere implementation context for reducing friction across access points
  • RDP hardening scenarios that show how attackers pivot after initial access
  • Telemetry examples that help teams spot anomalous login and privilege activity
  • Practical framing for pairing MFA with zero standing privilege in enterprise environments

👉 Read Whiteswan Security's analysis of MFA, zero standing privilege, and RDP risk →
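The third guidance point in the post (joining authentication logs, privilege elevation events and RDP session data into one view) as an added example in Python. This is not code from the post or from Whiteswan Security's article: the event schema (ts/user/src_ip/mfa/role/dst_host), the sample events, the 30-minute window and the three-host fan-out threshold are all constructed assumptions for illustration.

```python
"""Correlate sign-in, privilege-elevation and RDP session events into one view.

Added example, not code from the post or from Whiteswan Security. The event
schema is an assumed SIEM-style normalisation and every event below is
constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ISO-8601 timestamps, one clock for all sources).
SIGNINS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "src_ip": "10.1.1.5",    "mfa": True},
    {"ts": "2024-05-01T08:02:00", "user": "bob",   "src_ip": "203.0.113.7", "mfa": False},
]
ELEVATIONS = [
    {"ts": "2024-05-01T08:05:00", "user": "alice", "role": "ServerAdmin"},
    {"ts": "2024-05-01T08:04:00", "user": "bob",   "role": "DomainAdmin"},
    {"ts": "2024-05-01T09:30:00", "user": "carol", "role": "DomainAdmin"},  # no sign-in at all
]
RDP_SESSIONS = [
    {"ts": "2024-05-01T08:10:00", "user": "alice", "src_ip": "10.1.1.5",     "dst_host": "fs01"},
    {"ts": "2024-05-01T08:06:00", "user": "bob",   "src_ip": "203.0.113.7",  "dst_host": "dc01"},
    {"ts": "2024-05-01T08:07:00", "user": "bob",   "src_ip": "203.0.113.7",  "dst_host": "fs01"},
    {"ts": "2024-05-01T08:08:00", "user": "bob",   "src_ip": "203.0.113.7",  "dst_host": "sql01"},
    {"ts": "2024-05-01T09:35:00", "user": "carol", "src_ip": "198.51.100.9", "dst_host": "dc01"},
]


def _t(event):
    return datetime.fromisoformat(event["ts"])


def correlate(signins, elevations, rdp_sessions,
              window=timedelta(minutes=30), fanout=3):
    """Return a list of findings, each {"user", "rule", "detail"}.

    Rules (thresholds are illustrative assumptions; tune per environment):
      ELEVATION_WITHOUT_MFA  - elevation with no MFA-backed sign-in by that
                               user in the preceding window
      RDP_FROM_UNSEEN_SOURCE - RDP session from a source IP that never
                               authenticated as that user in the window
      RDP_FANOUT             - one user reaching >= fanout distinct hosts
                               over RDP inside a single window
    """
    findings = []
    signins_by_user = defaultdict(list)
    for s in signins:
        signins_by_user[s["user"]].append(s)

    def recent_signins(user, when, **match):
        # Sign-ins by `user` in [when - window, when] whose fields match.
        return [s for s in signins_by_user[user]
                if when - window <= _t(s) <= when
                and all(s.get(k) == v for k, v in match.items())]

    for e in elevations:
        if not recent_signins(e["user"], _t(e), mfa=True):
            findings.append({"user": e["user"], "rule": "ELEVATION_WITHOUT_MFA",
                             "detail": e["role"]})

    sessions_by_user = defaultdict(list)
    for r in rdp_sessions:
        if not recent_signins(r["user"], _t(r), src_ip=r["src_ip"]):
            findings.append({"user": r["user"], "rule": "RDP_FROM_UNSEEN_SOURCE",
                             "detail": r["src_ip"]})
        sessions_by_user[r["user"]].append(r)

    for user, sessions in sessions_by_user.items():
        sessions.sort(key=_t)
        for i, first in enumerate(sessions):
            hosts = {s["dst_host"] for s in sessions[i:]
                     if _t(s) - _t(first) <= window}
            if len(hosts) >= fanout:
                findings.append({"user": user, "rule": "RDP_FANOUT",
                                 "detail": sorted(hosts)})
                break  # one fan-out finding per user is enough
    return findings


def analyse():
    """Run the correlation over the constructed sample data."""
    return correlate(SIGNINS, ELEVATIONS, RDP_SESSIONS)


if __name__ == "__main__":
    for f in analyse():
        print(f"{f['rule']:<24} user={f['user']} detail={f['detail']}")
```

On the sample data alice (MFA sign-in, one RDP target from the same source) produces nothing, bob is flagged for elevating after a password-only sign-in and for fanning out to three hosts, and carol is flagged for an elevation with no sign-in at all and an RDP session from an address that never authenticated. The point of keeping all three sources in one function is that each rule needs a different pair of them; none is visible from a single log.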

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

MFA everywhere is not a sufficient control if standing access remains the default. MFA reduces the value of a stolen password, but it does not remove the durable entitlement that lets a compromised identity keep moving after login. The programme failure here is assuming authentication hardening and privilege governance are separable disciplines. Practitioner conclusion: treat MFA and ZSP as one access-control system, not two independent projects.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Confidence gaps in NHI governance are reflected in another finding from the same research: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.

A question worth separating out:

Q: What should teams prioritise first, MFA or zero standing privilege?

A: They should implement both, but the priority order depends on the current exposure. If remote access and stolen credentials are the main path in, MFA should be immediate. If privileged accounts are already broadly reusable, zero standing privilege may reduce risk faster because it removes the access attackers want after they authenticate.

👉 Read our full editorial: MFA and zero standing privilege are still the control gap in enterprise access
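The reply's point that MFA and ZSP have to be one access-control system, as an added Python model that is not code from the post or from Whiteswan Security. The broker, its Session and Grant types, the 10-minute MFA freshness window and the one-hour grant cap are illustrative assumptions; the shape it shows is a valid login that buys nothing by itself, elevation that requires fresh MFA, and privilege that is scoped and expires rather than being held.

```python
"""MFA and zero standing privilege as a single access-control decision.

Added example, not code from the post or from Whiteswan Security. The
AccessBroker, Session and Grant types and the freshness/TTL thresholds
are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Session:
    user: str
    authenticated_at: datetime
    mfa_at: Optional[datetime] = None   # None means password-only sign-in


@dataclass
class Grant:
    user: str
    role: str
    scope: str                           # host or resource the role applies to
    expires_at: datetime


class AccessBroker:
    """Brokers task-scoped, expiring privilege instead of group membership."""

    def __init__(self, mfa_freshness=timedelta(minutes=10),
                 max_ttl=timedelta(hours=1)):
        self.mfa_freshness = mfa_freshness   # assumed policy value
        self.max_ttl = max_ttl               # assumed policy value
        self.grants: List[Grant] = []

    def request_elevation(self, session, role, scope, ttl, now):
        """ZSP: nobody holds `role` permanently; every use is a request.

        MFA gate: a stolen password alone (mfa_at None) or a stale MFA
        assertion cannot mint a grant, so login does not equal privilege.
        """
        if session.mfa_at is None or now - session.mfa_at > self.mfa_freshness:
            raise PermissionError("fresh MFA required to elevate")
        grant = Grant(session.user, role, scope, now + min(ttl, self.max_ttl))
        self.grants.append(grant)
        return grant

    def is_authorized(self, user, role, scope, now):
        # Expired grants are swept on every check, so nothing becomes standing.
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.user == user and g.role == role and g.scope == scope
                   for g in self.grants)


def demo():
    """Decisions a compromised session and a legitimate session each receive."""
    t0 = datetime(2024, 5, 1, 8, 0, 0)
    broker = AccessBroker()
    out = {}

    # Phished password, no MFA: the login itself succeeds, elevation does not.
    stolen = Session("alice", authenticated_at=t0)
    try:
        broker.request_elevation(stolen, "ServerAdmin", "fs01", timedelta(hours=8), t0)
        out["password_only_elevated"] = True
    except PermissionError:
        out["password_only_elevated"] = False

    # Fresh MFA: a scoped grant is issued, with the requested 8h cut to max_ttl.
    real = Session("alice", authenticated_at=t0, mfa_at=t0)
    grant = broker.request_elevation(real, "ServerAdmin", "fs01", timedelta(hours=8), t0)
    out["ttl_capped_to_minutes"] = int((grant.expires_at - t0).total_seconds() // 60)
    out["fs01_now"] = broker.is_authorized("alice", "ServerAdmin", "fs01", t0)
    out["dc01_now"] = broker.is_authorized("alice", "ServerAdmin", "dc01", t0)   # wrong scope
    out["fs01_later"] = broker.is_authorized("alice", "ServerAdmin", "fs01",
                                             t0 + timedelta(hours=2))          # expired

    # An MFA assertion older than the freshness window cannot mint a new grant.
    try:
        broker.request_elevation(real, "ServerAdmin", "fs01", timedelta(minutes=15),
                                 t0 + timedelta(minutes=30))
        out["stale_mfa_elevated"] = True
    except PermissionError:
        out["stale_mfa_elevated"] = False
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two decisions in this model carry the reply's argument: the elevation check consumes the MFA result, so the two controls are evaluated together rather than by separate systems, and authorization is answered from live, expiring grants rather than from a directory group, so a compromised identity with a stale or absent second factor reaches nothing after the session it already has.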



   