Part one of this series discussed the history and backstory of just-in-time, its history in the 1970s with Toyota manufacturing plants and how this methodology has made its way into cybersecurity in the form of just-in-time (JIT) privileged access. In this next entry, we’ll dive into how the CyberArk Privileged Access Security Solution has both built on existing functionality and evolved in order to address JIT.
To begin, there is always going to be a need to secure permanent accounts that require usernames and passwords, like service accounts, built-in admin accounts and domain controller credentials. Secure Just-in-time access also requires recording and monitoring privileged activity and sessions. Without this capability, there is no way for an organization to ensure that even provisional access is being leveraged as it was intended. CyberArk’s approach is that, even if a privileged account exists for only a few minutes, during those minutes it’s still vulnerable to compromise and, thus, still needs session audit for tracking and visibility.
At a high level, the important concepts for just-in-time are the ability to remove unnecessary standing access and to provide access only as needed. JIT access is granted by either routing an approval request to an administrator for validation or through a set of rule-based policies that define who can reasonably access what. This approvals process can also be automated leveraging APIs and through a variety of integrations, including IT Service Management (ITSM) solutions (available via the CyberArk Marketplace).
The underlying purpose of JIT is to provide the minimum level of privilege for the minimum amount of time with full session audit whenever possible. These concepts are at the core of how CyberArk looks at just-in-time access. Here is an overview of how CyberArk addresses JIT:
Broker and remove access. The CyberArk Privileged Access Security Solution enables the creation of policies that require users to provide a justification for connecting to a specific target for a defined time frame. Users must already have a standing, privileged shared account for which CyberArk manages the credentials. This is how many CyberArk customers have implemented JIT controls to date and it provides a primary route to implement JIT controls for customers who are looking to thoroughly safeguard their most critical assets.
Ephemeral accounts. Ephemeral accounts are one-time accounts created on the fly, which are immediately deprovisioned or deleted after use. When using ephemeral accounts, ensuring that sessions are recorded and audited is critical. CyberArk has two different ways to do this.
- Integration with AWS Security Token Service (STS). The STS integration enables AWS Identity and Access Management users to request temporary, limited privileged credentials. CyberArk integrates with STS to automatically generate role- or policy-based temporary sessions for the AWS Management Console or API level access, which can be recorded and monitored in real time.
- Integration with the Privileged Session Manager SSH Proxy and Active Directory (AD) Bridging, a feature of CyberArk Least Privilege Server Protection’s software. The CyberArk Privileged Session Manger SSH Proxy can grant dynamic access to Unix and Linux systems based on AD Permissions. If access is approved based on AD permissions, then the Privileged Session Manager SSH Proxy brokers an SSH connection to the target, creating a temporary account for the requesting user based on their username and creates the session to the user. The account is removed after the session once access is no longer valid.
Temporary Elevation. CyberArk has long supported the ability to elevate privileges to allow users access to privileged accounts or to run privileged commands. This quarter CyberArk is introducing new capabilities for JIT Elevation and Access with Endpoint Privilege Manager. This release provides customers with the ability to temporarily provide local admin access to Windows workstations, servers, and Macs on a by-request, timed basis and to remove access when time is up. JIT Elevation and Access with Endpoint Privilege Manager is an agent-based solution that provides a full audit trail for privileged activities with the ability to terminate applications and sessions in real time.
Additionally, since the release of Version 10.6 of the CyberArk Privileged Access Security Solution, CyberArk has provided an agentless alternative to JIT Elevation and Access. With this functionality, users can get Windows local admin access through the CyberArk web console for a set period of time.
Whether it’s standing or just-in-time access, organizations need a way to secure privileged accounts, credentials, and secrets. With CyberArk, customers can implement the approach that makes the most sense for their organization taking into account their security and operational requirements.