Using the just-in-time (JIT) access methodology, organizations can elevate human and non-human users in real time, granting them narrowly scoped privileged access to an application or system for only as long as it takes to perform a necessary task. Cybersecurity industry analysts recommend JIT access as a way of provisioning secure privileged access by minimizing standing access.
JIT access helps organizations provision access so that users hold privileges for privileged accounts and resources only when they need them, and at no other time. Instead of granting always-on (standing) access, organizations can use JIT access to limit access to a specific resource for a specific timeframe. This granular approach mitigates the risk of privileged account abuse by significantly shrinking the window in which a cyber attacker or malicious insider can obtain privileged credentials, move laterally through a system and gain unauthorized access to sensitive data.
JIT access is one way to enforce the principle of least privilege, ensuring that users and non-human identities are given the minimum level of privilege needed for the task at hand. JIT access can also ensure that privileged activities are conducted in accordance with an organization’s Identity Access Management (IAM), IT Service Management (ITSM) and Privileged Access Management (PAM) policies along with its entitlements and workflows. It is essential that any JIT access strategy lets organizations maintain a full audit trail of privileged activities, so that they can easily identify who or what gained access to which systems, what they did, at what time and for how long. Some agent-based privileged access management solutions additionally let organizations actively monitor sessions and terminate risky privileged sessions in real time.
Types of Just-In-Time Access
- Broker and remove access. This approach enables the creation of policies that require users to provide a justification for connecting to a specific target for a defined period of time. Typically, these users have a standing, privileged shared account and credentials for that account are managed, secured and rotated in a central vault.
- Ephemeral accounts. These are one-time-use accounts, which are created on the fly and immediately deprovisioned or deleted after use.
- Temporary elevation. This approach allows the temporary elevation of privileges, enabling users to access privileged accounts or run privileged commands on a by-request, timed basis. Access is removed when time is up.
How to Enable Just-In-Time Access
The following is a typical workflow for enabling JIT access. Keep in mind that users start out with zero standing access, i.e. no privileges by default:
- A human or non-human user requests privileged access to a server, virtual machine or network device.
- The request is verified against a pre-approval policy or is reviewed by an administrator who has the power to grant or deny the request for short-term privileged access. This approvals process can be automated to reduce friction for end-users and operations teams.
- After gaining approval, the human or machine user is elevated to the access needed to enter the system and perform their specified task. This access can last for only a few minutes or for a few months, depending on the user’s specific task(s) and the organization’s governance policies.
- After the task is complete, the user logs off and their access is revoked or deleted until it is needed again.
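The four steps above, modelled as a small broker in Python. This is an added example, not code from the original page or from any vendor's product: identities start with zero standing access, request a time-boxed privilege with a justification, the request is either auto-approved by a pre-approval policy or queued for a human approver, the grant expires on its own (the "temporary elevation" type described earlier), and every step lands in an audit trail. The policy table, identities, targets and ticket references are invented for illustration, and the clock is a constructed fake so the run is deterministic.

```python
"""Toy just-in-time (JIT) access broker (added example, not a vendor's code)."""
import time

# Hypothetical pre-approval policy: (identity, target, privilege) -> maximum
# TTL in seconds. A request that matches and fits under the cap is granted
# automatically; anything else waits for a human approver.
PREAPPROVED = {
    ("alice", "db-prod-01", "sudo"): 3600,
    ("deploy-bot", "web-prod", "restart-service"): 900,
}


class FakeClock:
    """Constructed clock so the example runs deterministically and offline."""

    def __init__(self, start):
        self.t = float(start)

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class JITBroker:
    def __init__(self, clock=time.time):
        self.now = clock
        self.grants = {}   # (identity, target, privilege) -> expiry timestamp
        self.pending = {}  # (identity, target, privilege) -> (ttl, justification)
        self.audit = []    # one dict per event: who, what, when, how long, why

    def _log(self, event, key, **fields):
        identity, target, privilege = key
        self.audit.append({"ts": self.now(), "event": event, "identity": identity,
                           "target": target, "privilege": privilege, **fields})

    def request(self, identity, target, privilege, ttl, justification):
        """Steps 1-2: submit a request; auto-approve under policy, otherwise queue it."""
        key = (identity, target, privilege)
        if not justification.strip() or ttl <= 0:
            self._log("denied", key, reason="missing justification or bad ttl")
            return "denied"
        cap = PREAPPROVED.get(key)
        if cap is not None and ttl <= cap:
            self._grant(key, ttl, justification, approver="policy")
            return "granted"
        self.pending[key] = (ttl, justification)
        self._log("pending", key, ttl=ttl, justification=justification)
        return "pending"

    def approve(self, identity, target, privilege, approver):
        """Step 2, manual path: a human approver clears a queued request."""
        key = (identity, target, privilege)
        ttl, justification = self.pending.pop(key)
        self._grant(key, ttl, justification, approver=approver)

    def _grant(self, key, ttl, justification, approver):
        """Step 3: elevate for exactly ttl seconds, recording who approved it and why."""
        self.pending.pop(key, None)
        self.grants[key] = self.now() + ttl
        self._log("granted", key, ttl=ttl, approver=approver, justification=justification)

    def is_allowed(self, identity, target, privilege):
        """Enforcement-point check before every privileged action; revokes lazily on expiry."""
        key = (identity, target, privilege)
        expires_at = self.grants.get(key)
        if expires_at is None:
            return False
        if self.now() >= expires_at:
            self.revoke(identity, target, privilege, reason="expired")
            return False
        return True

    def revoke(self, identity, target, privilege, reason):
        """Step 4: remove access when the task is done or the TTL has elapsed."""
        key = (identity, target, privilege)
        if self.grants.pop(key, None) is not None:
            self._log("revoked", key, reason=reason)

    def sweep(self):
        """Background expiry so a grant never outlives its TTL just because nobody checked it."""
        for key in [k for k, exp in self.grants.items() if self.now() >= exp]:
            self.revoke(*key, reason="expired")


def demo():
    """Walk the four workflow steps and return the audit trail's event names."""
    clock = FakeClock(1_700_000_000)
    broker = JITBroker(clock=clock)
    # Zero standing access: nothing is allowed before a grant exists.
    assert not broker.is_allowed("alice", "db-prod-01", "sudo")
    # Pre-approved: 30 minutes fits under alice's one-hour cap, so policy grants it.
    broker.request("alice", "db-prod-01", "sudo", ttl=1800, justification="INC-4711 restore backup")
    # Not pre-approved: bob's request waits for a human; carol approves 10 minutes.
    broker.request("bob", "db-prod-01", "sudo", ttl=600, justification="CHG-220 schema migration")
    broker.approve("bob", "db-prod-01", "sudo", approver="carol")
    clock.advance(700)  # 11 minutes 40 seconds later
    bob_ok = broker.is_allowed("bob", "db-prod-01", "sudo")      # False: expired, now revoked
    alice_ok = broker.is_allowed("alice", "db-prod-01", "sudo")  # True: 30-minute grant still live
    assert not bob_ok and alice_ok
    # Task finished early: revoke rather than wait for the TTL to run out.
    broker.revoke("alice", "db-prod-01", "sudo", reason="task complete")
    broker.sweep()
    return [e["event"] for e in broker.audit]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Two details matter in practice and are easy to get wrong: the enforcement point must re-check expiry on every privileged action (not just at login), and a background sweep must still revoke grants that nobody happens to check, otherwise an idle session keeps its elevated rights past the agreed window. Both paths write to the same audit trail, which is what lets an auditor answer who, what, when and for how long.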
Why is Just-In-Time Access Important for Your Organization?
- It helps organizations improve their overall cybersecurity posture by significantly reducing the risk of privileged access abuse and lateral movement by threat actors.
- It helps simplify the administrator experience by removing manual review cycles and days of waiting for access while preserving existing workflows.
- It helps improve compliance and simplifies auditing by minimizing the number of privileged users and privileged sessions and providing full audit trails of all privileged activities.
How to Implement Just-in-Time Access in Your Organization
To enforce just-in-time access, organizations typically take one or more of the following steps:
- Maintain a standing, privileged shared account with credentials that are centrally managed and regularly rotated.
- Create granular policies that require human and non-human users to provide specific justification for connecting to target systems and applications that house sensitive data, for specific periods of time.
- Record and audit privileged activity across all ephemeral accounts and enable alerting and response to anomalous behavior or activity.
- Enable the temporary elevation of privileges to allow human and non-human users to access specific privileged credentials and accounts or to run privileged commands.
The use of just-in-time access to enforce the principle of least privilege is an important part of Zero Trust. Zero Trust models demand that organizations verify anything and everything trying to connect to systems before granting access. As many organizations accelerate their digital transformation strategies, they are shifting from traditional perimeter security approaches to the Zero Trust framework to protect their most sensitive information and data.