Saviynt Blog | Security News and Research

Just-in-Time Access | Privileged Access Administration

Written by MJ Kaufmann | Dec 11, 2020 8:00:00 AM

Ernest Hemmingway said, “The best way to find out if you can trust somebody is to trust them.” It’s terrible advice, especially when it comes to privileged access management (PAM). Ensuring security requires trusting only those who are trustworthy. But it’s not easy to determine who’s trustworthy in a world where platforms and applications live in the cloud. Employees are working remotely, and companies rely on contractors more than before. Access management is more important than ever. Standing privilege is dangerous because it grants unlimited access to people and systems who may become compromised or disgruntled. 

The Zero Trust security paradigm eliminates standing privilege. It trusts no one. Instead, a Privileged Access Management (PAM) system evaluates each access request according to a predetermined policy and/or a set of criteria based on analytics. But the security that Zero Trust provides doesn’t just happen because identity is evaluated for each user, device, or application seeking access. Much of the power behind Zero Trust lies in time-limited access to privileged resources and no permanent privileged accounts. Let’s look at exactly why time-bound privileged access is so critical to Zero Trust.

How Time-Limited Access Facilitates Least Privilege

In tandem with identity-based security assessments, time constraints on privileged access make Zero Trust a powerful framework. Least privilege says that users should only have access to the precise resources needed to complete a job (rather than being granted access to the entire network or large portions of it). Least privilege minimizes risk because it limits the damage done if the user becomes compromised or malicious.

Implementing least privilege is challenging when users are dynamic, moving from one role to another, from one team to another, over time. Resources they needed for one job are no longer needed for the next. This is where time-limited access comes in. If privileged access is automatically eliminated after a period of time, permissions won’t linger under the radar, and access management becomes less cumbersome.

Gate Keeping with AI Allows Quick Threat Detection

With Zero Trust, there’s no such thing as privileged accounts. Instead, users must request access to resources as they need them. The privileged access management (PAM) solution evaluates each request. If the system designates the risk as low-level, the user gains access. But abnormal activity, like requesting privileged access to files from another department, triggers an admin review alert. 

In a PAM solution, where all activity is continually monitored and evaluated, the system becomes smarter over time. It spots anomalies faster. For example, is a user requesting access at an unusual time? Are they requesting access to something that no one else on their team is requesting access to? A robust PAM solution driven by AI makes it possible to spot potential breaches early and address them before significant damage occurs.

Time-Limitation Ensures Temporary Access

Tying privileged access to a specific time frame makes it possible to ensure access is temporary. When the time expires, the permissions are taken away, or the key is destroyed, preventing a hacker from using them. If the user needs continued access, they must submit another request for that privileged resource. Time-limited access prevents users from maintaining access they don’t need or shouldn’t have after they’ve moved to a new role or team. 

Benefits of Time-Limited Access

Granting time-limited access to resources allows permissions to automatically revert to a locked-down state after the task at hand is completed. This has three primary benefits:

  1. Administrators no longer need to remember to lock down once the privileged work is done, reducing insider threats.
  2. If access credentials are compromised by an outside attack, the scope of the damage is limited.
  3. Compliance requirements are met automatically by tracking when access is granted and revoked.
Zero Standing Privilege 

Least privilege is the standard, and Zero Trust is the ideal. Zero standing privilege, which rests on just-in-time delivery of privileges, is a means by which organizations can achieve it. To get to a Zero Trust model, privileged accounts must be eliminated. Even for admins (admin credentials can be hacked) because the damage can be substantial. Every access request must be evaluated to ensure it’s appropriate for the user’s current roles and responsibilities. And it should be time-limited to prevent lingering permissions. Zero standing privilege is a practical way to give users access to the precise resources they need, just for the specific period of time required.

 
Watch our Deep Dive into Zero Trust video to learn more about how Zero Trust can empower your security architecture. You’ll learn how to:
  • Explore an intelligent identity perimeter 
  • Achieve Zero Standing Privileges with Just-in-Time Privilege Elevation and time-bound access
  • Simplify and streamline dynamic access management with “right-sized” access
  • Gain complete control and visibility through continuous risk assessment
  • Prevent data breaches and insider threats with real-time insights
  • Support multi-cloud and hybrid infrastructure

Saviynt helps ease the move to the Zero Trust Model by drawing the perimeter at identity. Identity centered solutions provide a foundation for Zero Trust. Zero standing privilege, in-depth visibility, automation, and centralized, continuous monitoring are crucial pieces of Zero Trust. 

Learn how the risk of privileged access in the cloud differs from traditional PAM security challenges and why it matters now more than ever before in this webinar on Getting Pam Right Is Critical Now More Than Ever.