What is Just-in-Time (JIT) Access?
TABLE OF CONTENTS
- What is Just-in-Time Access?
- Why is Just-in-Time Access/Just-in-Time PAM Important?
- Just-in-Time vs Least Privilege
- Comparison of JIT Approaches
- Saviynt & Just-in-Time PAM
- Additional Resources
Just-in-time (JIT) access provisioning is a security practice that grants users, processes, applications, and systems an elevated level of access for a limited amount of time, as needed to complete necessary tasks.
Privileged Access Management (PAM) systems manage what data an account has access to and when they have access. The latest access management solutions include just-in-time provisioning features that embrace Zero Trust and zero-standing privileges (ZSP).
Why is Just-in-Time Access/Just-in-Time PAM Important?
Privileged access misuse is a factor in nearly every cyber breach. To reduce the risk of a breach, or mitigate its impact, there are two key factors that we can control: scope and time.
- Scope: Least privilege or “Just-Enough Privilege” controls the scope of privilege, ensuring that individuals or systems only have the minimum access necessary.
- Time: Just-in-Time (JIT) Access controls the amount of time someone has privileged access to our environments.
Implementing and automating JIT reduces your attack surface and helps prevent expensive and brand-damaging security breaches. JIT approaches deliver:
- Faster deployment and simpler management
- Time bound and task specific access
- Enablement/disablement of administrative accounts
- One-time access tokens created for a specific task, device, and person
Just-in-Time vs. Least Privilege
The principle of least privilege focuses on access control and setting up minimal access privileges for every user and identity. Least privilege states that users should only have access to the resources required to complete a job (rather than being granted access to the entire network or large portions of it). If the user becomes malicious or compromised, least privilege reduces the damage they can do. In an environment where users are dynamic, moving between roles and teams, implementing least privilege is challenging: users need resources for one job that they no longer need in the next. Time-limited JIT provisioning enables you to remove those standing privileged accounts altogether, so an individual’s permissions won’t accumulate and linger off the radar.
Least privilege is the standard and ZSP is the ideal. ZSP targets a state of complete removal of standing privileged accounts and a move towards an ephemeral, or just-in-time, privilege model. Just-in-time access grants users elevated permission to the exact resources they need, just for the specific period of time required, instead of persistent, 24-hour access to every resource.
Comparison of JIT Approaches
Privilege Elevation & Delegation Management (PEDM)
Privilege Elevation and Delegation Management (PEDM) tools distribute access based on job roles and predefined policies. These define who can have access to each part of a system, as well as what they can do with that access. Often this is accomplished by placing an agent on an endpoint. However, elevation policies are typically static policy files that always apply to the user. If that user or their machine is compromised, the attacker gains those privileges.
JIT Group Membership
A standard non-privileged account is temporarily added to a group that grants privileged access. Groups can be used to govern access to local privileged groups, Active Directory, and cloud services. Although access is time-bound and task-specific, the model works only when privileged groups are well-defined. Over time, even well-defined groups start to morph as exemptions get granted. Before long, groups deviate from their original purpose.
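A toy broker for the JIT group-membership model, added here as an illustration (this is not Saviynt code): membership is derived only from unexpired, task-tagged grants, so the baseline is zero standing privilege, and an audit routine flags group members that no active grant explains, which is the drift the paragraph describes. The user, group and task names are constructed sample values.

```python
"""Illustrative JIT group-membership broker (constructed example, not a product API)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    group: str
    task: str          # ticket/justification tied to the elevation
    expires_at: datetime


@dataclass
class JitBroker:
    max_ttl: timedelta = timedelta(hours=1)   # policy ceiling on any elevation
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def request(self, user: str, group: str, task: str, ttl: timedelta, now: datetime) -> Grant:
        # Clamp the requested duration to policy and record who/what/why/until when.
        ttl = min(ttl, self.max_ttl)
        grant = Grant(user, group, task, now + ttl)
        self.grants.append(grant)
        self.audit_log.append(("GRANT", user, group, task, grant.expires_at.isoformat()))
        return grant

    def active_members(self, group: str, now: datetime) -> list:
        # Membership exists only while a grant is unexpired; nothing is standing.
        return sorted({g.user for g in self.grants if g.group == group and g.expires_at > now})

    def sweep(self, now: datetime) -> int:
        # Revoke expired grants; this is the "removal" half of the JIT cycle.
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self.audit_log.append(("REVOKE", g.user, g.group, g.task, now.isoformat()))
        return len(expired)


def audit_standing_members(broker: JitBroker, group: str, observed: list, now: datetime) -> list:
    """Compare the group as observed in the directory with the broker's view.
    Anyone present without an active grant is standing privilege, i.e. group drift."""
    return sorted(set(observed) - set(broker.active_members(group, now)))


# Constructed walkthrough: a 4h request is clamped to the 1h policy ceiling.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
broker = JitBroker()
broker.request("alice", "sql-admins", "INC-1234 restore", timedelta(hours=4), T0)
```

Running `audit_standing_members(broker, "sql-admins", ["alice", "svc_legacy"], T0)` returns `["svc_legacy"]`, the member the broker never granted.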
Enabled/Disabled Administrative Accounts
Administrative shared accounts on networks or devices are enabled or disabled to provide needed access. In this JIT access model, shared administrative accounts that exist on devices or in the network get ‘enabled’ to allow users to perform specific tasks. When the task is complete, these accounts get disabled. Although privilege is not persistent, once enabled, full privilege is unleashed. Shared accounts usually contain excessive privileges, and can be difficult to manage.
JIT Security Tokens
JIT security tokens provide short-lived certificate-based access to critical IT resources. Instead of using username/password credentials to obtain access, the user obtains a one-time security token to access the target system. Tokens are typically used with SSH-based workloads and provide granular, task-specific access. Configuring them manually is extensive and time-consuming, and dynamic cloud ecosystems compound those difficulties quickly.
JIT Account Creation/Removal
A privileged account is created for a defined task and is eliminated upon task completion. This methodology helps eliminate standing privileged accounts that may be exploited in a cyber incident. In this model, organizations keep a few admin/root accounts that are vaulted for break-glass purposes. All other privileged accounts exist for a finite period, with limited permissions. JIT Account Creation/Removal meshes with the core tenets of Zero Trust. This approach is difficult to achieve without a truly converged, identity-based PAM solution.
To extend JIT PAM for cloud-based workloads, organizations can simplify operations with a SaaS-delivered cloud PAM layer. By integrating into existing identity and security environments, security leaders can easily monitor excessive cloud entitlements.
Saviynt and Just-in-Time PAM
JIT PAM is driven by Identity. Saviynt’s Identity Cloud platform combines industry-leading identity governance with cloud-native privileged access management to deliver true PAM and IGA convergence. Saviynt’s intelligent IGA capabilities provide a deep understanding of identities, organization roles, access rights, and usage to enforce appropriate, least-privilege access. Traditional PAM tools were not built with governance in mind, which makes them ill-equipped to provide fine-grained access decisions.
Eradicate persistent accounts and standing privilege, and establish governance from Day 1. Saviynt’s Identity Cloud converged identity platform enables enterprises to leverage a vast library of out-of-the-box integrations to provision privileged access management in days, reducing operational complexity. Our EIC platform supports rapid, sustained progress.
Additional Resources
https://saviynt.com/products/privileged-access-management-pam-for-cloud-software-solutions
https://saviynt.com/white-papers/just-in-time-pam/
https://saviynt.com/solution-guides/saviynt-iga-and-pam/