Just-in-time access provisioning is a security practice that grants users, processes, applications, and systems an appropriate level of access for a limited amount of time, as needed to complete necessary tasks. As part of Identity and Access Management (IAM), the practice ensures resources are available as they're required.
What data an account has access to, and when it has access, is managed by Privileged Access Management (PAM) systems. The latest PAM solutions include just-in-time access provisioning features that embrace Zero Trust and zero-standing privileges.
An example of a just-in-time access model is Gartner’s Zero Standing Privilege (ZSP), which applies Zero Trust principles to problems in privileged access management. ZSP means that instead of granting administrative privileges to accounts on a permanent basis, users, devices, or services are granted access to privileged resources for a limited time only, on the basis of need. Each access request is decided according to predetermined policies or criteria based on behavioral analytics.
By implementing a sophisticated PAM solution that features just-in-time access provisioning, organizations can move towards Zero Trust and reduce the risk of security breaches. Whether an organization's IT ecosystem is in the cloud, on-premise or hybrid, ensuring that administrative access does not persist as a standing privilege is a crucial security feature. Traditional PAM solutions often lack Zero Standing Privilege capabilities. Zero Standing Privilege requires that access to administrative identities is limited and that administrative access is granted only through an access request fulfilled by just-in-time provisioning. Administrative access must be explicitly enabled, and its usage is monitored, allowing machine learning algorithms to identify anomalous behavior. Used appropriately, this lets breaches be caught early, before attackers move laterally across the organization's IT ecosystem.
An integrated approach to privileged access management should weave together visibility, governance, and security into a single platform. An integrated Cloud PAM solution allows organizations to achieve frictionless identity and resource onboarding, as well as automated detection and remediation of misconfigured digital assets. Zero-Trust principles, applied to privileged access through an integrated, identity-led approach, provide organizations with a robust framework to improve their overall security posture.
Implementing and automating just-in-time access provisioning reduces your attack surface and helps to prevent expensive and brand-damaging security breaches. Security breaches lead to data exposure, and that’s not the kind of publicity any company wants. The economic impact can be tough to stomach, but more importantly, it causes irreparable damage to your brand and customers’ trust. That doesn’t even account for the expense of eDiscovery, legal fees, and notification costs.
The ephemeral nature of the cloud and the broad range of deployments — including hybrid, multi-cloud IT, and “shadow IT” environments — make securing enterprise resources challenging. Legacy PAM solutions offer limited visibility of privileged access across infrastructure and applications. This lack of visibility coupled with the complex relationships between entitlements allows excessive privileges to go unnoticed. With each addition of a new resource or service, there is a chance that over-permissioning will occur.
According to an IDC survey of CISOs in the US, 80% of respondents can’t identify excessive access to sensitive data in cloud production environments. Two of the top three threats identified were lack of adequate visibility and permission errors. It’s virtually impossible to fix the unknown. Unless organizations can detect these misconfigurations and related vulnerability gaps, it’s hard to remediate them, let alone apply automated, policy-based preventative controls.
Automating just-in-time access provisioning reduces these risks, moving organizations closer to Zero Trust design and zero-standing privileges. Adhering to the Zero Trust paradigm means that whenever privileged access is granted, it’s granted for a limited time only, and is intended to be just enough access for the task at hand. Zero Trust combines ZSP with intelligent context-based decision-making that takes place every time a user or application submits an access request. It enables organizations to secure identity as the new perimeter and prepares them to defend modern infrastructures against today’s threats.
Just-in-time access provisioning and automated account revocation are capabilities available in Saviynt's Cloud Privileged Access Management (PAM) solution.
To ensure appropriate privilege, PAM must reinforce Just-in-time principles for cloud access — a core requirement for Zero Trust frameworks. But this is incompatible with legacy solutions built on the premise of vaults and credential rotation for privileged – but always-on – access.
Further, manual management is a non-starter for overburdened IT teams. Consider the range of IoT devices, workloads, and other silicon identities in use. Each requires key management and dynamic provisioning of rights to allow for task completion and de-escalation to a safe state. Under this workload, Cloud PAM with automated risk analysis and governance capabilities must be table stakes.
Saviynt recognized the need to remove all standing privileges, which meant confronting the established practice of vaulting every discoverable privileged credential. This dated approach to PAM never reduced the number of privileged accounts, nor limited the risk of the standing privilege held in them. Vaults didn't solve the problem; they centralized it.
With Cloud PAM, Saviynt allows organizations to remove these accounts and incorporate least-privilege principles. Using a just-in-time approach to privileged access, end-users receive the right level of privilege for their immediate task — across all assets, applications, and platforms. This is why Saviynt designed a cloud PAM platform with Zero Trust, zero-standing privilege, and Just-in-time access at the center. Without an on-prem footprint, the platform adds versatility: secure privileged access and critical asset protection across the entire infrastructure.
When a user makes a Just-in-Time request via a PAM solution, the request can either go through an approval process or be approved automatically. Once the request has been verified, the user is connected to the target system using a one-time token or credential, which ensures that the account cannot be compromised or reused by others. The access is then removed once the user finishes their session. To carry out the provisioning, the PAM solution must be able to create an account on the target system.
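The request, approval, one-time credential, session and revocation steps just described, together with the policy-based decision discussed earlier, can be modelled in a small in-memory broker. The following is an added illustration, not Saviynt's code or a description of its product; the roles, targets, lifetimes, policy table and audit format are constructed for the example.

```python
"""Model of a just-in-time access broker: request, policy or human approval,
one-time credential, session, revocation. Added example; all values constructed."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    grant_id: str
    user: str
    target: str
    role: str
    expires_at: datetime
    token_hash: str  # only a hash of the one-time token is kept server-side
    redeemed: bool = False
    revoked: bool = False


class JitBroker:
    # Assumed policy: (role, target) pairs that may be auto-approved, with the
    # longest lifetime allowed without a human approver.
    AUTO_APPROVE = {("read-only", "prod-db"): timedelta(minutes=30)}
    MAX_TTL = timedelta(hours=4)

    def __init__(self, now=None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.grants = {}
        self.audit = []  # (time, event, detail): feed for monitoring and anomaly detection

    def _log(self, event, detail):
        self.audit.append((self._now(), event, detail))

    def request_access(self, user, target, role, justification,
                       ttl=timedelta(minutes=30), approved_by=None):
        """Decide a request. Returns (grant_id, one_time_token) or raises PermissionError."""
        if ttl > self.MAX_TTL:
            raise ValueError("requested lifetime exceeds policy maximum")
        auto_ttl = self.AUTO_APPROVE.get((role, target))
        if auto_ttl is not None and ttl <= auto_ttl:
            decision = "auto-approved by policy"
        elif approved_by and approved_by != user:  # no self-approval
            decision = f"approved by {approved_by}"
        else:
            self._log("denied", f"{user}->{target}/{role}: explicit approval required")
            raise PermissionError("explicit approval required")
        token = secrets.token_urlsafe(32)  # shown to the user once, never stored
        grant = Grant(secrets.token_hex(8), user, target, role, self._now() + ttl,
                      hashlib.sha256(token.encode()).hexdigest())
        self.grants[grant.grant_id] = grant
        self._log("granted", f"{grant.grant_id} {user}->{target}/{role}; {decision}; {justification}")
        return grant.grant_id, token

    def connect(self, grant_id, token):
        """Open a session by redeeming the one-time token; a second use fails."""
        g = self.grants.get(grant_id)
        if g is None or g.revoked or self._now() >= g.expires_at:
            self._log("refused", f"{grant_id}: unknown, revoked or expired")
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if g.redeemed or not secrets.compare_digest(g.token_hash, presented):
            self._log("refused", f"{grant_id}: bad or reused token")
            return False
        g.redeemed = True
        self._log("session-opened", f"{grant_id} {g.user}@{g.target} as {g.role}")
        return True

    def end_session(self, grant_id):
        """Revoke as soon as the user finishes so nothing stays standing."""
        self.grants[grant_id].revoked = True
        self._log("revoked", grant_id)

    def expire_stale(self):
        """Sweeper for sessions never closed by the user; returns how many it revoked."""
        stale = [g for g in self.grants.values() if not g.revoked and self._now() >= g.expires_at]
        for g in stale:
            g.revoked = True
            self._log("expired", g.grant_id)
        return len(stale)


def run_scenario():
    """Walk the flow with a controllable clock; returns observations for checking."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    b = JitBroker(now=lambda: clock[0])
    out = {}
    gid, tok = b.request_access("alice", "prod-db", "read-only", "ticket-123")
    out["first_connect"] = b.connect(gid, tok)
    out["replayed_connect"] = b.connect(gid, tok)  # token is single-use
    b.end_session(gid)
    out["revoked_after_logout"] = b.grants[gid].revoked
    try:
        b.request_access("bob", "prod-db", "admin", "hotfix")
        out["admin_without_approver"] = "granted"
    except PermissionError:
        out["admin_without_approver"] = "denied"
    gid2, tok2 = b.request_access("bob", "prod-db", "admin", "hotfix",
                                  ttl=timedelta(hours=1), approved_by="carol")
    clock[0] += timedelta(hours=2)  # session never closed; its window has passed
    out["connect_after_expiry"] = b.connect(gid2, tok2)
    out["swept"] = b.expire_stale()
    out["audit_events"] = [event for _, event, _ in b.audit]
    return out
```

Two design points worth noting: the broker stores only a hash of the one-time credential and compares it in constant time, so a copy of the broker's state does not yield usable credentials; and revocation happens on two paths, the user ending the session and a sweeper for grants that pass their expiry, so no access outlives its approved window even if a session is abandoned.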
PAM has focused on vaulting and least privilege over the last 15+ years. When it comes to vaulting, the practice has always been to discover all privileged accounts and vault them away, giving users the ability to check out credentials or initiate privileged sessions. This doesn't help reduce the attack surface, as those credentials are still persistent. Yes, they might be rotated, but we've only centralized the problem, not solved it.
Some basic first steps make the transition to a model such as zero standing privilege relatively easy. First and foremost, make sure to vault and manage all default built-in credentials such as Administrator, Root, SA, etc. Then concentrate on your users and the access they have. Moving to a JIT model for server/workload access is an excellent first step to removing users' administrative rights for these workloads. Then, if a user's account is compromised, the attacker does not automatically gain access to critical resources, which limits the damage.
Servers and workloads are generally seen as stage 1; from there, you should look at further reducing standing access to applications both on-prem and SaaS, consoles, and CLIs. Converged IGA and PAM solutions are perfect for this as they contain many connectors for different platforms that can perform provisioning tasks. They also contain access request capabilities and great workflow tools to help with approval workflows.
Many traditional PAM vendors are now promoting Just-in-Time methodologies as a best practice. The biggest difference is the scope of Just-in-Time. Traditional PAM vendors focus on infrastructure, promoting Just-In-Time to servers/workloads. They usually focus on Unix/Linux systems; however, some have now started to do this for Windows. Unfortunately, they tend to stop, as they do not have a connector ecosystem that allows them to provide access to other applications or cloud platforms. This is where a converged platform comes into play as converged vendors have an entire ecosystem of connectors that can be used for provisioning.
In short, no. Just-in-Time can still allow the same access to the user; it’s just not “always-on” access. With PAM, a user requests to access a system or application, which does not change with Just-in-Time. It’s the same request process and the same approvals process.