Just-in-Time (JIT) access series part 1: Is Just-in-Time enough?
Chris Owen
This post is part of a series on Just-in-Time (JIT) Access.
Read: Part I | Part II | Part III
In the Privileged Access Management (PAM) space, there are some new trends gaining traction within the market, and a big shift taking place from what has been the legacy approach to PAM.
What do we mean by the legacy PAM approach? Well, ten years ago, PAM was all about password vaulting, with most enterprise and mid-size organizations implementing a vault solution. The reality is that a vault solution alone is not enough, and certainly not when digital transformation has changed the modern cybersecurity landscape so significantly over the past decade.
In reality, vaults should only really be used for break-glass (emergency) access. For modern privileged access, least privilege solutions should be used, which allow users to log on using standard user accounts and then perform elevation to run the tasks, applications, or commands they wish to run.
One of the newest trends in the market at present is Just-in-Time PAM, or simply JIT PAM.
What Is Just-in-Time PAM?
Gartner released a research report in 2019 titled, “Remove Standing Privileges Through a Just-in-Time PAM Approach,” where the analyst firm looked at this approach to Privileged Access Management with two goals in mind: Just-in-Time PAM, and Zero Standing Privileges (ZSP).
“The fundamental purpose of a JIT/ZSP approach is to reduce the attack surface for privileged access abuse. Basic PAM (vaulting and session management) will help mitigate the risk of the existence of privileged accounts. JIT reduces the risk of privileged access abuse, and ZSP reduces the attack surface of the privileged accounts themselves,” the Gartner report says.
It also goes on to say that, “Zero standing privileges is the purest form of JIT, which addresses the final guidance of the principle of least privilege ‘at only the right time,’ by eliminating the risk of standing privileges.”
Where Does Just-in-Time (JIT) Fit In?
When thinking about why organizations embark on PAM projects, I've seen two constant requirements in my time in this space that have not changed:
- Reduce the number of privileged accounts within an organization.
- Reduce the risk associated with users having privileged access.
For the rest of this post, we'll focus on the second point: reducing the risk associated with users having privileged access. This requirement is currently morphing, as digital transformation leads to technological changes. We now need to worry about the risk associated with systems, APIs, and service accounts having too much privilege, as well as users.
Privilege really is a necessary evil, but that doesn’t mean it’s a bad thing. It just means we have to apply controls around its usage.
There are two things that we can really control here:
- Scope – Just Enough Access
  - What systems or applications can the user access?
  - How much privilege does the user or application require in order to perform its function?
- Time – Just-in-Time (JIT)
  - When do they need the privilege?
  - How long do they need it for?
As the Privileged Access Management vendor landscape changes, with a move away from pure vaulting and new vendors entering with solutions built explicitly for the Just-in-Time PAM space, it's important to remember the two points above, because not all solutions were created equal. Those that can control the time element cannot necessarily control the scope element, and vice versa.
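The two controls above, sketched as an access decision. This is an added example, not code from the original post or from any PAM product; the `Grant` fields, host names and commands are constructed for illustration. It compares a check that enforces only the time element with one that enforces both time and scope.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    user: str
    systems: frozenset    # scope: which systems the user may reach
    commands: frozenset   # scope: which elevated commands are allowed
    not_before: datetime  # time: when the privilege starts
    expires_at: datetime  # time: when it is revoked

def in_window(g, user, now):
    return g.user == user and g.not_before <= now < g.expires_at

def authorize_time_only(grants, user, system, command, now):
    """Models a control that enforces only the time element."""
    return any(in_window(g, user, now) for g in grants)

def authorize(grants, user, system, command, now):
    """Enforces time and scope; with no matching grant the answer is deny."""
    return any(in_window(g, user, now)
               and system in g.systems and command in g.commands
               for g in grants)

# Constructed sample data: a one-hour grant for a single task on a single host.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
RESTART = "systemctl restart postgresql"
GRANTS = [Grant("alice", frozenset({"db01"}), frozenset({RESTART}),
                T0, T0 + timedelta(hours=1))]

def decisions():
    during, after = T0 + timedelta(minutes=10), T0 + timedelta(hours=2)
    cases = {
        "in scope, in window": ("alice", "db01", RESTART, during),
        "in scope, expired": ("alice", "db01", RESTART, after),
        "other host, in window": ("alice", "web01", RESTART, during),
        "other command, in window": ("alice", "db01", "visudo", during),
        "no grant at all": ("bob", "db01", RESTART, during),
    }
    return {name: (authorize_time_only(GRANTS, *c), authorize(GRANTS, *c))
            for name, c in cases.items()}

if __name__ == "__main__":
    for name, (time_only, both) in decisions().items():
        print(f"{name:26} time-only={time_only!s:5} time+scope={both}")
```

The two middle "in window" cases are where the checks disagree: the time-only control allows a different host or command as long as the clock is inside the grant.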
The Gartner report outlines nine different JIT approaches, and organizations may well be implementing a mixture of them. As PAM solutions each market their JIT capabilities, there are some things you should be aware of about how these approaches actually work.