Just-in-Time Privilege Elevation and Cloud Suite Demo
In this video we look at a few examples of just-in-time access in action using Cloud Suite. We step into the shoes of an IT administrator who’s received a help desk ticket asking us to log into two systems, and walk through the process of granting the appropriate privilege as experienced by the requester and the approver.
Let’s see a few examples of just-in-time access in action using Cloud Suite.
We’ll step into the shoes of an IT administrator. We’ve received a help desk ticket asking us to log into two systems. On an AWS-hosted Windows instance, we need to transfer a set of log files to another server using a privileged app called WinSCP.
Then, on an AWS-hosted Linux instance, we need to investigate a potential breach, which requires full root privileges to facilitate detailed forensic analysis.
We’ll begin by requesting access to log in to the Windows box through the Cloud Suite portal.
Let's log in to that portal. It’s worth noting that just-in-time access needs to be available to any user from anywhere. Cloud Suite is consumed as a service, so we only need a browser and an internet connection.
I’ll fast-forward through the MFA, although note that I’m using a FIDO2 phishing-resistant authenticator in this demo, as a best practice for admin access to sensitive systems such as Cloud Suite.
Now that I’m logged in, I’ll navigate to the list of managed systems to find the ones I’m specifically interested in.
Here’s the Windows box. In the contextual menu I’ll bring up a list of vaulted accounts I can log in with.
The one I need to use is called CheckoutAccount. As you see, I don’t have permission to use it; I must explicitly request access.
Although I can request permanent access, it’s a best practice to time-box access to avoid standing privileges. The underlying workflow engine will pass this information plus additional data to the approvers, so they have enough context to make a qualified and informed grant or deny decision.
For this demo I’m approving my own requests, so back in Cloud Suite I’ll navigate to the requests page, open up the pending request, and approve it.
Let’s go back to the system and bring up the account list once more.
Now you see the padlock icon is gone. When the Approve button was clicked, the workflow engine automatically provisioned me with permission to log into that system.
Let’s switch gears now and request access just-in-time to run privileged apps on Windows and Linux.
Back in Cloud Suite, I’ll navigate to the Windows system I need for this and log in with my enterprise account. Note that when using my own account, Cloud Suite knows who I am and provides a built-in “Use My Account” option that streamlines the user experience.
There on the desktop is the WinSCP application I need to run with elevated rights. Cloud Suite integrates with the native Windows User Account Control, or UAC, so the user has a familiar experience.
Now you see the Delinea option, Run with Privilege, in the drop-down. Since I don’t have permission to elevate, I’m able to request access just-in-time.
Let’s pop over to our approver, Wade, and, just like before when we approved the login, approve this elevation request.
Let’s go back and attempt elevation again.
As you see, once we re-authenticate, we’re able to run the application with elevated administrative rights.
Finally, let’s take a look at the Linux use-case.
Just like on Windows, I’ll ask Cloud Suite to log me in using my enterprise account. To obtain full root permissions on this system to perform forensic analysis of a breach, I want to use the substitute user, or su, command. This requires elevation using sudo.
As you see, I don’t have permission to do this, so I’m prompted to request those rights. After filling out the fields, I can submit the request to workflow. The approval process is the same as in the Windows example, so I’ll fast-forward.
I’ll run the substitute user command once more, and I’m asked to re-authenticate as a safety measure. We can optionally do MFA here as well for additional identity assurance, and now I have a root session.
Just to round this out, just-in-time access control is also critical on user workstations. End-user account takeover and compromise of the user’s workstation are the primary way threat actors gain access to the server network.
I’m logged into my Windows workstation where we have Delinea Privilege Manager installed.
On the S: drive is an installer I want to run. It requires admin rights to launch. Notice that the launch is intercepted by Privilege Manager, since it hasn’t been approved for me to run. I must request access to run this privileged application. I’ll enter a reason and, again for demo purposes, self-approve.
Back in the request dialog you see the state has changed, allowing me to continue with the installation.