Just-in-Time Privilege Elevation Overview and Cloud Suite Demo
Just in Time access is top of mind these days and rightly so. In this video we look at a few examples of just-in-time access in action using Cloud Suite. The use-cases focus on server access and privileged tasks on those servers such as installing or upgrading enterprise software, performing database maintenance, fixing a broken web server, or analyzing system log files to investigate an incident.
Just-in-time access. It’s top of mind these days and rightly so. The digital transformation is ongoing, as organizations continue to join the cloud revolution and transform their business. For most organizations, the resulting hybrid IT infrastructure paints a much bigger target on their backs, increasing the risk of a data breach and ransomware attack.
In response, organizations are looking for new approaches to securing access and privilege by adopting best practices and frameworks like zero standing privileges, Forrester’s Zero Trust framework, and Gartner’s CARTA. A common element amongst all these is the principle of least privilege where we remove implicit trust in our users, giving them minimum rights.
For this approach to work, however, we must also provide those users the means to request elevated rights when legitimately required. This is where just-in-time access comes into play.
Just-in-time access is also known as a “broker and remove” process. It includes workflows that act as a broker or intermediary to process user requests, relay those requests to one or more approvers, and then provision additional rights if the request is approved.
These rights are temporary and so the workflow automatically removes them once the time limit has expired and automatically rotates the account password to reduce the risk of abuse.
The main goals, here, are to remove standing or “always-on” privileges and reduce the amount of time a user has access to critical systems and data. Broker and remove.
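To make the broker-and-remove cycle concrete, here is an added example (not Delinea code) of a minimal JIT broker: a request is recorded with its reason and requested duration, an approver grants a time-boxed right, and a sweep removes expired grants and rotates the vaulted password behind them. The system name, user names and the no-self-approval rule are assumptions for illustration.

```python
# Added example (not Delinea code): a minimal "broker and remove" JIT workflow.
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    user: str
    system: str
    account: str
    expires_at: float            # unix time after which the grant is void

class JitBroker:
    def __init__(self, clock):
        self.clock = clock       # callable returning unix time; injected so expiry is testable
        self.passwords = {}      # (system, account) -> vaulted password
        self.pending = {}        # request id -> (user, system, account, minutes, reason)
        self.grants = []         # active, time-boxed grants
        self.audit = []          # central audit trail of every workflow step

    def vault(self, system, account):
        self.passwords[(system, account)] = secrets.token_urlsafe(16)

    def request(self, user, system, account, minutes, reason):
        # Broker step: record the request with the context an approver needs.
        rid = secrets.token_hex(4)
        self.pending[rid] = (user, system, account, minutes, reason)
        self.audit.append(("requested", rid, user, system, account, minutes, reason))
        return rid

    def approve(self, rid, approver):
        user, system, account, minutes, _ = self.pending[rid]
        if approver == user:     # assumption: separation of duties, no self-approval
            raise PermissionError("requester may not approve their own request")
        del self.pending[rid]
        self.grants.append(Grant(user, system, account, self.clock() + minutes * 60))
        self.audit.append(("approved", rid, approver))

    def has_access(self, user, system, account):
        return any(g.user == user and (g.system, g.account) == (system, account)
                   and g.expires_at > self.clock() for g in self.grants)

    def sweep(self):
        # Remove step: drop expired grants and rotate the password behind each one.
        now = self.clock()
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self.passwords[(g.system, g.account)] = secrets.token_urlsafe(16)
            self.audit.append(("revoked+rotated", g.user, g.system, g.account))
        return len(expired)
```

Run `sweep()` from a scheduler; a grant that has expired between sweeps is already refused by `has_access`, so the sweep only needs to catch up on revocation and rotation.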
In the broader context of PAM, just-in-time access is used by multiple Delinea products: the Secret Server vault and, at the server level, Delinea Cloud Suite.
However, for this demo we’re going to focus on just-in-time access with Cloud Suite. Here, the use-cases focus on server access and privileged tasks on those servers such as installing or upgrading enterprise software, performing database maintenance, fixing a broken web server, or analyzing system log files to investigate an incident.
Let’s see a few examples of just-in-time access in action using Cloud Suite.
We’ll step into the shoes of an IT administrator. We’ve received a help desk ticket asking us to log into two systems: an AWS-hosted Windows instance, to transfer a set of log files to another server using a privileged app called WinSCP,
and an AWS-hosted Linux instance, where we need to investigate a potential breach, which requires full root privileges for detailed forensic analysis.
We’ll begin by requesting access to log in to the Windows box through the Cloud Suite portal.
Let's log in to that portal. It’s worth noting that just-in-time access needs to be available to any user from anywhere. Cloud Suite is consumed as a service, so we only need a browser and an internet connection.
I’ll fast-forward through the MFA. Note, though, that I’m using a FIDO2 phishing-resistant authenticator in this demo as a best practice for admin access to sensitive systems such as Cloud Suite.
Now that I’m logged in, I’ll navigate to the list of managed systems to find the ones I’m specifically interested in.
Here’s the Windows box. In the contextual menu I’ll bring up a list of vaulted accounts I can log in with. The one I need to use is called CheckoutAccount. As you see, I don’t have permission to use it; I must explicitly request access.
Although I can request permanent access, it’s a best practice to time-box access to avoid standing privileges. The underlying workflow engine will pass this information plus additional data to the approvers, so they have enough context to make a qualified and informed grant or deny decision.
For this demo I’m approving my own requests. So back in Cloud Suite I’ll navigate to the requests page, open up the pending request, and approve.
Let’s go back to the system and bring up the account list once more.
Now you see the padlock icon is gone. When the Approve button was clicked, the workflow engine automatically provisioned me with permission to log into that system.
Let’s switch gears now and request access just-in-time to run privileged apps on Windows and Linux.
Back in Cloud Suite, I’ll navigate to the Windows system I need for this and I'll log in with my enterprise account. Note when using my own account, Cloud Suite knows who I am and provides a built-in “Use My Account” option that streamlines the user experience.
There on the desktop is the WinSCP application I need to run with elevated rights. Cloud Suite integrates with the native Windows User Account Control, or UAC, so the user has a familiar experience.
Now you see the Delinea option—Run with Privilege in the drop-down. Since I don’t have permissions to elevate, I’m able to request access, just-in-time.
Let’s pop over to our approver Wade and just like before when we approved login, we can approve this elevation request.
Let’s go back and attempt elevation again.
As you see, once we re-authenticate, we’re able to run the application with elevated administrative rights.
Finally, let’s take a look at the Linux use-case.
Just like Windows, I’ll ask Cloud Suite to log me in using my enterprise account. To obtain full root permissions on this system to perform forensic analysis of a breach, I want to use the substitute user or su command. This requires elevation using sudo.
As you see, I don’t have permission to do this, so I’m prompted to request those rights. After filling out the fields, I can submit the request to workflow. The approval process is the same as in the Windows example, so I’ll fast-forward.
I’ll run the substitute user command once more and I’m being asked to re-authenticate as a safety measure. We can optionally do MFA here as well for additional identity assurance, and now I have a root session.
Just to round this out, just-in-time access control is also critical on user workstations. End-user account takeover and compromise of the user’s workstation are the primary ways threat actors gain access to the server network.
I’m logged into my Windows workstation where we have Delinea Privilege Manager installed.
On the S: drive is an installer I want to run. It requires admin rights to launch. Notice the launch is intercepted by Privilege Manager since it hasn’t been approved for me to run. I must request access to run this privileged application. I'll enter a reason and again for demo purposes, I'm self-approving.
Back in the request dialog you see the state has changed, allowing me to continue with the installation.
While these demos focused on just-in-time access, it’s worth mentioning that MFA plays a huge role in all just-in-time access scenarios.
If a human adversary, a bot, or malware tries to use a compromised user credential to log in to systems or run privileged apps and commands, we must have the option of enforcing MFA policies to block them, whether or not access has been requested and approved through just-in-time workflows.
Let’s now summarize the main benefits of just-in-time access and privilege.
Improved cybersecurity posture
JIT mitigates the risks associated with standing privileges and with giving users too much permanent access. We can reduce the overall attack surface using just-in-time.
Simplified access workflow
Productivity and operational efficiency increase through automated workflows. Self-service requests and approvals can be made from anywhere, as and when required.
Strictly controlled and constrained elevated rights
Roles and policies can be granular to strictly control what systems can be accessed and what privileged apps and commands can be run.
Reduced administrative overhead
Through automation (such as credential rotation and elevated rights expiration) we improve operational efficiency. We can eliminate accounts with standing privileges which also eliminates the constant need for password reset and recovery processes.
Enhanced compliance and auditing
By eliminating standing privileges and logging privileged-access activities in a central location, you simplify audits with complete audit trails and a granular view of all these activities.
Protected credentials
Combining Cloud Suite with Secret Server enables system access without disclosing the password, preventing misuse such as sharing. After the work is complete, the password is automatically rotated as a further layer of protection.
Secured and managed third-party access
Provide contractors, outsourced IT, and other third parties time-bound access to systems with granular management of permissions.
That just about wraps it up for this demo. For more information, please visit our website.