Just-in-Time Access (JIT)
What is Just-in-Time access?
More about Just-in-Time Access:
Just-in-Time (JIT) access is a fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis. This helps to minimize the risk of standing privileges that attackers or malicious insiders can readily exploit.
When your IT and business users are allowed standing (unlimited) access to privileged accounts, you introduce significant risks of compromise by cybercriminals or even accidental exposure. With standing access, you effectively give users an open window to critical data and resources. Should they give a password to another user or have their own password compromised, they will likely provide total control over a privileged account that would probably remain undetected by conventional cybersecurity safeguards.
What are the benefits of Just-in-Time access?
To limit risk and exposure, organizations must apply the principle of least privilege, thereby limiting the three major elements of privileged access: location, actions, and timing.
Advanced Privileged Access Management (PAM) solutions apply a least privilege strategy by controlling where users can access privileged accounts and what actions they can perform once they have accessed an account. Controlling when access is granted adds the critical time dimension to the security equation.
Just-In-Time access helps to remove the risks associated with standing privileges. And, while only about one in ten companies use JIT access today, Gartner projects that 40 percent of privileged access will rely on JIT control of privileged elevation by 2022. The ultimate goal, according to Gartner, is to use a combination of JIT and other security solutions to help maintain security without sacrificing operational productivity.
See which IT systems and users have higher privileges than they need
One of the biggest challenges facing IT teams is trying to manage JIT without an automated solution. Rather than creating JIT accounts to manage privileges, it’s more effective to ensure users and systems gain proper access when needed for a limited amount of time within a Privileged Access Management software solution.
PAM solutions provide a “request access” feature to enable users to request access to privileged information for a specified time. Other features such as “checkout” automatically rotate credentials whenever a checkout time period ends. These features effectively apply the concept of Just-in-Time access in the context of a robust PAM solution.
In more basic JIT implementations, PAM solutions limit the time frame a single user can have access to an account and rotate the credentials after the user checks in the account or the specified time expires. This ensures that the credentials are unknown to whoever just used them, and the risk of privilege abuse is significantly reduced. In more advanced JIT implementations, the PAM solution will rotate the passwords and move accounts in and out of privileged groups on-demand or create brand new accounts and delete them at the end of the checkout window. JIT protects privileged access even in the case where an attacker can compromise the password to the account. The account is rendered useless or is completely eliminated when applying the JIT methodology.
Other forms of JIT include desktop capabilities such as process elevation through Privilege Elevation and Delegation Management (PEDM) tools. This allows end-users to install applications or perform basic troubleshooting tasks without being granted a full administrator account. The ability to escalate themselves to just the right level of access is provided on-demand and just in time.
What is the best place to start implementing Just-in-Time access?
As with any new cybersecurity paradigm shift, the best place to start is always identifying risks to your business. If your organization has already accomplished this, you are one step ahead on your path to implementing JIT. After all your accounts and areas of concern have been identified, you can apply JIT first to your most high-risk accounts or situations. This may include but not be limited to third-party contractor access, high-valued accounts (domain admins, sysadmins, etc.), and DevOps.
Remember, JIT focuses on how long a user has access to privileges. The smaller the time window, the more secure. A word of caution: if you make the window too small, you may get pushback from users about how the PAM solution prevents them from doing their jobs. Once your highest risk concerns have been addressed, you can expand the scope of how and where Just-in-Time access should be applied.
More JIT Resources:
Start your least privilege journey here