In this blog, I want to talk about “Just-in-Time” access and how a client-based approach (versus client-less) to privileged access security is the gift that keeps on giving. Not only is it essential in driving down risk, operational overhead, and cost, but it also aligns with modern best practices such as Zero Trust. As such, it’s an essential element of your security strategy.
Just-in-Time (JIT) is a term you’ll hear from much Privileged Access Management (PAM) vendors used in the context of a best practice—the Principle of Least Privilege (PoLP). With a proper least privilege approach, your admins have zero administrative rights. Thus, they need some means of obtaining elevated rights only when the need arises. JIT access allows them to do this, facilitated by a self-service request/approval workflow.
So, what does JIT buy you? Simplistically, if you graph out risk over time for a typical administrator, you might see something like this.
Looking at the risk axis, which one would you prefer—the blue or the orange?
If you’re not subscribing to a least privilege access security model, your risk will be more like the blue (“No PoLP”) line. It makes sense, right? Superuser accounts available anytime for routine use by admins = standing privileges, more attack vectors, bigger attack surface, unfettered access = greater risk, except, perhaps, at lunchtime.
Contrast that with the red (“PoLP”) line. This is a much lower overall risk, more representative of a least privilege approach to security. Here, privileges are fluid and continuously high, only elevated when required and approved, and automatically choked back down to a least privilege state after use. Also, note each risk spike peaks much lower. With least privilege, you don’t hand over the proverbial keys to the kingdom. You constrain the rights to a subset necessary for the task, e.g., DB maintenance, web administration, or application installation, and thus, the risk is never constantly high.
This least privilege approach incorporating JIT access can be a powerful tool in your arsenal to help combat identity-based data breaches. I say “can be” because there’s a right way and a wrong way. Choosing the wrong path—while mitigating some risk—will still leave you overly exposed.
Logged into a password vault, the user requests additional permissions to access server X and run privileged applications. After approval, the vault logs into system X with a vaulted local administrator account and provisions a brand-new temporary administrator account for the user on server X, just in time. The user can then log in with this new account, do her job, and log out. Sometime later, the vault logs back into System X with the local administrator account and removes the temporary administrator account.
Let’s dissect why this is not ideal.
PAM solutions that employ this method of JIT access—while highlighting “simplicity” and “agentless”—are far from ideal.
The right way begins with a solid PAM architecture. A hub and spoke model implementing a centralized Policy Definition Point (PDP) with distributed Policy Enforcement Points (PEP) on each endpoint is an ideal design to accommodate modern distributed IT infrastructures (see NIST SP 800-207 Zero Trust Architecture). This provides the endpoint PAM intelligence necessary to overcome the challenges outlined above and sets you up for incremental value beyond JIT access.
Implemented as a thin PAM client on each system, the PEP enrolls the system in the PDP, obtaining a unique “machine identity” and establishing a trust relationship with mutual authentication. With this foundation, benefits include:
In our latest Delinea Server Suite release, we add even more value, conquering a sizeable challenge plaguing anyone using Active Directory to store PAM policies. Because of inherent policy replication delays in Active Directory, it can take minutes or even hours before PAM policy updates reach each system/client, making “just in time” ineffective. Without any modification to Active Directory or its schema, Delinea PAM can now update both Active Directory and its PAM clients simultaneously, ensuring that requested permissions are available for administrators as soon as the request is granted.
I hope you see the value that a client-based approach to JIT privileged access security brings to the table. With the average total cost of a data breach being USD 3.86M, this combination is also a business imperative.
For more information on Delinea Server Suite, please see our datasheet.