How just-in-time access helps organizations comply with cyber insurance requirements
Barbara Hoffman
Cyber insurance is a crucial part of an organization's comprehensive risk management strategy. It plays a key role in organizations adopting or expanding their cybersecurity tools.
Insurers are increasingly pressing companies to enhance their security controls and posture, safeguarding them against malware, ransomware, and data breaches. These controls are centered around the principle of least privilege.
Our discussions with clients about cyber insurance typically address one of two issues:
- Companies without cyber insurance must implement cybersecurity tools to fulfill requirements for coverage.
- Companies with cyber insurance must elevate their security posture to meet more stringent requirements and avoid higher insurance rates.
Filling in these cybersecurity gaps will help organizations avoid higher insurance rates. Our recent cyber insurance survey, "Closing the Cyber Insurance Gap - 2023 State of Cyber Insurance Report," confirms that 67% of respondents experienced a 50% to 100% increase in cyber insurance costs.
Why are least privilege and access controls essential components of cyber insurance?
In the same cyber insurance survey, respondents indicated that 49% of cyber insurance policies require access controls and Privileged Access Management, coupled with a 38% reduction of admin rights.
Implementing controls for these areas is crucial for insurers to mitigate the risks of ransomware, malware, and data breaches. Under the principle of least privilege, only authorized personnel have access to sensitive data and critical systems, and elevated rights are granted only temporarily rather than held persistently.
In his recent whitepaper on cyber insurance, Delinea security expert Tony Goulding analyzed a typical cyber insurance questionnaire. He highlights how insurance companies now prioritize least privilege, access control, and just-in-time capabilities in their questionnaires.
Here are some highlighted cyber insurance requirements focusing on least privilege:
- Access to a system is authorized only if based upon legitimate business need for access and the least amount of access needed to perform job duties (i.e., “least privilege” access).
- Domain Administrator Accounts are managed and monitored through just-in-time access, are time-bound, and require approvals to provide privileged access.
- Do any of the Application’s users have persistent administrative access to servers and/or workstations other than their own?
Insurers require just-in-time access to help reduce an organization’s attack surface. The following example use cases show how wide an organization’s attack surface can be if not properly managed and secured.
- Elevated rights are granted to the remote, non-admin workers who hold these rights for an extended time.
- Access to the IT systems is given to outsourcing companies, contractors, and vendors.
- Service accounts and other non-human accounts are not decommissioned when no longer needed.
- Product teams need privileged access to build, test, and launch products.
So, what are the benefits of just-in-time access with Delinea’s Privilege Manager?
With this latest release, IT teams can easily combine just-in-time access with just enough privilege (JEP) to build seamless privileged access policies that meet security requirements while users remain productive.
Elevated privileges can be granted to individuals or groups of users on Windows workstations, which can automatically be removed with customized expiration configurations. For elevated privileges not covered by policies, users can request temporary elevated privileges, with a business justification, to be reviewed by IT and security teams. Full auditing capabilities are available for elevated privilege activities.
Just-in-time access enhancements combined with the existing just-enough-privilege capabilities align with the principles of least privilege and support a zero trust framework that minimizes risk.
Control of granted rights
Administrators can now run a report on users’ activities to see which users were granted rights, what they did with those rights, and when and where they exercised them.
Productivity maintained
Administrators can grant temporary admin rights so users can maintain access to applications and perform their work as usual. Privilege Manager’s new just-in-time capability eliminates the inconvenience of limited application access for business users, who no longer need to send unnecessary access requests to the help desk.
macOS policies
Additional updates include support for the latest version of macOS, an extension of the workstation policy framework with several out-of-the-box stand-alone policies that can be easily implemented, and certificate-based rules for privilege elevation policies on Macs. We are deploying the following policies:
Policy Name | Description | Action |
Elevate Common Preference Panes | Silently elevates commonly used preference panes such as the Date and Time, Energy Preferences, and Network Settings. | Elevate |
Elevate Xcode | Silently elevates Xcode by granting the system.install.apple-software and com.apple.dt.Xcode.LicenseAgreementXPCServiceRights authorization rights. | Elevate |
Elevate Console | Silently elevates the Console application using a just-in-time elevation action limited to 5 minutes. This policy would allow a user unfettered admin access for 5 minutes. | Elevate |
Elevate JAMF Commands | Elevates the policy and recon JAMF commands after a justification. | Elevate |
Elevate Package Installers | Silently elevates package (pkg) installers and sends feedback to the server about when this policy is triggered. | Elevate |
Monitor sudo Usage | Monitors the usage of the sudo command and sends feedback to the server. | Monitor |
Monitor Admin Applications | Monitors for applications launched requiring admin rights, excluding Apple System applications. This policy can be useful before removing admin rights from end-users. | Monitor |