Delinea | Privileged Access Management Blog

How JIT Access helps with Cyber Insurance Compliance

Written by Barbara Hoffman | Oct 5, 2023 12:00:00 PM

Cyber insurance is a crucial part of an organization's comprehensive risk management strategy. It plays a key role in organizations adopting or expanding their cybersecurity tools.

Insurers are increasingly pressing companies to enhance their security controls and posture, safeguarding them against malware, ransomware, and data breaches. These controls are centered around the principle of least privilege.

Our discussions with clients about cyber insurance typically address one of two issues:

  1. Companies without cyber insurance must implement cybersecurity tools to fulfill requirements for coverage.
  2. Companies with cyber insurance must elevate their security posture to meet more stringent requirements and avoid higher insurance rates.

Filling in these cybersecurity gaps will help organizations avoid higher insurance rates. Our recent cyber insurance survey, "Closing the Cyber Insurance Gap - 2023 State of Cyber Insurance Report," confirms that 67% of respondents experienced a 50% to 100% increase in cyber insurance costs.

Why are least privilege and access controls essential components of cyber insurance?

In the same cyber insurance survey, respondents indicated that 49% of the cyber insurance policies require controls covering access controls and Privileged Access Management, coupled with a 38% reduction of admin rights.

Implementing controls for these areas is crucial for insurers to mitigate risks of ransomware, malware, and data breaches. By following the principle of least privilege, only authorized personnel have access to sensitive data and critical systems. Elevated rights are granted temporarily, ensuring maximum security.

In his recent whitepaper on cyber insurance, Delinea security expert Tony Goulding analyzed a typical cyber insurance questionnaire. He highlights how insurance companies now prioritize least privilege, access control, and just-in-time capabilities in their questionnaires.

Here are some highlighted cyber insurance requirements focusing on least privilege:

  • Access to a system is authorized only if based upon legitimate business need for access and the least amount of access needed to perform job duties (i.e., “least privilege” access).
  • Domain Administrator Accounts are managed and monitored through just-in-time access, are time-bound, and require approvals to provide privileged access.
  • Do any of the Application’s users have persistent administrative access to servers and/or workstations other than their own?

Insurers require just-in-time access to help reduce an organization’s attack surface. The following example use cases show how wide an organization’s attack surface can be if not properly managed and secured.

  • Elevated rights are granted to the remote, non-admin workers who hold these rights for an extended time.
  • Access to the IT systems is given to outsourcing companies, contractors, and vendors.
  • Service accounts and other non-human accounts that were not decommissioned when no longer needed.
  • Product teams need privileged access to build, test, and launch products.

So, what are the benefits of just-in-time access with Delinea’s Privilege Manager?

With this latest release, IT teams can easily combine just-in-time access with just enough privilege (JEP) to build seamless privileged access policies that meet security requirements while users remain productive.

Elevated privileges can be granted to individuals or groups of users on Windows workstations, which can automatically be removed with customized expiration configurations. For elevated privileges not covered by policies, users can request temporary elevated privileges, with a business justification, to be reviewed by IT and security teams. Full auditing capabilities are available for elevated privilege activities.

Just-in-time access enhancements combined with the existing just-enough-privilege capabilities align with the principles of least privilege and support a zero trust framework that minimizes risk.

Control of granted rights

Administrators can now run a report on users’ activities to see which users were granted rights, what they did with those rights, along with when and where users exercised those rights.

Productivity maintained

Administrators can grant temporary admin rights so users can maintain access to applications and perform their work as usual. Privilege Manager’s new just-in-time capability eliminates the inconvenience of limited application access for business users. No more unnecessary access requests to the help desk are required.

MacOS policies

Additional updates include support for the latest version of MacOS, extending the workstation policy framework by adding several out-of-the-box stand-alone policies that can be easily implemented and introducing certificate-based rules for privilege elevation policies on Macs. We are deploying the following policies:

Policy Name Description Action
Elevate Common Preference Panes  Silently elevates commonly used preference panes such as the Date and Time, Energy Preferences, and Network Settings.  Elevate
Elevate Xcode  Silently elevates Xcode by granting the system.install.apple-software and com.apple.dt.Xcode.LicenseAgreementXPCServiceRights authorization rights.  Elevate
Elevate Console  Silently elevates the Console application using a just-in-time elevation action limited to 5 minutes. This policy would allow a user unfettered admin access for 5 minutes.  Elevate
Elevate JAMF Commands  Elevates the policy and recon JAMF commands after a justification.  Elevate
Elevate Package Installers  Silently elevates package (pkg) installers and sends feedback to the server about when this policy is triggered.  Elevate
Monitor sudo Usage  Monitors the usage of the sudo command and sends feedback to the server.  Monitor
Monitor Admin Applications  Monitors for applications launched requiring admin rights, excluding Apple System applications. This policy can be useful before removing admin rights from end-users.  Monitor