Just-in-Time privileged access eliminates the danger of standing privileges
Dan Ritch
Granting users standing access to privileged resources violates the principle of least privilege and introduces significant risk.
With undifferentiated access, users can (and do) take unauthorized actions because they’re given TOTAL control of a resource. They could give a password to another person, who could then access a resource without appearing in an audit trail. They could access critical resources at any time, perhaps after being fired.
To reduce your attack surface, you need to define limits for all three elements of privileged access.
- Location: Where users exercise privileges
- Actions: What users do with those privileges
- Time: When privileges can be used
The third element of “time” is often the most challenging to define and control for many organizations. It’s not always easy to determine how long an activity that requires privileged access is expected to take. In the absence of an automated solution, it’s common for busy IT administrators to forget to expire or disable privileged accounts.
As a result, many companies have kept privileges in place for too long, neglected to expire passwords and accounts, and failed to remove privileges when projects end or people leave.
Just-In-Time access eliminates the need for standing privileges
Gartner predicted that by 2022, 40% of privileged access activity would rely on Just-In-Time (JIT) privilege elevation strategies to dramatically decrease standing privileges.
JIT encompasses a broad range of strategies that provide users privileged access when – and only when – they require it. Gartner recommended companies apply a combination of JIT approaches and solutions that balance the effort to change organizational practices against security, risk, and operational benefits.
Delinea’s JIT approach to time-bound privileges is to enable “Just-in-Time Access” instead of creating “Just-in-Time Accounts.” Implementing JIT within Privileged Access Management (PAM) ensures users and systems have appropriate access when needed and for the least amount of time required. Time-restricted access can be automated so that users don’t have to wait for human approval. Those users can even access the resources they need without ever knowing the password.
Just-in-Time scenarios you can solve with PAM
Remote workers need JIT access to maintain productivity
PAM allows you to grant users privileged access with a start and end time. This way, even if someone forgets to remove the access, the user is locked out once the end time passes.
Advanced PAM tools use workflow features such as “Request Access”, which allows users to request access for a specific amount of time. In addition, “Checkout” features can rotate credentials as soon as the checkout period ends, so even if credentials are not hidden from the user, they won’t be able to return with the same credentials.
With privilege elevation software installed on endpoints, policies dictate exactly which actions can be taken and which processes will be granted administrative rights. This means no user will ever be granted complete control of a resource after requesting access.
Third parties need JIT access on a project basis
IT administrators often struggle to provide access to third-party contractors, who need to be treated differently than badged employees. PAM solutions allow admins to provide contractors and vendors time-bound access to perform tasks such as troubleshooting, maintenance, and penetration tests. PAM also allows you to define third-party access for certain tasks for one-time-only use.
Service accounts need JIT access for automated IT tasks
While named accounts that users request are frequently reviewed, service accounts and other non-human accounts are often overlooked and can build up over time. Service accounts should be created with specific end dates and built-in steps for ongoing governance and oversight. They can be decommissioned when no longer needed or extended via user review and approval.
Developers need JIT privileged access to build, test, and launch products
PAM solutions provide secure, instant access for developers. Vaults built specifically for quick-turn cycles such as DevOps workflows support ephemeral (temporary) credentials for multiple cloud account types.
Where should you start implementing JIT?
Take a hard look at the different use cases for privileged access in your organization and determine which are most in need of limits.
Instead of granting broad privileges, grant access only to a specific system or application. Instead of creating privileged accounts that cover all possible tasks, specify the scope of activities users can conduct. Instead of providing “always-on” access, limit the time period when privileged accounts can be accessed.
You can start implementing JIT for your high-risk use cases first. You may want to begin with situations known to require only infrequent use. Then, map out a migration path with the goal of including all privileged access under your JIT strategy.
As with all privileged activity, JIT privileged access should be recorded and logged within a central tool to make reporting and auditing consistent. Any privileged activity that happens outside of a central PAM tool should raise a flag.
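The following added example (not Delinea's code or any PAM product's API) models two of the controls described above: a time-bound grant issued on request and capped by policy, and an audit pass that flags privileged-activity log lines no active grant covers. The policy cap, the log line format, and the sample users and hosts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_GRANT_MINUTES = 60  # assumed policy cap on any single time-bound grant


@dataclass(frozen=True)
class JitGrant:
    user: str
    resource: str
    start: datetime
    end: datetime  # exclusive: access is locked out at this instant

    def covers(self, user: str, resource: str, at: datetime) -> bool:
        return (self.user == user and self.resource == resource
                and self.start <= at < self.end)


def request_access(user: str, resource: str, minutes: int, now: datetime) -> JitGrant:
    """Issue a grant for a specific resource and window; requests past the cap are trimmed."""
    minutes = min(minutes, MAX_GRANT_MINUTES)
    return JitGrant(user, resource, now, now + timedelta(minutes=minutes))


def parse_event(line: str):
    """Parse one constructed 'timestamp key=value ...' log line into (ts, user, resource)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["user"], kv["resource"]


def flag_unsanctioned(lines, grants):
    """Return log lines with no JIT grant covering user, resource and time: these raise a flag."""
    flagged = []
    for line in lines:
        ts, user, resource = parse_event(line)
        if not any(g.covers(user, resource, ts) for g in grants):
            flagged.append(line)
    return flagged


# Constructed sample data: two grants and four privileged-activity log lines.
T0 = datetime(2024, 1, 10, 9, 0)
GRANTS = [
    request_access("alice", "db-prod-01", 120, T0),                       # capped to 60 min
    request_access("vendor-bob", "fw-edge-02", 30, T0 + timedelta(hours=4)),
]
LOG_LINES = [
    "2024-01-10T09:30:00 user=alice resource=db-prod-01 action=sudo",      # inside window
    "2024-01-10T10:05:00 user=alice resource=db-prod-01 action=sudo",      # after expiry
    "2024-01-10T13:10:00 user=vendor-bob resource=db-prod-01 action=ssh",  # wrong resource
    "2024-01-10T13:10:00 user=vendor-bob resource=fw-edge-02 action=ssh",  # inside window
]

if __name__ == "__main__":
    for line in flag_unsanctioned(LOG_LINES, GRANTS):
        print("FLAG:", line)
```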