Just-in-Time Access
a.k.a.:
- Just-In-Time (JIT) Permission Management
- Just-In-Time Privileged Access Management (JIT PAM)
TL;DR
Grant as little access for as short of a time as possible and record/audit access.
JIT access workflow
At any given point, a JIT access system takes three things into account—location (where a user will utilize a privilege), action (what a user will do with the privilege), and time (for how long the privilege will be available). Here is how it works:
- A user initiates a request for privileged access to a resource such as a network or virtual machine.
- The request now undergoes an approval process that is typically automated for efficiency. If not, an administrator with the requisite authority manually approves or rejects the privileged access request.
- If approved, the user gains the necessary level of privilege tailored for the task at hand. Note that the access is temporary and remains active for the duration needed to complete the designated task.
- Once the user concludes their task and logs out, the access privilege automatically expires, or the account is temporarily deactivated until the next instance.
Types of Just-In-Time Access
Broker and Remove Access or Justification-Based Access
This
approach enables the creation of policies that require users to provide
a justification for connecting to a specific target for a defined
period of time. Typically, these users have a standing, privileged
shared account and credentials for that account are managed, secured and
rotated in a central vault and unknown to users even after using them to reduce the risk of privilege abuse.
Ephemeral Accounts
This
just-in-time access solution mitigates risks through the provision of
short-lived or one-time accounts. In this case, you create a temporary
account to give a user limited access to complete a specific task.
If
a low-level or third-party user needs access to a resource, rather than
creating a standard account, an ephemeral account is the best solution.
This is because giving them access to a business-sensitive
infrastructure for a long time can become a risk that malicious users
can exploit.
You create dynamic access using a
one-time account that gives the user temporary privileges until the
task is done. After completing the task, the account is automatically
disabled or deleted.
Temporary Elevation or Privilege Elevation
A
user makes a request if they need a higher level of privileged access
to perform a task. This approval is either granted by an automated
system or manually approved by the administrator with specifics on how
long the task will take.
This JIT access is
designed to reduce the amount of time a user spends on a critical
system. Once the time allocated to complete the task elapses, the system
takes away the user’s privilege to access the system.
JIT Access: Best Practices
Identify critical assets
Begin by identifying the accounts and assets with the most privileges, particularly those belonging to administrators, which pose the highest risk. Implement JIT access control for these accounts first and then gradually extend it throughout the organization.
Use role-based access control (RBAC)
Utilize role-based access control (RBAC) as supplementary solutions to define granular policies and circumstances for elevated access. Categorize accounts, differentiate their rights, and create control policies that users must satisfy to gain access.
Define and enable temporary access
Apart from justification-based access, establish criteria for users requesting temporary access, including which accounts are eligible and the duration of access. Implement time-based controls, such as granting access to specific resources during predefined days and times.
Record and audit activity
An automated access management solution enables you to log all access activities, receive alerts for suspicious behavior, and record JIT-privileged access. Maintaining a comprehensive digital paper trail is essential for auditing, governance, and compliance with regulations such as SOC2 and PCI-DSS.
Assign responsibility
Delegate responsibilities to employees and determine who will review permission requests. Properly training employees on granting and revoking access, especially during critical incidents like “break glass” and “on-call” situations, minimizes the risk of incidents. Automated JIT facilitates configuring access flows for these scenarios, helping resolve incidents promptly and eliminating bottlenecks.
Use short-lived (ephemeral) credentials
Regularly rotate credentials manually to invalidate them, preventing hackers from exploiting stolen passwords. Employ a centralized vault with the highest level of security clearance to manage these credentials effectively.
source: https://devops.com/what-is-just-in-time-jit-permission-management-and-why-is-it-essential/
Microsoft Entra Privileged Identity Management
Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
- Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multifactor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments
source: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
Related Terms
- Principle of least privilege
- Standing privileges (also called “always-on access”)
- Zero Trust security
