Tuesday, April 30, 2024

JIT Access

Just-in-Time Access

a.k.a.:

  • Just-In-Time (JIT) Permission Management
  • Just-In-Time Privileged Access Management (JIT PAM)

TL;DR

Grant as little access for as short of a time as possible and record/audit access.

JIT access workflow

At any given point, a JIT access system takes three things into account: location (where a user will utilize a privilege), action (what a user will do with the privilege), and time (for how long the privilege will be available). Here is how it works:
  1. A user initiates a request for privileged access to a resource such as a network or virtual machine.
  2. The request now undergoes an approval process that is typically automated for efficiency. If not, an administrator with the requisite authority manually approves or rejects the privileged access request.
  3. If approved, the user gains the necessary level of privilege tailored for the task at hand. Note that the access is temporary and remains active for the duration needed to complete the designated task.
  4. Once the user concludes their task and logs out, the access privilege automatically expires, or the account is temporarily deactivated until the next instance.
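The four steps above as a small Python model, added here as an example; it is not code from the article or from any product the article cites. The policy table, resource names, users and the approver hook are constructed assumptions. It shows how location (resource), action and time bound a grant, how approval is either automated by policy or delegated to a human, and how expiry is enforced at the moment of use rather than by trusting the user to log out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Constructed policy table (an assumption, not from the article): which resources
# may be requested, the longest grant allowed, and whether a human must approve.
POLICY = {
    "vm-prod-db01": {"max_ttl": timedelta(hours=2), "auto_approve": False},
    "vm-dev-web01": {"max_ttl": timedelta(hours=8), "auto_approve": True},
}


@dataclass
class Grant:
    user: str
    resource: str          # location: where the privilege applies
    action: str            # action: what the user may do there
    granted_at: datetime
    expires_at: datetime   # time: when the privilege lapses on its own
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and self.granted_at <= now < self.expires_at


class JitBroker:
    """Request -> approval -> time-bound grant -> expiry, with every decision audited."""

    def __init__(self, approver: Callable[[dict], bool],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.approver = approver        # human approval hook for step 2
        self.clock = clock              # injectable so expiry can be tested deterministically
        self.grants: List[Grant] = []
        self.audit: List[dict] = []

    def _log(self, **event) -> None:
        event["ts"] = self.clock().isoformat()
        self.audit.append(event)

    def _deny(self, user: str, resource: str, reason: str) -> None:
        self._log(user=user, resource=resource, outcome="denied", reason=reason)

    # Step 1: the user asks for a privilege on a resource for a bounded time.
    def request(self, user: str, resource: str, action: str,
                duration: timedelta, justification: str) -> Optional[Grant]:
        policy = POLICY.get(resource)
        if policy is None:
            return self._deny(user, resource, "unknown resource")
        if not justification.strip():
            return self._deny(user, resource, "missing justification")
        if duration > policy["max_ttl"]:
            return self._deny(user, resource, "duration exceeds policy")
        # Step 2: automated approval where policy allows it, otherwise a human decides.
        approver = "policy" if policy["auto_approve"] else "human"
        req = {"user": user, "resource": resource, "action": action,
               "duration": duration, "justification": justification}
        if not (policy["auto_approve"] or self.approver(req)):
            return self._deny(user, resource, f"rejected by {approver}")
        # Step 3: grant scoped to this resource and action, bounded by the duration.
        now = self.clock()
        grant = Grant(user, resource, action, now, now + duration)
        self.grants.append(grant)
        self._log(user=user, resource=resource, action=action, outcome="granted",
                  approver=approver, expires_at=grant.expires_at.isoformat(),
                  justification=justification)
        return grant

    # Step 4 (automatic): expiry is enforced at use time, not by trusting a logout.
    def check_access(self, user: str, resource: str, action: str) -> bool:
        now = self.clock()
        for g in self.grants:
            if not g.revoked and g.expires_at <= now:
                g.revoked = True
                self._log(user=g.user, resource=g.resource, outcome="expired")
        return any(g.user == user and g.resource == resource and g.action == action
                   and g.is_active(now) for g in self.grants)

    # Step 4 (explicit): the user logs out, or an operator pulls the grant early.
    def revoke(self, user: str, resource: str) -> int:
        count = 0
        for g in self.grants:
            if g.user == user and g.resource == resource and not g.revoked:
                g.revoked = True
                count += 1
                self._log(user=user, resource=resource, outcome="revoked")
        return count


def demo() -> dict:
    """Walk requests through the four steps using a clock we can move forward."""
    now = [datetime(2024, 4, 30, 9, 0, tzinfo=timezone.utc)]
    broker = JitBroker(approver=lambda req: req["user"] == "alice", clock=lambda: now[0])
    too_long = broker.request("alice", "vm-prod-db01", "ssh", timedelta(hours=3), "INC-1042")
    grant = broker.request("alice", "vm-prod-db01", "ssh", timedelta(hours=1), "INC-1042")
    denied = broker.request("mallory", "vm-prod-db01", "ssh", timedelta(hours=1), "testing")
    during = broker.check_access("alice", "vm-prod-db01", "ssh")
    now[0] += timedelta(minutes=61)          # the allotted hour has passed
    after = broker.check_access("alice", "vm-prod-db01", "ssh")
    return {"too_long": too_long, "grant": grant, "denied": denied,
            "during": during, "after": after, "audit": broker.audit}


if __name__ == "__main__":
    for event in demo()["audit"]:
        print(event)
```

The clock is injected so that the expiry path can be exercised without waiting; in a real broker the same check runs in whatever component mediates the connection (bastion, proxy, IdP), and the audit list would be an append-only log shipped to the SIEM.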

Types of Just-In-Time Access

Broker and Remove Access or Justification-Based Access

This approach enables the creation of policies that require users to provide a justification for connecting to a specific target for a defined period of time. Typically, these users have a standing, privileged shared account; the credentials for that account are managed, secured and rotated in a central vault and remain unknown to users even after they have used them, which reduces the risk of privilege abuse.

Ephemeral Accounts

This just-in-time access solution mitigates risk by provisioning short-lived or one-time accounts. In this case, you create a temporary account to give a user limited access to complete a specific task.

If a low-level or third-party user needs access to a resource, an ephemeral account is a better choice than a standard account: long-standing access to business-sensitive infrastructure is a risk that malicious users can exploit.

You create dynamic access using a one-time account that gives the user temporary privileges until the task is done. After completing the task, the account is automatically disabled or deleted.

Temporary Elevation or Privilege Elevation

A user makes a request if they need a higher level of privileged access to perform a task. This approval is either granted by an automated system or manually approved by the administrator with specifics on how long the task will take.

This JIT access is designed to reduce the amount of time a user spends on a critical system. Once the time allocated to complete the task elapses, the system takes away the user’s privilege to access the system.

JIT Access: Best Practices 

Identify critical assets

Begin by identifying the accounts and assets with the most privileges, particularly those belonging to administrators, which pose the highest risk. Implement JIT access control for these accounts first and then gradually extend it throughout the organization.

Use role-based access control (RBAC)

Use role-based access control (RBAC) as a supplementary control to define granular policies and the circumstances under which elevated access is allowed. Categorize accounts, differentiate their rights, and create control policies that users must satisfy to gain access.

Define and enable temporary access

Apart from justification-based access, establish criteria for users requesting temporary access, including which accounts are eligible and the duration of access. Implement time-based controls, such as granting access to specific resources during predefined days and times. 

Record and audit activity 

An automated access management solution enables you to log all access activities, receive alerts for suspicious behavior, and record JIT-privileged access. Maintaining a comprehensive digital paper trail is essential for auditing, governance, and compliance with regulations such as SOC2 and PCI-DSS. 
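The time-based controls from "Define and enable temporary access" and the alerting from "Record and audit activity", as one added Python example; this is not code from the article or from any access management product. The audit events, the per-resource schedule (eligible users, allowed weekdays and hours, maximum duration) and the denial-burst threshold are all constructed assumptions. The scan flags activations that fall outside the schedule, lack a justification or exceed the allowed duration, and it raises an alert when one principal is repeatedly denied inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed JIT audit events as JSON lines (not from any real system).
# 2024-04-30 is a Tuesday; 2024-05-04 is a Saturday.
SAMPLE_LOG = """\
{"ts": "2024-04-30T09:12:00+00:00", "user": "alice",   "resource": "vm-prod-db01", "event": "activate", "duration_min": 60,  "justification": "INC-1042 disk full"}
{"ts": "2024-04-30T23:40:00+00:00", "user": "bob",     "resource": "vm-prod-db01", "event": "activate", "duration_min": 60,  "justification": "patching"}
{"ts": "2024-04-30T10:05:00+00:00", "user": "carol",   "resource": "vm-prod-db01", "event": "activate", "duration_min": 480, "justification": ""}
{"ts": "2024-04-30T11:00:00+00:00", "user": "mallory", "resource": "vm-prod-db01", "event": "deny",     "duration_min": 60,  "justification": "test"}
{"ts": "2024-04-30T11:10:00+00:00", "user": "mallory", "resource": "vm-prod-db01", "event": "deny",     "duration_min": 60,  "justification": "test"}
{"ts": "2024-04-30T11:20:00+00:00", "user": "mallory", "resource": "vm-prod-db01", "event": "deny",     "duration_min": 60,  "justification": "test"}
{"ts": "2024-05-04T14:00:00+00:00", "user": "alice",   "resource": "vm-prod-db01", "event": "activate", "duration_min": 30,  "justification": "CHG-77 index rebuild"}
"""

# Constructed policy (an assumption): eligible users, allowed weekdays (0 = Monday),
# allowed hours as [start, end) in UTC, and the longest activation in minutes.
POLICY = {
    "vm-prod-db01": {"eligible": {"alice", "bob", "carol"}, "days": {0, 1, 2, 3, 4},
                     "hours": (7, 19), "max_min": 120},
}
DENIAL_BURST = 3                    # this many denials ...
DENIAL_WINDOW = timedelta(hours=1)  # ... inside this window raises an alert

Alert = Tuple[str, str, str]        # (user, resource, reason)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def check_activation(e: dict, policy: dict) -> List[str]:
    """Return every way an activation breaks the time-based and scope rules."""
    reasons = []
    start, end = policy["hours"]
    if e["user"] not in policy["eligible"]:
        reasons.append("user not eligible for this resource")
    if e["ts"].weekday() not in policy["days"]:
        reasons.append("activation on a day outside the allowed schedule")
    if not start <= e["ts"].hour < end:
        reasons.append(f"activation at {e['ts']:%H:%M} outside allowed hours {start:02d}:00-{end:02d}:00")
    if not e.get("justification", "").strip():
        reasons.append("activation without justification")
    if e["duration_min"] > policy["max_min"]:
        reasons.append(f"duration {e['duration_min']} min exceeds maximum {policy['max_min']} min")
    return reasons


def find_alerts(text: str) -> List[Alert]:
    """Scan an audit log and return alerts for suspicious JIT activity."""
    alerts: List[Alert] = []
    denials: Dict[str, List[datetime]] = defaultdict(list)
    for e in parse_events(text):
        policy = POLICY.get(e["resource"])
        if policy is None:
            alerts.append((e["user"], e["resource"], "no JIT policy defined for resource"))
            continue
        if e["event"] == "activate":
            for reason in check_activation(e, policy):
                alerts.append((e["user"], e["resource"], reason))
        elif e["event"] == "deny":
            # Keep only denials inside the sliding window, then test the burst threshold.
            recent = [t for t in denials[e["user"]] if e["ts"] - t <= DENIAL_WINDOW] + [e["ts"]]
            denials[e["user"]] = recent
            if len(recent) >= DENIAL_BURST:
                alerts.append((e["user"], e["resource"],
                               f"{len(recent)} denied requests within {DENIAL_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for user, resource, reason in find_alerts(SAMPLE_LOG):
        print(f"ALERT {user} on {resource}: {reason}")
```

On the constructed log this yields five alerts: two for carol (no justification, 480 minutes against a 120-minute cap), one for mallory's three denials within the hour, one for bob's activation at 23:40, and one for alice's Saturday activation. A resource with no policy entry is itself flagged, since an unclassified privileged asset is exactly what the "identify critical assets" step is meant to prevent.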

Assign responsibility

Delegate responsibilities to employees and determine who will review permission requests. Properly training employees on granting and revoking access, especially during critical incidents like “break glass” and “on-call” situations, minimizes the risk of incidents. Automated JIT facilitates configuring access flows for these scenarios, helping resolve incidents promptly and eliminating bottlenecks. 

Use short-lived (ephemeral) credentials

Regularly rotate credentials manually to invalidate them, preventing hackers from exploiting stolen passwords. Employ a centralized vault with the highest level of security clearance to manage these credentials effectively. 

source: https://devops.com/what-is-just-in-time-jit-permission-management-and-why-is-it-essential/

Microsoft Entra Privileged Identity Management

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multifactor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit
  • Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments

source: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
