1. Planning.

• Assessment
  Begin by identifying who needs access, what resources they require, and the reasoning behind this. Document current access rights and assess if they can be reduced or removed. Utilize an entitlement discovery tool for improved visibility.
• Policy creation
  Establish clear policies for granting and revoking access. Develop guidelines regarding who can request access, the circumstances in which they can do so, and the length of their access. Especially for high-level roles, create time-bound rules.
• Source of truth
  Link your JIT access system with an Identity Provider (e.g., Okta, Google Workspace, Azure AD, OneLogin) to be the primary source for identities. By elevating individual identities over shared accounts, you can improve your authorization controls and the accuracy of audits.

2. Execution.

• Self-serve access requests
  Streamline the process by allowing users to request access through the system instead of through personnel. Boost adoption rates by utilizing IM platforms like Slack or MS Teams. Ensure that requests detail the requester, the necessary service/resource/role, length of access, and the reason.

• Approval process
  JIT access offers an opportunity for companies to assign approval responsibilities to individuals with business context. Resource owners and managers often have more context than IT helpdesks. For efficient responses, utilize messaging platforms and give approvers all the necessary information.

• Conditional approval workflows
  Integrate your predefined policies into workflows that dictate access permissions. Create workflows that specify who can access what, under which conditions. An effective strategy is the use of if-then conditions: IF group “X” requests access to “Y”, get approval from “Z” and notify “M”.

• Integrations
  Increase flexibility by integrating JIT Access with other IT and security systems. Incorporate with IT ticketing systems for automated access based on ticket status. Connect with data classification systems to modify policies based on data sensitivity. Ideally, you’ll be able to label resources and group them together smoothly, collaborating with on-call schedule software for emergency automated approvals. Utilize training systems to grant access following the completion of training.
• Automated provisioning and depovisioning
  Acquire a thorough understanding of Code42 to efficiently grant and revoke fine-grained access automatically within the service. This is essential for JIT Access as it minimizes reliance on people's availability, allowing for automatic deprovisioning of access. Ideally, all permissions will be managed in one location, eliminating the need to build or manage an app-specific environment.
• Access methods
  For Code42 JIT Access, APIs are the most flexible and offer real-time capabilities for access control decisions. However, a combination of methods may be necessary, such as using SAML for authentication, SCIM for user provisioning, and APIs for precise access control.

3. Maintenance.

• Regular audits
  ‍Consistently check access logs to ensure JIT access is performing as intended. Look for any unusual patterns or behaviors either directly or via your SIEM. The user access review can be automated to expedite evidence collection, delegate reviewers, and ensure compliance with the relevant industry standards or regulations.
• User training
  Educate users, particularly those with high-level access, about acknowledging the least privilege access, JIT Access, and its operation. Users should understand how to request access when needed.
• Feedback loop
  Regularly review your JIT access procedures and seek feedback from users and IT staff to identify possible improvements.

By following this structured approach, a robust Just-in-Time Access system for Code42 can be efficiently implemented.