1. Planning.

• Assessment
  Start by identifying who needs access, what resources they need to access, and why. Document existing access rights to see if they can be reduced or completely eliminated. For better visibility, using an entitlement discovery tool might be beneficial.
• Policy creation
  Establish clear policies for both giving and removing access. Include guidance about who can request access, under what conditions, and for how long the access will last. For elevated roles, define time-specific parameters.
• Source of truth
  Synchronize your JIT access system with an Identity Provider (Okta, Google Workspace, Azure AD, OneLogin for example). This will serve as the authoritative source for identities. De/escalating individual identities over shared accounts leads to better access control and more accurate auditing.

2. Execution.

• Self-serve access requests
  Streamline the process by allowing users to request access via the system rather than directly with people. Increase adoption rates by integrating with IM platforms such as Slack or MS Teams. Make sure requests specify who is asking, the necessary service/resource/role, the duration of access, and the reason.

• Approval process
  JIT access lets companies delegate approvals to staff with a better understanding of the business context. Resource owners and heads of business units often have greater insight than IT helpdesks. Use messaging platforms for quick responses, providing approvers all the necessary information to make informed decisions.

• Conditional approval workflows
  Embed your preset policies into workflows that ascertain access permissions. Build them into workflows that control who can access what, and under what conditions. Assign if-then conditions as an efficient method.

• Integration
  Integrate JITA with other IT and security systems to increase flexibility. Connect with IT ticketing systems for automatic access based on ticket status. Link data classification systems to adjust policies according to data sensitivity. Collaborate with on-call schedule software for automatic approvals during emergencies. Train to grant access based on training completion.

• Automated provisioning and depovisioning
  Develop a deep understanding of Cognism to effectively manage access within the service. This is crucial to JIT Access because it minimizes reliance on individuals having available time. Use automated deprovisioning of access, fundamental to JIT Access and the principle of least privilege access (POLP). Manage all permissions in one place, rather than creating or maintaining a different environment for every application in your organization.
• Access methods
  For Cognism JIT Access, APIs are preferable due to their real-time capabilities and flexibility. However, using SAML for authentication, SCIM for user provisioning, and APIs for granular access control decisions might also be necessary.

3. Maintenance.

• Regular audits
  Check access logs routinely to verify that JIT access is functioning as planned. Use either direct inspection or SIEM feeding to identify any unusual patterns or behaviours. Automate the user access review process to expedite evidence collection, assign reviewers, and ensure compliance with relevant industry standards or regulations.
• User training
  Train users, particularly those with elevated permissions, on the importance of least privilege, JIT Access, and how it operates. Make sure users understand how to request access when needed.
• Feedback loop
  Consistently review your JIT access procedures and obtain feedback from users and IT staff to find potential improvements.

By following this structured approach, you'll be able to effectively implement a robust Just-in-Time Access system for Cognism.