1. Planning.

• Assessment
  Start by identifying which people require access, the resources they require, and why. Document current access rights to see if these can be reduced or eliminated. Leveraging an entitlement discovery tool can increase visibility.
• Policy creation
  Create clear policies for both providing and withdrawing access. Guidelines should specify who can request access, under what circumstances, and for what length of time. For roles with elevated privileges, set clear time-limits.
• Source of truth
  Integrate your JIT access system with an Identity Provider (Okta, Google Workspace, Azure AD, OneLogin, etc). This system will act as the reliable source for identities. Illustrating individual identities instead of shared accounts will lead to improved control over authorizations and more accurate audits.

2. Execution.

• Self-service access requests
  Streamline the process by letting users request access via the system, rather than through other personnel. Enhancing the system with IM platforms such as Slack or MS Teams can boost user engagement. Each request should include detailed information on who is making the request, the desired service/resource/role, the duration, and the reasoning.

• Approval process
  Use JIT access as a means to entrust approvals to those with context-specific knowledge of business operations. Resource owners and business unit managers often have better contextual insight than IT support services. Using messaging platforms for quick responses provides the approver with the necessary information to make an informed decision.

• Conditional approval workflows
  Apply pre-established policies within workflows to set access permissions. These can be embedded in workflows to establish who can access certain resources and under what conditions. One effective method is to use if-the-conditions. IF identity group “X” requests access to “Y”, then approval from “Z” is required and “M” should be notified.

• Integrations
  Consider embedding JIT access into other IT and security structures for greater flexibility. Connect it to IT ticketing systems for automated access based on ticket status and with data classification systems to create policy adjustments according to data sensitivity. Ideally, functionally tagging resources and grouping them together will simplify the process. Also, consider collaboration with the on-call schedule software for automatic approvals during critical times. Connect with training systems to provide access based on training completion
• Automated provision and dispossession
  Understanding Heap is vital to provide and retract granular permissions within the service. JIT access requires this because it allows automated dispossession of access and reduces dependence on people. It adheres to the principle of least privilege access (POLP). Ideally, all permissions should be consolidated into a single place to avoid building or managing different environments for each application in your company.
• Access Methods
  For Heap JIT Access, APIs are preferred for their flexibility and real-time capabilities. However, a combination may be necessary, such as using SAML for authentication, SCIM for user provision, and APIs for precise access control decisions.

3. Maintenance.

• Regular audits
  Occasionally inspect access logs to verify JIT access operates as intended. Look for abnormal patterns or behaviours through manual inspection or by feeding the data into your SIEM. Automating user access reviews accelerates evidence gathering, simplifies the delegation of reviewers and ensures system compliance with relevant industry norms or standards.
• User training
  Educate users about the importance of least privilege and JIT Access. They should know how to request access when necessary.
• Feedback loop
  Regularly review JIT access procedures and seek feedback from users and IT staff to ensure improvements are made where needed.

With this structured approach, you will be able to implement an efficient and strong Just-in-Time Access system for Heap.