1. Planning.

• Assessment
  Firstly, identify the staff at KnowBe4 who require access to certain resources and understand why. Evaluate and document existing access rights and reduce or eliminate them where viable. For improved clarity, you can utilize an entitlement discovery tool.
• Policy creation
  Develop explicit guidelines for granting and revoking access. Incorporate rules about who can request access, under what situations and for what time-frame. Put time-bound parameters in place for high-privilege roles.
• Source of truth
  Synchronize your JIT access system with an Identity Provider (e.g., Google Workspace, Okta, OneLogin, Azure AD). This can act as the definitive source of identities. Adopting a system of individual identities over shared accounts will allow for enhanced authorization control and better auditing accuracy.

2. Execution.

• Self-serve access requests
  Streamline the process by implementing a self-serve system, which will allow users to request access through the system itself, rather than going through individuals. Consider integrating with IM platforms like Slack or MS Teams to boost adoption rates. Make sure requests include the requester’s details, the service/role/resource needed, duration, and reason.

• Approval process
  JIT access provides a chance for companies to delegate approvals to those who have a thorough understanding of business context. Resource owners and business unit managers often have a better grasp of this than IT services. You can use messaging platforms for quicker responses and ensure all necessary details are provided for an informed decision.

• Conditional approval workflows
  Integrate predefined policies into workflows to determine access permissions. By assigning if-then conditions, you can dictate who can access what and under which circumstances.

• Integration
  Consider integrating JIT access with other IT and security systems for increased flexibility. Link with IT ticketing systems for automatic access based on ticket status. Use training systems to allow access upon completion of training.
• Automated provisioning and deprovisioning
  A comprehensive understanding of KnowBe4's set-up is critical for granting and revoking access within the system. This method reduces reliance on waiting for individuals to make time and allows for automated removal of access, following JIT Access and Principle of Least Privilege Access (POLPA)'s core principles. You should ideally manage all permissions in one location rather than building a new environment for each application.
• Access Methods
  For KnowBe4 JIT Access, APIs are preferable due to their real-time capabilities and flexibility. However, you may need to combine different methods; for example, using SAML for authentication, SCIM for user provisioning, and APIs for specific access control decisions.

3. Maintenance.

• Regular audits
  Regularly check access logs to ensure that JIT Access is functioning properly. Identify any unusual patterns or behaviors, either directly or by feeding the logs into your SIEM.
• User training
  It's essential to teach users, particularly those with high privileges, about the importance and functioning of least privilege and JIT Access. Ensuring users understand how to request access when needed.
• Feedback loop
  Make sure you consistently review your JIT access procedures. Solicit feedback from users and IT staff to see where improvements can be done.

By adhering to this structured approach, you can efficiently implement a robust Just-In-Time Access system for KnowBe4.