1. Planning.

• Assessment
  Begin with the identification of who requires access to Northpass, the resources those individuals need, and the purpose of the need. Take stock of the existing access rights and see if they can be reduced or removed. An entitlement discovery tool could prove beneficial.
• Policy creation
  Develop clear policies towards granting and revoking access. The policy should delineate who can request access, under what conditions, and for how long. It’s critical to establish time-bound parameters, mainly for privileged roles.
• Source of truth
  Synchronize your JIT access system with an Identity Provider such as Okta, Google Workspace, Azure AD, or OneLogin. This will serve as the authoritative source for identities and help in implementing superior authorization controls by escalating individual identities over shared accounts.

2. Execution.

• ‍Self-serve access requests
  Simplify the procedure by allowing users to request access through the system instead of doing so through individuals. Integrate with IM platforms like Slack or MS Teams to increase rates of adoption. Ensure the request includes the necessary details—individual requesting, necessary service/resource/role, duration, and reason for needing access.

• ‍Approval process
  Leverage the JIT access to delegate approvals to individuals with better context about the business, such as resource owners and business unit managers. Using messaging platforms can expedite responses and ensures approvers have all the information they need to make an informed decision.

• ‍Conditional approval workflows
  Apply your predetermined access policies into workflows that dictate permissions. Use them within workflows specifying who can gain access and under which conditions. One effective method is to use if-then conditions. For instance, IF identity group “X” requests access to “Y”, seek approval from “Z” and send a notification to “M”.

• ‍Integrations
  Incorporate JITA with other IT and security systems for additional flexibility. Link JITA directly to IT ticketing systems, data classification systems, on-call schedule software, or training systems to grant access based on training completion. These linkages will provide more specific control over automated provisioning and deprovisioning of access. ‍
• Access methods
  For Northpass JIT Access, APIs are the preferred method for their flexibility and real-time capabilities. However, a combination might be required; SAML for authentication, SCIM for user provisioning, and APIs to make precise access control decisions.

3. Maintenance.

• Regular audits
  Check access logs periodically to ensure that JIT access is functioning as intended. Look for any unusual patterns or behaviors either directly or by feeding the logs into your SIEM. Automate the user access review process to speed up evidence collection, delegate reviewers, and ensure compliance with relevant industry regulations or standards.
• User training
  Teach users, particularly privileged ones, about the importance of the principle of least privilege, JIT Access, and how it works. Make sure they understand how to request access when needed.
• Feedback loop
  Consistently review your JIT access procedures and seek feedback from users and IT staff.

With this structured approach, you'll successfully put in place a robust and efficient Just-in-Time Access system for Northpass.