1. Planning.

• Assessment
  Start by recognizing who needs access, the resources they need, and why they need it. Review current access rights and evaluate whether they can be diminished or removed. Consider utilizing an entitlement discovery tool for a comprehensive view.

• Policy creation
  Establish transparent policies for both giving and revoking access. Incorporate guidelines about who can request access, under what circumstances, and for how long. Particularly for privileged roles, establish fixed-duration parameters.

• Source of truth
  Synchronise your JIT access system with an Identity Provider (e.g., Okta, Google Workspace, Azure AD, OneLogin). This will serve as the conclusive source for identities. Elevating and reducing individual identities rather than shared accounts will provide better authorization control and audit precision.

2. Execution.

• Self-serve access requests
  Streamline the procedure by having users request access through the system, rather than through individuals. Encourage adoption by integrating with IM platforms like Slack or MS Teams. Ensure requests detail who is requesting, the necessary service/resource/role, duration, and grounds.

• Approval process
  JIT access provides an opportunity for businesses to delegate approvals to individuals with business context. Resource owners and business unit managers often have more insights than IT helpdesks. Utilize messaging platforms for quick responses, providing approvers with all the required information for an informed decision.

• Conditional approval workflows
  Include your predefined policies within workflows that determine access permissions. Include them in workflows that define who can access what, and under what conditions. One practical way is by assigning if-then conditions. IF identity group “X” requests access to “Y”, then refer approval from “Z” and notify “M”

‍‍

• Integrations
  Consider integrating JITA with other IT and security systems for added flexibility; connect with IT ticketing systems for automated access based on ticket status. Link with data classification systems to adjust policies depending on data sensitivity. Ideally, the possibility to tag resources and bundle them together can simplify this process. Collaborate with on-call schedule software for automated approvals during emergencies. Use training systems to grant access based on the completion of training.‍

• Automated provisioning and deprovisioning
  Understand TailScale thoroughly to grant and retract access automatically and specifically directly in the service. This is vital for JIT Access as it minimizes the need to wait for people to act. It allows for the automatic retraction of access, central to JIT access and the concept of least privilege access (POLP). Ideally, control all permissions in one place rather than constructing or managing an environment for every application in your organization.

• Access methods
  For TailScale JIT Access, APIs are desired due to their ease and real-time capabilities. However, you might need a mix. For instance, using SAML for authentication, SCIM for user provisioning, and APIs for precise access control decisions.

3. Maintenance.

• Regular audits
  Occasionally review access logs to verify that JIT access is operating as anticipated. Look for any odd patterns or behaviors either directly or by feeding the logs into your SIEM. Automate the user access review process to expedite evidence gathering, delegate reviewers, and ensure your system adheres to relevant industry regulations or standards.
• User training
  Instruct users, particularly privileged ones, about the importance of least privilege, JIT Access, and its operation. Ascertain users know how to request access when necessary.
• Feedback loop
  Create a regular review of your JIT access procedures. Obtain feedback from users and IT staff to comprehend where refinements can be made.

By adhering to this structured approach, you'll be able to effectively implement a durable Just-in-Time Access system for TailScale.