Company
JIT Access, also sometimes called just-in-time provisioning or just-in-time privileged access management (JIT PAM), refers to a security practice that involves granting access privileges to users for limited periods of time. Grants of access are on an “as-needed” basis. If a developer needs access to GitHub for a week, a JIT Access solution can grant that access, which will automatically expire at the end of a week. The goal of JIT Access is to minimize the risk of standing privileges, i.e., not perpetual access that can be exploited by malicious actors.
The idea of JIT is attractive and relatively simple, but the challenge has always been one of implementation. To work, JIT needs to provide fine-grained and temporary access at high speed. This requires automation, best executed according to the following principles:
JIT Access contrasts with standing permissions, also known as 24/7 access or excessive access, which is the norm in many organizations. This happens mainly because of the administrative burden related to approving, provisioning, and de-provisioning access. DevOps and IT teams are struggling to comply with operationalizing least privilege access.
There’s an old joke in the movie business that asks, “What’s the longest sentence in the history of Hollywood?” The answer is, “Cleopatra ascends the throne.” It took eight weeks to film Elizabeth Taylor “ascending the throne” in 1963, leading to a financial disaster that nearly put 20th Century Fox out of business.
So it also goes in IT, where seemingly simple ideas can cast big shadows over security and IT operations. Take the SOC 2 control CC6.1, which reads, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives. Entity has developed an Access Control policy and an accompanying process to register and authorize users prior to being issued system.”
Sounds simple, right? Not in practice. Access control tends to be a massive undertaking, and even in the best of circumstances, it can still leave systems and networks vulnerable to unauthorized access. There are many reasons for this, but one of the most important root issues is the difficulty admins have in JIT provisioning access on a granular and time-delimited basis.
Traditional privileged access management (PAM) and identity governance (IGA) platforms have done well in this regard for legacy systems. PAM solutions usually comprise a freestanding system that throttles access to administrative back-end interfaces. IGA solutions can often perform some PAM functions along with generalized access controls. These solutions are overly rigid for cloud-based systems and often require heavy administrative overhead. This has begun changing with the advent of SSO-based authentication, cloud-native capabilities and just-in-time access ( JIT Access). This article defines JIT access and explores why it is necessary, how it works, and how organizations can benefit from it.
The complexity of PAM and IGA has left IT and security managers looking for more efficient and secure ways to work. These solutions tend to be technically challenging and time-consuming to deploy. They may be attached to a particular system, such as a DevOps environment. Integration outside of that initial target system may be a serious project with many hours of professional services.
PAM and IGA also almost always rely on role-based access control (RBAC). With RBAC, a user is assigned to a role, and it is that role or group, rather than the individual user, who gets the access grant. Thus, if Joe joins the accounting team, he has the “Accounting Team Member” role, which gives the privilege of accessing the accounting system. If Joe transfers to the sales team, he will be given a “Sales Team Member” role—and everyone should hope that an admin removes his Account Team Member role so he can no longer access that system. JIT offers a way out of these problems.
Why would an IT department and security team want Just-in-Time Access? The foundational reason for JIT Access is that access control is essential to cybersecurity. It’s an important security countermeasure on its own, but temporary access control is also critical for the effectiveness of other controls. If security teams are unable to grant and revoke access, especially privileged/administrative access to systems, very little else will function properly in a cybersecurity program. For years Gartner has been advocating for replacing permanent privileged access with a just in time access approach to uphold the principle of least privilege and target zero standing privileges (ZSP).
Reducing exposure to external threats - Standing access potentially exposes systems to malicious external actors. Indeed, identity is becoming known as a new security perimeter. Underscoring this point, the Verizon DBIR report revealed that compromised credentials are the number one path attackers take to get to sensitive estates. Credentials figure into 49% of breaches. (Phishing is second at 15%). According to Microsoft, just 1% of permissions are used, while over 50% of identities are super admins.
Attackers can impersonate administrative users by stealing (or guessing) their credentials and gaining access to administrative back ends. There, they can wreak havoc on servers, databases, applications, and more. Such access may remain undetected by conventional cybersecurity safeguards.
Reducing internal risk exposure - Deficient access controls expose systems and data to internal threats, as well. Examples abound. They include former employees who can still log into the network, disgruntled employees, and contractors who no longer need access. Much of the time, internal access control risks occur because of ineffective processes, e.g., someone grants access to a system or development environment and then just forgets about it. The user account remains open, even after the employee leaves the company. Alternatively, there can be accidents or intended problems that arise when people who lack training or experience are granted permission to make significant changes, e.g., bulk deletes of user accounts, premature pushing of code into production, and so forth. JIT helps organizations avoid the risks of giving junior staffers senior-level privileges for prolonged periods of time.
Making it easier to implement “least privilege access” - POLP predominates in security circles. The idea is simple: users should be granted the least possible amount of privilege in any system. Executing least-privilege access can be challenging, however. Without the right tools, it becomes a heavy administrative workload, with managers and admins constantly granting, renewing, or canceling the access privileges they have provisioned. JIT Access solves this problem.
With a JIT Access solution, managers and admins can grant the least privilege and be confident that it has a clear time limit. There is no need for follow up for renewals or revocation.
Reducing administrative and governance burdens - Manual management of access permissions is so labor intensive as to be unworkable, given that the average organization has one IT person for every 89 employees. JIT introduces self-service requests for access, alleviating the load on IT people.
Similarly, the work required to maintain controls for the purpose of governance can overload people who have other jobs to do. There’s a lot of manual checking and cross-checking of approval workflows, permissions, and roles. Depending on the system in use, this may be partially automated, but there are usually many process components required to achieve governance and audit objectives.
JIT privilege elevation instead of a static shared account - Using Just-In-Time (JIT) privilege elevation offers a more secure and efficient method compared to the traditional use of shared accounts. Shared accounts often come with static credentials that not only need to be frequently rotated to maintain security but also run the risk of being compromised. Moreover, these shared accounts lack transparency as they don't provide visibility into which specific individual is accessing them. In contrast, JIT privilege escalation enhances security by elevating an existing identity for a limited time. This not only minimizes the risk associated with long-standing high privileges but also ensures that there's a clear trail of who accessed specific resources, making it easier to monitor and audit.
Users of the Entitle JIT Access platform and comparable solutions are putting them to work across a wide variety of use cases. One of the most popular is managing temporary access for virtual machines (VMs) on the Microsoft Azure cloud. Others include the following:
On-call access to production - People who work in IT and software development know that the work doesn’t necessarily end when the office is closed. Many situations arise when an employee may be “on call” and reachable outside of regular working hours. The employee who is on call may be asked to fix a system for which he does have access privileges. With JIT Access, it is possible to grant that person access for enough time to solve the problem. This enables the employee to perform the on-call duties without having to reach a manager, perhaps late at night, and having him or her log in to a PAM system and grant access to the employee—which then has to be revoked at a later time.
Emergency break-glass protocol - IT and security operations (SecOps) have their share of “In case of emergency, break glass” moments, such as data breaches or major system outages. They usually come with a set of procedures intended to restore normalcy. JIT Access can be part of the “break glass” protocol. In this case, it is possible to set up automatic access permissions for the emergency response team. Access to sensitive resources is only for the emergency period. The JIT system should allow you to track who access resources during the emergency period, which is useful for the compliance and audit aspects of these situations.
Customer success access to customer data - Situations arise in the “customer success” area of a business where an employee may need access to customer data that’s outside of his or her normal purview. Many compliance regulations like SOX and SOC2 mandate that only authorized personnel will have access to customer data in a least privilege access manner. JIT Access enables admins to allow temporary access to customer data, which resolves the customer success need without creating a security or compliance issue.
JIT Access with SSH in non-federated identity and legacy environments - Software development teams may need to grant temporary remote access to resources like GitHub repositories to employees, contractors, and vendors. In many cases, the best solution is to use the Secured Shell (SSH) protocol. A JIT Access platform makes this possible by generating a public/private key pair that enables the temporary user to authenticate his access to the repository.
The JIT Access approach to SSH temporary access is also useful in non-federated identity scenarios like the need to grant access to a production system. In that case, regulatory compliance might mandate that only authorized users can access the system. JIT Access enables compliance. It also provides an audit trail to see who has accessed the system, and so forth.
JIT secrets creation for secrets-based authentication in legacy environments - Certain authentication processes, such as Oauth, use secrets to protect data, especially in legacy environments. A JIT Access solution can incorporate secrets-based authentication into its access granting process. Instead of using a shared account with static credentials that need to be rotated and could be compromised, JIT secret creation will elevate an existing identity instead of using a shared account that has no visibility into which individual is using it. Alternatively, JIT can be used to ensure that access to the shared account vault and its secrets is temporary.
Whether using a third-party solution or building your own, implementing JIT is a three-step process:
Assessment - identifying which users require access, the resources they need, and the reasons they need the access. The best practice is to document existing access rights and see if they can be minimized or eliminated. An entitlement discovery tool can provide the necessary visibility for this task.
Policy creation - defining clear policies for granting and revoking access. Policies should cover who can ask for access, and under what circumstances—and for what duration. Policies need to establish time-bound parameters for access grants.
One source of truth for JIT - This may mean syncing the JIT access system with an Identity Provider (e.g., Okta, Google Workspace, Azure AD, OneLogin).
Self-service access requests - The best practice is to simplify the process by having users request access through the system, not through people. Integrating JIT requests with IM platforms like Slack or MS Teams can enhance adoption. Requests should require users to include details such as the required service or resource, user role, duration of access requested, and the reason for the request.
JIT approval process - allowing organizations to delegate approvals to people in a business context. This should make sense because resource owners and business unit managers often have better context than IT helpdesks. It generally makes sense to establish conditional approval workflows that embed predefined policies that determine access permissions. This may involve if-then conditions, e.g., IF identity group “X” requests access to “Y”, seek approval from “Z” and notify “M”.
Integrating JIT systems with other IT management and security systems - will improve JIT’s overall flexibility and efficiency. For example, linking JIT with IT ticketing systems can speed up requests and issue resolution. Integration with data classification systems lets admin adjust access policies based on data sensitivity, and so forth.
Integrate with the SaaS/IaaS - This will enable granting and revoking access automatically within the service. Doing so will reduce the reliance on waiting for people to make time for this process step. Integration also allows for automated de-provisioning of access and implementation of POLP.
Access method - When integrating your JIT access system with your SaaS or IaaS, the ideal access method hinges on your security needs, scalability requirements, and the provider's capabilities. Common methods include API Integration for real-time control; SAML for standard authentication and authorization exchanges; SCIM for automated user provisioning; and agent-based solutions for environments with limited API access. It's vital to evaluate the inherent security, manageability, and compatibility of each method with your provider. Regardless of your choice, always prioritize robust monitoring, logging, and regular reviews to ensure security and optimal performance.
Like any IT solution, JIT needs to be supported and maintained throughout its lifecycle. For JIT, maintenance should encompass regular audits, among other workloads.
Check logs periodically - ensure that JIT access is working as intended. SIEM integration and periodical user access reviews (UAR) can help identify outliers. In addition, a well-documented JIT access system accelerates the UAR processes by automatically collecting evidence that is required by compliance.
User training - an important companion to all of this. It is worth investing in educating users about POLP, how JIT access works, and how to request it.
Create a feedback loop - helps ensure that issues and concerns about JIT and how it is working will reach the right people, so they can make the necessary corrections and improvements to keep JIT delivering on its promises.
Standing access is a poor practice from both security and compliance standpoints. Traditional role-based IAM and PAM platforms are not well suited to provide the kind of time-delimited and easy-to-manage access that today’s cloud-based landscape requires. JIT Access offers a solution. By provisioning granular, time-bound access on a “just-in-time basis,” a JIT Access solution allows for a true realization of the principle of “least privilege access.” Users get the access they need to get their jobs done, while IT and security managers can worry less about risks arising from malicious actors or internal threats. JIT Access improves security outcomes.
