Summary: Today, we’ll take a look at what just-in-time access (JIT) means and what types there are. You’ll also learn about what a JIT access solution can do for your organization. Cybersecurity attacks are a critical concern and this article breaks down how JIT access helps mitigate these attacks. By the end of this article, you’ll understand how just-in-time access works, the best practices to ensure secured implementation, and how StrongDM comes to the rescue.
According to a Forcepoint report, up to 44% of employees can share their privileged access with others, compromising organizational security. More interesting is the fact that almost 50% of privileged employees access critical data out of curiosity.
With traditional privileged access management (PAM) solutions, the risks associated with standing privileged access are still significant. These risks are like ticking bombs waiting to explode.
The moment attackers get access to these privileges, they can alter your organization’s security posture dramatically. This is why the implementation of just-in-time access is important to eliminate these risks.
So, what is just-in-time access all about? Grab your scuba gear and let’s dive in!
What is Just-in-Time Access?
Just-in-time (JIT) access is a feature of privileged access management (PAM) solutions that grants users access to accounts and resources for a limited time, when they need it. It reduces the risk of giving users more privileges than they require by providing that access only when it is required.
Just-in-time access applies the principle of least privilege (PoLP) to reduce the risk of standing privileges (also called “always-on access”), where users have unlimited access to accounts, resources, and servers.
Enterprises can make all access temporary by default so that no one has permanent access to mission-critical systems. This way, they can verify that both the user and the level of privilege are valid at the time of connection.
If an organization grants users unlimited access to accounts and systems, this creates opportunities for cyberattacks. Low-level accounts shouldn’t have access to your critical infrastructure for too long. Also, the credentials of top-level accounts — such as administrator accounts — are a key target when it comes to cyberattacks.
When these privileged accounts and systems have “always-on” access, they become vulnerable to cybercrimes:
- Account owners can misuse them by giving out their credentials to cybercriminals
- These attackers can access critical resources without being discovered quickly
- Critical information can become exposed to attackers or users even after they’ve left an organization
By providing JIT access, you only allow users limited access to particular accounts and resources when they need them. This reduces risk since these privileges will expire automatically after a set time.
Types of Just-in-Time Access
Standing privileges increase the attack surface for bad actors to exploit. But, by implementing a just-in-time access solution, you can significantly reduce these risks.
Here are the three types of JIT access:
1. Justification-Based Access
This is also called “broker and remove” access. This JIT access approach demands that users justify why they need privileged access. Once justified, these users are then able to connect to a specific resource for a limited period.
The credentials for these accounts are managed and rotated in a central vault, so they remain unknown to users even after use, which reduces the risk of privilege abuse.
2. Ephemeral Accounts
This just-in-time access solution mitigates risks through the provision of short-lived or one-time accounts. In this case, you create a temporary account to give a user limited access to complete a specific task.
When a low-level or third-party user needs access to a resource, an ephemeral account is a better choice than a standard account, because giving them long-term access to business-sensitive infrastructure creates a risk that malicious users can exploit.
You create a one-time account that gives the user temporary privileges until the task is done. After completing the task, the account is automatically disabled or deleted.
3. Privilege Elevation
This is also known as “temporary elevation.” A user makes a request when they need a higher level of privileged access to perform a task. The request is approved either by an automated system or manually by an administrator, with details of how long the task will take.
This JIT access is designed to reduce the amount of time a user spends on a critical system. Once the time allocated to complete the task elapses, the system takes away the user’s privilege to access the system.
Benefits of Just-In-Time Access
There are several advantages of using a just-in-time privileged access solution to manage organizational processes and security.
Here are the top eight benefits of JIT access:
1. Improves Cybersecurity Posture
Just-in-time access control improves the security posture of an organization by reducing the threats caused by standing privileges. When no one has permanent access to a system, unauthorized access, malware, and other security risks drop dramatically.
Several security risks emerge when malicious users exploit privileged accounts. By providing JIT access, you reduce the attack surface. Once a privileged user is done with a task, the account is disabled and privileges expire, improving the company’s security posture.
2. Simplifies Access Workflow
When users make requests for privileged access, the JIT approval process can be automated. This provides a seamless workflow for the administrators, operations team, and end-users without affecting productivity levels.
System administrators don’t have to wait days for review cycles, and users are granted access as needed. Operational efficiency is not affected in any way since privileged access requests can be approved automatically from anywhere.
3. Evaluate Tasks and Privilege Control
By implementing just-in-time access, you can specify what a user gets privileged access to, what types of actions they can perform, and how long that privileged access lasts.
Through privilege elevation, users can perform certain tasks, such as basic troubleshooting and app installation and updates, without getting access to a high-level administrator account.
You can also apply just-in-time access to developers by creating vaults that support DevOps workflows, giving them access to the resources they need to build, test, and launch products only while they need that privilege.
4. Enhances Compliance and Auditing
Implementing JIT access improves the compliance of your organization. You’re able to meet compliance requirements by enforcing least-privilege access and providing accurate audit reports.
Just-in-time access allows you to eliminate standing privileges and control privileged sessions. It allows you to simplify audits by logging privileged-access activities in a central location and providing complete audit trails and a granular view of all these activities.
5. Defines Third-Party Access
Providing access to third-party users can be a struggle. But, with just-in-time privileged access management (JIT PAM), administrators can provide contractors and application vendors time-bound access to a system.
You can create one-time accounts or grant third parties temporary privilege elevation to perform certain tasks such as testing, troubleshooting, and maintenance.
6. Provides Credential Protection
Once a user gets access to an account and completes a task on a JIT basis, the system automatically rotates and generates credentials in a secret vault. This way, the credentials are unknown to the user who used them.
The JIT access system can rotate passwords or create new accounts and disable them once the checkout window closes. This JIT security ensures that in cases where attackers steal passwords to user accounts, the accounts and privileges are invalidated.
7. Allows Automated System Tasks
Service accounts and other non-human accounts also require just-in-time access to perform automated system tasks.
You can create these accounts and allow them to perform automated tasks without delay by defining specific timeframes and actions they can perform once approved for privileged access.
8. Eases Management of Privileged Accounts
When organizations implement JIT access, privileged account management becomes easier. Since there are no accounts with standing privileges, this eliminates the constant need for password reset and recovery processes.
Many tasks are also automated, such as credential rotation, privileged access expiration, and account deletion. Request approval can be automated as well, so that the system reviews user requests and grants privileged access without an administrator being manually involved.
How Does Just-in-Time Access Work?
When an organization decides to implement a “zero standing privileges” approach with just-in-time access, here’s how it works:
For JIT access to work, the company defines the parameters of privileged access to reduce the attack surface. These are:
- Location: Where users make use of privileges
- Actions: What users do with their privileges
- Time: When these privileges can be used
Just-in-time access gives you monitoring control to see who or what has access to which resource, what tasks they performed, and for how long.
So, after your company sets up a just-in-time access solution, how does it work?
Let’s say John, who is an end-user, needs privileged access to perform certain operational tasks. Here’s what the typical JIT workflow looks like:
- John requests privileged access to what he needs, which can be a network, server, or resource.
- The request goes through an approval process. This is best automated to reduce friction and simplify workflows. However, requests can be manually approved by the admin who has the right to accept or revoke the request for privileged access.
- Once approved, John is given the level of privilege he needs to perform the required task. This access only lasts as long as he needs to complete the task.
- After John has completed his task and logs out, his privileges expire or the account is disabled until he needs it again.
This JIT-enabled workflow reduces the attack surface since his privileges expire once his task is complete.
In a just-in-time access implementation, attackers can’t steal passwords since there are no standing privileged accounts. Even in cases where malicious users manage to compromise passwords to systems, JIT access mitigates the risk because the privilege has expired or the account has been disabled.
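To make the workflow concrete, here is an added example (not StrongDM’s code, nor any product’s API) of a small JIT broker that models John’s request, approval, time-bound grant, and expiry, and that also covers the three JIT types described earlier: a justification-based checkout of a vaulted credential that is rotated when the grant ends, an ephemeral account that is deleted when its window closes, and a privilege elevation that is revoked on expiry. The class and method names, the four-hour cap, and the ticket numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

@dataclass
class Grant:
    user: str
    resource: str
    kind: str                # "checkout", "ephemeral" or "elevation"
    expires_at: datetime
    credential: str = ""     # secret shown to the user on a vault checkout
    account: str = ""        # name of the ephemeral account, if any
    active: bool = True

class JitBroker:
    # Assumed design: issues time-bound grants and tears them down when they end.
    MAX_DURATION = timedelta(hours=4)  # assumed policy cap on any single grant

    def __init__(self):
        self.vault = {}        # resource -> current vaulted secret
        self.accounts = set()  # live ephemeral accounts
        self.elevated = set()  # (user, resource) pairs currently elevated
        self.grants, self.audit = [], []   # audit is an append-only trail

    def request(self, user, resource, kind, justification, duration, now, approve):
        """Request -> approval -> time-bound grant; returns None when denied."""
        if not justification.strip():
            reason = "missing justification"
        elif duration > self.MAX_DURATION:
            reason = "duration exceeds cap"
        elif not approve(user, resource, kind):   # automated rule or human approver
            reason = "approver rejected"
        else:
            reason = None
        if reason:
            self.audit.append(("denied", user, resource, reason))
            return None
        grant = Grant(user, resource, kind, now + duration)
        if kind == "checkout":
            # broker and remove: the user is shown the current vaulted secret once
            grant.credential = self.vault.setdefault(resource, secrets.token_urlsafe(24))
        elif kind == "ephemeral":
            grant.account = f"tmp-{user}-{secrets.token_hex(4)}"
            self.accounts.add(grant.account)
        else:
            self.elevated.add((user, resource))
        self.grants.append(grant)
        self.audit.append(("granted", user, resource, f"{kind} until {grant.expires_at}"))
        return grant

    def _end(self, grant, reason):
        grant.active = False
        if grant.kind == "checkout":
            # rotate, so the secret the user saw no longer opens anything
            self.vault[grant.resource] = secrets.token_urlsafe(24)
        elif grant.kind == "ephemeral":
            self.accounts.discard(grant.account)
        else:
            self.elevated.discard((grant.user, grant.resource))
        self.audit.append(("revoked", grant.user, grant.resource, reason))

    def check_in(self, grant):          # user finished early: tear down now
        if grant.active:
            self._end(grant, "checked in")

    def sweep(self, now):               # expire closed windows; returns how many
        expired = [g for g in self.grants if g.active and g.expires_at <= now]
        for g in expired:
            self._end(g, "expired")
        return len(expired)

    def authorize(self, user, resource, now):
        """True only while an unexpired, unrevoked grant exists: no standing privilege."""
        self.sweep(now)
        return any(g.active and g.user == user and g.resource == resource
                   for g in self.grants)

def demo():
    """John's workflow from the text on constructed data; returns the observable outcomes."""
    broker = JitBroker()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    approve = lambda user, resource, kind: user == "john"   # stand-in approval rule
    checkout = broker.request("john", "prod-db", "checkout", "ticket 123", hour, t0, approve)
    seen_secret = checkout.credential
    authorized_during = broker.authorize("john", "prod-db", t0 + timedelta(minutes=30))
    broker.check_in(checkout)                     # task finished early, secret rotates
    elevation = broker.request("john", "bastion", "elevation", "ticket 124", hour, t0, approve)
    temp = broker.request("john", "ci-runner", "ephemeral", "ticket 125", hour, t0, approve)
    broker.sweep(t0 + 2 * hour)                   # both remaining windows have closed
    return {
        "authorized_during": authorized_during,
        "authorized_after_checkin": broker.authorize("john", "prod-db", t0 + hour),
        "seen_secret_still_valid": broker.vault["prod-db"] == seen_secret,
        "elevation_still_active": elevation.active,
        "ephemeral_account_exists": temp.account in broker.accounts,
        "denied_without_justification": broker.request(
            "john", "prod-db", "checkout", "   ", hour, t0, approve) is None,
    }
```

Calling demo() walks through the scenario and returns the outcomes a defender cares about: access is authorized only inside the window, the credential John was shown stops working the moment he checks in, and the elevation and ephemeral account disappear when their windows close. The audit list records every denial, grant, and revocation, which is the trail a later review would examine.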
Just-in-Time Access Best Practices
There are certain steps to take when implementing a just-in-time access solution.
Here are six best practices for enforcing JIT access:
1. Set Up Control Policies
Use attribute-based access control (ABAC) and role-based access control (RBAC) policies in tandem with JIT access to specify what tasks and actions users can perform.
Start by categorizing accounts to differentiate the rights accorded to each. Identify administrative tasks and separate admin accounts from end-user accounts. Then, set up control policies for accounts that need least privilege access and for what tasks.
With a just-in-time access solution, you can approve and monitor what privileged access every user has at any point in time.
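The following is an added example (not StrongDM’s code or policy language) of how RBAC and ABAC can be combined to decide a JIT request: the role table says which actions a role may ever request on a resource, and the subject and request attributes decide whether a permitted request is approved automatically or routed to a human. The role names, resources, thresholds, and business-hours window are constructed for illustration.

```python
from datetime import datetime, timezone

# RBAC: which role may request which actions on which resource (constructed table)
ROLE_PERMISSIONS = {
    "sre":       {"prod-db": {"read", "restart"}, "bastion": {"ssh"}},
    "developer": {"staging-db": {"read", "write"}, "bastion": {"ssh"}},
}

# ABAC: attributes of the subject and request that decide how a permitted
# request is approved (thresholds are assumptions for this example)
AUTO_APPROVE_MAX_MINUTES = 60
BUSINESS_HOURS_UTC = range(8, 18)

def evaluate(request: dict, subject: dict, now: datetime) -> dict:
    """Decide a JIT request: 'deny', 'auto_approve' or 'manual_review', with reasons."""
    allowed = ROLE_PERMISSIONS.get(subject["role"], {}).get(request["resource"], set())
    # hard denials first: RBAC scope, strong authentication, justification
    if not allowed:
        return {"decision": "deny",
                "reasons": [f"role {subject['role']} has no rights on {request['resource']}"]}
    extra = set(request["actions"]) - allowed
    if extra:
        return {"decision": "deny", "reasons": [f"actions outside role: {sorted(extra)}"]}
    if not subject.get("mfa"):
        return {"decision": "deny", "reasons": ["MFA required for privileged access"]}
    if not request.get("justification", "").strip():
        return {"decision": "deny", "reasons": ["justification required"]}
    # soft conditions: anything unusual routes the request to a human approver
    reasons = []
    if not subject.get("managed_device"):
        reasons.append("request from an unmanaged device")
    if now.hour not in BUSINESS_HOURS_UTC:
        reasons.append("outside business hours")
    if request["minutes"] > AUTO_APPROVE_MAX_MINUTES:
        reasons.append(f"duration over {AUTO_APPROVE_MAX_MINUTES} minutes")
    return {"decision": "manual_review" if reasons else "auto_approve", "reasons": reasons}

def examples() -> dict:
    """Constructed requests showing each outcome."""
    sre = {"role": "sre", "mfa": True, "managed_device": True}
    dev = {"role": "developer", "mfa": True, "managed_device": True}
    noon = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    night = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    base = {"resource": "prod-db", "actions": ["read"], "minutes": 30, "justification": "INC-42"}
    return {
        "routine":        evaluate(base, sre, noon),
        "wrong_role":     evaluate(base, dev, noon),
        "wider_action":   evaluate({**base, "actions": ["read", "drop"]}, sre, noon),
        "no_mfa":         evaluate(base, {**sre, "mfa": False}, noon),
        "night_and_long": evaluate({**base, "minutes": 240}, sre, night),
    }
```

The ordering matters: RBAC scope and authentication are hard denials that no attribute can override, while device posture, time of day, and requested duration only decide whether a human needs to look. That keeps automated approval fast for routine requests without letting the automation approve anything the role could never hold.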
2. Begin With High-Risk Use Cases
When implementing the JIT PAM solution, it’s more efficient to start with high-risk use cases. Thoroughly audit your cybersecurity system to discover high-risk accounts and vulnerability issues. These use cases might include high-level accounts (such as an admin account or service account) and third-party access.
Then, begin your JIT access implementation for existing vulnerabilities with the highest risks. After you’ve resolved the high-risk vulnerability issues, you can broaden the path of your just-in-time access implementation.
3. Create Granular Justification-Based Policies
Instead of allowing standing privileged access and giving room for cyberattacks over a broad surface area, you can create a just-in-time access policy that grants users access only by request.
Implement granular policies that ask users to request and provide justification for why they need access to a system, resource, or tool for a defined period.
4. Keep Credentials in a Secret Vault
When you create a centralized secret vault and keep all credentials and secrets there, you make security management more effective. The JIT access system rotates credentials in this vault so that they’re unknown to the privileged users and cyberattackers.
Also, a just-in-time access solution makes it easy to fully audit privileged access activities and discover vulnerabilities in systems.
5. Enable Temporary Access
Just like creating justification-based policies, you should implement procedures for temporarily elevating the privileges of users when they need to perform certain tasks.
Enable this JIT solution for human and non-human users that require access to privileged accounts or credentials.
6. Record and Audit JIT Privileged Activities
The JIT PAM system logs privileged access activities across all temporary accounts within the central vault for consistent and accurate logging and auditing.
This just-in-time access solution also alerts you when there’s an anomaly or perceived risk, and it notifies you about privileged activities that occur outside the JIT system.
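As an added example (not StrongDM’s code, and not any real product’s log format), here is detection logic that correlates a JIT system’s grant and revoke records with the privileged-activity records the target systems emit, flagging activity that falls outside any active grant or outside the actions a grant allowed. The log lines, field names, users, and resources are constructed sample data.

```python
from datetime import datetime

# Constructed sample: JIT grant/revoke records merged with privileged-activity
# records from the target systems, oldest first.
SAMPLE_LOG = """\
2024-01-01T09:05:00Z GRANT user=john resource=prod-db actions=read,restart until=2024-01-01T10:00:00Z
2024-01-01T09:10:00Z ACTIVITY user=john resource=prod-db action=read
2024-01-01T09:15:00Z ACTIVITY user=mallory resource=prod-db action=read
2024-01-01T09:20:00Z ACTIVITY user=john resource=prod-db action=drop
2024-01-01T09:30:00Z REVOKE user=john resource=prod-db
2024-01-01T09:40:00Z ACTIVITY user=john resource=prod-db action=restart
2024-01-01T11:00:00Z ACTIVITY user=john resource=prod-db action=read
"""

def _ts(text: str) -> datetime:
    # ISO 8601 with a trailing Z; normalised so fromisoformat accepts it everywhere
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def _parse(line: str):
    ts, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return _ts(ts), kind, fields

def detect(log_text: str) -> list:
    """Return one alert per privileged activity not covered by an active JIT grant."""
    grants = []    # each: {user, resource, actions, start, until}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, f = _parse(line)
        if kind == "GRANT":
            grants.append({"user": f["user"], "resource": f["resource"],
                           "actions": set(f["actions"].split(",")),
                           "start": ts, "until": _ts(f["until"])})
        elif kind == "REVOKE":
            # an early check-in or admin revocation closes the window now
            for g in grants:
                if g["user"] == f["user"] and g["resource"] == f["resource"] and g["until"] > ts:
                    g["until"] = ts
        elif kind == "ACTIVITY":
            covering = [g for g in grants
                        if g["user"] == f["user"] and g["resource"] == f["resource"]
                        and g["start"] <= ts < g["until"]]
            if not covering:
                alerts.append({"time": ts, "user": f["user"], "resource": f["resource"],
                               "reason": "privileged activity with no active JIT grant"})
            elif not any(f["action"] in g["actions"] for g in covering):
                alerts.append({"time": ts, "user": f["user"], "resource": f["resource"],
                               "reason": f"action {f['action']!r} outside granted scope"})
    return alerts
```

On the sample, detect(SAMPLE_LOG) raises four alerts: mallory acting with no grant at all, john running an action his grant never covered, john acting after his grant was revoked, and john acting after the window expired. Activity the JIT system never brokered is exactly what should never be silent, so this kind of correlation is the check that turns a central audit trail into an alerting control.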
How StrongDM Can Help You Implement Just-in-Time Access
Certain security risks “slip through the cracks” in traditional PAM solutions. This is why organizations need to implement JIT with zero standing privileges (ZSP) to eliminate these risks.
According to Gartner, 40% of privileged access activity will rely on ZSP policies through JIT in 2022.
StrongDM, an infrastructure access platform, uses ZSP and JIT PAM access approaches to strengthen the security posture of your organization.
You can grant frictionless, just-in-time access to users, employees, and contractors by giving elevated privileges to the tools and resources they need to perform their tasks without compromising workforce productivity.
In the process of tending to more critical tasks, administrators sometimes forget to offboard users, leaving the door open for attacks on these zombie accounts. StrongDM mitigates this risk by automatically terminating privileged access once a project is complete.
With StrongDM, you can maintain a strong security posture without sacrificing productivity.
You can significantly reduce security risks of your company by implementing a just-in-time access system to enforce zero standing privileges.
Start by identifying and implementing JIT access for your high-risk use cases. Then, expand the scope of your implementation after you’ve addressed the most critical vulnerabilities.
Looking to implement just-in-time access for your infrastructure? Check out our just-in-time access use case or get a no-BS StrongDM demo today.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.