Just-In-Time Access
What Is Just-In-Time (JIT) Access?
Just-In-Time Access is a form of Identity Access Management (IAM). It aims to address the shortcomings of a “standing privileges” approach, where users always have access to enterprise resources and servers. You don’t want a low-level human user or application to have access to a mission-critical system for too long. Instead, go for temporary privileged access, which reduces the risk of cybercriminal attacks.
Specifically, Just-in-Time access is a security methodology common for the enterprise space. By providing granular privileged access in real-time, you ensure that only sanctioned users can access important applications and systems to do work tasks. Just-in-Time access (JIT) is the industry standard for provisioning enterprise access, as it gives only the minimum amount of access necessary to finish the job.
Principle of Least Privilege
To understand the value of just-in-time access, we need to understand the principle of least privilege (PoLP). Having too much access granted to users across your organization results in more entry points for cybercriminals. This reason is why standing access is discouraged in the industry.
Every time you give privileged access with PoLP, you only allow access to a specific resource or within a certain timeframe. The result is less room to work with for a malicious insider to do damage. PoLP overall reduces the potential for cybercrime, as most attacks rely on exploiting privileged accounts. Malware, in addition, cannot spread as quickly with expiring privileges.
Implementing Just-In-Time Access
There are 3 main types of just-in-time access grants:
- Justification-based: Users must justify why they need to connect to a certain resource for a period of time.
- Ephemeral accounts: One-time use accounts are created on the fly and are removed once the work is complete.
- Temporary privileges: The administrator temporarily raises privileges on a by-request basis.
No matter how you approach Just-in-Time access, the process is approximately the same. A user starts by requesting privileged access to do a certain task. The request is verified based on company policy or administrator discretion; the user then gains temporary access to finish the workload and log off. Privilege is removed until it is needed again in the future.
Some best practices for Just-in-Time access include:
- Always recording and auditing activity. Remember that JIT is about more than just passwords; it involves other types of secrets like SSH keys and hashes.
- Keeping administrator accounts separate from standard accounts.
- Rotating credentials regularly so that any stolen privileges become invalid quickly. This strategy is known as a dynamic secret.
- Keeping everything in a central Vault to make management and auditing easier.
Building on this last point, administrators may benefit from having a central DevOps secrets vault to audit all privileges and activities together. This way, finding risky behavior early on is more likely.
The Role of Automation
Secrets management is such a common topic for enterprises that various online software is now available to help manage privileged access. These platforms give you a centralized vault for all your dynamic secrets and allow organizations to have an overview of their access privileges.
These tools simplify administration and speed up the approval process for privilege requests. They are especially useful in compliance and auditing, especially when it comes to tracking activity, current permissions, and secrets.
