Just-in-time (JIT) access is an access control method in which privileges on critical systems and applications are elevated only when they are needed and only for a limited, pre-agreed period, after which they are removed again.
Just-In-Time is essentially an extension of the Principle of Least Privilege (PoLP), which ensures that users (both human and non-human) only have access to the resources they need to perform their role, or in some cases, a specific task.
Just-In-Time is more granular than other access control methods, such as Role-Based Access Control (RBAC), although RBAC and JIT can actually complement each other.
The main purpose of Just-In-Time is to minimize the amount of standing (always-on) access to your critical resources. Restricting privileged access to a time-limited window shrinks the amount of time an adversary who compromises an account has to exfiltrate data or move laterally to other systems, because outside that window the account carries no privilege worth abusing.
In order to successfully implement Just-In-Time, you will need a full audit trail of all important changes relating to privileged accounts, including who gained access to which accounts, how, why, when, from where, and for how long.
You should also use a solution that will trigger alerts when important changes are made, and be able to terminate suspicious sessions in real time.
Types of Just-In-Time Access
The first and simplest Just-In-Time method is temporary elevation: an administrator raises a user's privileges for a set period and revokes them again when that period expires.
Broker and remove access
This is where one or more privileged accounts are created and their credentials are stored in a single vault. Administrators grant and revoke access to these accounts through the vault as required, rather than handing the credentials themselves to users.
Zero standing privilege (ZSP)
This method involves the one-time use of accounts that are created on the fly for a specific purpose and deleted or disabled after use. Users must request access to such an account and specify how long they need it. Access is revoked automatically when the requested period ends, and the account is then disabled or deleted.
How to Implement Just-In-Time Access
To start with, a user (human or non-human) must request access to a resource. The request is then reviewed by an administrator, who grants access if the request meets the JIT policy requirements and denies it otherwise. Approval can also be automated for low-risk requests in order to free up administrator time.
Once access has been granted, the user can carry out the task within the requested period. When the task is complete the user logs off and their access is revoked immediately; if the period expires first, access is revoked automatically.
The simplest, though weakest, way to implement Just-In-Time access is a single standing privileged account shared amongst users, with its credentials centrally managed and regularly rotated. Be aware that a shared account still leaves standing privilege in place and blurs the audit trail, since every session appears as the same identity, so it should be paired with per-request checkout logging and credential rotation after each use, and treated as a stepping stone toward per-user, per-request grants.
You will also need to define policies in advance that specify who may request which access, how a request is approved, and how and when access is revoked.
You will also need to ensure that all access to privileged accounts is constantly monitored and recorded and that real-time alerts and automated responses are triggered when suspicious events take place.
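The workflow in this section (request, policy check, human or automated approval, time-limited grant, revocation on log-off or expiry, and an audit trail with alerts), together with the per-request grants of the zero standing privilege type described earlier, can be sketched as a small broker. The following is an added Python example written for this page; it is not Lepide's product, nor any vendor's API. The resource name prod-db, the roles, the 10.0. network prefix, the user names and the ticket references are all constructed assumptions, as is the rule that one policy applies per resource.

```python
# Minimal just-in-time (JIT) access broker: request -> policy check -> approval -> time-limited grant ->
# revocation/expiry, with an audit trail and alerts. Added illustration, not Lepide's product or any
# vendor API; the policy, names and addresses below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Policy:  # rules written in advance, one per resource (assumption)
    resource: str
    allowed_roles: frozenset        # roles that may be requested at all
    auto_approve_roles: frozenset   # low-risk roles granted without a human approver
    max_duration: timedelta         # hard cap on a single elevation
    allowed_sources: tuple          # permitted source-IP prefixes (plain string match)

@dataclass
class Request:  # a request in status "granted" is the only thing that confers access
    request_id: int
    principal: str
    resource: str
    role: str
    duration: timedelta
    justification: str
    source_ip: str
    status: str = "pending"         # pending | denied | granted | revoked
    expires_at: datetime = None     # set when granted

class JitBroker:
    def __init__(self, policies):
        self.policies = {p.resource: p for p in policies}
        self.requests = {}
        self.audit_log = []  # who, what, how, why, when, from where, for how long
        self.alerts = []     # events an operator should see in real time

    def _log(self, now, event, **fields):
        self.audit_log.append({"when": now.isoformat(), "event": event, **fields})

    def request_access(self, principal, resource, role, duration, justification, source_ip, now):
        r = Request(len(self.requests) + 1, principal, resource, role, duration, justification, source_ip)
        self.requests[r.request_id] = r
        self._log(now, "request", id=r.request_id, who=principal, resource=resource, role=role,
                  why=justification, from_where=source_ip, how_long=str(duration))
        p = self.policies.get(resource)  # reason = first failing policy check, or None if acceptable
        reason = ("no JIT policy for resource" if p is None else
                  f"role {role} not permitted on {resource}" if role not in p.allowed_roles else
                  f"requested {duration} exceeds maximum {p.max_duration}" if duration > p.max_duration else
                  f"source {source_ip} outside permitted networks" if not source_ip.startswith(p.allowed_sources)
                  else None)
        if reason:
            r.status = "denied"
            self.alerts.append(f"request {r.request_id} by {principal} denied: {reason}")
            self._log(now, "deny", id=r.request_id, reason=reason)
        elif role in p.auto_approve_roles:
            self._grant(r, "auto-approved by policy", now)
        return r  # otherwise it stays pending until a human approves it

    def approve(self, request_id, approver, now):
        r = self.requests[request_id]
        if r.status != "pending":
            raise ValueError(f"request {request_id} is {r.status}, not pending")
        if approver == r.principal:  # separation of duties: nobody approves their own elevation
            self.alerts.append(f"{approver} tried to approve own request {request_id}")
            raise PermissionError("requester cannot approve their own request")
        return self._grant(r, f"approved by {approver}", now)

    def _grant(self, r, how, now):
        r.status, r.expires_at = "granted", now + r.duration
        self._log(now, "grant", id=r.request_id, who=r.principal, resource=r.resource, role=r.role,
                  how=how, expires_at=r.expires_at.isoformat())
        return r

    def revoke(self, request_id, reason, now):  # log-off, task done, expiry, or a suspicious session
        r = self.requests[request_id]
        if r.status == "granted":
            r.status = "revoked"
            self._log(now, "revoke", id=request_id, who=r.principal, reason=reason)

    def has_access(self, principal, resource, role, now):  # checked at time of use, never a standing flag
        for r in [r for r in self.requests.values() if r.status == "granted" and now >= r.expires_at]:
            self.revoke(r.request_id, "expired", now)
        return any(r.status == "granted" and (r.principal, r.resource, r.role) == (principal, resource, role)
                   for r in self.requests.values())

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

def at(minutes):  # scenario clock: T0 plus the given number of minutes
    return T0 + timedelta(minutes=minutes)

def demo():
    """Constructed scenario: one resource, two requesters, one approver, one outsider."""
    b = JitBroker([Policy("prod-db", frozenset({"db-reader", "db-admin"}), frozenset({"db-reader"}),
                          timedelta(hours=4), ("10.0.",))])
    def req(who, role, mins, why, ip):
        return b.request_access(who, "prod-db", role, timedelta(minutes=mins), why, ip, at(0))
    req("alice", "db-reader", 30, "INC-1234: check replica lag", "10.0.5.7")  # 1: auto-approved, expires at +30m
    req("bob", "db-admin", 480, "migration", "10.0.5.8")                     # 2: over the 4h cap: denied + alert
    req("bob", "db-admin", 120, "CHG-77: schema migration", "10.0.5.8")      # 3: pending until another person approves
    b.approve(3, "carol", at(5))
    req("mallory", "db-reader", 10, "just looking", "203.0.113.9")           # 4: wrong network: denied + alert
    return b
```

Calling demo() and printing audit_log shows the trail the earlier section asks for: every entry records who, what, how (auto-approved or by whom), why, when, from where and for how long, and every denial also lands in alerts. Two design points matter in practice: has_access sweeps expired grants before answering, so a grant that nobody revoked by hand still stops working at its expiry, and approve refuses self-approval and anything that is not still pending, so a denied request cannot be turned into a grant later. In a real deployment the enforcement point would be the target system itself (a group membership, a vault checkout, a short-lived credential), with the broker driving those changes rather than being consulted on each access.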
Just-In-Time and Zero Trust
The traditional perimeter security paradigm is becoming less relevant as IT environments become more distributed. Employees access company resources from a broader range of locations and from a variety of devices. As such, many organizations are shifting to a zero-trust security model, in which no user or device is trusted because of its network location and every request for a critical resource must be verified.
Just-In-Time access complements the zero-trust model by ensuring that each elevation is tied to a legitimate, approved need and expires on its own, so that a verified identity never accumulates standing privilege.
How Lepide Helps Implement and Maintain Just-In-Time Access
In order to establish policies that specify how and why users are granted access to critical resources, it helps if you first understand which resources users typically access. The Lepide Data Security Platform is a real-time auditing solution that uses machine learning techniques to establish a baseline of user behavior. Using this baseline, administrators are able to determine how access controls should be applied. This in turn will help them design their JIT policies more effectively.