© Morey J. Haber, Darran Rolls 2020
Morey J. Haber and Darran Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_14

14. Just-in-Time Access Management

Morey J. Haber (1) and Darran Rolls (2)
(1) Orlando, FL, USA
(2) Austin, TX, USA
 
Just-in-Time (JIT) Access Management is a strategy that matches a real-time request to use an account directly with the entitlements that request needs, without statically assigning an account or privilege to an identity. Companies use this strategy to keep accounts from being continuously available, restricting their use to appropriate behavior, context, and other ephemeral properties. This decreases the risk of an always-on account that a threat actor can leverage outside of acceptable use policies and procedures. The method requires organizations to establish criteria for just-in-time access and to accept that these accounts are not available outside those criteria, except possibly in break-glass scenarios.
Although similar concepts for JIT in the manufacturing space are well established, using the model for security and operations solutions presents some interesting technical considerations during implementation. The first concerns the account delegated for just-in-time access. An account is granted entitlements, privileges, and permissions only when they are actually needed. Most of the time, this is a privileged account, commonly an administrator account or a special account created under some form of ITSM exception. The goal of a JIT account is to assign the necessary privileges "on the fly" based on an approved task or approval workflow and subsequently remove them once the task is complete or the window or context for authorized access has expired.
The modeling required to take an account and apply the appropriate privileges can be implemented using the following JIT techniques:
  • JIT Account Creation and Deletion – The creation and deletion of an appropriate account to meet mission objectives. The account should have traits to link it back to the requesting identity or service performing the operation for logging and forensics. Connectors in the Identity Governance layer can typically manage this requirement.
  • JIT Group Membership – The automatic addition and removal of an account to and from a privileged administrative group for the duration of the mission. The account should only be added to an elevated group when the appropriate criteria are met and must be removed when the mission is complete. Again, connectors in the IG layer typically manage these group membership requests as part of the normal entitlement modeling and service provisioning process.
  • JIT Entitlement – The account has individual privileges, permissions, or entitlements added to perform a mission, but only for a limited duration once all criteria are met. These rights need to be revoked once the mission is complete, and the revocation should include certification that no other privileges were inappropriately altered in the meantime. These can be managed by connectors between the Identity Governance and PAM solutions, or directly to the target application.
  • JIT Delegation – The account is linked to one or more preexisting administrative accounts, and when a specific application or task is performed, the function is elevated using those credentials. This is commonly done using automation or scripting with Windows runas or *nix sudo. Typically, the end user is not aware of the impersonation account used for this type of operation, which may overlap with always-on privileged account delegation. This is typically done only with integration into a PAM solution.
  • JIT Disabled Administrative Accounts – Disabled administrator accounts are present in a system with all the permissions, privileges, and entitlements needed to perform a function. They are enabled to perform a specific mission and then disabled again once the operational criteria have been satisfied. This concept is no different from having always-on administrative accounts, except that native enable/disable functionality is leveraged to control JIT access. Because such an account retains its credential, group memberships, and entitlements while disabled, those still need the same protection as an always-on account. This functionality can be achieved by either the Identity Governance system or the PAM endpoint privilege management solution, if available.
  • JIT Tokenization – The application or resource has its access token modified before the operating system creates the process. This form of least privilege is commonly used on endpoints to elevate the privileges and priority of an application rather than of the end user. This technology is the cornerstone of endpoint privilege management in PAM solutions.
For any of these privileges and entitlements to be granted just in time, the following criteria should be considered as triggers. They should also include variables such as the time and date of change control windows, and suspension or termination criteria for when indicators of compromise are detected.
  • Entitlements – When privileged access management is integrated with Identity Governance, entitlements can be synchronized between the two solutions for privileged access. JIT access can then be assigned via the PAM solution directly or through dynamic entitlement provisioning. While the Identity Governance entitlement workflow can be a longer process, it provides greater control and oversight, and is best achieved by linking IG with PAM via vendor-supplied integration.
  • Workflow – Workflow approvals are commonly associated with call centers, help desks, and the identity provisioning control layer. A request is made for access and, using a defined workflow process, interactive approval is sought from the appropriate approver or owner; access is then either granted or denied. With the approval and its audit record in hand, a JIT account can be enabled. The approval record typically ties together the user, asset, application, time/date, and associated ticket in a change control or help desk solution.
  • Context-Aware – Context-aware access is based on criteria like source IP address, geolocation, group membership, host operating system, applications installed or operating in memory, documented vulnerabilities, and so on. Based on any logical combination of these traits, JIT account access can be granted or revoked in order to satisfy business requirements and mitigate risk.
  • Two-Factor (2FA) or Multifactor Authentication (MFA) – A common method for authorizing privileged access to always-on or JIT privileged accounts is 2FA or MFA. While MFA does not itself distinguish between the two access techniques, it provides additional assurance that the identity requesting the privileged account is who it claims to be. It can also serve as a JIT trigger for an account using any of the techniques listed here.
JIT triggers are just that: conditions for an account to be placed in a temporary just-in-time state. They can be used standalone or logically combined with other triggers to instantiate privileged account access. The key questions for teams to consider are which policies govern a JIT account's proper access and which conditions should cause its revocation. These could include:
  • Time and date windows for access and change control
  • Commands or applications that may indicate a compromising event
  • Detection of access to sensitive information
  • Termination of the primary session
  • Existence of corresponding collateral in a ticketing solution
  • Inappropriate modification of resources including installing software or modifying files
  • Inappropriate attempts at lateral movement
  • The manipulation, creation, or deletion of user accounts or datasets
While this is not an exhaustive list, it can help teams define the criteria under which a JIT account is made available and the triggers that revoke it.
While Just-in-Time (JIT) Access Management is not a new concept, always-on accounts have been the primary vehicle for administrative access for the last 40 years. The risk of always-on accounts, unfortunately, is expanding. New highly entitled and privileged accounts are required to administer virtual, cloud, IoT, and DevOps environments. Their quantity and location create complexity, and this complexity in turn often translates into increased risk to security, operational continuity, and compliance. Traditional perimeter-based security technologies can only protect privileged accounts within their boundaries, and privileged accounts are now truly everywhere. Each of them is potentially another privileged and identity attack vector, and some of them are accessible directly from the Internet. This is where integrating JIT Access Management with Identity Governance can make a significant difference in securing your environment from identity attack vectors.
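The following is an added example, not code from the book or from any product it describes. It models, in Python, the JIT Group Membership technique from the list of techniques above together with the triggers and revocation conditions just listed: a request is checked against an approved ticket, MFA, a change window, and source-network context; a time-boxed membership in a privileged group is granted and logged with the link back to the requesting identity; and the grant is revoked either on expiry or as soon as a session command matches a compromise indicator, with a check that nothing else in the group changed in the meantime. The ticket CHG-1001, the identities, the 10.0.0.0/8 trusted range, the change window, and the command patterns are all constructed assumptions; the in-memory group dictionary stands in for the IG or PAM connector that would drive a real directory.

```python
# Added example (not from the book): a minimal JIT access broker that checks the
# triggers above, grants time-boxed privileged group membership linked back to the
# requesting identity, and revokes on expiry or on an indicator of compromise.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

@dataclass
class Request:
    identity: str          # human identity asking for access
    account: str           # account to elevate; stays linkable to the identity for forensics
    group: str             # privileged group needed for the mission
    ticket: Optional[str]  # change/help-desk ticket backing the request
    mfa_ok: bool           # MFA completed for this request
    source_ip: str         # context: where the request originates
    requested_at: datetime

@dataclass
class Grant:
    identity: str
    account: str
    group: str
    ticket: str
    expires_at: datetime
    baseline: Set[str]     # group members before the grant, to certify nothing else changed
    active: bool = True

# Constructed policy (assumptions, not book data): approved tickets, change window,
# trusted networks, a duration cap, and command fragments treated as IoCs.
APPROVED_TICKETS = {"CHG-1001": {"identity": "alice", "group": "Domain Admins"}}
CHANGE_WINDOW = (datetime(2020, 3, 1, 1, 0, tzinfo=timezone.utc),
                 datetime(2020, 3, 1, 5, 0, tzinfo=timezone.utc))
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
MAX_DURATION = timedelta(hours=2)
REVOKE_PATTERNS = ("net user ", "net localgroup ", "useradd", "psexec")

class JitBroker:
    def __init__(self, groups: Dict[str, Set[str]]) -> None:
        self.groups = groups          # toy group store; in practice an IG/PAM connector
        self.grants: List[Grant] = []
        self.audit: List[str] = []    # every decision logged with the identity link
    def members(self, group: str) -> Set[str]:
        return set(self.groups.get(group, set()))
    def evaluate(self, req: Request) -> List[str]:
        """Return the triggers that are NOT met; an empty list means access may be granted."""
        failed = []
        t = APPROVED_TICKETS.get(req.ticket or "")
        if not t or t["identity"] != req.identity or t["group"] != req.group:
            failed.append("ticket")
        if not req.mfa_ok:
            failed.append("mfa")
        if not CHANGE_WINDOW[0] <= req.requested_at < CHANGE_WINDOW[1]:
            failed.append("window")
        if not any(ip_address(req.source_ip) in net for net in TRUSTED_NETS):
            failed.append("context")
        return failed
    def grant(self, req: Request) -> Optional[Grant]:
        failed = self.evaluate(req)
        if failed:
            self.audit.append(f"DENY {req.identity}->{req.group} failed={','.join(failed)}")
            return None
        expires = min(req.requested_at + MAX_DURATION, CHANGE_WINDOW[1])  # never outlive the window
        g = Grant(req.identity, req.account, req.group, req.ticket or "", expires, self.members(req.group))
        self.groups.setdefault(req.group, set()).add(req.account)
        self.grants.append(g)
        self.audit.append(f"GRANT {req.identity} account={req.account} group={req.group} "
                          f"ticket={g.ticket} until={expires.isoformat()}")
        return g
    def revoke(self, g: Grant, reason: str) -> None:
        if not g.active:
            return
        self.groups.get(g.group, set()).discard(g.account)
        g.active = False
        drift = self.members(g.group) ^ g.baseline   # did anything else in the group change?
        self.audit.append(f"REVOKE {g.account} group={g.group} reason={reason}"
                          + (f" DRIFT={sorted(drift)}" if drift else ""))
    def on_command(self, account: str, command: str) -> None:
        """Session-monitor hook: a compromising command ends the grant immediately."""
        if any(p in command.lower() for p in REVOKE_PATTERNS):
            for g in [x for x in self.grants if x.active and x.account == account]:
                self.revoke(g, f"ioc:{command}")
    def reap(self, now: datetime) -> None:
        """Scheduled job: revoke anything past its expiry."""
        for g in self.grants:
            if g.active and now >= g.expires_at:
                self.revoke(g, "expired")

def demo() -> Dict[str, object]:
    b = JitBroker({"Domain Admins": {"svc-backup"}})
    t0 = datetime(2020, 3, 1, 4, 0, tzinfo=timezone.utc)
    good = Request("alice", "alice-adm", "Domain Admins", "CHG-1001", True, "10.1.2.3", t0)
    bad = Request("bob", "bob-adm", "Domain Admins", "CHG-1001", True, "203.0.113.9", t0)
    g = b.grant(good)
    during = "alice-adm" in b.members("Domain Admins")
    b.on_command("alice-adm", "net user mallory P@ss /add")   # IoC: account creation
    return {"broker": b, "grant": g, "denied": b.evaluate(bad), "during": during,
            "after": "alice-adm" in b.members("Domain Admins")}

if __name__ == "__main__":
    print(*demo()["broker"].audit, sep="\n")
```

Run as a script, it prints the audit trail for one request that is granted at 04:00, capped to the end of the change window rather than the full two-hour duration, and then revoked the moment the session issues an account-creation command. In a real deployment the expiry should also be enforced by the directory or PAM tool itself (for example, a time-bound group membership) rather than only by the broker's reaper job, so that a broker outage cannot leave an account elevated.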