Just-in-Time Access Explained

How many accounts on your network have been granted permanent permissions? It's a question worth asking, especially today, as the cybersecurity threat environment continues to evolve. I recently sat down with Brian Read, Chief Technology Officer at KeyData Cyber, to discuss what Just-in-Time (JIT) access means and why it's the future of access control.

As Brian explained, a JIT model is a complete departure from how we've traditionally handled access. "With a Just-in-Time access model, users are only granted entitlements when they are needed for the duration that they are needed," he said. This stands in stark contrast to the "standing access" model that has been used for most of the history of computing, where, as Brian notes, "users get their credential and that account has entitlements assigned to it permanently whether the user requires them for that period or not."

While Just-in-Time access workflows are a relatively new concept and not always supported by legacy technologies, this capability can be added by implementing a third-party Privileged Access Management (PAM), Identity & Access Management (IAM), or Access Management (AM) tool. This shift is crucial for modernizing security and reducing the risk of a breach.

Why is Just-in-Time Access Important?

With all the other things we have to manage and control, why should we care about JIT workflows? Just-in-time (JIT) access grants users elevated permissions only when they need them and only for a limited period of time. This approach represents an essential shift away from "standing privileges," where accounts, especially privileged ones, have permanent, "always-on" access to critical systems and data.

JIT access addresses three key security risks:

  • It Drastically Reduces the Attack Window: By making a credential powerful for only a short duration, JIT access significantly shrinks the window of opportunity for an attacker. If a credential is stolen, the privilege attached to it expires with the grant: once the session ends or the time limit passes, the attacker is left with at most an unprivileged account rather than ongoing privileged access.
  • It Minimizes the Risk of Permanently Assigned Privileges: Regular accounts with permanent entitlements are a risk, but highly privileged accounts are an especially high-value target. These "keys to the kingdom" allow an attacker to move laterally through a network, access sensitive data, and cause widespread damage. JIT access removes the permanent form of this risk by ensuring that no account holds these powerful permissions outside an approved, time-limited grant.
  • It Prevents Ongoing, Unnoticed Access: If a permanent, privileged credential is compromised, an attacker can use its powerful entitlements indefinitely without arousing immediate suspicion. JIT access prevents this by requiring a new, explicit request (and, where policy demands it, a new approval) for every elevation. Each request creates an audit record, so an attacker who wants to keep using the privilege has to keep re-requesting it, which is far more difficult and far more visible.

Best Practices for Just-in-Time Access

If you are thinking about implementing Just-in-Time access for a particular technology, there are some things to keep in mind:

  • The smaller the window of attack, the better. Session-based entitlement, where access lasts only for the single session or task, is more secure than a time-framed entitlement that lasts for hours or a day.
  • Every JIT workflow should require strong authentication. MFA should be mandatory before granting any privileged entitlement, and it is even better to layer on conditional access based on other factors such as device health, network location, or risk score.
  • Real-time approval by a human approver adds a strong safeguard, although it introduces friction into the process, so it's not always practical.
  • Entitlements should be automatically revoked as soon as the session or time limit expires, with no manual cleanup required.
  • Organizations should regularly review JIT policies to ensure they align with their security requirements and user needs.

Unfortunately, you may find that some of these capabilities are not available as part of your existing tools, so you may need compensating controls or other compromises to implement these best practices with the tools you've got.

So what does that look like? Brian offered a great example of what Just-in-Time access could look like. 

“The simplest example would be if I was a Windows server administrator. Now in the past I would have simply been given the server admin entitlement and the ability to RDP into a sensitive server directly to my account, for as long as I was employed by KeyData. If that account was ever stolen it would likely give an attacker that same ability.

Using a Just-in-Time workflow, I would not be able to RDP to any sensitive servers unless I requested just in time access. So before I can perform my work, I would connect to the access portal, signal my intention to RDP to that server, provide MFA, and pass other request criteria. Only then would I receive the ability to log into that server - and most importantly once my RDP session was over, my ability to login would be revoked.”

How to Implement Just-in-Time Access

There are a lot of variations on how access is requested and how the temporary entitlements are granted. The key to implementing JIT is matching the security controls to the way that the users need to work.

How JIT access is implemented depends on the capabilities of your target technology, the privileged access tools available, and the way your business operates. “The gold standard of just in time access,” Brian shared, “is having the privileged access entitlement only exist for a single session. This is typically implemented behind the scenes by either creating a new temporary account and allowing the user to use it for a single session, after which, the account is deleted.”

A second way to get the same single-session scope is session-based entitlement assignment, where a PAM tool grants the entitlement to the user's existing account for the duration of the session and revokes it as soon as the session is over. This is more sophisticated to implement and will generally require an enterprise PAM tool such as CyberArk or BeyondTrust.
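To make the workflow described above concrete, here is a small entitlement broker written as an added example for this article; it is not KeyData's code and not the code of any PAM product. It enforces the request gates from the best-practices list (MFA, device posture, a justification, and a human approver who is not the requester), issues either a session-scoped grant, matching the single-session gold standard, or a time-boxed grant, answers the access check a target server or PAM proxy would make at connect time, and revokes automatically when the session ends or the window lapses, writing an audit record for every decision. The user, server and entitlement names, the one-hour ceiling on time-boxed grants, and the gate order are assumptions chosen for the example; a real deployment would delegate the MFA and device checks to the identity provider and the actual revocation to the PAM tool or directory.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SESSION = "session"  # entitlement exists only while one session is open
TIMEBOX = "timebox"  # entitlement exists for a fixed window, then lapses
MAX_WINDOW = timedelta(hours=1)  # assumed ceiling for time-boxed grants


class PolicyDenied(Exception):
    """Raised when a request fails one of the policy gates."""


@dataclass
class Grant:
    grant_id: str
    user: str
    target: str
    entitlement: str
    expires_at: Optional[datetime]  # None for session-scoped grants
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        # Expiry is enforced at check time, so a lapsed grant needs no manual cleanup.
        if self.revoked_at is not None:
            return False
        return self.expires_at is None or now < self.expires_at


class JitBroker:
    def __init__(self, approvers: set[str]):
        self.approvers = approvers          # identities allowed to approve an elevation
        self.grants: dict[str, Grant] = {}
        self.audit: list[dict] = []         # who elevated, to what, why, and when it ended

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit.append({"ts": now.isoformat(), "event": event, **fields})

    def request(self, *, user: str, target: str, entitlement: str, justification: str,
                mfa_verified: bool, device_compliant: bool, approver: Optional[str],
                now: datetime, scope: str = SESSION, window: timedelta = MAX_WINDOW) -> Grant:
        """Apply the policy gates in order; the first failure is logged and raised."""
        gates = [(not mfa_verified, "mfa_required"),
                 (not device_compliant, "device_not_compliant"),
                 (not justification.strip(), "justification_required"),
                 (approver is None or approver not in self.approvers, "approval_required"),
                 (approver == user, "self_approval_forbidden"),
                 (scope == TIMEBOX and window > MAX_WINDOW, "window_too_long")]
        for failed, reason in gates:
            if failed:
                self._log("deny", now, user=user, target=target, entitlement=entitlement, reason=reason)
                raise PolicyDenied(reason)
        expires_at = now + window if scope == TIMEBOX else None
        grant = Grant(secrets.token_hex(8), user, target, entitlement, expires_at)
        self.grants[grant.grant_id] = grant
        self._log("grant", now, grant_id=grant.grant_id, user=user, target=target,
                  entitlement=entitlement, scope=scope, approver=approver, justification=justification,
                  expires_at=expires_at.isoformat() if expires_at else None)
        return grant

    def has_access(self, user: str, target: str, entitlement: str, now: datetime) -> bool:
        """The check the target server (or its PAM proxy) makes at connect time."""
        return any(g.user == user and g.target == target and g.entitlement == entitlement
                   and g.is_active(now) for g in self.grants.values())

    def end_session(self, grant_id: str, now: datetime) -> None:
        """Session-scoped revocation: the entitlement dies with the session."""
        grant = self.grants[grant_id]
        if grant.revoked_at is None:
            grant.revoked_at = now
            self._log("revoke", now, grant_id=grant_id, reason="session_ended")


def demo() -> dict:
    """The article's Windows-admin scenario: RDP rights last one session, or one bounded window."""
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    m = timedelta(minutes=1)
    broker = JitBroker(approvers={"carol"})
    req = dict(target="srv-db-01", entitlement="rdp-admin", device_compliant=True, approver="carol", now=t0)
    denied = None
    try:  # no MFA: denied, and the attempt itself lands on the audit trail
        broker.request(user="alice", justification="INC-4411 disk full", mfa_verified=False, **req)
    except PolicyDenied as exc:
        denied = str(exc)
    a = broker.request(user="alice", justification="INC-4411 disk full", mfa_verified=True, **req)
    during = broker.has_access("alice", "srv-db-01", "rdp-admin", t0 + 20 * m)
    broker.end_session(a.grant_id, t0 + 25 * m)  # RDP session over: the entitlement goes with it
    after = broker.has_access("alice", "srv-db-01", "rdp-admin", t0 + 26 * m)
    broker.request(user="bob", justification="CHG-812 patching", mfa_verified=True,
                   scope=TIMEBOX, window=30 * m, **req)
    in_window = broker.has_access("bob", "srv-db-01", "rdp-admin", t0 + 29 * m)
    past_window = broker.has_access("bob", "srv-db-01", "rdp-admin", t0 + 31 * m)
    return {"denied": denied, "during": during, "after": after, "in_window": in_window,
            "past_window": past_window, "events": [e["event"] for e in broker.audit]}


if __name__ == "__main__":
    print(demo())
```

The point to notice is where enforcement happens: the target never trusts the credential alone, it asks the broker whether an active grant exists right now, so a credential captured during Alice's session is worthless one minute after she disconnects, and Bob's time-boxed grant dies at minute 30 whether or not anyone remembers to clean it up. The denied request is logged with its reason, which is the raw material for the review Brian describes later in the article.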

Can I Implement Just-in-Time Access without Enterprise PAM?

While having modern tools in place certainly helps, you can still implement some basic access controls that can improve your security. Just-in-Time access can be implemented for just about any technology, even legacy ones.

The next level down for JIT workflows is time-bound access, where privileged access is limited to a set timeframe rather than to a single session. Some technologies offer this natively: Microsoft Entra PIM and SAP, for example, have built-in workflows to grant entitlements for specific time windows. You can also use Identity Governance and Administration (IGA) or Access Management tools such as SailPoint or Okta to assign entitlements for a limited time.

Don't have access to any of those tools? Not to worry. There may be other options, such as credential rotation and injection through an enterprise PAM tool, so that no human holds the standing password, or limiting the network path to the target with a zero-trust network access tool such as Palo Alto Networks or Zscaler. These are weaker forms of JIT, because the account's entitlement itself remains standing and only the path to it is gated, and they add friction to the user experience.

Measurable Benefits of Implementing JIT Access Workflows

Brian explains, “when KeyData approaches an organization that is interested in implementing just in time access, we focus on the problem they are trying to solve – typically reducing risk for one or more core admin workflows.” 

Security is just part of that conversation. Business leaders want numbers and tangible metrics. Here are some of the tangible benefits of implementing JIT workflows:

  • fewer standing accounts
  • faster onboarding for critical work, so users get the access they need when they need it
  • fewer audit findings to remediate

“One of the most compelling benefits we see,” Brian continued, “is that the logs from your JIT elevations give you amazing insight into who is using privileged entitlements and why.  Some organizations find that this benefit alone is worth the cost of implementing the new workflows.” 
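As an added example of the kind of review Brian describes (constructed for this article, not KeyData's tooling or any product's output), the following script reads a JSON-lines audit log of the sort a JIT broker or PAM tool might emit and answers three questions a reviewer wants answered: who is elevating to what and why; which grants outlived their expiry without a revoke event, meaning the automatic revocation failed and the privilege has quietly become standing access again; and which grants violate the policy the workflow was supposed to enforce (empty justification, self-approval, out-of-hours elevation). The log lines, the field names, the 07:00 to 18:59 UTC business-hours window, and the eight-hour ceiling on an open session are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: JSON lines as an access portal or PAM tool might emit them (assumed format).
SAMPLE_LOG = """\
{"ts": "2024-06-02T16:00:00+00:00", "event": "grant", "grant_id": "g0", "user": "erin", "target": "srv-app-03", "entitlement": "local-admin", "scope": "session", "approver": "carol", "justification": "CHG-790 deploy", "expires_at": null}
{"ts": "2024-06-03T03:10:00+00:00", "event": "grant", "grant_id": "g3", "user": "dave", "target": "srv-dc-02", "entitlement": "domain-admin", "scope": "timebox", "approver": "dave", "justification": "", "expires_at": "2024-06-03T11:10:00+00:00"}
{"ts": "2024-06-03T09:00:00+00:00", "event": "grant", "grant_id": "g1", "user": "alice", "target": "srv-db-01", "entitlement": "rdp-admin", "scope": "session", "approver": "carol", "justification": "INC-4411 disk full", "expires_at": null}
{"ts": "2024-06-03T09:25:00+00:00", "event": "revoke", "grant_id": "g1", "reason": "session_ended"}
{"ts": "2024-06-03T10:00:00+00:00", "event": "grant", "grant_id": "g2", "user": "bob", "target": "srv-db-01", "entitlement": "rdp-admin", "scope": "timebox", "approver": "carol", "justification": "CHG-812 patching", "expires_at": "2024-06-03T10:30:00+00:00"}
{"ts": "2024-06-03T11:10:00+00:00", "event": "revoke", "grant_id": "g3", "reason": "expired"}
{"ts": "2024-06-03T14:00:00+00:00", "event": "grant", "grant_id": "g4", "user": "alice", "target": "srv-db-01", "entitlement": "rdp-admin", "scope": "session", "approver": "carol", "justification": "INC-4420 failed backup", "expires_at": null}
{"ts": "2024-06-03T14:20:00+00:00", "event": "revoke", "grant_id": "g4", "reason": "session_ended"}
"""

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC; tune per organization
MAX_SESSION_HOURS = 8          # assumed: a session grant still open after this is suspect


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def elevation_summary(events) -> dict:
    """Who used which privileged entitlement, how often, and with what justification."""
    summary = defaultdict(lambda: {"count": 0, "justifications": []})
    for e in events:
        if e["event"] == "grant":
            key = (e["user"], e["target"], e["entitlement"])
            summary[key]["count"] += 1
            summary[key]["justifications"].append(e["justification"])
    return dict(summary)


def stale_grants(events, now_iso: str) -> list:
    """Grants that should be dead but carry no revoke event: a time-boxed grant past its
    expiry, or a session grant open far longer than any session should be. Either way the
    automatic revocation did not happen and the privilege has become standing access."""
    now = datetime.fromisoformat(now_iso)
    revoked = {e["grant_id"] for e in events if e["event"] == "revoke"}
    stale = []
    for e in events:
        if e["event"] != "grant" or e["grant_id"] in revoked:
            continue
        issued = datetime.fromisoformat(e["ts"])
        if e["expires_at"] is not None and datetime.fromisoformat(e["expires_at"]) <= now:
            stale.append((e["grant_id"], "expired_not_revoked"))
        elif e["expires_at"] is None and (now - issued).total_seconds() > MAX_SESSION_HOURS * 3600:
            stale.append((e["grant_id"], "session_open_too_long"))
    return stale


def policy_violations(events) -> list:
    """Grants that went through the workflow yet break the policy it was meant to enforce."""
    findings = []
    for e in events:
        if e["event"] != "grant":
            continue
        if not e["justification"].strip():
            findings.append((e["grant_id"], "empty_justification"))
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            findings.append((e["grant_id"], "out_of_hours"))
        if e["approver"] == e["user"]:
            findings.append((e["grant_id"], "self_approval"))
    return sorted(findings)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, info in elevation_summary(events).items():
        print(key, info)
    print("stale:", stale_grants(events, "2024-06-03T15:00:00+00:00"))
    print("violations:", policy_violations(events))
```

Run against a real export, the first report is the "who and why" insight from the quote above; the second is the one to act on immediately, since every stale grant is a standing privilege that the JIT workflow was supposed to have eliminated; the third feeds the periodic policy review from the best-practices list. Self-approval and empty justifications should ideally be blocked at request time, so finding them in the log means the portal's gates need tightening, not just the report.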

Getting Started with Just-in-Time Access Controls

So you’ve considered the benefits and are ready to build a business case around Just-in-Time access. What’s next?

“Here are some things to remember as you start down this journey,” Brian shared. “It may not be possible to implement the most sophisticated forms of just in time access on all of your core admin workflows. But the reality is that every single privileged workflow can be matured over time with the proper controls and tools to move closer to that ideal state.” 

If you want to learn more about how JIT access controls can improve security for your organization, be sure to visit us at KeyDataCyber.com, where you can schedule a complimentary workshop to assess your security needs and receive a roadmap to a secure, scalable IAM strategy for your organization.

 

Copyright © 2024 KeyData Cyber.
All Rights Reserved.
