“Just-In-Time”, A Key Strategy For Access Security
The digital transformation of companies and the need for remote access to information systems means that the type and number of privileged users (administrators, business managers, suppliers, etc.) is constantly increasing. It is therefore essential to reduce and control the footprint of privileged access in the environment by controlling their scope (which authorizations are granted and where these authorizations are applicable) and duration (when the authorization is granted and for how long). Reducing the risks associated with the abuse of privileged access, or even eliminating privileges altogether (Zero Standing Privilege – ZSP), is the very principle of Just-In-Time (JIT). Although there are several methods to implement it, the main objective of JIT is to control the time of use of the privilege – or possible misuse of it – and to reduce the attack surface (IoT, multi-cloud environment, DevOps use, robotic processes automation, etc.).
As Gartner points out, by 2025, 75% of cyber insurance companies will require the use of the JIT principle when implementing Privileged Access Management (PAM)… so get ready as soon as possible with PAM4ALL!
Why Just-In-Time?
Just-in-Time (JIT) access security is a fundamental practice that helps reduce excessive access privileges and is a key tool in implementing the Principle of Least Privilege and the Zero Trust security model. JIT grants users, processes, applications, and systems specific rights and access to perform certain tasks for a predefined period of time.
As a policy, Just-in-Time security aims to minimize the risk of standing privileges to limit risk and exposure to potential cyberattacks. When too many users have too many privileges at all times, the chances of credential theft, exploitation, and escalation to steal secrets, encrypt data, or bring systems to a halt increase exponentially. Granting elevated privileges only when needed – no more and no less – restricts exposure to a minimum while still allowing users to get on with their work.
Microsoft’s 2021 vulnerabilities report states that elevation of privilege was the #1 vulnerability category, representing 44% of total vulnerabilities, a nearly twofold increase over 2020 (not to mention that removing administrative rights from endpoints would reduce all of Microsoft’s critical vulnerabilities by 56%!)
Thanks to Just-In-Time, an always-on privileged account can very easily be reduced from a permanently active state to just a few minutes. If this approach is applied to all accounts, risks will be reduced extremely quickly. However, JIT will not only protect your accounts thanks to the time factor but also mitigate attack vectors that use techniques such as lateral movement, preventing malicious actors from advancing and elevating their privileges on the network.
Just-In-Time (JIT) security policies help companies to:
- Improve their overall cybersecurity posture
- Eliminate excessive privileges and enact the Zero Standing Privileges policy
- Streamline & automate privilege escalation processes
- Manage human and machine privileged users
- Enable secure remote access to sensitive assets
- Facilitate security without impacting productivity
How does JIT work?
The purpose of Just-In-Time security is to automatically assign the privileges a user needs on the fly and address the 3 main access factors: location, time, and actions. Where is the user trying to access from? Is the user authorized to work during this timeframe, and how long will the user need access? What exactly is the user trying to do with his/her access?
Let’s take the example of Alice, an ACME subcontractor who needs access to the company’s computer system to perform maintenance on some of its key servers. Thanks to the Just-In-Time principle, Alice will be able to create a ticket that, after being approved by the IT department, will give her exclusive access to the specific machine she needs to work on, and no other, for a given period and under predefined conditions.
In Alice’s case, JIT security allows the elevation of her privileges under predefined conditions to ensure the robust security of ACME:
- Access only during normal business hours
- Access to sensitive assets only for specific tasks
- Elevation of application privileges without elevating the user’s entire session
- Secure remote access for employees and external vendors
There are many contextual JIT rules and triggers depending on the uses and characteristics of privileged accounts based on rights, approval workflows, and Multi-Factor Authentication. In each case, it is important to ask what rules govern the use of a JIT access and what conditions must be met for revocation.
How to implement JIT?
The first step would be to audit all user access privileges, company-wide, to determine the scope and scale of the problem. How many users are there? What are their profiles and what applications and systems do they typically request access to? How many user accounts are inactive and how many elevated privileges are rarely or never used?
Based on the answers, the next step will be to establish an internal policy to define the requirements users must meet if they wish to gain access to the target systems: For how long should access be granted? To which functions and equipment? And under what conditions?
You’ll also need to regain control over all passwords and credentials to target systems. Centralizing management and rotation of passwords to applications and IT assets is critical to ensuring comprehensive risk and vulnerability management.
We can now say that you are fully prepared to adopt the “Just-In-Time” security policy, all that remains is to implement the WALLIX PAM4ALL solution!
WALLIX PAM4ALL offers a concrete answer to the problems posed by always-on accounts. PAM4ALL is the unified privilege and access management solution that allows you to secure, control and manage all user access (whether human or machine, from IT administrators to employees or subcontractors), laying the foundations of a Zero Trust architecture based on:
- MFA or Multi-Factor Authentication, which neutralizes the risks associated with compromised credentials using a wide range of mechanisms.
- Remote access management for suppliers, employees, or third-party maintainers by applying granular permissions for individuals accessing the company’s sensitive digital services.
- Session management to increase security oversight and control the “what, how, and when” of internal and external individuals accessing critical business assets.
- Password management with the securing and rotation of passwords and keys as well as the removal of hard passwords. PAM4ALL also allows the separation of workstations from dedicated accounts for the administration of a company’s users (silo) and protects Active Directory access credentials and passwords.
- Least Privilege management to remove local administration rights from workstations to grant the right privileges to the right user at the right time, block lateral movements and stop the spread of malware.
With PAM4ALL, users such as IT administrators with access to accounts no longer have unlimited privileges. Human users and machines can request a temporary elevation of privileges when they need to perform occasional tasks or execute commands that require privileges. Triggers, privilege management and revocation rules, and JIT enforcement methods are under the control of IT, which can tailor JIT usage according to their security policy criteria.
WALLIX PAM4ALL protects all users, even outside the IT team since endpoints are a constant source of vulnerabilities. Least Privilege management allows users to elevate privileges dynamically and transparently for a specific application or process without having to elevate session or user privileges. With PAM4ALL, access is granted, and privilege elevation is allowed “Just in Time”, i.e. at the time a user needs to perform a specific task (running a program, installing trusted software) while blocking unauthorized encryption operations or privilege elevation attempts.
To learn more about Just-in-Time security, watch our webinar: