Layale Hachem, Solutions Engineer at BeyondTrust, lays out the case for Just in Time (JIT) PAM and explains how it can enable organizations to start to address the “too many accounts; too many privileges” issue.
Much of the GCC region’s IT infrastructure has at least one foot in another organization’s tech environment. This IT sprawl has led to an explosion in the number of user accounts and the privileges they hold. In trying to make our new hybrid world run smoothly, we have knowingly opened many of our windows and doors to third parties. But do we know all the parties that are sneaking through these openings? “Too many privileges open at any one time” is a problem with a ready solution. We make sure that any authorized process or user is only given the access required to perform a necessary task.
Just-in-time (JIT) access, or just-in-time privileged access management (JIT PAM), is the practice of granting access to systems and resources only for the duration required to complete a task; no earlier, no later. While time is the classic basis for defining when permissions expire, other conditions can also be used. What matters is the elimination of the risk-laden practice of having permissions permanently assigned to an account. Standing privileges are a recipe for risk, even if they adhere to the just-enough-access (JEA) principle, where users are granted only enough access to fulfil their role and no more, but are granted this access in perpetuity. To be capable of withstanding modern attack methods, an organization must combine JEA and JIT. In fact, this is the first step in building a zero-trust security framework.
The benefits of JIT are not just theoretical. Consider a JEA account with standing privileged access. Those privileges are available to attackers 24 hours a day, or 168 hours a week, if the account is compromised. Now consider JIT access for a task that is performed once a week and takes one hour. The attack window for gaining privileged access has shrunk from 168 hours to one hour. If we think of the attack window duration as a risk factor, we can say that on that metric alone, risk has dropped by 99.4% in the described scenario.
A police officer’s headache
These simple numbers build the case for JIT PAM. Too many GCC organizations operate too many accounts with unnecessary entitlements. For larger organizations there may be tens of thousands of such accounts. On-premises servers, platforms, and devices combine with cloud-native services to create a police officer’s headache — too much ground to patrol and too few boots to cover it. The answer is to shrink the ground — the attack surface — using JIT. In doing so, enterprises will also remove their blinkers, as many enterprises in the age of cloud are functionally blind when it comes to their IT environment. They will get to know the identities with elevated access (or the potential for it). The end result is tighter security and everything that goes with it, including happier regulators and better options for cyber insurance.
JIT PAM is automated. Privileges are designed in advance, assigned to accounts, and provisioned and revoked in real time. The business knows itself better than any outside consultant or cyber expert ever could. It is fitting, then, that the business takes control of the access of every staff member and assigns privileges as needed rather than allowing an account to “own” permissions.
JIT PAM is context-sensitive. Source IP address, geolocation, group membership, host operating system, active or inactive applications, documented vulnerabilities, and more can be used to give or cut off access as needed. Today’s PAM technologies are even capable of assigning bundled JIT permissions so that authorized users can carry out work that takes place across many different applications, platforms, or domains. All of this is invisible to the user, as is monitoring, auditing, reporting, and investigation. Access will be revoked only for predetermined criteria, which in a well-designed framework will guarantee a frictionless experience for legitimate users.
Use wisely
When implementing JIT, use cases go beyond defining and assigning access. Creation and deletion of credentials and permissions bundles should be subject to governance, with everything logged in case needed later for forensics. This includes any additions and removals of accounts to and from administrative groups. JIT PAM can disable sysadmin accounts until their permissions are needed to perform a task. Since they are disabled when not performing a task, they cannot be leveraged as a traditional account with always-on access, even though the administrator’s user experience is effectively the same.
Additionally, a non-admin account can be linked to one or more admin accounts and allowed to assume all their permissions. This can happen instantaneously to perform certain actions, and be revoked just as quickly when the actions are complete. Under JIT PAM, security teams can also opt for JIT tokenization, where an application or resource has its privileged token modified prior to injection into the operating system kernel. This is useful for endpoint security where the goal is to elevate the privileges of an application rather than an end user.
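As an added illustration (not BeyondTrust's code or any product's API), the following Python sketch models the context-sensitive checks, time-bounded grant, automatic revocation and audit trail described in the preceding paragraphs: an admin account stays disabled until a policy-compliant request arrives, and is disabled again once the window lapses. The policy values, account names, source networks and timestamps are constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed policy for the example; not taken from any PAM product.
POLICY = {"required_group": "db-admins",
          "allowed_networks": [ip_network("10.20.0.0/16")],
          "max_duration": timedelta(hours=1)}
Grant = namedtuple("Grant", "user admin_account expires_at")
class JitBroker:
    def __init__(self, admin_accounts):
        self.admin_enabled = {a: False for a in admin_accounts}  # disabled until a grant exists
        self.grants = []
        self.audit = []  # (time, action, user, account, detail), kept for later forensics
    def request(self, user, groups, source_ip, host_vulns, admin_account, duration, now):
        """Check request context against policy; enable the admin account only for a bounded window."""
        if POLICY["required_group"] not in groups:
            reason = "requester not in required group"
        elif not any(ip_address(source_ip) in net for net in POLICY["allowed_networks"]):
            reason = "source network not approved"
        elif host_vulns:
            reason = "requesting host has open vulnerabilities"
        elif duration > POLICY["max_duration"]:
            reason = "requested window exceeds policy maximum"
        else:
            grant = Grant(user, admin_account, now + duration)
            self.grants.append(grant)
            self.admin_enabled[admin_account] = True  # live only while a grant exists
            self.audit.append((now, "GRANT", user, admin_account, grant.expires_at.isoformat()))
            return grant
        self.audit.append((now, "DENY", user, admin_account, reason))
        return None

    def revoke_expired(self, now):
        """Revocation sweep: log lapsed grants and disable accounts with no live grant."""
        for g in [g for g in self.grants if g.expires_at <= now]:
            self.audit.append((now, "REVOKE", g.user, g.admin_account, "window expired"))
        self.grants = [g for g in self.grants if g.expires_at > now]
        for acct in self.admin_enabled:
            self.admin_enabled[acct] = any(g.admin_account == acct for g in self.grants)
def demo():
    # Constructed scenario: one compliant request, one from an unapproved network, then expiry.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(["sql-admin"])
    ok = broker.request("alice", ["db-admins"], "10.20.5.7", [], "sql-admin", timedelta(hours=1), t0)
    bad = broker.request("bob", ["db-admins"], "198.51.100.9", [], "sql-admin", timedelta(hours=1), t0)
    enabled_during = broker.admin_enabled["sql-admin"]
    broker.revoke_expired(t0 + timedelta(hours=1, minutes=1))
    return {"granted": ok is not None, "denied": bad is None, "enabled_during": enabled_during,
            "enabled_after": broker.admin_enabled["sql-admin"], "audit": [a[1] for a in broker.audit]}
```

In a real deployment the revocation sweep would run on a scheduler and the audit list would be shipped to a SIEM rather than held in memory.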
The user experience remains intact, regardless of the privilege level or role. JIT PAM allows the securing of privileged access for everything from remote work and DevOps to emergency troubleshooting and temporary projects.
Get the JITers
JIT PAM platforms can start to address the “too many accounts; too many privileges” issue by dispensing with the standing-access model. Enforcing least privilege is one thing, but to really stump today’s threat actor, we must also enforce JIT credentials across premises and cloud environments. Supporting technologies will empower organizations to eliminate privilege blindness, as well as allow security teams to add context when calculating risk.
In a modern IT space, zero standing privileges (ZSP) — the total elimination of always-on entitlements — is impractical. IoT setups, for example, require always-on privileges to work properly. But using modern AI-powered cybersecurity technology, organizations get access to rich visualization that will make it easier to identify privileged pathways and identity vulnerabilities. Working together, the latest PAM solutions can allow the region to feel safer knowing attack windows have shrunk to a sliver of what they were previously.