Access management is a top concern for companies – especially when it comes to sensitive customer data and systems. Which employees or systems should have privileged access to certain types of resources and data, the ability to modify them, and for how long? When it comes to reducing risk and provisioning privileged access, more companies are looking at a just-in-time privileged access management approach.
What is Just-in-time Privileged Access?
According to Gartner, “The existence of privileged access carries significant risk, and even with PAM tools in place, the residual risk of users with standing privileges remains high. Security and risk management leaders engaged in IAM must implement a zero standing privileges strategy through a just-in-time model.”
A just-in-time (JIT) privileged access model is designed to limit the time a privileged account exists on a critical system, especially one with special access enabled. It is not just about limiting the time a privileged user has to access systems; it is also about eliminating such accounts and access during idle times. The goal is a zero standing privilege strategy for users and servers, achieved through JIT. This means that privileged accounts and users should be provisioned with just enough permissions and access to perform the required job effectively.
Sound familiar? If you operate by the principle of least privilege, it should.
Implementing a least privilege approach helps prevent privilege escalation and broad-based administrative privileges. In many organizations, elevated users often receive more privileges than are required for administrative tasks. This is done to cover all possible tasks a user might need now and in the future. However, these standing privileges pose a risk by increasing a company’s attack surface.
For example, a privileged user might only access a specific system for a total of a few hours a week, but they are provisioned with standing access all the time (24×7). This makes it easier for a cybercriminal to exploit that privilege at any time and move laterally through the organization. By implementing a JIT privileged access strategy, the privileged user would only have access to perform the specific task for those few hours a week. As a result, outside that window there is no standing privilege for a malicious actor to use to reach those systems and move across your network.
Incorporating Just-in-time into Your PAM Strategy
Many companies implementing PAM focus on the core functionality of password management, vaulting and session recording. Remember, PAM solutions work by putting privileged credentials inside a secure repository. Privileged users and accounts must go through the PAM software and be authenticated in order to access their credentials. The PAM software then monitors/logs each session for auditing and compliance.
According to Gartner, companies need to think beyond basic PAM functionality – vaults and session management – and fully implement JIT access management strategies. While most PAM projects don’t start by implementing zero standing privileges, it should be considered as part of a longer-term strategy.
The industry is seeing greater adoption of PAM software and Gartner estimates that by 2022, 40% of privileged access activity will rely on JIT privilege elevation strategies to dramatically decrease standing privileges.
Companies need to look for PAM software that meets their requirements today but can grow with them to support a zero-standing privilege approach. At Xton, we are strong believers in the ‘least privilege’ approach and built a modern PAM solution around this very principle. In addition to the core PAM functionality, XTAM includes a number of workflow and job management features that support the JIT access model. This includes:
- Continuous Discovery of Privileged Accounts helps you find all accounts (systems, apps, people) with elevated privileges (new and old) and immediately bring these accounts under management to prevent privileged account sprawl.
- Enforce Role-Based Policy Management allows companies to create granular policies that control and limit privileged accounts and users (this includes systems, apps and people). You can use parameters like time of day, physical location (as determined by IP address), days of the week (workdays) or other combinations. Each account needs specific justification/approvals for accessing the target system or sensitive data for a set time period. With policy-based controls, you make sure that a user or system only has access to the target system/data they need, for a limited time and nothing else. The ideal goal is to rightsize each privileged account to a specific task.
- Ability to Provide Temporary Elevated Privileges for a specified period of time to systems or users to perform necessary tasks. In a JIT model, privileged users request temporary privileges. If the request is allowed by policy, the PAM system grants the elevated privilege and then removes it when the task is complete.
- Monitor, Record, and Report on Each Privileged Session remains a critical part of a PAM strategy for compliance and auditing. While a JIT strategy reduces your risk, you still need the ability to monitor the privileges while they are in use. Alerts can be sent to security and IT professionals when users are sharing, accessing or working with your systems.
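To make the policy-based controls and temporary elevation described above concrete, here is an added example (not XTAM's code or API) of a JIT elevation check: a request is evaluated against a policy on role, target, workday, hour, source network, justification and approval, and a grant carries an expiry so no standing privilege remains. All names, the policy values and the self-approval check are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Hypothetical JIT policy: which role may elevate on which target, and under what conditions.
@dataclass(frozen=True)
class Policy:
    role: str
    target: str
    allowed_days: frozenset      # weekday numbers, 0=Monday .. 6=Sunday
    start_hour: int              # inclusive local hour
    end_hour: int                # exclusive local hour
    allowed_networks: tuple      # CIDR strings the requester must come from
    max_minutes: int             # hard cap on the elevation window
    approval_required: bool

# Hypothetical elevation request as a user would submit it.
@dataclass(frozen=True)
class Request:
    user: str
    role: str
    target: str
    source_ip: str
    justification: str
    minutes: int                 # requested window; policy may shorten it
    approved_by: Optional[str]
    at: datetime                 # time the request is evaluated

def evaluate(policy: Policy, req: Request) -> Tuple[bool, str, Optional[datetime]]:
    """Return (granted, reason, expires_at); the first failing control decides."""
    if req.role != policy.role or req.target != policy.target:
        return False, "no matching policy", None
    if req.at.weekday() not in policy.allowed_days:
        return False, "outside allowed days", None
    if not policy.start_hour <= req.at.hour < policy.end_hour:
        return False, "outside allowed hours", None
    ip = ip_address(req.source_ip)
    if not any(ip in ip_network(n) for n in policy.allowed_networks):
        return False, "source address not allowed", None
    if not req.justification.strip():
        return False, "justification required", None
    if policy.approval_required and not req.approved_by:
        return False, "approval required", None
    if req.approved_by == req.user:      # separation of duties (constructed safeguard)
        return False, "self-approval not permitted", None
    window = min(req.minutes, policy.max_minutes)   # never exceed the policy cap
    return True, "granted", req.at + timedelta(minutes=window)

def is_active(expires_at: Optional[datetime], now: datetime) -> bool:
    """Privilege is valid only until expiry; afterwards it must be treated as removed."""
    return expires_at is not None and now < expires_at
```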
Using Xton Access Manager alongside a just-in-time privileged access management strategy can help you reduce the number of privileged accounts in your network and control access to the privileged accounts that remain active. This enables the appropriate people or processes to perform work on critical computers and devices at the right time while maintaining the minimal possible permission levels, strengthening your network security and reducing your company’s risk.