What is Just-in-Time Access?
Just-in-time (JIT) access is a privileged access management (PAM) component that manages user, application, and/or system access privileges on an as-needed basis or for a specified duration. JIT access is practiced as part of an identity and access management (IAM) strategy that ensures resources are available to those who need them, when they are required. The JIT access method is based on Zero Trust and the principle of least privilege, which maintains that users should only be provided with access to the resources that they need to complete specific, pre-defined tasks.
JIT access ensures that all access is temporary and is granted only at the time the connection to the resource is made. In most cases, access would also be limited by role. With every user having temporary access, organizations can ensure the validity of each user, connection, role, and the level of privileges established at the time of connection, eliminating implicit trust and bolstering security.
Benefits of JIT access include:
- Enhanced security posture
- Streamlined access workflows
- Compliance support
- Credential protection
- Efficient privileged accounts management
Types of JIT access include:
Justification-based access control. Justification-based access control is also known as “broker and remove access”, and it uses several privileged accounts, with credentials stored in a secure vault. In order to gain access, users must request access to specific systems for specified amounts of time. The credentials are made available after an administrator approves the request.
Temporary elevation. Temporary elevation is also known as “privilege elevation”, and it gives more permissions to a user account for limited amounts of time, upon request. Once the time has elapsed, the user’s privileges will be revoked, and their permissions will revert to standard permissions.
Ephemeral account. With ephemeral accounts, no standing privileged accounts exist; instead, temporary privileges are created on an as-needed basis and are disabled after use. In order to gain access, a user must make a request for the amount of time required to complete a task requiring elevated permissions.
Best practices for JIT access include:
- Control policies. Establish control policies with user accounts that are differentiated according to the needed access levels of individual job roles.
- Triage accounts. Start with the most elevated accounts, such as administrator and service accounts, when reorganizing IT infrastructure.
- Vault credentials. Seal credentials in a centralized vault with the highest security clearance. JIT access systems help to rotate passwords, and users do not know them.
- Monitoring. JIT access systems can record all privileged access, and alerts can be enabled to bring attention to anomalous activity.
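The temporary-elevation flow and the monitoring practice described above, sketched as an added example (not code from the original page or from any PAM product). The names `JitBroker` and `Grant`, the role strings, the `admins` set and the one-hour `MAX_TTL` ceiling are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Hypothetical names throughout; MAX_TTL is an assumed policy ceiling.
MAX_TTL = 3600  # no elevation may last longer than one hour


@dataclass
class Grant:
    user: str
    role: str
    justification: str
    expires_at: float


@dataclass
class JitBroker:
    standing: dict                 # user -> standard (non-privileged) role
    eligible: dict                 # user -> set of roles the user may request
    admins: set                    # administrators allowed to approve requests
    clock: callable = time.time    # injectable so expiry can be exercised offline
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, event, user, detail=""):
        # Every decision is recorded so anomalous activity can be alerted on.
        self.audit.append((self.clock(), event, user, detail))

    def request(self, user, role, justification, ttl, approver):
        """Grant a time-boxed elevation only if policy and an administrator allow it."""
        if role not in self.eligible.get(user, set()):
            self._log("denied", user, f"{role}: not eligible")
            return False
        if not justification.strip() or not 0 < ttl <= MAX_TTL or approver not in self.admins:
            self._log("denied", user, f"{role}: bad justification, ttl or approver")
            return False
        self.grants[user] = Grant(user, role, justification, self.clock() + ttl)
        self._log("granted", user, f"{role} for {ttl}s, approved by {approver}")
        return True

    def effective_role(self, user):
        """Evaluate privileges at connection time; expired grants revert to standard."""
        grant = self.grants.get(user)
        if grant and self.clock() >= grant.expires_at:
            del self.grants[user]
            self._log("revoked", user, f"{grant.role} expired")
            grant = None
        return grant.role if grant else self.standing[user]
```

Because `effective_role` is checked on every connection rather than once at grant time, an elevation that has passed its expiry is never honoured, even if no background job has cleaned it up.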