Author: Chase Snyder, Sr. Product Marketing Manager at Xage Security
Just-in-time (JIT) access is an approach to reducing the risk of a privileged account being abused by cyberattackers. JIT access improves security by eliminating “always on” accounts for devices and network-connected assets. Always-on accounts are a prime target for cyberattackers: their credentials are often stolen and sold on the dark web, then used to gain initial access, escalate privileges, or move laterally as part of a ransomware campaign or for cyber sabotage.
Just In Time, Just Enough Access
Instead of leaving accounts active and at risk of being compromised, organizations can use an access control solution to grant a local or remote user the level of access they need to a specific resource for a limited time period. The user must request access and receive authorization, and must also authenticate to the asset itself. To maximize its effectiveness, JIT access must be layered with other protections, such as MFA for remote access, as part of an overall defensible architecture.
By requiring MFA at multiple steps, organizations can ensure that access to critical assets and applications can be granted in ways that are necessary for the organization, without accepting undue risk that those privileges will be compromised by an adversary.
Role-Based Access Control (RBAC) and Attribute-based Access Control (ABAC)
Granting just-in-time access also requires the ability to identify the level of privileges the user should have based on their role, and possibly other attributes. For example, even a user in a privileged role can be denied privileged access based on attributes such as their location, recent behavior, indicators of compromise (IOCs) detected on their device, or other risk signals. Role is one attribute in determining the amount of privilege and the access time window, but it is not the only factor to be considered.
Ephemeral Accounts
Some just-in-time access solutions will create ephemeral accounts with the correct privileges and time limitations in place, then deactivate the account after the assigned time period. Others will manage access to accounts that continue to exist, using password rotation and layers of MFA to protect the accounts, even though the accounts themselves persist. The term Zero Standing Privileges (ZSP) is sometimes used to describe the ideal state of an environment with no always-on privileged accounts.
Zero Trust and the Principle of Least Privilege
Combining just-in-time access with RBAC and ABAC dovetails perfectly with the zero trust principle of least privilege. This principle is a pillar of the zero trust approach to cybersecurity. Users and non-human identities should only ever have the minimum amount of privilege they need, for the amount of time that they need it, until the task at hand is complete.
Privileged Session Management (PSM)
Just in time access complements another vital security practice: privileged session management (PSM). With JIT, the organization controls when a user has access. With PSM, the administrator or security team can observe what’s happening during sessions in real time, and terminate or change permission levels on the fly to protect against risk.
PSM is one of the core capabilities to look for in a privileged access management (PAM) solution. The combination of JIT access and PSM is especially valuable in the context of securely bringing in third parties or contractors for specific tasks. When someone from outside your company needs time-limited privileged access for a specific task, the ability to monitor, record, and even terminate the session in progress is an important security control.
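The RBAC/ABAC checks, the time-boxed grant, and the PSM-style termination described above, pulled together in a small access broker. This is an added illustration, not Xage's code or product logic; the policy table, asset name "plc-07", roles, sites and risk attributes are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy for this example (a real deployment loads it from the PAM/policy store):
# which role may hold which privilege on which asset, the maximum grant lifetime, trusted sites.
ROLE_POLICY = {("plc-maintainer", "plc-07"): {"operator", "admin"},
               ("contractor", "plc-07"): {"operator"}}
MAX_TTL = timedelta(hours=2)
TRUSTED_SITES = {"plant-A", "corp-vpn"}

@dataclass
class Grant:
    user: str
    resource: str
    privilege: str
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now):
        return not self.revoked and now < self.expires_at

    def terminate(self):
        # PSM: an administrator watching the session can cut it off before expiry.
        self.revoked = True

class JitBroker:
    def __init__(self):
        self.grants = []

    def request(self, user, role, resource, privilege, ttl, *, mfa_ok, device_iocs, site, now):
        # RBAC: the role must be permitted this privilege level on this resource.
        if privilege not in ROLE_POLICY.get((role, resource), set()):
            return None, "role not permitted for this privilege"
        # ABAC: risk signals deny access even when the role is permitted.
        if not mfa_ok:
            return None, "mfa not satisfied"
        if device_iocs:
            return None, "indicators of compromise on requesting device"
        if site not in TRUSTED_SITES:
            return None, "location not trusted"
        # Time-box the grant; the requested window is capped by policy.
        grant = Grant(user, resource, privilege, now + min(ttl, MAX_TTL))
        self.grants.append(grant)
        return grant, "granted"

    def active_grants(self, now):
        # ZSP check: an empty list means no standing privilege exists at this moment.
        return [g for g in self.grants if g.is_active(now)]
```

Once the grant expires or is terminated, `active_grants` returns nothing for that user, which is the observable meaning of zero standing privileges.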
Many enterprises rely heavily on third-party service providers, software vendors, contract employees, and other outsiders who need remote access for management and monitoring. Securely enabling vendor remote access is an increasingly urgent security requirement.
Xage Demo of Just In Time Access and Session Management
Xage Security offers just-in-time access, privileged session management, multi-layer MFA, and other critical features that let enterprises enable necessary access and privileges without friction while keeping them securely controlled.
Here’s a brief video showing how Xage enables simple, seamless just in time access, privileged session management, and session termination.