Enabling Just-in-time Access
A true least-privilege security model requires users, processes, applications, and systems to have “just enough” rights and access to perform tasks —and for no longer than necessary.
Just-in-Time (JIT) access provisioning grants a user temporary, on-demand privileged access to resources. It’s a form of access management that is meant to address scenarios in which a user who may not typically need to use certain applications or services can receive timely access to those resources when they need it, but only for a short period of time.
Organizations are increasingly effective at applying the “just enough” access piece using privileged access management (PAM) solutions, but they have largely neglected the time-limited part. Tying privileged access to a specific time frame makes it possible to ensure access is temporary. When the current session is closed, the permissions are taken away, preventing an unauthorized access. If the user needs continued access, they must submit another request for that privileged resource.
Types of Just-In-Time configurations
There are three types of Just-In-Time policy configurations possible:
Enable/ Disable
In this configuration the account on the target server is in disabled mode. When we take the session for that target server the account is enabled and the session gets established successfully. On terminating the session the account on the target server again goes back into the disabled mode.
Provision/ De-provision
In this configuration the accounts get created on both the PAM as well as the target servers. When the accounts are no longer needed they can be de-provisioned in just one click across all the target servers.
Access Based Elevation
In this configuration the account that is added is elevated to higher privileges only for the time duration that the session is taken. After the session is disconnected it is again brought back to its original privilege level.