Just-in-Time Privileged Access Management (JIT PAM) is the method by which organizations can enforce “true” least privilege, to drastically reduce the threat surface. So, what exactly do I mean by “true” least privilege? I’ll provide a condensed overview in this blog, but if you’re interested in a more thorough education on the subject, you should check out our new resource: The Guide to Just-In-Time Privileged Access Management: What It Is, Why You Need It, & How to Implement It.
Least Privilege as Commonly Practiced Today
Least privilege management, as it is typically practiced today, entails restricting privileges/privileged access for users, processes, applications, systems, etc. to just enough access—and nothing more—to perform a legitimate activity. This approach on its own is immensely effective at reducing the threat surface. For instance, as we reported in our latest annual Microsoft Vulnerabilities Report, 88% of Critical vulnerabilities published by Microsoft over the last five years could have been mitigated by removing admin rights from users, and 81% of all Microsoft vulnerabilities would be eliminated by removing local admin rights. That is just a small glimpse into the risk-reduction power of enforcing just-enough access, which is the way least privilege is typically conceived of and practiced.
Yet, the abuse and/or misuse of privileges plays a role in almost every cybersecurity breach incident today. Partly, this is because many organizations have still not even implemented the basics of least privilege (i.e. just-enough access). However, it’s also because organizations are neglecting, or overlooking, an essential piece of least privilege—limiting the duration of privileges/privileged access.
Despite enforcing just-enough access, the remaining problem and residual privilege risk is that privileged user accounts—such as Admin or Root—are still:
- always enabled
- always in possession of their entitlements and privileges
- always able to perform privileged tasks on an asset
Today, powerful privileged user accounts with always-on (24x7) privileged access proliferate across enterprises. This presents a massive risk surface, because the privileged access, rights, and permissions are permanently in a privilege-active mode and ready to be exercised, for legitimate activities as well as for illicit ones. This always-on model essentially equates to a vast over-provisioning of privileges, offering cyber threat actors a wide window of opportunity in which to act.
What is Just-In-Time Privileged Access Management (JIT PAM)?
A true least-privilege security model requires users, processes, applications, and systems to have just enough rights and access—and for no longer than required—to perform a necessary action or task. Eliminating persistent privileged access for privileged user accounts—and activating it only for the duration it is needed to perform an activity—is the component of least privilege that most organizations have neglected to implement.
Implementing JIT PAM can ensure that identities only have the appropriate privileges when necessary, and for the least time necessary. This process can be entirely automated so that it is frictionless and invisible to the end user.
JIT PAM sharply limits the duration for which an account possesses elevated privileges and access rights, drastically reducing the window of vulnerability during which a threat actor can exploit account privileges. Additionally, by limiting privileged sessions, JIT PAM simplifies auditing and compliance activities.
Consider a typical always-on privileged account that may be “privilege-active” 168 hours a week. By shifting to a JIT PAM approach, you could reduce that privilege-active state from 168 hours down to several hours, or even just a couple dozen minutes if the account rarely needs to be used. Multiplying this effect across all your enterprise’s privileged user accounts will have a truly massive impact on risk reduction.
Adopting just-in-time as part of your privilege management approach means you can implement a true least-privilege model enterprise-wide. The reduction in exposure is not only a matter of time: attack vectors that rely on techniques like lateral movement are also mitigated, since there is no always-on privileged account to leverage across resources.
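To make the mechanics concrete, here is an added example of the JIT model described above: a small in-memory elevation broker that issues time-boxed grants, refuses requests without a justification, revokes grants when they expire, and reports the resulting privilege-active hours against the 168-hour always-on baseline. This is illustrative code written for this page, not the author's code or any PAM product's API; the broker class, its policy cap, the principal and role names, and the timestamps are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

WEEK_HOURS = 24 * 7  # 168: privilege-active hours of an always-on admin account


@dataclass
class Grant:
    principal: str
    role: str
    granted_at: datetime
    expires_at: datetime
    justification: str


@dataclass
class JitBroker:
    """Constructed in-memory JIT elevation broker (hypothetical, not a real product API)."""
    max_minutes: int = 60                               # assumed policy cap on any single grant
    grants: List[Grant] = field(default_factory=list)   # currently active grants
    history: List[Grant] = field(default_factory=list)  # every grant ever issued, for reporting
    audit: List[str] = field(default_factory=list)      # one line per decision, for review

    def request_elevation(self, principal: str, role: str, minutes: int,
                          justification: str, now: datetime) -> Optional[Grant]:
        """Issue a time-boxed grant; deny requests with no stated reason, clamp to policy."""
        if not justification.strip():
            self.audit.append(f"{now.isoformat()} DENY {principal} {role}: no justification")
            return None
        minutes = min(minutes, self.max_minutes)
        grant = Grant(principal, role, now, now + timedelta(minutes=minutes), justification)
        self.grants.append(grant)
        self.history.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {principal} {role} {minutes}m: {justification}")
        return grant

    def is_active(self, principal: str, role: str, now: datetime) -> bool:
        """Authorisation check: privileged only inside an unexpired grant window."""
        return any(g.principal == principal and g.role == role
                   and g.granted_at <= now < g.expires_at
                   for g in self.grants)

    def revoke_expired(self, now: datetime) -> int:
        """Scheduler hook: drop expired grants and record each revocation."""
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            self.audit.append(f"{now.isoformat()} REVOKE {g.principal} {g.role}")
        return len(expired)

    def active_hours(self, principal: str, role: str,
                     window_start: datetime, window_end: datetime) -> float:
        """Privilege-active hours for one principal/role within a reporting window."""
        total = timedelta()
        for g in self.history:
            if g.principal != principal or g.role != role:
                continue
            start, end = max(g.granted_at, window_start), min(g.expires_at, window_end)
            if end > start:
                total += end - start
        return total.total_seconds() / 3600


def exposure_reduction(jit_hours: float) -> float:
    """Fraction of the always-on (168 h/week) exposure window removed by JIT."""
    return 1 - jit_hours / WEEK_HOURS


def run_demo() -> float:
    """Constructed week: one 30-minute grant, one request clamped from 240 to 60 minutes."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    broker = JitBroker()
    broker.request_elevation("alice", "local-admin", 30, "apply monthly patches", t0)
    broker.revoke_expired(t0 + timedelta(minutes=31))
    broker.request_elevation("alice", "local-admin", 240, "restore database", t0 + timedelta(days=1))
    week_start = t0.replace(hour=0)
    hours = broker.active_hours("alice", "local-admin", week_start, week_start + timedelta(days=7))
    for line in broker.audit:
        print(line)
    return hours


if __name__ == "__main__":
    h = run_demo()
    print(f"privilege-active: {h:.1f} h/week vs {WEEK_HOURS} h always-on "
          f"({exposure_reduction(h):.1%} reduction)")
```

The two design points worth noting are that authorisation is checked against the grant window on every use rather than at request time, so a session cannot outlive its grant, and that every decision (deny, grant, revoke) is written to the audit list, which is what makes the shortened privileged sessions easy to review afterwards.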
Here’s a representation of how your IT environment looks when you have only enforced the just-enough access piece of least privilege.