What is Just in Time Access?

Just-in-time (JIT) access, also known as just-in-time privileged access management, entails providing users with granular access to specific resources only for the finite moments needed. A JIT access model minimizes the threat windows when access can be exploited by external attackers or misused by insiders.

Traditional access control methods provision permissions broadly and for an indefinite period, resulting in excessive permissions and higher risk of cyber exposure. The goal of a just-in-time permissions and access model is to grant ephemeral access to resources only as needed, reducing excess periods of access to sensitive systems or data. In addition, JIT access minimizes the risks of accumulated access privileges over time (privilege creep).

Providing only temporary or time-bound access is also an essential component of adhering to the principle of least privilege and of enabling zero trust.

The Risks of Standing Privileges and Access

Standing privileges are those privileges which are persistent, meaning they are "always on" and enabled. This means the permissions and access can always be used--whether by an insider, malware, or attacker.

The more accounts with unchecked privileges, and the longer the duration they have access, the more attack vectors exist on the network. Because accounts with standing privileges have constant access, they represent a continuous cyber threat. In the event of a breach where a privileged identity or account is compromised, the attackers gain access to their privileges.

Standing access for vendor accounts is a common risk. Many organizations have poor visibility into the security hygiene of their vendors. With many organizations having dozens, if not hundreds of vendors that need access, standing privileged access presents a substantial risk.

Today, the sprawl of standing permissions and privileges is exponentially worse thanks to the expansion of cloud environments.

To illustrate, Microsoft’s State of Cloud Permissions Risks report found:

  • Over 40,000 permissions across key cloud infrastructure platforms that can be granted to identities, of which more than 50% are high-risk.
  • 50% of cloud identities are Super Admins, which are users or workloads that have access to all permissions and resources.
  • 60% of cloud identities were found to be inactive and haven’t used any of their permissions granted in the last 90 days.

And, in 99% of pentesting cases conducted by IBM’s X-Force Red, the pentesters succeeded in compromising client cloud environments through excess privileges or permissions.

An ideal security state would entail the elimination of all standing privileged access. This desired end state is referred to as zero standing privileges (ZSP). However, some automation accounts, such as service accounts, may need to be in an always-on state to effectively orchestrate workflows.


Benefits of a Just-in-Time Privileged Access Model

A just-in-time access model provides considerable benefits, including:

  • Reduced cyber risk: Privileged threat windows and attack surfaces may be minimized more than 90%. This equates to lower risk and impact of cyberthreats, such as ransomware, malware, insider threats, and more.
  • Regulatory compliance: Least privilege and limited standing privileged access are key parts of numerous regulatory and compliance frameworks. In addition, just-in-time permissions and access minimize the number of privileged sessions, making it easier to audit privileged activity.
  • Cyber insurance qualification: Enforcement of least privilege is a foundational security control required by most cyber insurers to qualify for coverage and get the best rates. Cyber insurers value controls such as JIT access that can curb cyber threats and lower risk.
  • Reduced workload: JIT access automation removes manual processes and much of the decision-making burden from IT. For instance, dynamically determining and provisioning amongst the tens of thousands of cloud permissions is manually infeasible. JIT access also gives the right users what they need, when they need it, without hassle.

Who Needs Just-In-Time Access?

Any digital organization can benefit from brokering and removing access in adherence to a just-in-time privileged access model. This includes, but is not limited to banking and finance institutions, healthcare organizations, and government agencies. It's also crucial for SaaS companies, which often handle large amounts of sensitive user data.

Individual teams or roles within organizations, such as administrators and DevOps, often require privileged access. These users can utilize just-in-time principles to enhance security (JIT PAM). For example, rather than giving a developer unlimited access to a production server to deploy updates, provide just-in-time access that is active only for the finite moments necessary to deploy the updates.

Vendor access and break glass access are also important use cases.

JIT permissions can be used to provide temporary elevation of access for other roles as well, such as marketing, HR, and even sales. Wherever applied, JIT access helps to improve an organization's security posture.

How Does Just-in-Time Access Work?

PAM, other Identity and Access Management (IAM) solutions, and Permission Management Systems may all address various just-in-time access use cases.

Here are common steps in JIT access workflows:

  1. User requests access
  2. A workflow is triggered - this may be completely invisible to the end user, or may require some further action on their part
  3. Based on context that should blend policy parameters (IP address, geolocation, time of day, vulnerabilities and risks, etc.), an access decision is made. If access is approved, a system dynamically automates access, or a supervisor grants it on a time-limited basis.
  4. Once the allocated time expires, the objective has been completed, and/or other parameters have been met, the system automatically revokes the given access.
  5. During this time, all access is audited.
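The five-step workflow above, as an added example that is not part of the original page or of any BeyondTrust product: a minimal in-memory JIT broker in Python that evaluates a request against assumed policy parameters (a corporate network range, business hours, and a risk-score threshold), issues a time-limited grant, revokes it automatically once the time expires, and records every decision in an audit trail.

```python
# Minimal JIT access broker following the request -> decide -> grant -> revoke -> audit flow.
# Policy values below are constructed for illustration, not taken from any product.
import ipaddress
from datetime import datetime, timedelta, timezone

POLICY = {
    "allowed_networks": [ipaddress.ip_network("10.0.0.0/8")],  # assumed corporate range
    "business_hours": range(8, 18),   # 08:00-17:59 UTC, assumed
    "max_risk_score": 50,             # assumed threshold from a risk feed
    "max_duration": timedelta(hours=1),
}

GRANTS = {}   # grant_id -> (user, resource, expires_at)
AUDIT = []    # every decision and revocation is recorded (step 5)

def request_access(user, resource, src_ip, now, risk_score, duration=timedelta(minutes=30)):
    """Steps 1-3: evaluate request context against policy; return a grant id or None."""
    ip = ipaddress.ip_address(src_ip)
    reasons = []
    if not any(ip in net for net in POLICY["allowed_networks"]):
        reasons.append("ip_not_allowed")
    if now.hour not in POLICY["business_hours"]:
        reasons.append("outside_business_hours")
    if risk_score > POLICY["max_risk_score"]:
        reasons.append("risk_too_high")
    if duration > POLICY["max_duration"]:
        duration = POLICY["max_duration"]   # clamp the window rather than reject
    if reasons:
        AUDIT.append(("deny", user, resource, now, reasons))
        return None
    grant_id = f"{user}:{resource}:{int(now.timestamp())}"
    GRANTS[grant_id] = (user, resource, now + duration)
    AUDIT.append(("grant", user, resource, now, GRANTS[grant_id][2]))
    return grant_id

def is_active(grant_id, now):
    """Access is valid only while the grant exists and its window has not elapsed."""
    g = GRANTS.get(grant_id)
    return g is not None and now < g[2]

def revoke_expired(now):
    """Step 4: automatic revocation once the allocated time has passed."""
    expired = [gid for gid, (_, _, exp) in GRANTS.items() if now >= exp]
    for gid in expired:
        user, resource, _ = GRANTS.pop(gid)
        AUDIT.append(("revoke", user, resource, now, "expired"))
    return expired
```

In a real deployment `revoke_expired` would run on a scheduler and the grant would map to an actual group membership, role assignment, or account enablement rather than an in-memory dict.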

Organizations are increasingly adopting just-in-time access, particularly within cloud infrastructure and DevOps environments, where the dynamic nature of the work necessitates giving and revoking access rights frequently. For SaaS applications, just-in-time access automatically manages the access rights of transient users and automates user management in SaaS environments. This enhances security while eliminating manual de-provisioning processes. By automating access provisioning and de-provisioning and adding self-serve access request capabilities and approval workflows, organizations can ensure SaaS access is fine-grained and time-bound.

Here are some common methods of implementing JIT access:

JIT Account Creation and Deletion: A privileged account is temporarily created to complete an objective, then deleted once the task is completed or the allotted time has expired.

JIT Privileges: Individual privileges, permissions, or entitlements are elevated for an account to perform a mission once all criteria are met, but only for a limited duration.

JIT Group Membership: The automatic addition and removal of an account into a privileged administrative group for the duration required to complete an objective.

JIT Impersonation: The account is linked to a preexisting administrative account(s). When a specific application or task is performed, the function is elevated using the credentials of the preexisting account.

JIT Disabled Administrative Accounts: Disabled administrator accounts are present in a system with all the permissions, privileges, and entitlements to perform a function.

JIT Tokenization: The application or resource has its privileged token modified before injection into the operating system kernel.

Reduce standing access by 90%+. Automate JIT provisioning of permissions and privileges. Contact BeyondTrust to get started.
