Just-In-Time Security : the myth of security versus convenience

 

November 2022

With the rise of remote working, having access to the right organizational resources in a timely and efficient manner is becoming a major competitive advantage. Employees want to feel empowered and supported in working in the best way possible, and this includes having easy and quick access to their companies’ data from multiple devices and different locations. Today’s workforce is agile and flexible, and it brings with it a whole host of productivity and talent benefits. But this also means businesses need to be able to set the right administrative rights and ensure that staff is granted permission to the data they need when they need it.

The principle of Just-In-Time (JIT) access security has recently gained popularity among business leaders, and this is exactly what the name suggests: providing access to IT resources precisely when needed. In a nutshell, it means users are granted privileges to access a system or resource to perform a specific task as and when the need arises.

Why Just-In-Time?

The way we should look at Just-In-Time security is as a foundational practice. It is designed to help bolster security and maintain compliance while providing employees with much needed data access.

Employees want to be able to work from multiple devices, access data from anywhere, and do so easily and efficiently. While this comes as no surprise, over the last 18 months we have seen a major shift towards hybrid working, and now a large number of organizations in almost every industry are adopting it in one way or another.

However, one of the biggest security challenges is that when this access is not available or it becomes complex and inconvenient, employees will simply operate outside the parameters of IT. Employees can see security as a trade-off between ease of use and what is secure, which can become a massive problem for organizations. As a result, businesses need to address this early on, ensure employees have the access they need, and make sure that everyone is understanding cyber risks.

It is still necessary that organizations restrict access to sensitive data, so finding the balance can be a tricky situation. Whether remote or in the office, no business should be allowing its users complete blanket access to sensitive information. Also, providing too many users with too many privileges at all times opens the organization open to an exponentially higher risk of having privileged credentials stolen, exploited, and escalated in order to steal secrets, encrypt data, or bring systems to a halt. Granting elevated privileges only as and when needed —no more and no less— restricts exposure to a minimum while still allowing users to go about their work efficiently.

In a recent study by Oracle and KPMG, 59% of surveyed companies suffered a cyberattack due to privileged credentials being shared or stolen. So, the odds are not in your favor when it comes to granting excessive privileges to users across your organization. Most companies typically give users too many privileges, or too many resources, as a blanket policy.

Therefore, Just-In-Time access security is a foundational practice to help reduce superfluous access privileges, and a key tool in implementing the Principle of Least Privilege and Zero Trust security models. As a policy, Just-In-Time security aims to minimize the risk of standing privileges to limit risk and exposure to potential cyberattack.

This approach, at its core, addresses three main factors of access: location, timing, and actions. Where are users attempting to access from? Are they authorized to work during this timeframe, and how long will they need to retain access? What exactly are they attempting to do with their access?

Non-IT users can also be protected by Just-In-Time security solutions. Workstations are a constant source of vulnerability due to phishing scams and “password fatigue” of users with too many login credentials for too many different systems. However, removing local administrator accounts can cause headaches for hampered users and overburdened helpdesks. Endpoint Privilege Management (EPM) empowers users to seamlessly elevate privileges for a specific application or process without elevating session or user privileges. This effectively eliminates vulnerable endpoint admin rights.

Ultimately, the aim of Just-In-Time security is to reduce — to an absolute minimum — the number of users with elevated privileges, the number of privileges they each hold, and the time duration for which they are granted. This enables organizations to improve cybersecurity posture, facilitated by strategic technology solutions, to minimize vulnerabilities and block malicious actors from potentially advancing and self-escalating privileges across the network.

Putting Just-In-Time security into practice

The first step is to audit all user access privileges, company-wide, to determine the scope and scale of the issue. How many users are there? What are their profiles, and to which applications and systems do they typically need access? How many user accounts are dormant? And how many elevated privileges are rarely or never used?

Based on the answers uncovered, the next step is to establish an internal policy to define requirements for users to be granted access to target systems: Which roles and teams, under which conditions, and for how long should access is allowed? You will also need to regain control over all passwords and credentials to target systems. Centralizing management and rotation of passwords to applications and IT assets is critical to ensuring comprehensive risk and vulnerability management.

A privileged access management solution is a strong first step to protecting the “crown jewels” of the IT infrastructure. This type of solution centralizes and streamlines secure access to critical IT assets like production servers. This eliminates the shared use of root passwords, locking down sensitive access. Temporary privilege elevation can be requested as needed to enable human and machine users to carry out occasional tasks or run privileged commands. The user simply submits a ticket request to elevate privileges for a specified action and time thanks to privilege elevation and delegation management. When connecting through a privileged access management solution, the user experience is seamless, facilitating productivity and efficiency while fully vetting authorization to connect to the server based on the Just-In-Time principles defined in the solution.

Reaping the benefits

Once fully implemented, Just-In-Time access management strictly limits the amount of time an account possesses elevated privileges and access rights to reduce the risk and attack surface. Privileged accounts are only used for the time needed to complete the task or activity — users, accounts, and sessions do not hold on to “standing privileges” once the task is complete. With the proper access security solutions, Just-In-Time is made simple with dynamic privilege elevation to ensure that only the right identities have the appropriate privileges when necessary, and for the least time necessary.

Read the article on Intelligent CISO.