What is Just-In-Time Access Security?

The principle of Just-in-Time access security is exactly as the name suggests: access to IT resources precisely when needed. Users are granted privileges to access a system or resource to perform a specific task as and when the need arises. That is, just in time.

Why just in time?

Just-in-Time (JIT) access security is a foundational practice to help reduce superfluous access privileges, and a key tool in implementing the Principle of Least Privilege and Zero Trust security models.

As a policy, Just-in-Time security aims to minimize the risk of standing privileges in order to limit risk and exposure to potential cyber attack. When too many users have too many privileges at all times, the organization opens itself up to exponentially higher risk of having privileged credentials stolen, exploited, and escalated to steal secrets, encrypt data, or bring systems to a halt. Granting elevated privileges only as and when needed – no more and no less – restricts exposure to a minimum while still allowing users to go about their work efficiently.

In a recent study by Oracle and KPMG, 59% of surveyed companies suffered a cyber attack due to privileged credentials being shared or stolen. More than half of them. The odds are not in your favor when it comes to granting excessive privileges to users across your organization. In fact, most companies do give users too many privileges, to too many resources, as blanket policy. And often, applications and legacy systems require elevated privileges in order for users to do their jobs.

As we’ve seen time and time again, excessive privileges can put the IT infrastructure at extreme risk. In fact, 56% of reported vulnerabilities in Microsoft software in 2020 (the number of which increased by 48% since 2019) could have been mitigated by eliminating administrative privileges. That level of exposure represents a staggering risk to IT security.

Ultimately, the aim of Just-in-Time security is to reduce to an absolute minimum the number of users with elevated privileges, the amount of privileges they each hold, and the time duration for which they are granted. JIT enables organizations to improve cybersecurity posture, facilitated by strategic technology solutions, to minimize vulnerabilities and block malicious actors from potentially advancing and self-escalating privileges across the network.

Just-in-Time (JIT) security policies help companies to:

  • Improve overall cybersecurity posture
  • Eliminate excessive privileges & enact Zero Standing Privileges policy
  • Streamline & automate privilege escalation processes
  • Manage human and machine privileged users
  • Enable secure remote access to sensitive assets
  • Facilitate security without impacting productivity

How does it work?

JIT security, at its core, addresses three main factors of access: location, timing, and actions. Where is a user attempting to access from? Are they authorized to work during this timeframe, and how long will they need to retain access? What exactly are they attempting to do with their access?

When taking a Zero Standing Privileges approach, all users begin with no privileges to access IT resources, by default. The user will thus need to request access to the server, application, or other IT resource as needed to accomplish their work tasks. The user’s privilege escalation request is reviewed automatically to check the person’s role and authorizations, and access is granted or denied according to internal policy. When granted, the user’s privileges are temporarily elevated to enable access to carry out the intended activity for a specified duration, as defined by governance policy. When the task is completed or time has expired, the user’s privileges are revoked and returned to normal; that is, to zero standing privileges.

Take, for example, Alice, who is a contractor with XYZ Corp. Alice needs access to the IT system to perform maintenance on a few key servers as part of her mission. Thanks to WALLIX, Alice can submit a ticket request which, after quick approval, allows her exclusive access to precisely the equipment she intends to work on, and no others, for an allotted time according to XYZ Corp’s pre-defined terms.

Just-in-Time security can provide dynamic privilege elevation in clearly-defined conditions to ensure strong security posture:

  • Access only during normal work hours
  • Access to sensitive assets only for specific tasks
  • Elevating application privileges without elevating the full user session
  • Secure remote access for employees & external providers
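The request, review, time-bound grant and revocation flow described above can be sketched as a small policy broker. This is an added example, not WALLIX code or part of the original article; the policy contents, server names, network range and function names are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from ipaddress import ip_address, ip_network

# Constructed policy (assumption): who may do what, from where, when, for how long.
POLICY = {
    "contractor": {
        "targets": {"srv-maint-01", "srv-maint-02"},
        "actions": {"restart-service", "apply-patch"},
        "networks": [ip_network("10.20.0.0/16")],
        "hours": (time(8, 0), time(18, 0)),
        "max_duration": timedelta(hours=2),
    },
}

@dataclass(frozen=True)
class Grant:
    user: str
    target: str
    action: str
    expires_at: datetime

def request_access(user, role, target, action, source_ip, now, wanted):
    """Return (Grant, "granted") or (None, reason). The default is deny."""
    rule = POLICY.get(role)
    if rule is None:
        return None, "role has no JIT policy"
    if target not in rule["targets"] or action not in rule["actions"]:
        return None, "target or action not allowed for role"
    if not any(ip_address(source_ip) in net for net in rule["networks"]):
        return None, "source location not allowed"
    start, end = rule["hours"]
    if not (start <= now.time() < end):
        return None, "outside permitted hours"
    # Cap the requested duration at the policy maximum and at closing time.
    closing = datetime.combine(now.date(), end)
    expires = min(now + min(wanted, rule["max_duration"]), closing)
    return Grant(user, target, action, expires), "granted"

def is_authorized(grant, user, target, action, now):
    """Checked on every privileged operation; after expiry the user is back at zero privileges."""
    return (grant is not None and now < grant.expires_at
            and (grant.user, grant.target, grant.action) == (user, target, action))
```

Because the grant carries its own expiry and is checked on each operation, revocation does not depend on a cleanup job running on time.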

How to implement Just-in-Time Security

So you want to implement Just-in-Time security in your privileged access management policy. You’re convinced that it’s the right approach to minimizing risk and eliminating the excessive standing privileges that are rampant across your organization’s IT infrastructure. It sounds good in theory, but… how to put it into practice?

The first step would be to audit all user access privileges, company-wide, to determine the scope and scale of the issue. How many users are there? What are their profiles, and to which applications and systems do they typically need access? How many user accounts are dormant, and how many elevated privileges are rarely or never used?

Based on the answers uncovered, the next step is to establish internal policy to define requirements for users to be granted access to target systems: which roles and teams, under which conditions, and for how long should access be allowed?

You’ll also need to regain control over all passwords and credentials to target systems. Centralizing management and rotation of passwords to applications and IT assets is critical to ensuring comprehensive risk and vulnerability management.

Now you’re truly ready to implement solutions to enact Just-in-Time policy.

A Privileged Access Management solution is a strong first step to protect the “crown jewels” of the IT infrastructure. A PAM solution centralizes and streamlines secure access to critical IT assets like production servers, and eliminates the shared use of root passwords, locking down sensitive access. When connecting through a PAM solution like the WALLIX Bastion, the user experience is seamless, facilitating productivity and efficiency while fully vetting the user’s authorization to connect to the server based on the JIT principles defined in the solution.

And even users like IT admins with Bastion access don’t have unlimited elevated privileges at all times. Temporary privilege elevation can be requested as needed to enable human and machine users to carry out occasional tasks or run privileged commands. The user simply submits a ticket request to elevate privileges for a specified action and time period thanks to Privilege Elevation and Delegation Management.

Non-IT users can also be protected by Just-in-Time security solutions. Workstations are a constant source of vulnerability due to phishing scams and “password fatigue” of users with too many login credentials to too many different systems. However, removing local administrator accounts can cause headaches for hampered users and an overburdened Helpdesk. Endpoint Privilege Management empowers users to dynamically, seamlessly elevate privileges for a specific application or process without elevating session or user privileges, effectively eliminating vulnerable endpoint admin rights. With a solution like WALLIX BestSafe, access and privilege elevation is granted just in time, as and when a user needs to accomplish a specific task (running a program, installing approved software) while blocking unauthorized encryption operations or attempts at privilege escalation.

Once fully implemented, Just-In-Time access management strictly limits the amount of time an account possesses elevated privileges and access rights to reduce the risk and attack surface. Privileged accounts are only used for the time needed to complete the task or activity – users, accounts, and sessions don’t hold on to “standing privileges” once the task is complete. With WALLIX access security solutions, JIT is made simple with dynamic privilege elevation to ensure that only the right identities have the appropriate privileges when necessary, and for the least time necessary.
