The Context
Privileged accounts are the ‘keys’ to an enterprise’s most sensitive and confidential information: the crown jewels.
Is it safe to keep the ‘keys’ to these crown jewels accessible 24 hours a day? Not really. Organizations nevertheless frequently make the mistake of allowing ‘always-on’ privileged access to critical systems, leaving the ‘crown jewels’ exposed to compromised insiders and third parties.
The objective behind creating privileges is to speed up IT infrastructure and administrative tasks through Segregation of Duties (SOD) and rule- and role-based access. Many times, privileged accounts are created on an ad hoc basis to accommodate IT requirements. In that pursuit, however, organizations often overlook that, at a time when applications in the cloud era are multiplying rapidly, granting access without time-based access controls widens the insider attack surface.
The risk arises when organizations fail to retract elevated privileges once the task is complete. These unnecessary standing privileges pose a serious security threat, since the system or application remains exposed to unwanted access. Malicious insiders, suspicious third-party users, and hackers look for exactly this kind of access-control weakness because it makes data assets easy to compromise.
So, how could organizations address the threats arising from ‘always-on’ privileges?
Let us elucidate.
Why the JIT approach – A Brief Analysis
Today there is a massive proliferation of digital identities in every IT environment. It is a constant challenge for IT risk assessment teams to seamlessly monitor and manage every user activity. As a result, the chances of unauthorized access, data breach, and cyber espionage remain high.
The Just-In-Time (JIT) privilege approach helps organizations follow the principle of ‘Least Privilege’ and mitigates threats arising from ‘always-on’ privileges. It gives administrators ample scope to grant privileged rights for a task securely without worrying about revoking those rights afterwards.
There are incidents in which a Just-In-Time approach could have saved the organization from a breach. For instance, in the Anthem breach, an insider with legitimate access to the organization’s confidential information used it for malicious activities. The compromised employee committed identity theft and misused sensitive information. Had a Just-In-Time access policy been in place, the elevated access rights would have been revoked automatically after the designated time and the data breach would have been prevented.
Below are some noteworthy benefits of the Just-In-Time (JIT) access policy.
Prevent Unauthorized Access: The more ‘Unlimited Access’ there is, the more chances there are of ‘Unauthorized Access.’ Under unlimited access, organizations lose track of who is accessing what, when, and for which reason. As a result, there is no real governance of user identities and their activities. With a Just-In-Time privilege policy, organizations can control the dangerous practice of ‘unlimited (and uncontrolled) access’ to critical systems.
Automated Revocation of Privileged Rights: Typically, IT administrators are responsible for revoking privileged rights once the task is done. If that is not done, unwanted standing privileges remain, increasing the risk of misuse of elevated rights. With the JIT approach, revocation is automated and organizations no longer depend on a manual process.
Foundation for the ‘Least Privilege’ principle: Just-in-time privilege lays the foundation of the least privilege concept by eliminating standing privileges. It mitigates the risks arising from the ‘always-on’ privilege practice, including identity misuse, data breach, data espionage, etc.
Security & IT efficiency: Just-In-Time privilege strengthens the access control model by allowing users access only for a predefined duration. Once the duration is over, users are denied access automatically. This enhances security, since access is provided only when required, and improves the IT user experience by reducing the time spent granting and revoking access.
Compliance: By deploying a JIT security approach, organizations can stay compliant with regulatory requirements. For example, the requirement of transparency of information and right access to data as mentioned by GDPR in Article 12 can be met easily through the just-in-time security approach. Apart from GDPR, HIPAA, PCI DSS and FedRAMP demand secure access control to ensure that every access to information assets meets the mandatory restrictions. With JIT, every access to critical systems is granted exclusively on a ‘need-to-know’ and ‘need-to-do’ basis. Hence, secure access is maintained.
Critical JIT Use Cases and how ARCON’s Just-In-Time privilege approach responds to them
Here are some day-to-day use cases found in a dynamic IT environment that can be addressed by ARCON | Privileged Access Management’s (PAM) Just-In-Time (JIT) approach.
On-Demand Temporary Accounts: Nowadays, organizations create on-demand temporary privileged accounts to accomplish ad hoc tasks. To do so, IT administrators select existing users and grant them temporary privileges. There is a chance of privilege misuse if those rights are not revoked on time. ARCON | PAM’s JIT approach helps organizations with limited, pre-defined provisioning of privileged accounts (new user / guest user) that have access to the required system only. These on-demand temporary accounts ensure data security and data integrity throughout the duration of access.
Ephemeral Credentials: We count on OTPs when doing financial transactions anywhere. An OTP is safe and secure for its specific time window; after that time is over, it carries no value. Since JIT access is a temporary right, the ephemeral credentials of ARCON’s JIT approach are the ‘OTP’ for user access rights: temporary access codes that remain valid only for the duration of authorized access. Users do not have to manually enter the login credentials of the privileged account when connecting, because they are supplied automatically by ARCON’s JIT mechanism. Once the task is completed, the ephemeral credentials become invalid.
Time-based Privileged Elevation: ARCON’s JIT approach helps organizations secure their information assets by allowing time-based access to critical systems. With this, end users gain the ability to execute privileged commands for a one-time, defined time span, restricted to specific applications. It can be requested by the end user daily or weekly as required. The admin retains full control over how long approvals remain valid.
Temporary Elevation – Group Membership: ARCON provides a Temporary Elevation – Group Membership option that is useful whenever a user requires temporary elevated access to perform a task or activity. With this functionality, the admin can allow the user to be added to any admin group temporarily for a specific period. After the period is over, the user is removed from the group automatically, in keeping with Just-In-Time policy standards.
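The mechanics behind the benefits and use cases above (time-bounded elevation, ephemeral credentials that die with the access window, temporary group membership, and automated revocation with an audit for leftover standing privileges) can be modelled in a few dozen lines. The following broker is an added illustration written for this article, not ARCON’s code or API; the class and method names are hypothetical, and the clock is passed in explicitly so expiry is deterministic.

```python
# Added example (not ARCON's code): a minimal JIT privilege broker modelling
# time-bounded elevation, ephemeral credentials and automated revocation.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    user: str
    target: str                     # system or admin group elevated to
    expires_at: Optional[datetime]  # None = standing (always-on) privilege
    credential: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    revoked: bool = False


class JitBroker:
    def __init__(self, max_ttl: timedelta = timedelta(hours=4)):
        self.max_ttl = max_ttl  # admin cap on how long an approval stays valid
        self.grants: list[Grant] = []

    def elevate(self, user: str, target: str, ttl: timedelta, now: datetime) -> Grant:
        # The expiry is fixed when the grant is made, never extended silently.
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            raise ValueError(f"ttl must be within (0, {self.max_ttl}]")
        grant = Grant(user=user, target=target, expires_at=now + ttl)
        self.grants.append(grant)
        return grant

    def is_active(self, g: Grant, now: datetime) -> bool:
        return not g.revoked and g.expires_at is not None and now < g.expires_at

    def check_credential(self, credential: str, now: datetime):
        """Resolve an ephemeral credential; valid only inside its access window."""
        for g in self.grants:
            if secrets.compare_digest(g.credential, credential) and self.is_active(g, now):
                return g.user, g.target
        return None

    def members(self, group: str, now: datetime) -> list[str]:
        # Effective temporary group membership at a given instant.
        return [g.user for g in self.grants if g.target == group and self.is_active(g, now)]

    def sweep(self, now: datetime) -> list[Grant]:
        """Automated revocation: close every grant whose window has passed."""
        expired = [g for g in self.grants if not g.revoked
                   and g.expires_at is not None and now >= g.expires_at]
        for g in expired:
            g.revoked = True
        return expired

    def standing_privileges(self) -> list[Grant]:
        """Audit hook: grants without expiry are the always-on access JIT removes."""
        return [g for g in self.grants if g.expires_at is None and not g.revoked]
```

Running sweep() on a schedule is what turns ‘the admin forgot to revoke’ into a non-event, and standing_privileges() is the report a reviewer would ask for before claiming least privilege.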
Conclusion
The Just-In-Time (JIT) privilege approach helps organizations follow the principle of ‘Least Privilege’ and mitigates threats arising from ‘always-on’ privileges. The ARCON | Privileged Access Management (PAM) solution enforces the ‘Least Privilege’ principle with the help of its Just-In-Time access approach.