Learn how Just-in-Time Privileged Access Management (JIT PAM) can help organisations in the GCC region mitigate the risks associated with excessive privileges and improve overall security.
Much of the GCC region’s IT infrastructure has at least one foot in another organisation’s tech environment. This IT sprawl has led to an explosion in the number of user accounts and the privileges they hold. To make our new hybrid world run smoothly, we have knowingly opened many windows and doors to third parties. But do we know all the parties that are sneaking through these openings? “Too many privileges open at any one time” is a problem with a ready solution: ensure that any authorised process or user is given only the access required to perform a necessary task, and only while that task is being performed.
Just-in-time (JIT) access, or just-in-time privileged access management (JIT PAM), is the practice of granting access to systems and resources only for the duration required to complete a task; no earlier, no later. While time is the classic basis for defining when permissions expire, other conditions (the task completing, a session ending, a risk signal changing) can also be used. What matters is eliminating the risk-laden practice of permanently assigning permissions to an account. Standing privileges are a recipe for risk even when they adhere to the just-enough-access (JEA) principle, under which users are granted only enough access to fulfil their role and no more, but hold that access in perpetuity. To withstand modern attack methods, an organisation must combine JEA and JIT. This is a foundational step in building a zero-trust security framework.
The benefits of JIT are not just theoretical. Consider a JEA account with standing privileged access. If the account is compromised, those privileges are available to attackers 24 hours a day, or 168 hours a week. Now consider JIT access for a task that is performed once a week and takes one hour. The window in which the compromised account actually holds privileged access has shrunk from 168 hours to one hour. If we treat the attack window duration as a risk factor, then on that metric alone risk has dropped by 99.4% (167 of 168 hours removed) in the described scenario. The caveat a practitioner should keep in mind is that this holds only if the elevation path itself is protected by approval, MFA or context checks; an attacker who holds the credential and can simply request the same elevation has not been kept out of the window, only made to ask for it.
A police officer’s headache
These simple numbers build the case for JIT PAM. Too many GCC organisations operate too many accounts with unnecessary entitlements. For larger organisations, there may be tens of thousands of such accounts. On-premises servers, platforms, and devices combine with cloud-native services to create a police officer’s headache: too much ground to patrol and too few boots to cover it. The answer is to shrink the ground, the attack surface, using JIT. In doing so, enterprises also remove their blinkers, since many organisations in the age of cloud are functionally blind to what is in their own IT environment. They get to know the identities of those with elevated access, or the potential for it. The result is tighter security and everything that goes with it, including happier regulators and better options for cyber insurance.
JIT PAM is automated. Privileges are designed in advance as bundles, then provisioned to accounts and revoked in real time as tasks start and finish. The business knows itself better than any outside consultant or cyber expert ever could, so it is fitting that it takes control of the access of every staff member and assigns privileges as needed, rather than allowing an account to “own” permissions.
JIT PAM is context-sensitive. Source IP address, geolocation, group membership, host operating system, active or inactive applications, known unremediated vulnerabilities on the requesting host, and more can be used to grant or cut off access as needed. Today’s PAM technologies are even capable of assigning bundled JIT permissions so that authorised users can carry out work that spans many different applications, platforms, or domains. This is invisible to the user, as are the monitoring, auditing, reporting, and investigation that accompany it. Access is revoked only when predetermined criteria are met (expiry, task completion, or a changed risk signal), which keeps the experience frictionless for legitimate users in a well-designed framework.
Use wisely
When implementing JIT, use cases go beyond defining and assigning access. Creation and deletion of credentials and permission bundles should be subject to governance, with everything logged in case it is needed later for forensics. This includes every addition to and removal from an administrative group. JIT PAM can keep sysadmin accounts disabled until their permissions are needed to perform a task. Because they are disabled between tasks, they cannot be leveraged the way a traditional always-on account can, even though the administrator’s user experience is effectively the same.
A non-admin account can also be linked to one or more admin accounts and assume their permissions. This can happen instantaneously to perform certain actions and be revoked as soon as the actions are complete. Under JIT PAM, security teams can also opt for JIT tokenisation, where the access token under which an application or process runs is adjusted at launch so that the application holds elevated rights while the end user’s own account does not. This is useful for endpoint security, where the goal is to elevate the privileges of an application rather than those of the end user.
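The context checks described above (source network, group membership, host vulnerability state) and the grant lifecycle described in this section (admin identity kept disabled until needed, time-boxed elevation via group membership, every group change and revocation written to an audit log) are shown together in the following added Python example. It is illustrative code written for this page, not the article’s own material and not any vendor’s PAM product; the bundle names, policy values, users, addresses and the `JitBroker` class itself are constructed assumptions.

```python
"""Added example: a minimal JIT PAM broker. Not from the article; all
bundle names, policy values, users and addresses are constructed here."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set
import ipaddress

# Privilege bundles designed in advance (hypothetical): the admin groups
# each confers and a ceiling on how long a single grant may last.
BUNDLES = {
    "db-maint": {"groups": {"sql-admins"}, "max_minutes": 60},
    "patching": {"groups": {"server-admins"}, "max_minutes": 120},
}
# Context policy (hypothetical): who may request a bundle, and from where.
POLICY = {
    "db-maint": {"requester_groups": {"dba"}, "source_nets": ["10.0.0.0/8"]},
    "patching": {"requester_groups": {"ops"}, "source_nets": ["10.0.0.0/8"]},
}


@dataclass
class Request:
    user: str
    bundle: str
    minutes: int
    source_ip: str
    user_groups: Set[str]
    host_has_known_vulns: bool = False


@dataclass
class Grant:
    user: str
    bundle: str
    expires_at: datetime


@dataclass
class JitBroker:
    clock: Callable[[], datetime]          # injected so expiry is testable
    grants: List[Grant] = field(default_factory=list)
    group_members: Dict[str, Set[str]] = field(default_factory=dict)  # starts empty: no standing access
    enabled_admins: Set[str] = field(default_factory=set)             # disabled until a grant is active
    audit: List[str] = field(default_factory=list)

    def _log(self, event: str) -> None:
        self.audit.append(f"{self.clock().isoformat()} {event}")

    def evaluate(self, req: Request) -> Optional[str]:
        """Return a denial reason, or None when the request context satisfies policy."""
        policy, bundle = POLICY.get(req.bundle), BUNDLES.get(req.bundle)
        if policy is None or bundle is None:
            return "unknown bundle"
        if not (req.user_groups & policy["requester_groups"]):
            return "requester not in an authorised group"
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in policy["source_nets"]):
            return "source address outside permitted networks"
        if req.host_has_known_vulns:
            return "requesting host has unremediated vulnerabilities"
        if req.minutes <= 0 or req.minutes > bundle["max_minutes"]:
            return "requested duration outside bundle limits"
        return None

    def request(self, req: Request) -> bool:
        """Grant a time-boxed elevation if policy allows; every decision is logged."""
        reason = self.evaluate(req)
        if reason:
            self._log(f"DENY user={req.user} bundle={req.bundle} reason={reason!r}")
            return False
        expires = self.clock() + timedelta(minutes=req.minutes)
        self.grants.append(Grant(req.user, req.bundle, expires))
        self.enabled_admins.add(req.user)
        for group in BUNDLES[req.bundle]["groups"]:
            self.group_members.setdefault(group, set()).add(req.user)
            self._log(f"GROUP-ADD user={req.user} group={group}")
        self._log(f"GRANT user={req.user} bundle={req.bundle} until={expires.isoformat()}")
        return True

    def sweep(self) -> int:
        """Revoke expired grants, strip their groups, re-disable idle admins; returns count revoked."""
        now = self.clock()
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            for group in BUNDLES[g.bundle]["groups"]:
                self.group_members[group].discard(g.user)
                self._log(f"GROUP-REMOVE user={g.user} group={group}")
            if not any(x.user == g.user for x in self.grants):
                self.enabled_admins.discard(g.user)
                self._log(f"DISABLE user={g.user}")
            self._log(f"EXPIRE user={g.user} bundle={g.bundle}")
        return len(expired)

    def has_privilege(self, user: str, group: str) -> bool:
        """True only while the user is enabled and holds an unexpired grant conferring the group."""
        self.sweep()
        return user in self.enabled_admins and user in self.group_members.get(group, set())


def demo() -> dict:
    """Walk through a grant, two denials and an expiry; returns the observations."""
    t = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    broker = JitBroker(clock=lambda: t[0])
    granted = broker.request(Request("alice", "db-maint", 60, "10.1.2.3", {"dba"}))
    during = broker.has_privilege("alice", "sql-admins")
    denied_ip = broker.request(Request("bob", "db-maint", 30, "203.0.113.5", {"dba"}))
    denied_vuln = broker.request(Request("carol", "patching", 30, "10.9.9.9", {"ops"}, True))
    t[0] += timedelta(minutes=61)            # advance the clock past alice's expiry
    after = broker.has_privilege("alice", "sql-admins")
    return {"granted": granted, "during": during, "denied_ip": denied_ip,
            "denied_vuln": denied_vuln, "after": after,
            "alice_enabled": "alice" in broker.enabled_admins, "audit": broker.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The design point is that the broker, not the account, owns the privilege: group membership exists only between `GRANT` and `EXPIRE` audit entries, the admin identity is disabled outside that window, and a request that fails any context check never touches group membership at all. A real deployment would replace the in-memory dictionaries with calls to the directory or cloud IAM, and would run `sweep()` on a schedule rather than lazily.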
The user experience remains intact, regardless of the privilege level or role. JIT PAM allows the securing of privileged access for everything from remote work and DevOps to emergency troubleshooting and temporary projects.
Get the JITers
JIT PAM platforms can start to address the “too many accounts; too many privileges” issue by dispensing with the standing-access model. Enforcing least privilege is one thing, but to stump today’s threat actor, we must also enforce JIT credentials across on-premises and cloud environments alike. Supporting technologies will let organisations eliminate privilege blindness and allow security teams to add context when calculating risk.
In a modern IT estate, reaching zero standing privileges (ZSP), the total elimination of always-on entitlements, is rarely practical. IoT deployments, for example, typically rely on always-on machine identities to function. However, with modern analytics-driven (including AI-assisted) security tooling, organisations gain rich visualisation that makes it easier to identify privileged pathways and identity weaknesses. Taken together, the latest PAM solutions can help the region feel safer, knowing attack windows have shrunk to a sliver of what they were.