Just-In-Time for Privileged Access Management: Don’t distribute accesses like flyers

Privileged Access Management

Businesses depend on effective access provisioning. Timely access is crucial for productivity, and the right access at the right time is necessary for security.

Yet in this trade-off between productivity and security, it is usually security that is gambled on. The causes are a lack of awareness of cybercrime, the attitude of “we probably aren’t on the hackers’ radar anyway”, or access handed out under pressure because someone needed it immediately.

Whatever the case, access cannot be distributed like flyers simply because someone requests it. This is why organizations put a process in place: approval workflows and Role-Based Access Control (RBAC). Under RBAC, a person’s role determines which applications they are entitled to, and access is provisioned against those entitlements as and when required.

Beyond this, some rights had to be restricted to a small set of people: administrator rights, emergency file access, and so on. The accounts that hold them are privileged accounts, with privileged access to sensitive systems and information.

Yet these are the very accounts that too often lack stringent policies and security controls. According to a Forrester report, 80% of data breaches involve privileged credentials.
This is why the way privileged accounts have been handled for the past 40 years can no longer be the standard. They urgently need newer security policies, effective governance, and modern, intelligent tooling. The just-in-time approach does just that.

What is Just in Time approach for Privileged Access Management?

The just-in-time (JIT) approach originated in manufacturing, where raw materials are delivered only as production needs them, to avoid wasted material and wasted storage space. Applied to PAM, the same philosophy radically streamlines both access and security: the raw materials become accesses, production becomes the use of that access to perform a task, and waste is the surplus, unneeded access.

JIT for PAM essentially means providing access only when it is required, and only for a limited time.

Consider the usual alternative: you assign a privileged account to a user and map several privileges to it. These are now standing privileges that come with the account, and they remain for as long as the account exists. Even if the account is needed for a couple of hours a month, the access is live around the clock.

There are several ways this can go wrong.

The user can decide to misuse the privilege.

The user’s credentials can be stolen, and someone else can take advantage of them.

The user may no longer use the account at all, but the account remains active.

The user leaves the organization and the account is orphaned. The longer a fully furnished account, especially one with privileged access, is left unattended, the more it becomes an open invitation for an attacker to take it over.

The permutations of things going wrong are endless, which is why a JIT approach is a necessity.

Just in time ensures that the user is granted the privilege only when he/she needs it, and that it is revoked when it is no longer needed. Access is time-bound.

According to Gartner’s report Remove standing privileges through a just-in-time PAM approach, “an effective PAM practice embraces the entire concept of least privilege, granting only the right privileges to only the right system and only the right person for only the right reason at only the right time.”

The phrase “least privilege” is key to provisioning access in general: users are granted only the access they need, and only for as long as they need it. It can be implemented with a simple access request workflow: the user requests access to an application with a justification, a reviewer approves or denies it, and an approved request carries a specific expiry. The lifetime can be set according to the requirement and the sensitivity of the application: for an application that requires discretion, the grant can last just the few minutes the request states. Security and productivity served the right way.

Just in time to up your security

JIT for PAM builds on “least privilege”, which is also the premise of “zero trust”. Zero trust is a security model that greatly changes the landscape of organizational security with the philosophy of never trust, always verify: every request for access is authenticated and authorized on its own merits, regardless of where it comes from, so you must always prove that you are who your identity claims to be.

Grants can be fully automated with governance tools that keep accesses strictly time-bound. Humans forget to revoke access; automation does not, so automating revocation is the way to go.

JIT for PAM also yields a seamless audit trail of precisely who accessed what, at what time, for how long, and who approved it. That helps an organization stay on top of regulations and compliance.
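The request, approve, expire workflow described earlier, together with the automated revocation and the audit trail of the last two paragraphs, can be sketched as a small in-memory broker. The following is an added example, not code from the original article or from any PAM product; the role names, per-role TTL ceilings, usernames, timestamps and justification strings are constructed assumptions, and the broker is a toy rather than something that talks to a real directory or cloud IAM.

```python
"""Toy just-in-time (JIT) privilege broker: time-bound grants, automatic
revocation and an audit trail. Added illustration for this article; not code
from the original page or from any PAM product. Every role name, TTL ceiling,
username and timestamp below is a constructed assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical per-role ceiling on how long one grant may live: the more
# sensitive the target, the shorter the window an approver may hand out.
MAX_TTL = {
    "db-readonly": timedelta(hours=8),
    "prod-admin": timedelta(minutes=30),
    "break-glass": timedelta(minutes=10),
}

@dataclass
class Request:
    user: str
    role: str
    reason: str
    ttl: timedelta

@dataclass
class Grant:
    user: str
    role: str
    reason: str
    approver: str
    start: datetime
    end: datetime
    revoked_at: Optional[datetime] = None

class JitBroker:
    """Holds no standing privileges: a user is authorized for a role only while
    an approved, unexpired, unrevoked grant window is open."""

    def __init__(self) -> None:
        self.pending: Dict[int, Request] = {}
        self.grants: List[Grant] = []
        self.audit: List[str] = []   # who got what, when, for how long, approved by whom
        self._next_id = 1

    def _log(self, when: datetime, msg: str) -> None:
        self.audit.append(f"{when.isoformat()} {msg}")

    def request(self, user: str, role: str, reason: str, ttl: timedelta, now: datetime) -> int:
        if role not in MAX_TTL:
            raise ValueError(f"unknown role {role!r}")
        if not reason.strip():
            raise ValueError("a justification is required")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = Request(user, role, reason, ttl)
        self._log(now, f"REQUEST id={rid} user={user} role={role} ttl={ttl} reason={reason!r}")
        return rid

    def approve(self, rid: int, approver: str, now: datetime) -> Grant:
        req = self.pending[rid]
        if approver == req.user:      # separation of duties
            raise PermissionError("requester cannot approve their own request")
        del self.pending[rid]
        ttl = min(req.ttl, MAX_TTL[req.role])   # clamp to the role's ceiling, never extend
        grant = Grant(req.user, req.role, req.reason, approver, now, now + ttl)
        self.grants.append(grant)
        self._log(now, f"GRANT user={req.user} role={req.role} by={approver} until={grant.end.isoformat()}")
        return grant

    def sweep(self, now: datetime) -> int:
        """Automatic revocation: close every grant whose window has passed."""
        closed = 0
        for g in self.grants:
            if g.revoked_at is None and now >= g.end:
                g.revoked_at = now
                self._log(now, f"EXPIRE user={g.user} role={g.role} lived={g.end - g.start}")
                closed += 1
        return closed

    def revoke_user(self, user: str, by: str, now: datetime) -> int:
        """Early revocation, e.g. offboarding: no orphaned privilege survives."""
        closed = 0
        for g in self.grants:
            if g.user == user and g.revoked_at is None and now < g.end:
                g.revoked_at = now
                self._log(now, f"REVOKE user={user} role={g.role} by={by}")
                closed += 1
        return closed

    def is_authorized(self, user: str, role: str, now: datetime) -> bool:
        self.sweep(now)   # nobody has to remember to revoke; the check itself expires grants
        return any(g.user == user and g.role == role and g.revoked_at is None
                   and g.start <= now < g.end for g in self.grants)

def demo() -> dict:
    """Constructed walk-through with an injected clock; returns the facts worth checking."""
    t0 = datetime(2024, 5, 6, 9, 0)   # constructed timestamp
    b = JitBroker()
    rid = b.request("alice", "prod-admin", "INC-4711: restart failed node", timedelta(hours=4), t0)
    try:
        b.approve(rid, "alice", t0)
        self_approved = True
    except PermissionError:
        self_approved = False
    grant = b.approve(rid, "bob", t0 + timedelta(minutes=1))
    rid2 = b.request("carol", "db-readonly", "weekly report", timedelta(hours=2), t0)
    b.approve(rid2, "bob", t0)
    offboarded = b.revoke_user("carol", "hr-system", t0 + timedelta(minutes=5))
    return {
        "self_approved": self_approved,
        "granted_minutes": int((grant.end - grant.start).total_seconds() // 60),  # 30, not 240
        "allowed_during": b.is_authorized("alice", "prod-admin", t0 + timedelta(minutes=10)),
        "allowed_after": b.is_authorized("alice", "prod-admin", t0 + timedelta(minutes=45)),
        "never_granted": b.is_authorized("alice", "break-glass", t0 + timedelta(minutes=10)),
        "carol_revoked": offboarded,
        "carol_after": b.is_authorized("carol", "db-readonly", t0 + timedelta(minutes=6)),
        "audit": b.audit,
    }

if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Two checks carry most of the weight: the requested TTL is clamped to the role's ceiling rather than trusted, so a four-hour request for prod-admin becomes thirty minutes, and the authorization check sweeps expired grants before answering, so revocation never depends on a person remembering. In a real deployment the grant would be materialized as a short-lived credential or an expiring group membership, and the audit list would go to an append-only log.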

And the main advantage of all: the dilemma of compromising on either productivity or security disappears. With just in time, you enable access exactly when a user needs it, after checking their role, entitlements and the requirement at hand, which enables productivity. That access is then revoked after the agreed time, which ensures security.

Just in time PAM approach empowers users without limiting security!
