Using Automated Just-in-Time (JIT) to Reach Least Privilege – A Guide
Published 02/09/2023
Originally published by Ermetic.
Privileged access and elevated permissions expose organizations to vulnerabilities that could be exploited. On-premises, security teams often use PAM tools for managing these types of risks. But for cloud operations, PAM tools are insufficient as they are built around network access rather than cloud access, which is identity based. JIT (Just-in-Time) privileged access strategies minimize the attack surface of your cloud environments by reducing the window that attackers have to exploit excessive permissions. Let’s dive into why JIT access in the cloud is an essential part of any cloud security strategy and recommended ways for implementing it.
What is JIT?
JIT (Just-in-Time) access is a modern security practice that grants users privileged access for only the amount of time needed to complete the task or action. After, the privileges are revoked. Implementing JIT reduces the risk of excessive permissions, minimizing the attack surface. Without JIT, attackers would have a longer window in which to exploit the elevated permissions.
JIT is a component of the principle of least privilege, which is a recommended security practice that reduces the resources a user can access and the actions the user can take on those resources to the minimum needed without impacting business operations. With JIT, the principle of least-privilege can be extended to the realm of time, reducing the number of long-standing permissions an organization has to provision.
The Value of JIT Access for the Enterprise and Security Professionals
In cloud environments identity is the new security perimeter, with user credentials the main vehicle for access and authorization. These credentials determine which users are granted access to which resources and the activities they can perform on those resources. The growing number of human users and services in the cloud requires security and IT teams to manage thousands of credential permissions – a complicated and risky endeavor. A single accidental error can lead to excessive permissions or toxic combinations that expand the attack surface and render the organization vulnerable to an attack.
This risk is not hypothetical. Verizon’s 2022 Data Breach Investigations Report (DBIR) found credentials to be the number one attack vector, as did IBM’s 2022 Cost of a Data Breach Report. The Identity Defined Security Alliance (IDSA) reported that 84% of respondents had an identity-related attack in the past year.
To mitigate such credential-related risks, organizations need security practices that can help minimize and manage permissions. One of the most important and effective principles is JIT access controls. Gartner advises organizations to treat all IaaS accesses as privileged access and to use CIEM and JIT to achieve least privilege for cloud entitlements and reduce long-standing privileges. [Gartner, Innovation Insight for Cloud Infrastructure Entitlement Management, 2021]
Who Needs JIT – Human Users vs. Service Principals
Overall, right-sizing permissions based on actual use and the principle of least privilege is the safest way to secure all cloud identities -- human users and service principals. For dynamic needs, JIT offers use cases for both kinds of cloud identities; in this blog, we focus on JIT for human users.
Due to how humans behave and operate in the cloud, JIT is the only way to reduce permissions below a certain threshold for human users. Absent JIT, such a user is typically granted the extra privileges without a mechanism for their removal, rendering the permissions permanent. Yet the production environment holds sensitive customer data, and the developer doesn’t need continuous access for their day-to-day work.
JIT closes the security gap on the justified, dynamic need for temporary elevated permissions while avoiding the kinds of scenarios that foster undue risk.
JIT Users and Use Cases
When implementing JIT, an organization has three main groups of human users to take into account: business users, admins and security teams. Let’s start with business users, who are the JIT customers and drivers of the business. We will focus on the most challenging use case for business users: developers and engineers.
JIT for Developers and Engineers
Developers, DevOps and other engineers often need powerful privileges and entitlements to stand up and manage cloud infrastructures. Providing this access as a standing privilege is risky because any excessive permissions pose risk. If compromised, the user’s credentials can be exploited by threat actors to breach an environment, like in the infamous Capital One data breach.
On the other hand, developers cannot be denied such access, as they are the main drivers of the business. The access they require is often business-critical. A JIT capability can empower engineering teams to easily request access and gain authorized access to required resources, while granting the elevated privileges for the smallest amount of time needed to perform the task.
JIT for Admins
The role of admins in the JIT workflow is to provision access to users by defining which identities are eligible for privileged access and for what period of time. These decisions are based on organizational policies, which take into account pre-approved use cases (like in the case of a security incident or a compliance requirement) and ad-hoc business needs.
Once access is approved, admins monitor the activity to see which actions the user performed, to make sure it is aligned with the justification. Monitoring is also useful for compliance requirements, retrospective investigation in case of suspicious activities and external audits.
JIT for Security Teams
In some organizations, security teams may also want to be involved in reviewing and approving requests, and monitoring activity, including for compliance and audit related to access granted to sensitive environments.
Tracking of all access requests including for compliance and audit needs
JIT Provisioning: The Case for an Automated JIT Mechanism
As we’ve established, human users have a legitimate need for temporary, elevated privileges. Dynamic in nature and an open lid to the candy jar with regard to access to sensitive resources, JIT permissions need a process for managing and monitoring the temporary changes to avoid risk. When conducted manually, a person, perhaps from IT or security, needs to approve and execute the change, and revoke the permissions once the task is complete.
What happens when a JIT access mechanism is not available?
In many organizations, IT and security teams have limited resources and a backlog of tasks on their plate. Even if not, assigning someone to manually review temporary elevation requests is not the optimal use of skilled resource hours and can cause natural delays. Throw into the mix the pressure and frustration of requestors trying to justify their needs and waiting for permissions to be granted, and you have a stressful, repeat situation that does not meet the needs of the business.
This is where a centralized automated mechanism for requesting and granting permissions, monitoring their usage and, finally, revoking the privileges, can help. An automated JIT mechanism can bridge manually-induced gaps and reduce the friction and administrative overhead. Automated monitoring and auditing of JIT access is also useful for ensuring no misconfigurations were accidentally made and enabling rapid incident investigation if required.
How JIT Works: Manual vs. Automated
JIT mechanisms are based on workflows for granting and revoking access. Let’s look at two potential workflows that organizations can implement – one that is basic and manual, the other advanced and automated.
Example #1: A Basic Manual JIT Workflow
Let’s say there is a production issue that requires developer debugging. The developer needs access to production.
A basic, manual JIT workflow: granting and revoking developer access
- First, the developer requests access
- The security team receives the request notification by email
- The security team approves the request and grants privileged access
- The developer gains elevated privileges
- The developer debugs the issue in production
- At the end, the developer’s access is revoked
Example #2: An Advanced and Automated JIT Workflow
Same as before: a production issue requires developer debugging, and the developer needs access to production.
An advanced, automated JIT workflow: granting and revoking developer access
- First, the developer requests access through a portal or a Slack bot
- An automated platform validates the request
- Access is automatically approved and audited
- The developer debugs the issue in production
- At the end, the developer’s access is revoked
As you can see, the more advanced workflow leverages platforms and automation to validate, grant, monitor and revoke access. Manual intervention isn’t required and friction is reduced for all stakeholders: the developer and the security team.
An automated mechanism also answers all organizational needs: development, business and security. Development - for quick resolution of their permissions request. Business - ensuring the issue gets fixed as soon as possible. Security - maintaining the security posture without compromising on operational productivity.
Temporary access is granted the requestor through an automated JIT process
JIT vs. PAM
PAM (Privileged Access Managed) is a set of tools for managing and controlling access to privileged accounts. PAM leverages digital vaults to reduce the risks of privileged account credentials getting compromised and of attackers accessing sensitive assets and resources.
What’s the difference between JIT and PAM? While often confused, the two tools describe a very different set of capabilities and uses.
PAM was designed for on-premises architectures and intended to secure servers and applications. JIT was developed for granting access in cloud infrastructures built on public cloud vendors like AWS, Azure and GCP.
When a developer needs access to a cloud resource like an AWS EC2 instance or into a CI/CD pipeline, implementing JIT enables the providing of the necessary access. Attempting to connect through PAM may require launching a virtual machine, which creates friction and is not necessarily secure. JIT eliminates friction and bridges security gaps to enable secure access management in the cloud.
Some PAM tools are more recently adding cloud supporting capabilities. The inherent weakness of these tools when in use in the cloud lies in lacking the cloud-native granularity and dynamic capabilities necessary for precisely determining permission levels.
JIT Best Practices for Organizations
JIT is essential for enhancing access and least privilege controls in a cloud-based organization. Here are the first steps security teams can take to implement JIT.
1. Provide a Self-service Portal
Users detest friction, and security teams are often notoriously perceived as friction creators. Therefore, any tool or mechanism that can help smoothen the process is recommended. A self-service portal is one such tool.
Letting users request elevated privileges through a self-service portal and then tracking the approval process, improves the user experience and eliminates delays and requests falling between the cracks. In addition, a self-service portal can support the automation of permissions management, which minimizes the cloud attack surface and creates an audit trail for monitoring purposes.
2. Introduce Automated Policies for Low-risk Requests
Automation is key for reducing friction and making the best use of human resources. Low-risk access requests, like those involving non-production environments, can be automated through policies that approve requests for a limited amount of time and with no need for immediate human intervention.
3. Define Owners for Each Step of the Process
Automation doesn’t eradicate ownership. Make sure there are owners for each step to review requests, monitor implementation and ensure privileges are revoked. Automation is a tool to help organizations, so it needs to be monitored to ensure proper operationalization and efficiency. In addition, make sure there is a human being who reviews and approves more complex and sensitive requests, on-demand.
JIT: A Key Component in Your Cloud Security Strategy
Enforcing highly granular permissions management for privileged access in the cloud is an essential part of a healthy cloud security strategy. JIT is a key component for managing and enforcing such granularity. However, manual provisioning is time-consuming for both developer and security teams. The ping pong of trying to determine which privileges are justifiable and what are the minimal escalated permissions for getting the job done takes a long time and creates frustration.
JIT automation can relieve security staff of unnecessary work and reduce friction by enabling developers with speedy assigning and removal of permissions on an as needed basis. Everyone wins: the business, developers and the security team. With JIT, security teams can rest assured they are moving one step closer to least privilege and implementing a zero trust strategy.
Related Articles:
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Why Application-Specific Passwords are a Security Risk in Google Workspace
Published: 11/19/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024