1. Planning.

• Assessment
  Begin by determining which users need access, the resources necessary, and the purpose. Record current access rights and determine if any can be reduced or removed. For enhanced visibility, you might want to use an entitlement discovery tool.
• Policy creation
  Develop precise policies for both granting and withdrawing access. Include guidelines about who can request access, under what circumstances, and how long it will last. Especially for elevated roles, put time-based parameters in place.
• Source of truth
  Sync your JIT access system with an Identity Provider such as Okta, Google Workspace, Azure AD, or OneLogin. These will act as the guiding sources for identities. Prioritizing individual identities over shared accounts can lead to better control over authorizations and increase the accuracy of audits.

2. Execution.

• Self-serve access requests
  Streamline the process by having users request access through the system, not people. Boost adoption rates by integrating with IM platforms like Slack or MS Teams. Make sure requests detail who's asking, what service/resource/role they require, the duration, and why.

• Approval process
  JIT access provides organizations with a chance to delegate approvals to those with business context. Resource owners and business unit managers frequently have more context than IT helpdesks. Utilize messaging platforms for prompt responses, giving all the necessary information for informed decision-making.

• Conditional approval workflows
  Incorporate your predetermined policies into workflows that determine access permissions. Integrate them into workflows that define who can access what, and under which conditions. One efficient method is assigning if-then conditions. IF identity group “X” requests access to “Y”, ask for approval from “Z” and notify “M”.

• Integrations
  Consider integrating JIT Access with other IT and security systems for added flexibility; synchronize with IT ticketing systems for automatic access based on ticket status. Coordinate with data classification systems to modify policies according to data sensitivity. Ideally, you should be able to tag resources and group them together to simplify this process. Partner with on-call schedule software for automatic approvals during emergencies. Use training systems to grant access based on training completion.
• Automated provisioning and removal
  Familiarize yourself with Acronis to effectively grant and revoke fine-grained access automatically within the service. This is crucial for JIT Access since it reduces dependence on people's availability. This type of access allows for automated revocation of access, aligning with the core principle of JIT access and the concept of least privilege access (POLP). Ideally, you should manage all permissions from a single place, without having to create or oversee an environment for every application.
• Access methods
  With Acronis JIT Access, APIs are recommended due to their flexibility and instantaneous capabilities. However, a mixture might be necessary. For instance, utilizing SAML for authentication, SCIM for user provisioning, and APIs for specific access control decisions.

3. Maintenance.

• Regular audits
  Routinely examine access logs to make sure that JIT access is working as expected. Detect any unusual patterns or behaviors either directly or by feeding the logs into your SIEM. Automating the user access review process can speed up evidence collection, delegate reviewers, and maintain compliance with relevant industry standards or regulations.
• User training
  Educate users, particularly those with elevated privileges, about the significance of least privilege, JIT Access, and how it operates. Ensure users are aware of how to request access when necessary.
• Feedback loop
  Implement an ongoing review of your JIT access procedures. Solicit feedback from users and IT staff to comprehend what improvements can be made.

By adopting this structured method, you'll be able to efficiently establish a robust Just-in-Time Access system for Acronis.