Traditional role-based access control (RBAC) falls short when access needs to be temporary or time-sensitive: a role, once assigned, usually stays assigned. Just-in-time (JIT) access fills that gap. With JIT, administrators grant access for a specific period, and the access is revoked automatically once that period expires.
Beyond its security benefits, JIT access to sensitive environments such as production is a practical way to meet the least-privilege and access-review expectations of frameworks and regulations such as SOC 2, SOX, and PCI DSS. Despite its proven effectiveness, adoption remains limited. This article explores the benefits of JIT access in several cloud use cases.
What is just-in-time access and how does it work?
JIT is used mainly in cloud environments to enforce access control, ensuring that only authorized users can reach specific resources, and only within a specific time window. Limiting the window lowers the risk of unauthorized access and shrinks the value of any stolen credential or session.
Just-in-time access provides a dynamic way to manage access to cloud resources. Users request access to a resource in a self-service way whenever they need it. If the request satisfies the security policy (for example, the requester's role, the resource, and the requested duration are all within what the policy allows), it is approved automatically with a controlled level of access. The user is then granted time-bound access that is revoked automatically when the time lapses.
JIT benefits organizations where employees have different access levels based on their job responsibilities. For instance, a salesperson may need access to customer data for a few hours to prepare a presentation, while a financial analyst may need access for two days to perform a detailed analysis. Managed security service providers (MSSPs) also adopt JIT to add a layer of protection to their customers' data.
Common JIT access use cases
While JIT is best known from its implementation for Azure virtual machines (Microsoft Defender for Cloud's JIT VM access, which opens management ports only for an approved window), its use goes well beyond access to a single environment. JIT applies both to mission-critical scenarios and to ongoing least-privilege operations. Some common use cases follow.
On-call access to production with JIT
On-call means an employee must be reachable outside working hours to respond to emergencies. JIT lets organizations scope what an on-call person or team can do to the duration of their on-call shift.
JIT access for on-call employees helps ensure that issues are addressed promptly without exposing the whole environment. It also removes avoidable friction such as on-call staff waking a DevOps engineer in the middle of the night to request access, and it reduces the need for a large team of dedicated IT staff, since organizations can grant temporary access to whoever has the necessary skills on an as-needed basis. This reduces overhead and improves agility.
Enabling break-glass protocol with JIT access
A break-glass protocol is a set of pre-agreed procedures for obtaining emergency access when the normal approval path is too slow, for instance during a security breach or a production outage. JIT can be built into these protocols to grant the security or incident response team immediate, time-bound access to cloud resources.
To set up a break-glass protocol with JIT, you need a permission automation system in which you proactively define the resources, permissions, and time limits each team gets in an emergency. After the emergency, record the reason for the access, the actions taken, and the outcome, and review them.
Break-glass with JIT ensures that access to sensitive resources is granted only in emergencies and only for a limited period, which reduces the risk of abuse or misuse. Because every grant is tracked, you can see who accessed which resource and when, which is useful for compliance and auditing.
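How such a broker behaves end to end, as an added example that is not code from the original article: a small Python JIT broker whose policy table (roles, the resources each may request, a ceiling on duration, and a break-glass policy that demands a justification) is an assumption chosen for illustration. It approves requests that fit the policy, clamps the window to the policy's ceiling, records every decision in an append-only audit list, and revokes lapsed grants on a periodic sweep.

```python
"""Minimal JIT access broker: policy-checked, time-bound grants with an audit trail.

Added example, not code from the article. Policy table, users and resource
names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """What a requester role may ask for, and the ceiling on how long."""
    resources: frozenset
    max_duration: timedelta
    requires_reason: bool = False   # break-glass policies force a justification


# Assumed policy table: the incident-response (break-glass) policy reaches
# more, but for a shorter window, and must be justified.
POLICIES = {
    "on-call-sre": Policy(frozenset({"prod-k8s-readonly"}), timedelta(hours=8)),
    "incident-response": Policy(frozenset({"prod-k8s-admin", "prod-db"}),
                                timedelta(hours=1), requires_reason=True),
}


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime
    reason: Optional[str]
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


class JitBroker:
    def __init__(self) -> None:
        self.grants: list = []
        self.audit: list = []   # append-only record for compliance review

    def request(self, user, role, resource, duration, now, reason=None) -> Grant:
        policy = POLICIES.get(role)
        if policy is None or resource not in policy.resources:
            self._log(now, "denied", user, resource, reason, "not permitted by policy")
            raise PermissionError(f"{role} may not request {resource}")
        if policy.requires_reason and not reason:
            self._log(now, "denied", user, resource, reason, "justification required")
            raise PermissionError("break-glass access requires a reason")
        # Clamp to the policy ceiling regardless of what was asked for.
        duration = min(duration, policy.max_duration)
        grant = Grant(user, resource, now + duration, reason)
        self.grants.append(grant)
        self._log(now, "granted", user, resource, reason, f"until {grant.expires_at.isoformat()}")
        return grant

    def active_grants(self, user, now) -> list:
        """What an enforcement point (proxy, IAM sync job) should allow right now."""
        return sorted(g.resource for g in self.grants if g.user == user and g.is_active(now))

    def revoke_expired(self, now) -> int:
        """Periodic sweep: mark lapsed grants revoked and record each one."""
        count = 0
        for g in self.grants:
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                self._log(now, "expired", g.user, g.resource, g.reason, "automatic revocation")
                count += 1
        return count

    def _log(self, now, event, user, resource, reason, detail) -> None:
        self.audit.append({"at": now.isoformat(), "event": event, "user": user,
                           "resource": resource, "reason": reason, "detail": detail})


def demo() -> dict:
    """Walk through an on-call grant, a break-glass grant, a denial and a sweep."""
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request("alice", "on-call-sre", "prod-k8s-readonly", timedelta(hours=2), t0)
    # Bob asks for a day; the break-glass policy clamps it to one hour.
    bob = broker.request("bob", "incident-response", "prod-db", timedelta(days=1), t0,
                         reason="INC-123: primary database unreachable")
    try:
        broker.request("carol", "on-call-sre", "prod-db", timedelta(hours=1), t0)
        denied = False
    except PermissionError:
        denied = True
    t1 = t0 + timedelta(hours=1)
    return {
        "bob_window_hours": (bob.expires_at - t0) / timedelta(hours=1),
        "carol_denied": denied,
        "bob_active_at_t0": broker.active_grants("bob", t0),
        "expired_after_1h": broker.revoke_expired(t1),
        "active_after_1h": {u: broker.active_grants(u, t1) for u in ("alice", "bob")},
        "audit_events": [e["event"] for e in broker.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The enforcement point (a proxy, an IAM sync job, or an SSH key renderer) should consult active_grants rather than the raw request list, and the sweep should run on a timer so a missed revocation shows up in the audit trail as an anomaly rather than silently leaving access standing.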
Customer success access to customer data with JIT
You can also incorporate JIT access into Jira or other ticketing and project-management tools used for customer support and feedback, granting the customer success team temporary access to manage customer information and support issues.
JIT provides an audit trail of who accessed what and when, which lets organizations demonstrate compliance with regulations such as HIPAA, GDPR, and PCI DSS. It also helps customer success teams resolve customer issues and requests quickly, without waiting on a manual access request, which can ultimately boost customer loyalty and retention.
Escalating to an admin role with JIT access
Cloud administrators can also use JIT access to receive temporary administrative roles in platforms such as Azure, Okta, GCP, and AWS in order to manage user accounts, virtual machines, Kubernetes clusters, cloud storage, and network security.
Administrative actions are a small share of activity, however; most access is day-to-day user access. JIT keeps standing admin rights from becoming a permanent exposure by granting time-bound elevation when required and revoking it when the job is done. Automatic approval and provisioning also save time and reduce the chance of human error. Many organizations rely on their identity provider for authorization, but an IdP alone often falls short when it comes to scaling granular, dynamic, time-bound access.
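One practical check, shown as an added example rather than anything from the article or a cloud vendor's SDK: put the time window into the elevated policy itself, so the permission expires even if the automation that should remove it fails. The Python below builds an AWS IAM policy document whose statement only matches while the aws:CurrentTime condition key lies within the window (DateGreaterThan and DateLessThan are the real IAM date operators); the actions, account, region, and the 4-hour ceiling are assumptions.

```python
"""Time-bound cloud admin elevation expressed in the policy document itself.

Added example, not from the article or any vendor SDK. The actions, resource
ARN (account and region), and MAX_WINDOW are assumptions for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

IAM_TIME = "%Y-%m-%dT%H:%M:%SZ"   # ISO 8601 UTC, as IAM date conditions expect
MAX_WINDOW = timedelta(hours=4)   # assumed ceiling for any JIT admin elevation


def time_bound_policy(actions, resources, start: datetime, duration: timedelta) -> dict:
    """IAM policy document that matches only while aws:CurrentTime is inside the window."""
    if duration <= timedelta(0) or duration > MAX_WINDOW:
        raise ValueError(f"JIT window must be between 0 and {MAX_WINDOW}")
    start = start.astimezone(timezone.utc)
    end = start + duration
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JitAdminWindow",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": sorted(resources),
            "Condition": {
                # Both bounds are evaluated by IAM on every request, so the
                # grant dies on time even if nobody detaches the policy.
                "DateGreaterThan": {"aws:CurrentTime": start.strftime(IAM_TIME)},
                "DateLessThan": {"aws:CurrentTime": end.strftime(IAM_TIME)},
            },
        }],
    }


def window_allows(policy: dict, now: datetime) -> bool:
    """Local re-evaluation of the two date conditions, the way IAM applies them."""
    cond = policy["Statement"][0]["Condition"]
    start = datetime.strptime(cond["DateGreaterThan"]["aws:CurrentTime"], IAM_TIME)
    end = datetime.strptime(cond["DateLessThan"]["aws:CurrentTime"], IAM_TIME)
    start, end = start.replace(tzinfo=timezone.utc), end.replace(tzinfo=timezone.utc)
    return start < now.astimezone(timezone.utc) < end


def demo() -> dict:
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    policy = time_bound_policy(
        actions=["ec2:StopInstances", "ec2:RebootInstances"],
        resources=["arn:aws:ec2:eu-west-1:123456789012:instance/*"],  # assumed account
        start=t0, duration=timedelta(minutes=30))
    try:
        time_bound_policy(["iam:*"], ["*"], t0, timedelta(days=1))
        too_long_rejected = False
    except ValueError:
        too_long_rejected = True
    return {
        "document": json.dumps(policy, indent=2),
        "end_stamp": policy["Statement"][0]["Condition"]["DateLessThan"]["aws:CurrentTime"],
        "allowed_at_15min": window_allows(policy, t0 + timedelta(minutes=15)),
        "allowed_at_45min": window_allows(policy, t0 + timedelta(minutes=45)),
        "too_long_rejected": too_long_rejected,
    }


if __name__ == "__main__":
    result = demo()
    print(result["document"])
    print({k: v for k, v in result.items() if k != "document"})
```

The JIT job would attach this document to the elevated role (for example with IAM PutRolePolicy) and delete it at the deadline; the date condition is the backstop for the case where that deletion never runs. Keep the assumed-role session duration short as well, so a session issued just before the deadline cannot outlive the window by much, and never include iam:* in the elevated actions, or the requester can rewrite their own window.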
JIT access with SSH in non-federated identities and legacy environments
SSH (Secure Shell) is a protocol for remotely accessing and managing servers such as virtual machines; it is also how Git clients authenticate to hosted services such as GitHub, whose accounts are typically non-federated identities. With JIT, administrators can grant time-bound access to Git repositories where permanent access is undesirable, such as for contractors, temporary employees, or third-party vendors.
The basic SSH setup for GitHub is to generate a public/private key pair on your local machine, add the public key to your GitHub account so the repository recognizes you, and then connect over SSH using the private key. By itself this gives standing access: the key keeps working until someone removes it. To make it just-in-time, the key (or a certificate issued for it) has to carry an expiry. GitHub organizations can register an SSH certificate authority and accept only certificates issued by it, so a JIT workflow signs the user's key with a short validity window, and the access lapses when the certificate does. On servers you control, the same effect comes from expiring entries in the user's authorized_keys file or from short-lived certificates trusted by sshd.
This approach offers further benefits in non-federated identity scenarios. For example, it helps organizations comply with regulatory requirements by ensuring that only authorized users can reach sensitive resources, and only while they need to.
JIT SSH issuance also provides an audit trail: who was issued access, to which host or repository, and for how long, which makes it easier to attribute actions and spot potential risks. It improves operational efficiency too, since employees obtain access quickly without the IT department manually provisioning and later cleaning up keys.
Although JIT SSH key distribution has many advantages, handing out per-user SSH keys is increasingly regarded as legacy practice. Identity-aware proxies (such as Google Cloud's IAP) and AWS Systems Manager (SSM) Session Manager broker sessions through the cloud identity instead, without distributing keys or exposing an SSH port, and both can be combined with JIT grants.
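A concrete way to make per-key SSH access time-bound on a server you control, as an added example that is not from the article: render the user's authorized_keys file from the JIT grant store, so that lapsed grants drop out and each surviving line carries sshd's own expiry-time option (OpenSSH 7.7 and later refuse the key after that timestamp) plus a from restriction to the requester's source network. The key string, grant records, addresses, and ticket references are constructed placeholders.

```python
"""Rendering a JIT-scoped authorized_keys file from the grant store.

Added example, not code from the article. SAMPLE_KEY is a constructed
placeholder, not a real public key; the grants in demo() are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed placeholder, not a real public key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotARealKeyXXXXXXXXXXXXXXXXXX"


@dataclass(frozen=True)
class SshGrant:
    user: str
    pubkey: str
    source_cidr: str        # where the requester will connect from
    granted_at: datetime
    duration: timedelta
    ticket: str             # change or incident reference kept for the audit trail

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.duration


def authorized_keys_line(grant: SshGrant) -> str:
    """Build one line that sshd itself stops accepting at the grant's expiry."""
    # sshd's expiry-time option takes YYYYMMDDHHMMSS with a Z suffix for UTC.
    stamp = grant.expires_at.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    options = [
        f'expiry-time="{stamp}"',          # enforced by sshd (OpenSSH 7.7+)
        f'from="{grant.source_cidr}"',     # key usable only from the requester's network
        "restrict",                        # no forwarding, agent, X11 or PTY ...
        "pty",                             # ... then re-enable the interactive shell
    ]
    return f"{','.join(options)} {grant.pubkey} jit:{grant.user}:{grant.ticket}"


def render_authorized_keys(grants, now: datetime) -> str:
    """Emit lines only for grants still valid at `now`; lapsed ones vanish."""
    lines = [authorized_keys_line(g) for g in grants if now < g.expires_at]
    return "".join(line + "\n" for line in lines)


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 1, 0, tzinfo=timezone.utc)
    grants = [  # constructed grant records
        SshGrant("alice", SAMPLE_KEY, "10.20.0.0/16", t0, timedelta(hours=2), "CHG-42"),
        SshGrant("bob", SAMPLE_KEY, "10.30.1.7", t0, timedelta(minutes=30), "INC-7"),
    ]
    at_start = render_authorized_keys(grants, t0)
    after_1h = render_authorized_keys(grants, t0 + timedelta(hours=1))
    return {
        "lines_at_start": at_start.count("\n"),
        "lines_after_1h": after_1h.count("\n"),
        "alice_line": authorized_keys_line(grants[0]),
        "bob_line_present_after_1h": "jit:bob:" in after_1h,
    }


if __name__ == "__main__":
    print(demo()["alice_line"])
```

Regenerate the file on a timer, or point sshd's AuthorizedKeysCommand at a script that prints the render_authorized_keys output for the requested user; the expiry-time option covers the gap between regenerations. Where hosts trust an SSH certificate authority, signing a certificate with a short validity interval achieves the same result without touching authorized_keys at all.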
JIT secrets creation for secrets-based authentication in legacy environments
Secrets-based authentication uses a static credential (an API key, password, or token) rather than a federated identity to authenticate to a resource. You can also apply JIT to the secrets themselves. With a MongoDB database, for instance, a JIT workflow can expose a stored credential such as an API key, or create a database user, only for the requested period.
There are two ways to set up JIT secrets. In the first, you create the secrets and store them in secure storage (a vault, or a database such as MongoDB), define roles that specify which users may read, write, or edit which secrets, and assign those roles to users. Users then request JIT access to the vault, authenticating and stating how long they need, and the access is revoked automatically when the time expires. In the second, an automated provisioning system creates the credential itself just in time and delivers it securely to the user; when the window closes the credential is deleted, so no standing secret is left behind to steal.
Either process minimizes the chance of a compromise by limiting how long a secret is exposed. And because every lease and every issued credential is tracked and monitored, organizations gain granular control and an audit trail over who used which secret, which improves accountability.
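Both options from the secrets setup described above, as an added Python example that is not code from the article or from MongoDB: an in-memory broker that (1) issues a short lease on a secret already held in the vault and refuses reads once the lease lapses, and (2) mints a fresh database username and password that the target accepts only until expiry, storing only a salted PBKDF2 hash on the target side and deleting the account in a sweep. The vault contents, TTL ceiling, and names are assumptions.

```python
"""JIT secrets: time-boxed leases on stored secrets, and dynamically minted credentials.

Added example, not from the article or MongoDB. The vault contents, MAX_TTL and
user names are assumptions; the "database" that accepts minted credentials is a dict.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)          # assumed ceiling for any lease or credential
PBKDF2_ROUNDS = 100_000


class JitSecretsBroker:
    """Option 1 hands out a short lease on an existing secret; option 2 mints a
    credential that only exists for the window and is deleted afterwards."""

    def __init__(self, stored_secrets: dict):
        self._stored = dict(stored_secrets)   # long-lived secrets held in the vault
        self._leases = {}                      # lease_id -> (secret_name, expires_at)
        self.db_users = {}                     # username -> (salt, hash, expires_at)
        self.audit = []

    # ---- option 1: time-boxed read of a stored secret ----
    def lease(self, user: str, secret_name: str, ttl: timedelta, now: datetime) -> str:
        if secret_name not in self._stored:
            raise KeyError(secret_name)
        ttl = min(ttl, MAX_TTL)
        lease_id = secrets.token_urlsafe(16)
        self._leases[lease_id] = (secret_name, now + ttl)
        self.audit.append((now.isoformat(), "lease", user, secret_name))
        return lease_id

    def read(self, lease_id: str, now: datetime) -> str:
        entry = self._leases.get(lease_id)
        if entry is None or now >= entry[1]:
            raise PermissionError("lease unknown or expired")
        return self._stored[entry[0]]

    # ---- option 2: mint a credential the target accepts only until expiry ----
    def issue_db_credential(self, user: str, ttl: timedelta, now: datetime):
        ttl = min(ttl, MAX_TTL)
        username = f"jit_{user}_{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.db_users[username] = (salt, digest, now + ttl)   # target keeps only the hash
        self.audit.append((now.isoformat(), "issue", user, username))
        return username, password    # plaintext is shown to the requester exactly once

    def authenticate(self, username: str, password: str, now: datetime) -> bool:
        entry = self.db_users.get(username)
        if entry is None:
            return False
        salt, digest, expires_at = entry
        if now >= expires_at:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def sweep(self, now: datetime) -> int:
        """Delete lapsed leases and credentials so nothing standing is left behind."""
        dead_leases = [k for k, (_, exp) in self._leases.items() if now >= exp]
        dead_users = [u for u, (_, _, exp) in self.db_users.items() if now >= exp]
        for k in dead_leases:
            del self._leases[k]
        for u in dead_users:
            del self.db_users[u]
            self.audit.append((now.isoformat(), "delete", "system", u))
        return len(dead_leases) + len(dead_users)


def demo() -> dict:
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    broker = JitSecretsBroker({"payments-api-key": "constructed-sample-key-value"})
    lease = broker.lease("alice", "payments-api-key", timedelta(minutes=30), t0)
    user, pw = broker.issue_db_credential("bob", timedelta(hours=1), t0)
    t_mid, t_late = t0 + timedelta(minutes=20), t0 + timedelta(hours=2)
    try:
        broker.read(lease, t_late)
        read_after_expiry = True
    except PermissionError:
        read_after_expiry = False
    return {
        "read_within_lease": broker.read(lease, t_mid),
        "read_after_expiry": read_after_expiry,
        "auth_ok_within": broker.authenticate(user, pw, t_mid),
        "auth_wrong_pw": broker.authenticate(user, "guess", t_mid),
        "auth_after_expiry": broker.authenticate(user, pw, t_late),
        "removed_by_sweep": broker.sweep(t_late),
        "user_gone": user not in broker.db_users,
        "username_prefix": user.startswith("jit_bob_"),
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the two options is what an attacker gets from a leak: with option 1 the underlying secret is still long-lived and must be rotated if a lease holder is compromised, whereas with option 2 the stolen credential stops working at expiry on its own, which is why the second pattern is preferable wherever the target system can create and delete users programmatically.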
Although secrets-based authentication still has a place in legacy systems, for server access it is being replaced by identity-aware proxies (IAP) and AWS Systems Manager (SSM) Session Manager, which tie each session to the cloud identity and can likewise be combined with JIT.
Within a robust privileged access management (PAM) solution, just-in-time access removes standing, unguarded privilege and enables tighter security. That makes JIT access a must for security leaders to explore for their organizations' or clients' networks.