The Benefits of Just In Time (JIT) access over Standing Privileges

What is Just In Time (JIT) access?

‍

Just-in-Time (JIT) access is a method employed by IT professionals to provide users with temporary access to applications strictly when necessary. 

This approach significantly lowers the risk of identity compromise for users holding high-privilege roles.

Why retain high privileges in an account that doesn't require them? 

The answer is JIT access as it eliminates persistent privileges that could potentially be exploited by hackers. This approach is grounded in the Zero Trust security model.

‍

Why is it gaining popularity over Privilege Access Management (PAM)?

‍

The current challenge for IT and security teams is that employees, service accounts, and even machines (see our post about Non-Human Identities) often possess access privileges that exceed their actual needs. 

As a result, digital identities have emerged as the foremost threat to organizational security.

Traditionally, Privileged Access Management (PAM) in on-premises environments involved issuing and periodically rotating credentials to provide users with temporary access.

‍

This approach has evolved to align with the role management practices of cloud applications, where users can log in seamlessly and may occasionally require temporary escalation of privileges.

The key difference between JIT and PAM lies in the granularity and control. While PAM is limited to issuing credentials to specific accounts, JIT access provides a more nuanced approach by evaluating the context and legitimacy of escalating a user's role for a limited and controlled period.

‍

Integrating JIT Access within Modern IGA: your lightweight setup for robust access requests

‍

JIT is a subset of PAM, which is itself a component of “access requests” involving sensitive roles and data. 

Standing privileges are granted initially and evolve over the course of an identity's lifecycle. Each role change typically requires at least a ticket and often involves manual intervention.

Disclaimer: some actions can be automated through the Identity Provider!

But this automation is often limited to just a few applications within the company. Either due to technical constraints, like SCIM compatibility, or budgetary considerations, as there is frequently an additional cost associated with SSO integration.

Exploding helpdesk and redundant low value-added tasks is what your IT team in charge of identity wants to avoid. 

‍

And this is where light IGA combined with JIT access comes into play!

It acts as a complementary option to manage every identity, following the same procedures as those that are critical.

‍

Applying least privilege at scale thanks to JIT access

‍

Let's take a practical example. Here's a real-world scenario of implementing JIT access within Zygon, our light IGA platform.

‍

Conclusion

‍

Implementing JIT access on a large scale is feasible in a matter of days. This releases the pressure on the helpdesk, while reducing the attack surface. Best of both worlds!

We see it as a complementary, lightweight approach to minimize the reliance on standing privilege for less critical apps. 

However, it still encounters challenges similar to those faced by IGA, including:

• The requirement for applications to offer deep user management APIs
• Team adoption, particularly in understanding what is covered and available
• Ensuring auditability

‍

We hope that our practical real-life example can serve as inspiration, demonstrating how we effectively tackle these challenges with limited resources and effort, thanks to Zygon.