The principle of least privilege (POLP) is core to a zero trust approach. It states that an identity should have only the access required to do its job (and no more), and only when needed. This has typically been accomplished by implementing an identity governance and administration (IGA) product to automate provisioning and deprovisioning and by using a role-based access control (RBAC) model to simplify the administration.
When an identity is granted access, the relevant permissions are assigned at that time. They remain assigned until the identity is no longer entitled to the access, based on the policy. For example, if an employee is granted access based on membership in a project team, the access is removed when he or she leaves the project or the project is completed. This is referred to as “always-on” access. Always-on access comes with its own risk. If an account is compromised, the attacker can take advantage of any provisioned access, privileged or otherwise.
POLP, in its purest form, also includes the “only when needed” clause. This is referred to as just-in-time (JIT) access, and it enables a concept called zero standing privileges. Simply put, access should be provisioned at the time it is needed, then de-provisioned as soon as it is no longer required. If an unused account is compromised, it has no access and the attacker can do no damage as a result of the account permissions.
As you can see in the images above, JIT access has far less exposure at a given point in time than always-on access. JIT access minimizes the risk of standing privileges that attackers or malicious insiders can readily exploit. With such a significant reduction in risk and exposure to threats, why don’t we use JIT access for everything all the time? Well, because granting JIT access is complicated.
The only way to truly achieve JIT access is for a dedicated component to be involved in every access attempt. The component would first need to determine if the access is allowed and know which assigned permissions need to be provisioned to enable the access. It must also continue monitoring the access to know when the task is completed so deprovisioning can be triggered.
To simplify JIT access, it is typically implemented through “time-bound access” — meaning that the required access is requested for a specified time period. The request is verified against the policy and, if allowed, the access is provisioned. At the end of the time period, the access is deprovisioned — irrespective of whether or not the task was completed.
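The time-bound model described above, as an added illustration that is not part of the original article: a small broker checks each request against a policy, clamps the requested period to the policy maximum, and deprovisions on expiry whether or not the task finished. The identities, roles and policy values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy (hypothetical names): the roles each identity may request
# and the maximum hours a single time-bound grant for that role may last.
POLICY = {"alice": {"db-admin": 2, "deploy": 4}, "bob": {"deploy": 1}}
# The always-on equivalent: the same entitlements provisioned permanently.
ALWAYS_ON = {identity: set(roles) for identity, roles in POLICY.items()}
T0 = datetime(2022, 1, 3, 9, 0, tzinfo=timezone.utc)  # constructed clock start


def hours_after(n: float) -> datetime:
    """Simulated clock: the instant n hours after T0."""
    return T0 + timedelta(hours=n)


@dataclass
class Grant:
    identity: str
    role: str
    expires_at: datetime


class JitBroker:
    """Time-bound JIT grants: nothing is provisioned between requests."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def request(self, identity: str, role: str, hours: float, now: datetime):
        """Verify the request against POLICY, then provision with a hard expiry."""
        allowed = POLICY.get(identity, {})
        if role not in allowed:
            return None  # not entitled to this role: request denied
        hours = min(hours, allowed[role])  # clamp to the policy maximum
        grant = Grant(identity, role, now + timedelta(hours=hours))
        self.grants.append(grant)
        return grant

    def expire(self, now: datetime) -> list[Grant]:
        """Deprovision every grant whose period has ended, task done or not."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        return expired

    def effective(self, identity: str, now: datetime) -> set[str]:
        """Roles a holder of this account (legitimate or not) can use at `now`."""
        self.expire(now)
        return {g.role for g in self.grants if g.identity == identity}
```

Comparing `effective()` at any instant with `ALWAYS_ON` shows the exposure difference: a compromised account holds nothing outside an active, time-limited grant.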
Although JIT access may be too heavyweight for all access needs using current technology, it is highly recommended for privileged access. All privileged access security (PAS) product vendors are adding JIT access to their portfolio. The long-time vendors started by implementing JIT access in their agent-based PAM products, and are now building these capabilities into their core offerings. Some of the newer vendors have built their products from the ground up for JIT access.
Just-in-time access for privileged access security is a key trend, and several analysts have already dubbed 2022 as the year of “JIT PAM.”
About the author
Global IAM Practice Lead & CTO
Allen Moffett is Global IAM Practice lead and CTO at ATOS. He is also the global lead for the IAM and Biometrics sub-domain of the ATOS expert community, helping to steer business strategy and building the technology roadmap by anticipating the products and services that will be needed by the market. He also is member of the Executive Advisory board of the Identity Defined Security alliance.