EXECUTIVE SUMMARY:
Just-in-time (JIT) provisioning gets less attention than other authentication and access-control mechanisms, but it is no less worthwhile. If you are curious about how just-in-time provisioning could benefit your organization, keep reading.
What is just-in-time (JIT) provisioning?
Just-in-time provisioning is a cyber security practice that grants users, processes, applications and systems only the level of access to a resource that a specific task requires, and only for as long as that task takes.
In other words, it is a way to provide privileged access at the moment it is needed while minimizing standing access, the always-on privilege that an attacker can use the moment an account or credential is compromised.
Why does just-in-time provisioning matter for organizations?
Just-in-time provisioning shrinks the window in which a compromised account or credential carries privilege. That reduces the risk of privileged access abuse and of lateral movement by threat actors, and helps organizations maintain a robust cyber security posture.
Just-in-time provisioning can also help organizations meet compliance goals: JIT minimizes the number of privileged users and sessions, and each grant is recorded with who requested it, why, and when it expired, which gives auditors a trail of privileged access.
With just-in-time provisioning, accounts can be created at scale, so onboarding new hires or employees who arrive through an acquisition does not require per-user administrator work.
For many organizations, JIT is a component of a broader automation strategy. By automating the grant and revocation of temporary access, organizations reduce manual intervention, shorten approval cycles and wait times, and provision access quickly and accurately.
What are the different types of just-in-time access?
- Temporary elevation. This form of access permits a temporary increase in privileges, allowing a user to use a privileged account or execute privileged commands on a per-request, time-limited basis. The elevation is revoked automatically when the specified time runs out.
- Ephemeral accounts. These are one-time-use accounts. They are created for a single request and are deprovisioned or deleted immediately after use, so no account is left behind to be abused.
- Broker and remove access. Here policy requires the user to supply a justification before connecting to a specific target for a defined period. The user typically connects through a shared privileged account whose credentials are managed, secured and regularly rotated in a central vault; the broker provides the connection for the session and removes the access afterwards, so the user never holds the credential directly.
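As an added example of the temporary-elevation pattern (this is illustrative code written for this page, not the product of any JIT vendor), the ledger below grants a hypothetical user a privileged group on a hypothetical target for a bounded time, records every grant, check and expiry in an append-only audit log, and removes the group membership again once the grant expires. The maximum TTL, the user, group and target names and the timestamps are all constructed for the example; a real deployment would call the directory or host API where `TargetSystem` is used here.

```python
"""Added example: a minimal just-in-time elevation ledger. Not code from the
original page; names, TTL policy and the target system are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MAX_TTL = timedelta(hours=4)  # hypothetical policy ceiling for a single grant


class TargetSystem:
    """Stand-in for a host or directory whose privileged group we edit (constructed)."""

    def __init__(self) -> None:
        self.groups = {"sudo": set()}

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def remove_member(self, group: str, user: str) -> None:
        self.groups.get(group, set()).discard(user)


@dataclass
class Grant:
    user: str
    role: str  # privileged group on the target, e.g. "sudo"
    justification: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


class JitLedger:
    def __init__(self, target: TargetSystem) -> None:
        self.target = target
        self.grants: List[Grant] = []
        self.audit: List[Tuple] = []  # append-only record of every decision

    def request(self, user: str, role: str, justification: str,
                ttl: timedelta, now: datetime) -> Grant:
        # Refuse grants that would undermine the controls the pattern relies on.
        if not justification.strip():
            raise ValueError("a justification is required for every elevation")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError("ttl must be positive and no longer than %s" % MAX_TTL)
        grant = Grant(user, role, justification, now, now + ttl)
        self.grants.append(grant)
        self.target.add_member(role, user)
        self.audit.append(("grant", user, role, now.isoformat(), justification))
        return grant

    def is_authorized(self, user: str, role: str, now: datetime) -> bool:
        ok = any(g.user == user and g.role == role and g.active(now) for g in self.grants)
        self.audit.append(("check", user, role, now.isoformat(), ok))
        return ok

    def reap(self, now: datetime) -> int:
        """Revoke every grant whose expiry has passed. Run this from a scheduler."""
        revoked = 0
        for g in self.grants:
            if g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                self.target.remove_member(g.role, g.user)
                self.audit.append(("expire", g.user, g.role, now.isoformat()))
                revoked += 1
        return revoked


def run_demo() -> dict:
    """Walk one grant through its lifetime on constructed timestamps."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    target = TargetSystem()
    ledger = JitLedger(target)

    rejected = False  # a blank justification must be refused
    try:
        ledger.request("alice", "sudo", "   ", timedelta(hours=1), t0)
    except ValueError:
        rejected = True

    ledger.request("alice", "sudo", "INC-42: restart stuck service", timedelta(hours=1), t0)
    during = ledger.is_authorized("alice", "sudo", t0 + timedelta(minutes=30))
    members_during = len(target.groups["sudo"])
    reaped = ledger.reap(t0 + timedelta(hours=1))
    after = ledger.is_authorized("alice", "sudo", t0 + timedelta(hours=1, minutes=1))
    return {
        "rejected_blank_justification": rejected,
        "authorized_during": during,
        "members_during": members_during,
        "reaped": reaped,
        "authorized_after": after,
        "members_after": len(target.groups["sudo"]),
        "audit_events": [e[0] for e in ledger.audit],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%s: %s" % (key, value))
```

The two things to notice are that the authorization check consults the grant's expiry rather than the group membership alone, so a missed reaper run cannot silently extend access, and that the audit log captures the justification and the expiry, which is what the compliance argument above depends on.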
Implementing just-in-time provisioning for your organization
To implement just-in-time provisioning, administrators first set up Single Sign-On (SSO) between the identity provider and the target service provider. They must then confirm that the identity provider sends the user attributes the application needs (for example the user's name, e-mail address and group membership) in its assertions.
When a user who has no account signs in, the application creates one from the details in the SAML assertion the identity provider presents, rather than waiting for an administrator to create it; the assertion carries the user's identifier and the attributes the application was configured to expect.
Administrators can use a centralized cloud identity provider, or an SSO service built on top of a traditional directory, to deliver the JIT workflow.
During initial setup, confirm that the target application supports JIT provisioning. Slack and the Atlassian suite are well-known examples of applications that do.
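The service-provider side of that flow, as an added example (illustrative code written for this page, not Slack's, Atlassian's or any SSO product's implementation): the function validates a constructed SAML assertion, refuses it if the issuer, audience or validity window is wrong or a required attribute is missing (the setup step above), and otherwise creates the account on first login and refreshes it on later ones. The issuer, audience, attribute names and group-to-role mapping are hypothetical. It assumes the SAML library has already verified the assertion's XML signature against the identity provider's certificate; it also uses the standard-library XML parser for brevity, where a production service provider should parse untrusted XML with a hardened parser such as defusedxml.

```python
"""Added example: SAML just-in-time provisioning on the service-provider side.
Not code from the original page or any named product. The assertion, issuer,
audience, attribute names and role mapping are constructed; signature
verification is assumed to have been done already by the SAML library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values the (hypothetical) application was configured with during SSO setup.
EXPECTED_ISSUER = "https://idp.example.com/metadata"
EXPECTED_AUDIENCE = "https://app.example.com/saml/metadata"
REQUIRED_ATTRS = ("firstName", "lastName", "groups")
GROUP_TO_ROLE = {"engineering": "member", "oncall": "incident_responder"}


class ProvisioningError(Exception):
    """Raised when an assertion must not be used to create or update an account."""


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC


def extract_identity(assertion_xml: str, now: datetime) -> Dict:
    """Validate issuer, validity window, audience and required attributes."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ProvisioningError("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ProvisioningError("unexpected issuer %r" % issuer)
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ProvisioningError("assertion has no validity window")
    not_before = cond.get("NotBefore")
    if not_before and now < _parse_ts(not_before):
        raise ProvisioningError("assertion not yet valid")
    if now >= _parse_ts(cond.get("NotOnOrAfter")):
        raise ProvisioningError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ProvisioningError("assertion was not issued for this application")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ProvisioningError("assertion has no NameID")
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    if missing:  # the IdP must send every attribute the application relies on
        raise ProvisioningError("IdP did not send required attributes: %s" % missing)
    return {"name_id": name_id, "attrs": attrs}


def jit_provision(accounts: Dict[str, Dict], assertion_xml: str, now: datetime) -> Dict:
    """Create the account on first login; refresh name and roles on later logins."""
    ident = extract_identity(assertion_xml, now)
    attrs = ident["attrs"]
    roles = sorted({GROUP_TO_ROLE[g] for g in attrs["groups"] if g in GROUP_TO_ROLE})
    created = ident["name_id"] not in accounts
    account = accounts.setdefault(ident["name_id"], {"created_at": now.isoformat()})
    account.update(first_name=attrs["firstName"][0], last_name=attrs["lastName"][0],
                   roles=roles, last_login=now.isoformat())
    return {"created": created, "account": account}


# Constructed sample assertion (treated as already signature-verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T09:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T08:59:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>engineering</saml:AttributeValue><saml:AttributeValue>oncall</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def run_demo() -> Dict:
    """First login creates the account, second updates it, bad assertions are refused."""
    accounts: Dict[str, Dict] = {}
    login = datetime(2024, 5, 1, 9, 1, tzinfo=timezone.utc)
    first = jit_provision(accounts, SAMPLE_ASSERTION, login)
    second = jit_provision(accounts, SAMPLE_ASSERTION, login)
    refused = {}
    for label, xml, when in (
        ("expired", SAMPLE_ASSERTION, datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc)),
        ("missing_attr", SAMPLE_ASSERTION.replace('Name="firstName"', 'Name="givenName"'), login),
        ("wrong_audience", SAMPLE_ASSERTION.replace("app.example.com", "other.example.com"), login),
    ):
        try:
            jit_provision({}, xml, when)
            refused[label] = False
        except ProvisioningError:
            refused[label] = True
    return {"created_first": first["created"], "created_second": second["created"],
            "roles": first["account"]["roles"], "accounts": len(accounts), "refused": refused}
```

Roles are recomputed from the `groups` attribute on every login, so a user removed from a group at the identity provider loses the corresponding role the next time they sign in; this is the part of JIT provisioning that keeps access from accumulating, and it only works if the attribute check in `extract_identity` refuses assertions that omit the attribute instead of treating it as empty.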
More JIT information
Just-in-time provisioning is a dynamic cyber security approach that strengthens security, streamlines administration, supports access at scale, and helps organizations meet compliance objectives while improving operational efficiency.