Organizations understand that securing privileged access is critical, which requires solutions to identify and systematically lock down accounts and systems with elevated levels of privilege. To effectively reduce risk, organizations must be able to fully manage, secure and automatically rotate credentials (especially for shared groups), while enabling employees to securely access critical target systems.
The concept of providing access to specific target systems during specific times when it is requested can be referred to as “just-in-time” access. This strategy is seen as a way to quickly install effective controls and provide privileged users the ability to access target machines without the need to manage and store credentials. These implementations are lightweight solutions that provide organizations the ability to introduce security protocols and help establish habitual security before segueing into a robust Privileged Access Security program. Version 10.6 of the CyberArk Privileged Access Security (PAS) Solution includes a feature that enables this option.
CyberArk’s Ad Hoc Access provides just-in-time access to Windows servers by placing an admin account on each desired system. When users require access to one of those particular systems, they must request access through the CyberArk console before they are allowed on to that system for a defined time period. Below is a screenshot showing what it looks like when an end user wants to “get access” to a Windows server that isn’t currently onboarded into CyberArk.
Once the time window has expired, they are removed from the admin account and, if needed, will have to request access to get back in. This is yet another control to signify steps towards privileged access by ensuring that privileged targets are only being used by the appropriate users at the appropriate time.
Workflow of an end user within CyberArk requesting Ad Hoc Access with just-in-time access to a Windows server
The steps to onboard and create Ad Hoc Access to Windows servers with the CyberArk Privileged Access Security solution are simple. First, discover local admins on targets via Accounts Discovery. Second, onboard the local admin for each target. Access is then granted to end-users using Ad Hoc Access for a specified time period.
While just-in-time solutions certainly have benefits, it is worth mentioning that by design these solutions provide minimal visibility into what users are actually doing on these unmanaged targets since session activity on these systems are neither isolated nor recorded. However, this is a more secure solution than completely unmanaged local admin accounts.
This feature addition to the CyberArk Privileged Access Security Solution is meant to be a complement to privileged access security programs and projects. Ad Hoc Access should be seen as a method to encourage teams to install privileged controls, even if they are unable to fully manage local administrator accounts and credentials with session isolation and monitoring.
As another alternative, CyberArk also offers customers the ability to utilize Privileged Session Manager Ad Hoc Connection functionality, which provides pre/post scripts to add or remove users from unmanaged targets to connect via Privileged Session Manager. This feature provides similar ease of use to Ad Hoc Access with the added security benefit of session isolation and monitoring. However, Privileged Session Manager Ad Hoc Connection is typically leveraged when an administrator already has an account on the target machine, and knows the destination information and credentials. Within the CyberArk console, an end user is prompted to enter the platform, client, address, username and password of the target system and is then connected via Privileged Session Manager. These unmanaged targets can be accessed on an ad hoc basis to connect privileged users to any unmanaged target system (not just Windows servers) through Privileged Session Manager.
CyberArk always urges customers to be as secure as possible, but we understand that every organization is different. Providing customers with the ability to set up ad hoc policies to reduce friction for end users is an option for certain types of targets, and can be seen as another way to implement privileged access controls. The Privileged Session Manager Ad Hoc Connection is a way for organizations to avoid managing local administrator credentials while providing an audit trail of privileged sessions, but may still be met with resistance from end users. Ad Hoc Connection with just-in-time access to Windows servers provides the ability to now manage local administrator accounts without the audit trail, thus reducing the steps needed for end users. Inevitably it’s up to each organization to make the decision that best suits their operational and security needs alike. However, both Ad Hoc methods should be seen as ways to increase user adoption by reducing some of the friction, rather than the most secure method of fully managing target systems that help achieve fully managed and secured privileged access.
For more information on the CyberArk Core Privileged Access Security solution please click here. CyberArk has also recently published the “Top 5 Reasons to Prioritize Privilege Today” showcasing why privileged access security should be top of mind for every organization.