Just-In-Time Access: Right Access, Right Resources, Right Reasons

June 27, 2019 Andrew Silberman

Just-in-time is a management philosophy that can be traced back to the early 1970s in Toyota manufacturing plants. Taiichi Ohno introduced this methodology in order to have production meet customer demand precisely and minimize waste. The major components of just-in-time manufacturing are: continuous improvement; eliminating waste; kanbans, which stop processes abruptly if they are not working; jidoka, which grant machines autonomy to carry out tasks so that workers can be more productive and levelled production, which smooths the flow of products through the factory. In order to successfully implement this business practice, teams need to be laser-focused on process, eliminating unnecessary activities and constantly striving for the best possible solution to a given problem. However, just-in-time is still just one piece of the overall puzzle and cannot be viewed as the singular reason for the success of Toyota.

In recent years, cybersecurity has adopted its own form of just-in-time called just-in-time access. Like its manufacturing namesake, just-in-time (JIT) access is geared towards removing waste, which is, in this case, unneeded access. This method of securing critical data and resources is implemented with the idea of providing the right person with the right access to the right resource at (and for) the right time for the right reasons — or, in other words, elevating privileges only when and where they’re required. Providing an audit trail of activities is essential for JIT, or else there becomes a trade-off between security and ease-of-use. Both are critical.

Just-in-time access is geared towards eliminating standing access and then dynamically bumping up privileged rights only when requested. The methodology, ideally, reduces friction for end-users and improves the security posture of the organization – so long as a clear and robust audit trail is provided. JIT eliminates standing access, thus providing better protection from attackers attempting to move laterally through the system.

Enterprises and analysts alike see JIT as being the next big thing in cybersecurity because it ensures that technical access is only provisioned to users or accounts when absolutely necessary. Gartner has noted[1] privileged access management in recent years[2] and has written about just-in-time access in a recent report, Best Practices for Privileged Access Management Through the Four Pillars of PAM. Per Gartner,  JIT access is the recommended method for privileged access, which is based on the principle that access is granted only for a short period of time and then removed, leaving no standing privileged access[3]. Further:

  • “A privileged account and session management (PASM) solution that can broker access to a privileged account, then remove access to that account.”
  • “Some PASM solutions can create an ephemeral account ‘on the fly,’ to be used only for a particular one-time use. The account would then be unavailable as soon as the user logs off and could either be removed or retained for future reuse.”
  • “A privilege elevation and delegation management (PEDM) solution could allow a user to temporarily elevate privileges for an account that is not privileged by default. Typically, this would enable a user to execute commands in privileged mode.”

These three concepts of just-in-time access share an underlying theme: reducing unneeded privileged access. This can be done with or without agents; it all depends on each organization’s propensity to manage them. An ideal solution will reduce unnecessary access to critical systems while simultaneously making things easier for their employees. Organizations can institute policies that limit privileged access to when it is needed or if it’s outside of the specified time frame, much like the “kanban” concept introduced by Ohno.

The typical workflow for just-in-time access is that a user (human or machine) requests access to a server, virtual machine or network device. The request is either checked against a policy of pre-approvals or goes to an administrator who either grants or denies access. (A jidoka could be useful here to enable task automation and ensure that workflows are followed, and mundane tasks aren’t subject to human error). The user, if granted access, enters the system and can go about their business as they normally would. After they’re done, they log off, and their access is revoked until they need it again. This just-in-time access workflow can be obtained in any of the above three ways, and provides organizations with a new way of approaching privileged access management.

As Mr. Ohno envisioned in the 70s, teams need a laser-focus on the task at hand, in this case cybersecurity. They must eliminate unnecessary activities (or access), lean on automation and strive to find the best solution to fit the given problem. Just-in-time access is subject to continuous improvement, since there is no single magic bullet to solve the issue of privileged access. But, just-in-time access can be a powerful tool for privileged access management just as it was for Mr. Ohno’s factory assembly line.

Stay tuned for Part 2 of just-in-time access blog series, which will cover CyberArk’s numerous capabilities from a product standpoint and what methods are appropriate for what scenarios.

 

[1] Gartner Top 10 Security Projects for 2019, Brian Reed, et al, 11 February 2019

[2] Smarter With Gartner, Gartner Top 10 Security Projects for 2019, 18 June 2018

[3] Gartner Best Practices for Privileged Access Management Through the Four Pillars of PAM,  Michael Kelley and Felix Gaehtgens, 28 January 2019

Previous Article
NIST 800-63-3 Digital Identity Guidelines – A Primer
NIST 800-63-3 Digital Identity Guidelines – A Primer

The National Institute of Standards and Technology (NIST), in June 2017, published a new set of guidelines ...

Next Article
Where Security Accountability Stops and Starts in the Public Cloud
Where Security Accountability Stops and Starts in the Public Cloud

For years, security was cited as a prime reason not to put sensitive data or valuable workloads into the pu...