Just-in-Time, JIT, or just plain old ‘Just in Time’; however you say it, we all understand its meaning – “at time requested” – it’s not a difficult concept. Unfortunately, like anything else, the definition blurs when you start adding context; in this case specifically, Privileged Access Management (PAM).
JIT can mean a lot of different things to different people, so let’s come to some common ground around the Just-In-Time (JIT) term. What is it, and what is it not?
Every PAM product by its nature is just in time. Imagine a PAM solution where your request for privileged access was granted hours or days later. That probably wouldn’t work too well and would certainly change the IT dynamic significantly. Most PAM solutions provide just in time access to privileged accounts, and as their name would suggest, the accounts are considered to be privileged because they always have privileged access.
An analogy to solidify the concept: A bank has a number of safety deposit boxes, each with a separate key. To access a specific box, tellers are given access to their own key safe. Each key safe has a range of keys. The teller takes out the correct key when they need to access the particular safety deposit box and puts it back when finished. They only have the key for the length of time that they need it. This is just-in-time access, just like traditional PAM vendors and products accomplish it.
What Happens if Someone Compromises the Key Safe?
They gain access to all the safety deposit boxes. JIT access in this sense provides some control for the teller but doesn’t stop an attacker from accessing the same boxes if the key safe is compromised. Just-in-Time doesn’t have anything to do with a reduction in privileged accounts and therefore a reduction in your attack surface. It’s simply the ability to deliver privileged access, in real time, when needed.
What if we had a mechanism to ensure when a teller needed to access a safety deposit box, the correct key would automatically be generated and placed in the box for them, and when the teller was finished and placed the key back in the box, it magically disappeared? Seems this would be a great solution! We still have control, but no keys are sitting at rest in the key safe.
Just-In-Time… Be Careful How Vendors Bend the Truth
Many vendors use the JIT term insinuating that they provide functionality they don’t. This is fueled a bit by misunderstandings among the buying market.
Vendor “B”’s Blog… “Just-in-Time Privileged Access Management (JIT PAM) is the method by which organizations can enforce “true” least privilege, to drastically reduce the threat surface.”
Vendor “C”’s Glossary… “Cybersecurity industry analysts recommend JIT access as a way of provisioning secure privileged access by minimizing standing access.”
Be careful as traditional PAM vendors love to tout their use of or support for Ephemeral Accounts. The problem… they only support those accounts on Linux, or some limited use case. Ask them what platforms can use these special accounts and peel back the onion a bit.
The ONLY WAY to Minimize or Reduce Standing Privileges is to REMOVE Them and Embrace EPHEMERAL ADMINISTRATION.
We have analyzed thousands of environments and the vast majority have between 3 and 5 administrative accounts per live administrator. Likely you do too! If you have 50 admins, then you have 150-250 administrative accounts. That is the attack surface! That is the group attackers will most often attempt to compromise to accomplish their mission. Just-in-time access doesn’t reduce the number of administrative accounts, or your attack surface.
How Does Stealthbits Deliver JIT AND Reduce Your Standing Privileges?
We use ephemeral accounts, or what we call ‘activity tokens’. We deliver privileged access JIT by creating the account at the time of the access request. That account is only ‘alive’ for the time it takes to finish the task the access was requested for. Once the task is complete, the account is destroyed, leaving no standing privilege or attack surface behind.
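A toy model of the two approaches described above, added here as an illustration and not Stealthbits’ own code: the legacy directory seeded with standing admin accounts versus an ephemeral “activity token” minted per request and destroyed when the task ends. The class and method names, and the TTL reaper that cleans up abandoned sessions, are assumptions for the example.

```python
# Toy model of ephemeral ("activity token") privileged accounts versus
# standing admin accounts. Constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AdminAccount:
    name: str
    owner: str
    expires_at: Optional[float]  # None means a standing account that never expires


class Directory:
    """Minimal stand-in for a directory or PAM vault holding admin accounts."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AdminAccount] = {}
        self._seq = 0

    def seed_standing(self, admins: List[str], per_admin: int) -> None:
        """Legacy model: every admin keeps several always-privileged accounts."""
        for admin in admins:
            for i in range(per_admin):
                name = f"{admin}-adm{i}"
                self.accounts[name] = AdminAccount(name, admin, None)

    def request_access(self, owner: str, ttl_seconds: float, now: float) -> str:
        """Ephemeral JIT: mint a one-off admin account at request time."""
        self._seq += 1
        name = f"tmpadm-{owner}-{self._seq}"
        self.accounts[name] = AdminAccount(name, owner, now + ttl_seconds)
        return name

    def finish_task(self, name: str) -> bool:
        """Destroy the ephemeral account as soon as the task completes."""
        return self.accounts.pop(name, None) is not None

    def reap_expired(self, now: float) -> List[str]:
        """Safety net: remove tokens whose TTL lapsed (abandoned sessions)."""
        expired = [n for n, a in self.accounts.items()
                   if a.expires_at is not None and a.expires_at <= now]
        for n in expired:
            del self.accounts[n]
        return expired

    def attack_surface(self) -> int:
        """Privileged accounts that exist right now."""
        return len(self.accounts)

    def standing_privilege(self) -> int:
        """Accounts that persist regardless of any task; JIT alone never lowers this."""
        return sum(1 for a in self.accounts.values() if a.expires_at is None)
```

With 50 admins at 3 accounts each the legacy directory reports 150 standing accounts, while the ephemeral directory reports 0 between tasks and exactly 1 during one.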
KuppingerCole analysts referred to Stealthbits’ capability above as the “Future of PAM…”
We have spent countless hours rethinking and modernizing an approach to PAM that is simple to use, install, and change.
Check out why Cyber Security Excellence awarded Stealthbits Privileged Activity Manager® Best Privilege Access Management Product in 2020.
Seeing is believing. Start a free trial of Stealthbits Privileged Activity Manager – installs in less than 20 minutes and can even act as a complement to your existing legacy PAM deployment.
Martin is Vice President of Product Strategy at Stealthbits.
Martin is an experienced technologist, with over 30 years in the Privileged Access Management and security space. Prior to Stealthbits, Martin led the privileged access team at BeyondTrust, where he took their password management solution from unknown to a recognized leader in the industry within 3 years. At BeyondTrust he also drove the development of their first SaaS PAM product as well as a new microservice-based platform for DevOps security. Prior to BeyondTrust, Martin held key management positions at Quest/Dell, Novell, Fortefi and Symantec. He is a recognized expert and a regular speaker at security events and webinars.