Just-in-Time Privileged Access Doesn’t Mean Reduced Standing Privileges

Just-in-time (JIT) is the latest buzzword in the world of Privileged Access Management (PAM). An internet search for ‘Just-In-Time Access’, ‘Just-In-Time Privilege’ or ‘Just-In-Time Privilege Access’ brings up a multitude of vendors offering clickbait as to why their solution is best. The problem is that JIT can be accomplished in different ways, and not all of them are created equal. Continue reading to understand the differences between JIT approaches so you can make informed buying decisions.

Many PAM vendors in the space only provide access to privileged accounts just-in-time; the accounts themselves remain active, with all their permissions, when they are not being used. This half-baked approach leaves a condition called ‘standing privileges’, which builds a large attack surface that bad actors use to move laterally within corporate environments.

Stealthbits is a pioneer in true just-in-time privileged access management with just-enough permissions. Stealthbits Privileged Activity Manager® (SbPAM®) not only provides all the usual PAM capabilities, such as controlled, audited access to privileged tasks as they need to be performed, but, very importantly, ensures that the privileged accounts themselves only exist while they are actively being used. This ground-breaking approach is often referred to as ‘Zero Standing Privileges’ (ZSP).

SbPAM uniquely generates Activity Tokens (time-limited ephemeral accounts) that connect authorized users to privileged tasks and are automatically removed when the task is completed. After use, Activity Token artifacts such as home directories and SID caches are cleared automatically from resources, eliminating the opportunity for attackers to leverage those artifacts to move laterally or escalate privileges using advanced attack tactics, techniques and procedures such as Pass the Hash.

No account = No standing privileges = Reduced attack surface = Less chance of cyberattack.
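To make the lifecycle above concrete, here is an added illustration of the Zero Standing Privileges pattern in PowerShell. It is not SbPAM's code; it assumes the ActiveDirectory module on a domain-joined admin host, a hypothetical `$Task` script block supplied by the caller, and a target host reachable over WinRM.

```powershell
#Requires -Modules ActiveDirectory
# Added example of an ephemeral "Activity Token" account: created for one task,
# granted membership only for the task's duration, then deleted along with the
# profile artifacts it left on the target host. Hypothetical function name.
function Invoke-EphemeralPrivilegedTask {
    param(
        [Parameter(Mandatory)][string]      $RequestingUser,   # authorized requester (audit trail)
        [Parameter(Mandatory)][string]      $PrivilegedGroup,  # scope as narrowly as the task allows
        [Parameter(Mandatory)][scriptblock] $Task,             # the privileged work to perform
        [string] $TargetHost = $env:COMPUTERNAME,
        [int]    $TtlMinutes = 30                               # hard upper bound on the token's life
    )

    # 1. Create the token: a fresh account that exists only for this task and
    #    expires on its own even if the cleanup below never runs.
    $tokenName = 'tok-' + [guid]::NewGuid().ToString('N').Substring(0, 12)
    $secret    = ConvertTo-SecureString ([guid]::NewGuid().ToString() + '!Aa1') -AsPlainText -Force
    $expiry    = (Get-Date).AddMinutes($TtlMinutes)
    New-ADUser -Name $tokenName -SamAccountName $tokenName -AccountPassword $secret `
               -Enabled $true -AccountExpirationDate $expiry `
               -Description "JIT token for $RequestingUser, expires $expiry"

    try {
        # 2. Grant just-enough permission, then run the task as the token.
        Add-ADGroupMember -Identity $PrivilegedGroup -Members $tokenName
        $cred = New-Object System.Management.Automation.PSCredential ("$env:USERDOMAIN\$tokenName", $secret)
        Invoke-Command -ComputerName $TargetHost -Credential $cred -ScriptBlock $Task
    }
    finally {
        # 3. Tear down: with the account gone there is no standing privilege to steal.
        Remove-ADGroupMember -Identity $PrivilegedGroup -Members $tokenName -Confirm:$false
        Remove-ADUser -Identity $tokenName -Confirm:$false

        # 4. Clear the artifacts left on the target (local profile directory and
        #    its registry hive), so nothing remains for later reuse.
        Get-CimInstance -ComputerName $TargetHost -ClassName Win32_UserProfile |
            Where-Object { $_.LocalPath -like "*\$tokenName" } |
            Remove-CimInstance
    }
}
```

In a real deployment, allow for AD replication delay before the new account is usable, and remember that a Kerberos ticket issued to the token before deletion remains valid until that ticket expires, so keep the TTL and ticket lifetimes short.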

Some vendors have the capability to elevate user accounts with specific privileges on the fly, but these use cases are generally limited to host-based permissions. Least privilege products for Windows/Unix/Linux endpoints are often described as JIT PAM, which they are (at a basic level). Where they fall short is that they do not remove the privileged accounts from the domain. Again, it’s these standing privileged accounts that are often used for lateral movement attacks; remove the accounts and you remove one of an attacker’s best techniques for traversing your systems. So back to all these vendors claiming JIT privileged access. While just-in-time access is a convenience for those performing privileged tasks, it’s only half the answer. If you’re not reducing the attack surface at the same time, you’re only gaining half the benefit. Realize the full benefits with SbPAM. We can install in hours, integrate with your existing vault, and even offer built-in access certification workflows. Come see the future of Privileged Access Management.

Stealthbits Privileged Activity Manager (SbPAM) was named a GOLD WINNER for Best Privilege Access Management Product 2020 by Cybersecurity Excellence Awards.
