Traditional IT security models focused on one thing: keeping the bad guys out the network. Anyone inside the network was physically in the corporate office and logged on to a machine set up and managed by the IT team, so they were trusted implicitly.
That model no longer works. Today’s world of cloud resources, remote workers and user-owned devices has blurred if not entirely erased the notion of a network perimeter that could be defended. Moreover, security experts are more acutely aware of the reality of insider threats: legitimate business users and admins who could misuse their access, deliberately or accidentally, to cause breaches or downtime.
To address the new reality, a new security model has arisen — Zero Trust. This blog post explains what Zero Trust involves and then dive into an increasingly popular technique for helping to implement it: just-in-time (JIT) access. We’ll learn why JIT access is emerging as a game-changer in strengthening our defenses against cyber threats.
What is Zero Trust?
Zero Trust is a security model based on a simple premise: “Never trust, always verify.”Zero Trust requires that no user, device or application should be trusted implicitly. Instead, every access request, whether from inside or outside the network, should be carefully assessed.
What is just-in-time access?
In a typical organization, IT pros have special administrative accounts that grant them elevated privileges to sensitive systems and data. These accounts exist all the time, whether they are being used or not, so they are a top target of attacks. An adversary who compromises a privileged user account is well on their way to accomplishing their objectives, whether that’s to steal data, bring down vital systems or do other damage. Moreover, the account owners themselves can misuse their accounts, either accidentally or maliciously.
To reduce these risks, organizations can replace risky standing privileged accounts with just-in-time access. Here’s how it works: A user needs more access than they currently have to accomplish a particular task. The most common example is an IT pro who needs to perform an administrative task, such as installing patches or changing a system configuration. But it might also be a business user who has been assigned to cover for a colleague and needs temporary access to additional data or applications to complete that task.
The user requests the access they need. If the request is approved, they are provided with an ephemeral account that grants exactly the permissions they need, and that account is deleted immediately after they complete the task.
Notice that the user is never given a standing administrative account that they could misuse or that could be compromised by an adversary. Nor are they given more access than they need, which limits the risk that they can cause damage either deliberately or by mistake.
What are the benefits of JIT access as part of a Zero Trust approach?
As we have seen, just-in-time access support a Zero Trust security model by reducing privileged access. It offers all of the following benefits:
- Reduced attack surface: JIT access reduces the organization’s attack surface by replacing standing privileged accounts with temporary, least-privileged access granted through a defined approval workflow. Adversaries find it much harder to accomplish privilege escalation and lateral movement, reducing the risk of security breaches.
- Compliance and auditability. JIT access helps organizations meet compliance requirements by enabling them to limit privileged access and audit privileged activity. Auditors can review access logs and verify that access was granted based on legitimate business needs. JIT access also assists in enforcing separation of duties and the principle of least privilege, which are crucial for compliance.
- Operational efficiency: By automating the process for requesting, approving and granting JIT access, organizations can improve security and compliance without hurting productivity. A quality JIT solution empowers users to access the resources they need when they need them, without excessive hurdles or delays.
How can Netwrix help organizations adopt JIT?
With Netwrix Privilege Secure, you can replace your risky standing privileged accounts with ephemeral accounts that provide just enough access for the task at hand. With this solution, you can:
- Get dynamic and continuous visibility into privileged accounts across all endpoints.
- Replace risky privileged accounts with just-in-time privileged access — without hurting administrator productivity.
- Get a single control point for all just-in-time access, with the option to require multifactor authentication (MFA).
- Monitor and record privileged user sessions to enable investigations, satisfy auditors and ensure accountability.
- Visualize, analyze and manage your attack surface with dashboards tailored to executives and IT pros.