Using Automated Just-in-Time (JIT) to Reach Least Privilege – A Guide - Ermetic
Privileged access and elevated permissions expose organizations to vulnerabilities that could be exploited. On-premises, security teams often use PAM tools for managing these types of risks. But for cloud operations, PAM tools are insufficient as they are built around network access rather than cloud access, which is identity based. JIT (Just-in-Time) privileged access strategies minimize the attack surface of your cloud environments by reducing the window that attackers have to exploit excessive permissions. Let’s dive into why JIT access in the cloud is an essential part of any cloud security strategy and recommended ways for implementing it…
The Cyber Hut Comment: Ermetic have released a narrative article this month describing their approach to securing cloud-based PAM resources using a JIT (just in time) approach to permissions management. The concept is to provision only the necessary entitlements for as short a time as is needed, and once the user has completed the associated task, the entitlements are removed again. This embodies the concept of ZSP (zero standing privileges): permissions are not left hanging around, associated with an identity profile indefinitely.
Ermetic argue that in cloud-centric ecosystems, this JIT approach is the only way to go when it comes to managing end user permissions. The article continues with a categorisation of users: business users, admin users and security users. Within the business user group, they single out developers and engineers as the most challenging to manage, mainly because those groups require elevated permissions in order to complete specialist workflows and tasks.
The assignment of these JIT entitlements can be done in two ways: automated and manual. Clearly automation is the IT saviour, and the association of these entitlements can be tied to some sort of contextual, task-orientated policy. The article claims the main difference between PAM (privileged access management) and JIT is that the former is for on-prem systems, whilst JIT is for the cloud. I think that is a pretty linear comparison, and both concepts should really be applied to multiple different deployment models.
The article concludes with some JIT best practices, including the need for self-service, the building out of automated policies to assign access (especially low-risk access), and the identification and association of owners and approvers for each stage of the workflow.
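To make the zero-standing-privileges idea and the automated-versus-manual split concrete, here is a small JIT entitlement broker. It is an added example written for this commentary, not Ermetic's product or code, and the role names, risk tiers, owners and lifetime caps in ROLE_POLICY are assumptions: low-risk roles are approved automatically by policy, high-risk roles require the named owner to approve, every grant carries an expiry capped by the role's policy, and effective permissions are computed only from unexpired grants, so nothing stands once the task is done or the clock runs out.

```python
"""Minimal just-in-time (JIT) entitlement broker demonstrating zero standing
privileges. Constructed example; the roles, risk tiers, owners and caps below
are assumptions for the demo, not any vendor's policy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy table: risk tier decides automated vs. manual approval,
# "owner" is who may approve, "max_minutes" caps how long any grant can live.
ROLE_POLICY = {
    "s3-read-only": {"risk": "low",  "owner": "data-team", "max_minutes": 480},
    "rds-admin":    {"risk": "high", "owner": "dba-team",  "max_minutes": 60},
    "iam-admin":    {"risk": "high", "owner": "sec-team",  "max_minutes": 30},
}


@dataclass
class Grant:
    identity: str
    role: str
    expires_at: datetime
    approved_by: str  # "policy" when the low-risk automated path approved it


@dataclass
class JITBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (event, identity, role, detail)

    def request(self, identity: str, role: str, minutes: int, now: datetime,
                approver: Optional[str] = None) -> Optional[Grant]:
        policy = ROLE_POLICY.get(role)
        if policy is None:
            self.audit.append(("denied", identity, role, "unknown role"))
            return None
        # Never let a request extend a grant past the role's cap.
        minutes = min(minutes, policy["max_minutes"])
        if policy["risk"] == "low":
            approved_by = "policy"  # automated path for low-risk access
        elif approver is not None and approver == policy["owner"] and approver != identity:
            approved_by = approver  # manual path: the owner approved, no self-approval
        else:
            self.audit.append(("denied", identity, role, "needs owner approval"))
            return None
        grant = Grant(identity, role, now + timedelta(minutes=minutes), approved_by)
        self.grants.append(grant)
        self.audit.append(("granted", identity, role, approved_by))
        return grant

    def effective_roles(self, identity: str, now: datetime) -> list:
        """Only unexpired grants count: expiry alone removes standing access."""
        return sorted(g.role for g in self.grants
                      if g.identity == identity and g.expires_at > now)

    def revoke(self, identity: str, role: str, now: datetime, reason: str = "task complete") -> int:
        """Early removal when the user reports the task finished."""
        keep = [g for g in self.grants if not (g.identity == identity and g.role == role)]
        removed = len(self.grants) - len(keep)
        self.grants = keep
        if removed:
            self.audit.append(("revoked", identity, role, reason))
        return removed

    def sweep_expired(self, now: datetime) -> int:
        """Periodic cleanup so expired grants also leave the store and the audit trail."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self.audit.append(("revoked", g.identity, g.role, "expired"))
        return len(expired)


def demo() -> dict:
    """Walk through the automated, manual, expiry and early-revoke paths."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    b = JITBroker()
    low = b.request("alice", "s3-read-only", 600, now)           # auto-approved, capped to 480
    denied = b.request("bob", "rds-admin", 30, now)               # no approver: denied
    high = b.request("bob", "rds-admin", 30, now, approver="dba-team")
    bob_now = b.effective_roles("bob", now)
    later = now + timedelta(minutes=31)
    swept = b.sweep_expired(later)                                # bob's 30-minute grant is gone
    bob_later = b.effective_roles("bob", later)
    revoked = b.revoke("alice", "s3-read-only", now + timedelta(minutes=5))
    return {
        "low_ttl_minutes": int((low.expires_at - now).total_seconds() // 60),
        "low_approved_by": low.approved_by,
        "denied_without_owner": denied is None,
        "high_approved_by": high.approved_by,
        "bob_now": bob_now,
        "swept": swept,
        "bob_later": bob_later,
        "revoked": revoked,
        "alice_after": b.effective_roles("alice", now + timedelta(minutes=5)),
        "audit_events": [e[0] for e in b.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the audit list makes is that every transition (granted, denied, revoked, expired) is recorded with who approved it, which is what gives security teams a trail when the permissions themselves no longer exist.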