Just-in-time (JIT) access is a security approach where access to resources is granted only when needed and for a limited time with Just Enough Privileges (JEP). JEP is a synonym to Least Privileged Access. The goal is to ensure that a user, when granted access to a resource, has as minimal permissions as possible to perform the task at hand. Example use cases that require JIT access – a database administrator to patch a specific database in production or an Okta administrator needs to reset a user’s password or a Kubernetes administrator needs to update a cluster.
Long-standing privileges refer to permissions or access privileges granted to a user or account for an extended period. The long-standing privileges pose a significant security risk, increasing the attack surface for cybercriminals seeking access to critical systems or data. We periodically hear about data breaches where a DevOps user, administrator, or support engineer based in Southeast Asia is compromised.
Gartner recognizes JIT as an essential feature of Privileged Access Management. Today, most enterprises seek JIT solutions.
Challenges in JIT implementation
JIT is still a pipe dream for most enterprises. There are many challenges in implementing JIT. IT environments have become complex with SaaS and IaaS platforms. There is an API for everything, and the number of APIs enterprises consume is still on the uptrend. While each SaaS application provides hundreds to thousands of API endpoints and permissions, cloud service providers have 10K+ API endpoints and permissions to manage. Automation is necessary, but this is still an overwhelming magnitude of permissions & API capabilities for an enterprise to manage when consuming “as-a-service.” There is no universal solution, but a multi-faceted approach can help.
Digging deeper into APIs & permission sets provided by Cloud Service Providers (CSPs), one can see that AWS, GCP, and Azure each provide more than 10K+ permissions & API endpoints to manage. Each CSP has 1000+ roles to manage. A role, in essence, is a set of preconfigured permission sets. Further,one can create custom roles on a demand basis through APIs. As you think harder, you will realize that APIs hold the key to implementing the JIT solution. Many enterprises have implemented DIY JIT solutions. DIY solutions are harder to build and manage (a separate topic for discussion).
Challenges with JIT for cloud infrastructure?
1. Precut roles vs. custom roles: Each cloud service provider (CSP) has 1000+ precut roles. These roles provided by cloud service providers may not meet an organization’s specific needs. Custom roles can provide the granularity required for Just-In-Time Access. The life cycle of custom roles with JEP is a challenging task. Most enterprises don’t fully utilize the potential of custom roles because it’s too cumbersome to manage.
2. Cloud syntax: Each CSP offers its own permission sets and policy language. To effectively use the potential of the tens of thousands of permissions & policy language offered by CSPs, a cloud IAM administrator & user needs to master the policies & permissions provided by the CSPs they use. This is challenging because both users (say, a developer) and administrators need to understand the cloud-specific linguistics required for JEP. Different cloud resources have different sets of permissions. For instance, the permissions required for SSH are different from Kubernetes access. Further, there can be nuances (EKS vs. GKS) that are cloud service provider specific. Understanding what permissions one needs to perform the task can be a science in itself. Further, developers need to master cloud-native tools such as cloud-cli.
3. Access approval processes: JIT access requests must be approved quickly and efficiently to avoid unnecessary delays or disruptions. Centralized approval systems used by most enterprises aren’t designed for JIT. Internal communications between different teams: owner, requester, reviewers, and approvers – can stop JIT from becoming a reality.
4. Compliance: JIT access would require compliance and audit requirements for various checkpoints – who, why, how long, what resource, and need evidence for access revocation when time-bound access expires. The dynamic nature of the cloud makes it more difficult to track and monitor access requests and approvals.
5. Integration & Automation: JIT must be tightly integrated with existing Identity & Access management solutions and other communication channels, such as Slack, for quick approvals. Automation is required to free up both developers’ & administrators’ time in the JIT process.