What is Just-In-Time (JIT) privileged access?
JIT access provisioning
Just-in-Time (JIT) access provisioning grants a user temporary, on-demand (privileged) access to IT resources. It is a form of identity and access management (IAM) or privileged access management (PAM) that addresses scenarios in which a user who does not normally need a given application or service can receive access to it promptly when it is needed, but only for a short period of time.
Just-in-Time access provisioning can also be viewed as an alternative to standing privileges, in which a user has broad, always-on access to resources.
In contrast, Just-in-Time access ensures that all access is always temporary and is granted only at the moment the connection to the target is made.
In most cases, access is also scoped per role. This is why it also follows the principle of least privilege (PoLP), which many policies and regulations require.
The idea that no one should hold permanent authorization or permanent access to critical infrastructure has gained momentum. JIT access lets companies make all access temporary by default and re-verify the user, the connection, the role and the level of privilege every time a connection is established.
This removes implicit trust from the equation, which is also one of the core philosophies of the Zero Trust framework, whose operating model is 'never trust, always verify'.
How is Just-in-Time Access Delivered?
One of the most effective ways to deliver Just-in-Time access to users is to use ephemeral certificates.
Ephemeral certificates are short-lived access credentials that are
- created automatically on demand, at the moment the connection is made
- issued with everything the session needs to authenticate, so no long-lived password or SSH key has to be handed to the user
- valid only for minutes, expiring shortly after the connection is established and leaving no reusable secret behind
- typically deployable without agents on the client or the server (the target only needs to trust the issuing certificate authority), keeping the environment immutable.
This form of access is also called passwordless, keyless or 'credential-less', because the user never handles or sees the access credentials when establishing the connection. Find more information about ephemeral certificates here.
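The re-verification at connection time described above, and the ephemeral-certificate lifecycle in this section, can be seen end to end in the following added example. It is illustrative code written for this page, not SSH.COM's product or the OpenSSH implementation: the role policy, user names and timestamps are constructed, and an HMAC over the certificate body stands in for the CA's asymmetric signature. The certificate fields mirror what an OpenSSH user certificate carries (key ID, principals, validity window, serial), so each check maps onto what a target host performs on every connection.

```python
import hashlib
import hmac
import json

# Constructed sample policy: which principals (target-side roles) each user may request.
ROLE_POLICY = {
    "alice": {"db-admin", "web-deploy"},
    "bob": {"web-deploy"},
}

# Stand-in for the CA's private key. A real CA signs with an asymmetric key
# (for example an Ed25519 SSH CA key); an HMAC keeps this illustration dependency-free.
CA_SECRET = b"constructed-ca-secret-do-not-use"

# Serials the CA has withdrawn before their natural expiry.
REVOKED_SERIALS = set()

CLOCK_SKEW = 60  # seconds of tolerance on valid_after


class AccessDenied(Exception):
    pass


def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_SECRET, payload, hashlib.sha256).hexdigest()


def issue_certificate(user, role, now, ttl_seconds=300, serial=1):
    """Broker side, run at connection time: check policy, then mint a
    certificate valid only for a short window. Nothing long-lived is
    stored on the user's machine or on the target."""
    if role not in ROLE_POLICY.get(user, set()):
        raise AccessDenied(f"{user} may not assume role {role}")
    body = {
        "key_id": f"{user}@jit",        # who the certificate was issued to
        "principals": [role],           # which target identities it grants
        "valid_after": now - CLOCK_SKEW,
        "valid_before": now + ttl_seconds,
        "serial": serial,
    }
    return {"body": body, "sig": _sign(body)}


def verify_certificate(cert, requested_principal, now):
    """Target side, repeated on every connection attempt: signature,
    revocation, validity window and principal are all re-checked."""
    body = cert["body"]
    if not hmac.compare_digest(_sign(body), cert["sig"]):
        raise AccessDenied("bad CA signature")
    if body["serial"] in REVOKED_SERIALS:
        raise AccessDenied("certificate revoked")
    if not body["valid_after"] <= now < body["valid_before"]:
        raise AccessDenied("certificate outside validity window")
    if requested_principal not in body["principals"]:
        raise AccessDenied("principal not authorised by certificate")
    return body["key_id"]


def attempt(cert, principal, now):
    """One connection attempt, reduced to a (decision, detail) pair."""
    try:
        return ("allow", verify_certificate(cert, principal, now))
    except AccessDenied as exc:
        return ("deny", str(exc))


def demo():
    """Walk through the JIT lifecycle and return the outcome of each step."""
    t0 = 1_700_000_000  # constructed epoch timestamp
    cert = issue_certificate("alice", "db-admin", now=t0)
    results = {
        "fresh": attempt(cert, "db-admin", t0 + 10),
        "wrong_principal": attempt(cert, "web-deploy", t0 + 10),
        "expired": attempt(cert, "db-admin", t0 + 600),
    }
    # Tampering: escalating principals without the CA's signature.
    forged = {"body": dict(cert["body"], principals=["db-admin", "root"]), "sig": cert["sig"]}
    results["forged"] = attempt(forged, "root", t0 + 10)
    # Revocation: the CA withdraws a still-valid certificate early.
    short = issue_certificate("alice", "web-deploy", now=t0, serial=7)
    REVOKED_SERIALS.add(7)
    results["revoked"] = attempt(short, "web-deploy", t0 + 10)
    # Policy: a user outside the role never receives a certificate at all.
    try:
        issue_certificate("bob", "db-admin", now=t0)
        results["policy"] = ("allow", "bob@jit")
    except AccessDenied as exc:
        results["policy"] = ("deny", str(exc))
    return results


if __name__ == "__main__":
    for step, (decision, detail) in demo().items():
        print(f"{step:16s} {decision:5s} {detail}")
```

With OpenSSH the same lifecycle is produced with real keys: a broker signs a freshly generated user key with `ssh-keygen -s ca_key -I alice@jit -n db-admin -V +5m user_key.pub`, the target trusts the CA through `TrustedUserCAKeys` in sshd_config, and sshd repeats the signature, validity-window and principal checks on every connection, exactly the sequence `verify_certificate` models above. Revocation in OpenSSH is handled by a `RevokedKeys` list on the target rather than the in-memory set used here.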
Just-in-time access solutions
SSH.COM has developed a comprehensive set of JIT Zero Trust solutions that mitigate the risk of managing digital keys, privileged passwords and other secrets (such as API tokens or certificates) by greatly reducing their numbers in IT infrastructures. Learn more about SSH.COM's Zero Trust and Just-in-Time (JIT) solutions here.