Just-In-Time privileged access
What is Just in Time IAM?
Just-in-Time (JIT) access provisioning grants a user temporary, on-demand (privileged) access to IT resources. It is a form of identity and access management meant for scenarios in which a user who does not typically need certain applications or services can receive timely access to them when needed, but only for a short period of time.
Just-in-Time access provisioning can be viewed as an alternative to standing privileges, in which a user has broad, “always-on” access to resources. In contrast, Just-in-Time access ensures that all access is always temporary and limited per role, without granting permanent authorization to anyone. This is why it also follows the principle of least privilege (PoLP), which is one of the core philosophies of the Zero Trust framework.
How is Just-in-Time Access Delivered?
One of the most effective ways to deliver Just-in-Time access to users is to use ephemeral certificates.
An ephemeral certificate is a type of limited-access security token that is created automatically on demand, expires automatically, and requires no installation, configuration or updating.
In ephemeral certificate-based authorization, the target systems are accessed without the need for permanent access credentials, explicit access revocation or traditional SSH key management. For each session, the ephemeral certificate:
is issued from the Certificate Authority, which serves as the trusted third party
is based on various industry-standard methods, the chief example being the short-lived X.509 certificate
encodes the target user ID for security
has a short lifetime (5 minutes) after which it auto-expires
The access is also called passwordless or ‘credential-less’, since on establishing the connection the user does not handle access credentials at all. Instead, the user logs in to the Certificate Authority each time he or she wants to establish a remote connection without having permanent authorization to the environment.
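As an added illustration (not code from the original page or from SSH.COM's products), the Go program below has a demo CA issue a 5-minute X.509 certificate that names the target account, then runs the check a target system would perform. The names issue, authorize, demo-ca and deploy are assumptions, as are the use of Ed25519 keys and of the Subject CommonName to carry the user ID.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn, valid from now for ttl; a nil parent yields a self-signed demo CA.
func issue(cn string, serial int64, now time.Time, ttl time.Duration, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // fresh key pair per certificate
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(ttl), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed demo CA
		tmpl.KeyUsage, parent, signer = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authorize is the target's check: chains to the CA, valid at time at, issued for this account.
func authorize(ca, cert *x509.Certificate, account string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return err // untrusted issuer, not yet valid, or expired
	}
	if cert.Subject.CommonName != account {
		return fmt.Errorf("certificate is for %q, not %q", cert.Subject.CommonName, account)
	}
	return nil
}

func main() {
	now := time.Now() // issue errors are ignored here for brevity; names below are constructed
	ca, caKey, _ := issue("demo-ca", 1, now, time.Hour, nil, nil)
	cert, _, _ := issue("deploy", 2, now, 5*time.Minute, ca, caKey)
	fmt.Println(authorize(ca, cert, "deploy", now.Add(time.Minute)), authorize(ca, cert, "deploy", now.Add(6*time.Minute)))
}
```

The second call fails purely because the clock has passed NotAfter: nothing was revoked and nothing had to be removed from the target.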
SSH.COM has developed a comprehensive set of JIT Zero Trust solutions to mitigate the risk of managing digital keys, privileged passwords and other secrets (like API tokens or certificates) by greatly reducing their numbers in IT infrastructures.