One disconcerting aspect in privileged access management (PAM) is that organizations are often not completely accustomed to widespread risks. Even if the PAM tools are in place, the fundamental principles sometimes could take a backseat. For instance, noncompliance to the ‘Least Privilege’ principle due to the absence of Just-in-time (JIT) privilege elevation approach. Scenario 1: Enterprise on-prem privileged access management includes robust vaulting and session monitoring, but privileged users have ‘Always-on’ entitlements. No privileged user requires 24*7 privileged access. And arbitrarily accessed privileged accounts amplifies the insider threat. Scenario 2: Enterprise does not want to do all the heavy lifting for setting-up on-prem PAM infrastructure. It therefore outsources to a managed service provider (MSP). The MSP in turn may have multiple layers of authentication including contextual authentication to mitigate risks involved in multi-tenant environments. Nevertheless, the access to systems whether deployed on its premises or on-cloud is threatened by unnecessary permanently elevated privileges. The essence of the just-in-time privilege elevation approach is simplicity; it brings in the manner enterprise manage and control risks. That is, the right person is entitled to access the right systems at the right time for the right purposes. Essentially, the just-in-time privilege elevation approach enables the IT security staff to:
  • Robustly implement the principle of Least Privilege
  • Grant access rights only on ‘need-to-know’ and ‘need-to-do’ basis
  • Comply with regulatory guidelines that explicitly mention access control rules for data controllers and data processors

Which just-in-time privilege elevation approach to adopt?

It depends on an organization’s daily use-cases. The scope of a project, access frequency and the taxonomy: shared/administrative/business privileges are some of the points to keep in mind. Broadly, the classification of JIT privilege elevation approaches is as follows and ARCON | PAM supports these use-cases:
  • Privileged Elevation and Delegation Management (PEDM): An end-user may have a project to do on Windows/Unix environments. The access requirement may run for a few weeks or months. Based on the requirements, the PEDM approach provides temporary elevated access to the target systems. The privileged rights are revoked after the completion of IT tasks. ARCON offers agent-based PEDM for JIT access.
  • One-time Privileged Access: It is meant for end-users requiring one-time administrative access to systems. The function ensures time-limited access to privileged accounts.
  • On-demand provisioning and de-provisioning of privileged elevation: The function allows to create and delete privileged accounts, just in time.
  • Ephemeral access to IaaS and SaaS consoles: The function helps in overcoming privilege escalation challenges in fast-expanding cloud environments. By ensuring ephemeral access to IaaS and SaaS consoles, security staff can ensure zero-standing privileges.
 

The bottom-line

Enforcing the principle of least privilege is essential for better management of PAM. JIT privilege elevation approach helps to attain it.