A “Just Right” Approach for Just-in-Time Access Management
Our recent post on striking the delicate seamless vs. secure balance in enterprise security touched on Just-in-Time (JIT) access management as a powerful tool for putting Zero Trust security principles to work in the organization. It’s worth a closer look to see just how powerful the right JIT implementation can be and how to customize such implementations to suit the needs of a particular business. As we’ll see, customization is easier said than done – since a lot of orchestration challenges and judgment calls happen along the way to implementing JIT in real-world enterprise systems.
Navigating Access Management Complexities
JIT deployments are popular because they’re a way to apply Zero Trust principles to create more secure access management while still providing the right stakeholders with needed access to the right data and systems. Yet many organizations struggle to translate this from theory into actual practice within enterprise systems.
There are two main reasons for this. The first reason is that Zero Trust principles are just that – principles that embody Zero Trust as a kind of North Star aspiration. IT teams implementing JIT need to turn that absolute principle into an approximation – one that’s rendered through a real-world deployment that requires certain compromises and tradeoffs when it comes to making specific architecture and access decisions.
That brings us to the second reason JIT implementations can be so tricky – the sheer range and complexity of all those architecture and access decisions that must be made. Especially for enterprises that are well established and have evolved their infrastructure and applications over time, the IT estate is often a complex mix of cloud and legacy systems, with an equally complex assortment of identity- and role-based access protocols.
Optimizing JIT Configuration Choices
The challenges outlined above can make setting up an effective JIT access management system daunting for most enterprises without a seasoned MSP to guide the implementation. While NIST and industry groups have developed Zero Trust reference architectures and code templates for access management, the bulk of the decisions around a specific JIT implementation will remain bespoke to how the organization's IT estate is structured and operates.
At the software development level, for instance, JIT can represent a culture shock for developers who are used to having unfettered administrator access as they design, build and test new applications. A thorough JIT access management deployment will change this, but with the help of an MSP, organizations can strategize where developer access can still be granted. The MSP can also suggest and support process improvements – like creating more secure testing environments by introducing simulated or mock datasets for developers to use instead of actual protected data.
Elsewhere in the organization, JIT implementations need to be customized along the pre-approved vs. by-request continuum – deciding what access may be granted to stakeholders automatically, and what access requires a human sign-off. Organizations can partner with an MSP to solve this with access models that map out privileges, including clear elevation or escalation paths for cases where a team leader, or even a senior manager or division head, needs to sign off on certain access requests.
JIT access management also requires adequate cross-departmental collaboration in cases where, say, the HR department needs to coordinate with IT on the timing of an employee offboarding and concurrent removal of system access for that person. The right MSP partner can help by mapping out and sharing security “to-do” checklists for such scenarios – including offboarding, new hires and internal promotions where access parameters are being altered. A third-party strategic partner can also share customized templates and train the organization on access management policies, processes and governance.
Those are just some examples of where and how JIT access management requires a fair amount of customization in order to be effective. The right client/MSP partnership takes all these factors and more into account to create stronger JIT deployments and better configuration choices that fit the implementation to the organization's secure access management needs.