No single access methodology can effectively manage every access use case across an organization. While Role-Based and Attribute-Based Access Controls (RBAC and ABAC) can cover the majority of a given user’s access needs, neither method is ideally suited for every use case; there will always be exceptions.
So, what is the best way to handle these remaining use cases—the one-off exceptions or fringe cases that require special steps to grant access?
We recommend a fresh approach to managing special-case access needs called Just In Time (JIT) Access. With JIT Access, organizations can easily give users timely access to organizational resources that are outside their normal, routine work function. There’s no need for complex and expensive role management processes and tools.
Just in Time Access Explained
Just In Time (JIT) Access enables organizations to grant access to applications or systems for predetermined periods of time, on an as-needed basis.
You may be familiar with the concept of “just in time” as it relates to provisioning. With JIT Provisioning, if a user doesn’t already have an account in a target application, the application recognizes that, and the Identity and Access Management (IAM) system creates the account for the user on the fly, the first time the user accesses it.
JIT Access is similar, but different in fundamental ways. Rather than providing high-level access to applications like JIT Provisioning, JIT Access allows for more granular, short-term access. The “Just In Time” part comes from the fact that users can quickly get the access to what they need—without having to prearrange it or go through a long, drawn-out approvals process that impedes productivity.
Instead, users simply request the access they need via a Workflow process, and are quickly granted access or an access privilege level to an application or system. There is no need to submit help tickets, convene committees, or wait days to assess the request up through the managerial chain of command. Employees are able to get business tasks done faster and without compromising security.
JIT Access follows the security principle of least privilege—providing users only the access they need for the minimum time they need it, and then removing that access or privilege. Access can be granted for just a few minutes or several months, depending on the sensitivity level of the application or the organization’s governance requirements. Special approvals and logic checks can be added when access to sensitive applications or systems is requested.
This access affords another critical benefit: every request, grant, revoke, or other access control action is auditable. In this way, organizations will always know who did what and when, so they are always ready for an audit.
A Solution, Just in Time
Whether for a simple collaborative project in which a user must access a different department’s resources or an emergency situation when systems are down, the efficient handling of exception situations is critical in any IAM implementation.
When JIT Access is combined with RBAC and ABAC policies, organizations can effectively cover virtually all of their access needs and give organizations far greater control and knowledge over every user’s systems access at any point in time.
To learn more about the needs, motivations, and common use cases for the JIT Access Approach, as well as the shortcomings of RBAC- or ABAC-only models, check out our ebook, Just in Time Access: A More Secure Approach to Special-Case Access Needs that Fall Outside of RBAC & ABAC Policies.
Comments