The Guide To Just-In-Time Privileged Access Management


The Guide to Just-In-Time Privileged Access Management
What It Is, Why You Need It & How to Implement It

TABLE OF CONTENTS

INTRODUCTION: Taking “Just Enough” Access to the Next Level
JIT PAM OVERVIEW: What Is Just-In-Time Privileged Access Management
AUTOMATING JIT PAM: JIT Methods; JIT Triggers; JIT Policies; JIT PAM in Action
BEYONDTRUST & JIT PAM: How BeyondTrust Solutions Enable Just-In-Time Privileged Access Management; Mapping JIT Methods & Triggers; Moving Your JIT PAM Implementation Forward to Reduce Cyber Risk
GLOSSARY: Related Concepts & Terminology

INTRODUCTION

Taking “Just Enough” Access To The Next Level

A true least-privilege security model requires users, processes, applications, and systems to have “just enough” rights and access to perform tasks, and for no longer than necessary.

Organizations are increasingly effective at applying the “just enough” access piece using privileged access management (PAM) solutions, but they have largely neglected the time-limited part and persistent risk portion of the equation for privileged user accounts.

For the last 40 years, “always-on” privileged accounts have been the default mode for administrative access and have proliferated across enterprises, presenting a massive risk surface. Privileged access, rights, and permissions that are always in an active mode are ready to be exercised at any time, for legitimate activities as well as for illicit ones. And this risk surface is rapidly expanding with the expansion of virtual, cloud, and DevOps environments, internet of things (IoT) devices, as well as in emerging areas, such as robotic process automation (RPA).

Against this backdrop, it’s no surprise that the abuse and/or misuse of privileges plays a role in almost every cybersecurity breach incident today. With privileged access in hand, an attacker essentially becomes a malicious insider, an alarming scenario for any IT professional, all the way up through the C-level and the Board.

Privileged accounts are now truly everywhere across your organization, but traditional, perimeter-based security technologies can only protect privileged accounts within their boundaries. Just-in-time (JIT) privileged access management (PAM) can help drastically condense the privileged threat surface and reduce risk across the enterprise. Implementing JIT PAM means that identities only have the appropriate privileges when necessary, and for only the least time necessary. This process can be entirely automated so that it is frictionless and invisible to the end user.

JIT PAM OVERVIEW

What Is Just-In-Time Privileged Access Management

Just-in-time (JIT) privileged access management (PAM) is a strategy that aligns real-time requests for usage of privileged accounts directly with entitlements, workflow, and appropriate access policies. Companies use this strategy to secure privileged accounts from the flaws of continuous, always-on access by enforcing time-based restrictions based on behavioral and contextual parameters.

A privileged account is defined as an account that is granted privileges and permissions above a standard user, and includes the following:

- Superuser accounts with immense privileges, such as administrator (in Windows environments) or root (in Unix/Linux environments)
- Power users with privileges that fall between a superuser and a standard user account (also called a non-privileged, or least-privilege, user account)

JIT PAM sharply limits the duration for which an account possesses elevated privileges and access rights, drastically reducing the window of vulnerability during which a threat actor can exploit account privileges. JIT helps enforce the principle of least privilege to ensure that privileged activities can be performed in alignment with acceptable use policies, while forbidding privileged activities that fall outside of the right context.

When a privilege is requested, it must meet the required contextual parameters before being checked out—the privilege is never owned by the account. This mitigates the risk of misuse when privileges are potentially leveraged outside of a privileged access management deployment. No longer are privileged accounts essentially fully armed and ripe for abuse.

As an example, consider a typical always-on privileged account that may be “privilege active” 168 hours a week. By shifting to a JIT PAM approach, you could reduce that privilege-active state from 168 hours down to just a couple dozen minutes. Multiplying this effect across all your organization’s privileged user accounts will have a truly massive impact on risk reduction.

Adopting just-in-time as part of your privilege management approach means you can implement a true least-privilege model enterprise-wide. And the exposure is not just based on time. Attack vectors that utilize techniques like lateral movement are also mitigated since there is no “always-on” privileged account to leverage across resources.

AUTOMATING JIT PAM

JIT Methods

A JIT approach to administration of privileges requires organizations to establish criteria for just-in-time privileged access and accept that the accounts that fall within this policy are not available outside of potentially break-glass scenarios.

While similar, well-established concepts for JIT exist across other use cases, such as manufacturing, applying the model for a security and operations solution presents some unique technical considerations during an implementation.

The goal of a JIT privileged account is to automatically assign the necessary privileges “on the fly” based on an approved task or mission and subsequently remove them once the task is complete or the window or context for authorized access has expired.

The modeling required to take a standard user account and apply the appropriate privileges can be implemented by using any of the following six JIT Methods:

1. JIT PRIVILEGES
The account has individual privileges, permissions, or entitlements added to perform a mission once all criteria are met, but only for a limited duration. These rights need to be revoked once the mission is complete and should include certification that no other privileges were inappropriately altered.

2. JIT ACCOUNT CREATION & DELETION
The creation and deletion of an appropriate privileged account to meet mission objectives. The account should have traits to link it back to the requesting identity or service performing the operation for logging and forensics.

3. JIT IMPERSONATION
The account is linked to a preexisting administrative account (or accounts) and, when a specific application or task is performed, the function is elevated using those credentials. This is commonly done using automation or scripting with Windows “RunAs” or *nix sudo. Typically, the end user is unaware of the impersonation account for this type of operation, and the process may overlap with always-on privileged account delegation.

4. JIT TOKENIZATION
The application or resource has its privileged token modified before injection into the operating system kernel. This form of least privilege is commonly used on endpoints to elevate the privileges and priority of an application, without elevating privileges for the end user.

5. JIT GROUP MEMBERSHIP
The automatic addition and removal of an account into a privileged administrative group for the duration of the mission. The account should only be added to an elevated group when the appropriate criteria are met. Group membership should be revoked immediately upon completion of the mission.

6. JIT-DISABLED ADMINISTRATION ACCOUNTS
Disabled administrator accounts are present in a system with all the permissions, privileges, and entitlements to perform a function. They are enabled to perform a specific mission and then subsequently disabled again once operational criteria have been satisfied. This concept is no different than having always-on administrative accounts, with the exception that native enablement functionality is leveraged to control JIT access.
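The following Python script is an added illustration, not code from the BeyondTrust guide or its products. It models method 5 (JIT group membership) together with the certification step called for under method 1: a privilege baseline is captured before the grant, the account is added to the group for a bounded window, an expiry sweep removes it, and the post-revocation state is diffed against the baseline so that any change made outside the JIT workflow is surfaced in the audit trail. The directory is an in-memory dict with constructed sample groups, and the names JitGrant, snapshot_privileges, privilege_diff and the other helpers are hypothetical.

```python
"""JIT group membership (method 5) with a post-revocation certification check (method 1).

Added example, not code from the BeyondTrust guide. The directory is an
in-memory dict of group -> set(members) holding constructed sample data so the
script runs offline; all function and class names here are hypothetical.
"""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample directory: group name -> members.
DIRECTORY = {
    "Domain Admins": {"svc-backup"},
    "Server Operators": {"ops-alice"},
    "Domain Users": {"ops-alice", "ops-bob", "svc-backup"},
}


def snapshot_privileges(directory):
    """Deep copy of the privilege-bearing state, recorded before any change."""
    return copy.deepcopy(directory)


def privilege_diff(before, after):
    """{group: (added, removed)} for every group whose membership differs."""
    changes = {}
    for group in sorted(set(before) | set(after)):
        b, a = before.get(group, set()), after.get(group, set())
        if a != b:
            changes[group] = (sorted(a - b), sorted(b - a))
    return changes


@dataclass
class JitGrant:
    """One time-limited membership, linked to requester and ticket for forensics."""
    requester: str
    account: str
    group: str
    ticket: str
    granted_at: datetime
    expires_at: datetime
    baseline: dict = field(repr=False)
    active: bool = True
    audit: list = field(default_factory=list)


def grant_group_membership(directory, requester, account, group, ticket, minutes, now):
    """Add the account to the privileged group for a bounded window."""
    if group not in directory:
        raise KeyError(f"unknown group {group!r}")
    baseline = snapshot_privileges(directory)
    directory[group].add(account)
    grant = JitGrant(requester, account, group, ticket, now,
                     now + timedelta(minutes=minutes), baseline)
    grant.audit.append(f"{now.isoformat()} GRANT {account} -> {group} "
                       f"by={requester} ticket={ticket} ttl={minutes}m")
    return grant


def revoke_group_membership(directory, grant, now, reason="expired"):
    """Remove the membership, then certify that no other privilege changed.

    Returns the unexpected changes; an empty dict means the directory is
    exactly as it was before the grant.
    """
    directory[grant.group].discard(grant.account)
    grant.active = False
    grant.audit.append(f"{now.isoformat()} REVOKE {grant.account} <- {grant.group} reason={reason}")
    unexpected = privilege_diff(grant.baseline, directory)
    if unexpected:
        for group, (added, removed) in unexpected.items():
            grant.audit.append(f"{now.isoformat()} CERTIFY-FAIL {group} added={added} removed={removed}")
    else:
        grant.audit.append(f"{now.isoformat()} CERTIFY-OK state matches pre-grant baseline")
    return unexpected


def sweep_expired(directory, grants, now):
    """Revoke every active grant whose window has closed; returns those revoked."""
    revoked = []
    for g in grants:
        if g.active and now >= g.expires_at:
            revoke_group_membership(directory, g, now)
            revoked.append(g)
    return revoked


def demo():
    """One clean grant lifecycle, then one where an out-of-band change is caught."""
    d = copy.deepcopy(DIRECTORY)
    t0 = datetime(2019, 7, 1, 9, 0, tzinfo=timezone.utc)

    clean = grant_group_membership(d, "ops-bob", "ops-bob", "Domain Admins", "CHG-0001", 30, t0)
    assert not sweep_expired(d, [clean], t0 + timedelta(minutes=10))  # still inside the window
    sweep_expired(d, [clean], t0 + timedelta(minutes=30))             # window closed: revoke
    clean_unexpected = privilege_diff(clean.baseline, d)

    tampered = grant_group_membership(d, "ops-bob", "ops-bob", "Domain Admins", "CHG-0002", 30, t0)
    d["Server Operators"].add("ops-bob")  # constructed change made outside the JIT workflow
    tampered_unexpected = revoke_group_membership(d, tampered, t0 + timedelta(minutes=30))
    return {"clean": clean_unexpected, "tampered": tampered_unexpected,
            "audit": clean.audit + tampered.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Running the script prints the audit trail for both grants: the first ends in CERTIFY-OK, the second in a CERTIFY-FAIL naming the group that was altered while the window was open, which is the signal the guide's certification requirement exists to produce.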

AUTOMATING JIT PAM

JIT Triggers

JIT automation triggers are conditions for an account to be placed in a state for privileged access. For any of these privileged account elevation methods to work according to the principles of just-in-time privileged access management, the following criteria should be considered as triggers. These should also include variables such as time and date for change control windows, as well as suspension or termination criteria if indicators of compromise are detected.

TWO-FACTOR (2FA) OR MULTI-FACTOR AUTHENTICATION (MFA)
A common method for authorizing privileged access to always-on or JIT privileged accounts is 2FA or MFA. While this does not distinguish between the two access techniques, it does provide additional risk mitigation by validating that the identity has proper access to a privileged account. These authentication methods can, however, be used as a JIT trigger for an account using any of the techniques listed above.

WORKFLOW
The concept of workflow approval is commonly associated with call centers, help desks, and other information technology service management (ITSM) solutions. A request is made for access and, using a defined workflow of approvers, access is either granted or denied. Once the workflow satisfies an approval, a JIT account can be enabled. This typically corresponds to the user, asset, application, time/date, and associated ticket in a change control or help desk solution. Privileged session monitoring is typically enabled by PAM solutions in this scenario to verify that all corresponding actions were appropriate.

ENTITLEMENTS
When privileged access management is integrated with identity access management (IAM) solutions, entitlements between solutions can be synchronized for privileged access. To that end, JIT access can be assigned directly via PAM solutions, or alternatively, programmatically through IAM entitlements. While a typical IAM entitlement workflow is a longer process for synchronization and may not be real time, it does provide a vehicle for account certifications based on privileges. This may be void when linking IAM with PAM solutions to control access.

CONTEXT-AWARE
Context-aware access is based on criteria like source IP address, geolocation, group membership, host operating system, applications installed or operating in memory, documented vulnerabilities, etc. Based on any logical combination of these traits, JIT account access can be granted or revoked in order to satisfy business requirements and mitigate risk.
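The following Python script is an added example and not code from the BeyondTrust guide: it evaluates the four trigger families above (IAM entitlement, workflow approval, MFA, and context such as source network, host platform and change-control window) for one access request and returns a grant decision with every failed trigger listed. The AccessRequest and TriggerPolicy types, the evaluate_triggers function, the approved networks and the sample requests are all constructed for illustration; the source-address check fails closed on a malformed address, and the time window is compared in UTC so that requests arriving with a local-time offset are not misjudged.

```python
"""Evaluate JIT triggers for one privileged access request.

Added example, not code from the BeyondTrust guide. Every trigger is checked
and every failure is reported, so the requester and the audit log see the full
reason for a denial rather than only the first check that failed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    identity: str                   # the human or service asking
    account: str                    # the privileged account to be made active
    target_host: str
    source_ip: str
    host_os: str
    requested_at: datetime          # timezone-aware
    mfa_verified: bool
    approval_ticket: Optional[str]  # ITSM / workflow approval, if any
    entitlements: frozenset         # synchronized from IAM


@dataclass(frozen=True)
class TriggerPolicy:
    required_entitlement: str
    allowed_networks: tuple         # CIDR strings
    allowed_os: frozenset
    window_start: time              # change-control window, UTC
    window_end: time
    require_mfa: bool = True
    require_workflow: bool = True


def in_window(t, start, end):
    """True when t lies in [start, end); a window may cross midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)


def evaluate_triggers(req, policy):
    """Return (granted, reasons); reasons is empty on grant, else names every failed trigger."""
    reasons = []
    # Entitlement: the identity must already hold the IAM entitlement for this access.
    if policy.required_entitlement not in req.entitlements:
        reasons.append(f"entitlement {policy.required_entitlement!r} not held")
    # Workflow: an approved ticket must accompany the request.
    if policy.require_workflow and not req.approval_ticket:
        reasons.append("no workflow approval ticket")
    # MFA: the identity was validated with a second factor for this request.
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    # Context: source network; a malformed address fails closed.
    try:
        src = ipaddress.ip_address(req.source_ip)
        if not any(src in ipaddress.ip_network(n) for n in policy.allowed_networks):
            reasons.append(f"source {req.source_ip} outside approved networks")
    except ValueError:
        reasons.append(f"unparseable source address {req.source_ip!r}")
    # Context: requesting host platform.
    if req.host_os not in policy.allowed_os:
        reasons.append(f"host OS {req.host_os!r} not approved")
    # Time and date: inside the change-control window, compared in UTC.
    t = req.requested_at.astimezone(timezone.utc).time()
    if not in_window(t, policy.window_start, policy.window_end):
        reasons.append(f"{t.isoformat(timespec='minutes')}Z outside window "
                       f"{policy.window_start.isoformat(timespec='minutes')}-"
                       f"{policy.window_end.isoformat(timespec='minutes')}Z")
    return (not reasons, reasons)


# Constructed policy for a production database host (192.0.2.0/24 is a documentation range).
DBA_POLICY = TriggerPolicy(
    required_entitlement="prod-dba",
    allowed_networks=("10.20.0.0/16", "192.0.2.0/24"),
    allowed_os=frozenset({"Windows 10", "RHEL 8"}),
    window_start=time(8, 0), window_end=time(18, 0),
)


def sample_requests():
    """Three constructed requests: one to be granted, two to be denied."""
    base = dict(identity="ops-bob", account="dba-admin", target_host="db01",
                host_os="RHEL 8", entitlements=frozenset({"prod-dba"}))
    ok = AccessRequest(source_ip="10.20.5.17", mfa_verified=True, approval_ticket="CHG-0001",
                       requested_at=datetime(2019, 7, 1, 10, 30, tzinfo=timezone.utc), **base)
    bad_ctx = AccessRequest(source_ip="198.51.100.7", mfa_verified=False, approval_ticket="CHG-0002",
                            requested_at=datetime(2019, 7, 1, 10, 30, tzinfo=timezone.utc), **base)
    after_hours = AccessRequest(source_ip="10.20.5.17", mfa_verified=True, approval_ticket=None,
                                requested_at=datetime(2019, 7, 1, 23, 15, tzinfo=timezone.utc), **base)
    return {"ok": ok, "bad_ctx": bad_ctx, "after_hours": after_hours}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        granted, why = evaluate_triggers(req, DBA_POLICY)
        print(name, "GRANT" if granted else "DENY", why)
```

Collecting all failures rather than stopping at the first is a deliberate choice: a requester told only "MFA not verified" would retry with MFA and then be denied again for an unapproved source network, and the audit log would show two partial denials instead of one complete picture.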

AUTOMATING JIT PAM

JIT Policies

The two key questions for teams to consider are “What policies govern a JIT account for proper privileged access?” and “What conditions should be met for its revocation?”

These policies could include:

1. Time and date windows for access and change control
2. Commands or applications that may be an indicator of compromise
3. Detection of access to sensitive information
4. Termination of the primary session
5. Existence of corresponding collateral in a ticketing solution
6. Inappropriate modification of resources, including installing software or modifying files
7. Inappropriate attempts at lateral movement
8. Manipulation, creation, or deletion of user accounts or data sets

While this is by no means an exhaustive list of all policy variables, it can help filter the criteria for a JIT account to be made available or terminated based on corresponding triggers.
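The following Python script is an added example, not code from the BeyondTrust guide or its products. It runs four of the revocation policies listed above (time window, access to sensitive information, attempted lateral movement, and account manipulation) over a constructed session event log for one JIT grant and reports the point at which the grant would be revoked. The one-line key=value event format, the policy functions, the sensitive-path and admin-port lists and the sample log are all constructed for illustration; the grant window mirrors the 30-minute grants used in the other examples on this page.

```python
"""Policy checks over a JIT session's event stream to decide revocation.

Added example, not code from the BeyondTrust guide. The first violation is the
revocation point; later events are still evaluated so the full picture reaches
the audit log and the alerting pipeline.
"""
import re
import shlex
from datetime import datetime, timezone

# Constructed session log for one grant on host db01: ISO-8601 timestamp, then key=value pairs.
SESSION_LOG = """\
2019-07-01T09:02:00Z kind=cmd user=ops-bob host=db01 cmd="systemctl restart mysqld"
2019-07-01T09:06:10Z kind=file user=ops-bob host=db01 path=/etc/shadow
2019-07-01T09:07:30Z kind=net user=ops-bob host=db01 dst=app02 port=22
2019-07-01T09:08:00Z kind=cmd user=ops-bob host=db01 cmd="useradd tmpadmin"
2019-07-01T09:09:45Z kind=cmd user=ops-bob host=db01 cmd="tail -n 50 /var/log/mysqld.log"
2019-07-01T09:41:00Z kind=cmd user=ops-bob host=db01 cmd="mysql -e 'show processlist'"
"""

# Constructed policy data (hypothetical values).
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/var/lib/mysql/")
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
ACCOUNT_CHANGE = re.compile(
    r"\b(useradd|userdel|usermod|net\s+user\b.*/add|New-LocalUser|Remove-LocalUser)\b", re.I)

# The grant being monitored: which account, on which host, for how long.
GRANT = {
    "account": "ops-bob",
    "target_host": "db01",
    "granted_at": datetime(2019, 7, 1, 9, 0, tzinfo=timezone.utc),
    "expires_at": datetime(2019, 7, 1, 9, 30, tzinfo=timezone.utc),
}


def parse_event(line):
    """'<ts> k=v k=v ...' -> dict with a timezone-aware 'ts'; values may be quoted."""
    ts, rest = line.split(" ", 1)
    ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for tok in shlex.split(rest):
        k, _, v = tok.partition("=")
        ev[k] = v
    return ev


def check_window(ev, grant):
    """Policy 1: activity after the grant's window has closed."""
    if ev["ts"] >= grant["expires_at"]:
        return "time_window: activity after grant expiry"
    return None


def check_sensitive(ev, grant):
    """Policy 3: file access under a sensitive path."""
    if ev.get("kind") == "file" and ev.get("path", "").startswith(SENSITIVE_PATHS):
        return f"sensitive_information: {ev['path']}"
    return None


def check_lateral(ev, grant):
    """Policy 7: an admin-protocol connection from the session to a host other than the target."""
    if ev.get("kind") == "net" and ev.get("dst") != grant["target_host"] \
            and int(ev.get("port", 0)) in ADMIN_PORTS:
        return f"lateral_movement: admin protocol to {ev['dst']}:{ev['port']}"
    return None


def check_account_change(ev, grant):
    """Policy 8: commands that create, modify or delete user accounts."""
    if ev.get("kind") == "cmd" and ACCOUNT_CHANGE.search(ev.get("cmd", "")):
        return f"account_manipulation: {ev['cmd']}"
    return None


POLICIES = (check_window, check_sensitive, check_lateral, check_account_change)


def evaluate_session(log_text, grant):
    """Return {'violations': [(ts, detail), ...], 'revoked_at': ts or None}."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("user") != grant["account"]:
            continue  # events from other principals belong to other sessions
        for policy in POLICIES:
            detail = policy(ev, grant)
            if detail:
                violations.append((ev["ts"], detail))
    revoked_at = violations[0][0] if violations else None
    return {"violations": violations, "revoked_at": revoked_at}


if __name__ == "__main__":
    result = evaluate_session(SESSION_LOG, GRANT)
    print("revoke at:", result["revoked_at"])
    for ts, detail in result["violations"]:
        print(ts.isoformat(), detail)
```

Against the constructed log the grant is revoked at 09:06:10Z on the sensitive-file read, and the later lateral-movement, account-creation and post-expiry events are recorded as well, which is what the session-monitoring and alerting elements in the guide's "JIT PAM in Action" flow consume.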

AUTOMATING JIT PAM

JIT PAM in Action

[Diagram] Starting from a state in which privileges are removed, the flow runs Triggers (Workflow, Context-Aware, Entitlements, Multi-Factor Authentication) through Methods (Privileges, Tokenization, Account Creation & Deletion, Group Membership, Impersonation, Disabled Administration Accounts) under Policies (Time & Date, Incidence of Compromise, Access to Sensitive Information, Termination, Ticketing, Install/Modify Software, Lateral Movement, Manipulation/Creation/Deletion of Accounts). Activity that adheres to policy feeds Access Certification, Reporting, Auditing, and Regulatory Compliance; activity that violates policy leads to Privileges Revoked, with Session Monitoring, Keystroke Logging, and Alerting.

BEYONDTRUST & JIT PAM

How BeyondTrust Solutions Enable Just-In-Time Privileged Access Management

The BeyondTrust Privileged Access Management Platform can make the JIT PAM security model a reality for your organization, while also helping you enhance security by enforcing other critical aspects of your IAM/PAM strategy, such as privileged account discovery and management, least privilege, credential management, privilege separation and separation of duties, privilege auditing, and privileged threat analytics.

BeyondTrust supports the just-in-time model by enabling the centralized management of privileged credentials and sessions, privilege elevation/delegation across endpoints (desktops, servers, and more), and remote access (employees, vendors, etc.) with a wide variety of triggers. The BeyondTrust PAM Platform includes multiple, integrated solutions:

Privileged Password & Session Management: Discover, manage, audit, and monitor privileged accounts of all types

Endpoint Privilege Management: Remove excessive end user privileges on Windows, Mac, Unix, Linux and network devices

Secure Remote Access: Secure, manage, and audit vendor and internal remote privileged access, and access and support remote systems

Vulnerability Management: Identify, prioritize, and remediate vulnerabilities and inform privilege decisions with risk insights

Change Auditing: Audit, report, and recover changes across Microsoft Windows platforms

Deployment options: Hybrid, Cloud, On Premise

BeyondTrust Solutions: Features & Capabilities Supporting JIT PAM

Privileged Password & Session Management
Discover, manage, audit, and monitor privileged accounts of all types.

Continuous Automated Account Discovery & Auto Onboarding: Leverage a distributed network discovery engine to scan, identify, and profile all assets. Dynamic categorization allows auto onboarding into Smart Groups for efficient management and JIT access when new accounts are detected.

Secure SSH Key Management: Automatically rotate SSH keys according to a defined schedule and enforce granular access control and workflows. Leverage private keys to securely log users onto Unix/Linux systems through the proxy, with no user exposure to the key, and with full privileged session recording.

Eliminate hard-coded or embedded application credentials through an adaptable API interface that includes an unlimited number of password caches for scalability and redundancy. This allows JIT access to the latest passwords for any application.

Enhanced Privileged Session Management: Live session management enables true dual control, enabling admins to record, lock, and document suspicious behavior—without killing sessions or productivity—based on any JIT activity.

Adaptive Access Control: Evaluate just-in-time context and simplify access requests by considering the day, date, time, and location when a user accesses resources to determine their authorization to access those systems.

Advanced Privileged Threat Analytics: Measure asset characteristics and user behaviors from one day to the next, assessing the scope and speed of any changes to alert you to suspicious deviations.

Endpoint Privilege Management
Enforce least privilege and remove excessive end user privileges on Windows, Mac, Unix, Linux and network devices.

Least Privilege: Elevate privileges to applications for standard users on any operating system through fine-grained, policy-based controls, providing just enough access to complete a task just-in-time.

Deliver trust-based application whitelisting, blacklisting, and greylisting with a flexible policy engine to set broad rules. Choose automatic approval for advanced users – protected by full audit trails – or utilize challenge-response codes for just-in-time application control.

Complete Auditing & Reporting: Provide a single, unimpeachable audit trail of all user activity that speeds forensics and simplifies compliance.

Privileged Threat Analytics: Correlate user behavior against asset vulnerability data and security intelligence from best-of-breed security solutions to provide an overall picture of end-user risk.

Built-in connectors to a host of third-party solutions, including help desk applications, vulnerability management scanners, and SIEM tools, ensure that organizations realize a return on their security investments.

BeyondTrust Solutions: Features & Capabilities Supporting JIT PAM

Secure Remote Access
Secure, manage, and audit vendor and internal remote privileged access, and access to support remote systems.

Remote Vendor & Third-Party Access

Privileged Access Control: Enforce least privilege by giving users the right level of access for any remote session.

Monitor Sessions: Control and monitor sessions using standard protocols for RDP, VNC, HTTP/S, and SSH connections.

Reduce the Attack Surface: Reduce the threat surface by consolidating the tracking, approval, and auditing of privileged accounts just in time, in one place, and by creating a single access pathway.

Integrate with Password Management: Inject credentials directly into servers and systems with just one click, just in time, so users never need to know or see plain text credentials.

Mobile & Web Consoles: Use mobile apps or web-based consoles anytime, anywhere, and just in time to perform remote access tasks.

Audit & Compliance: Create audit trails, session forensics, and other reporting features by capturing detailed session data in real time or post-session review, and provide attestation reports to prove compliance.

Remote Support & Help Desk Personnel

Chat Support: Enable live support from your website with Click-to-Chat with just-in-time escalation to screen sharing and remote control, without ever losing contact with the end user.

Broad Platform Support: Support and provide support from Windows, Mac, Linux, iOS, and Android devices. Also support legacy devices using RDP, Telnet, SSH, and VNC.

Granular Permissions & Roles: Granularly manage teams, users, roles, and session permission settings to enforce a least privilege security posture.

Collaboration: Resolve support incidents faster by defining escalation paths to skilled resources, while improving customer satisfaction by including the appropriate team members, just in time.

Session Recording & Audit Trail: Track team performance, as well as log session activity, to serve as an audit trail for security, compliance, and training.

Support from Chrome, Firefox, IE, & more: Our HTML5 Web Rep Console lets you offer secure remote support just-in-time from any browser – no downloads required – to immediately begin fixing issues.

BEYONDTRUST & JIT PAM

Mapping JIT Methods & Triggers

The following matrix maps JIT PAM Triggers and Methods to each BeyondTrust solution: Privileged Password & Session Management, Endpoint Privilege Management, and Secure Remote Access.

[Matrix] Rows are the Triggers (Entitlements, Workflow, Context Aware, Multi-Factor) and the Methods (Account Creation & Deletion, Group Membership, Privilege, Impersonation, Disabled Administration Accounts, Tokenization); the per-solution check marks are not reproduced in this transcription.

BEYONDTRUST & JIT PAM

Moving Your JIT PAM Implementation Forward to Reduce Cyber Risk

For many organizations, implementing a JIT strategy in synchrony with a just enough access model is the next, most impactful step they can take toward protecting their valuable IT estate.

JIT privilege management should be considered an essential component of a true least-privilege strategy. In lieu of enabling accounts all the time once authenticated, exert further control over when and how they can be used by expanding the security model to deny all privileged activity until the appropriate business criteria are satisfied for their usage. This entails not only restricting account access, but the actual privileges, permissions, and entitlements that an account can use in real time.

By enabling privileged access management just in time using contextual triggers, and ensuring the user behavior of the privileged account is appropriate based on real-time policies, JIT PAM dynamically addresses the substantial, enterprise-wide risks posed by always-on accounts. This represents not just the natural evolution of privileged access management, but a considerable leap forward in IT risk management.

BeyondTrust Privileged Access Management enables organizations to address the challenges and risks of always-on privileged access sprawled across increasingly complex and heterogeneous IT environments, while keeping your end-users productive and secure.

JIT PAM Key Benefits

1. Centralized, automated, contextual, and time-based provisioning/de-provisioning of privileges massively reduces the window of vulnerability during which privileges may potentially be exploited
2. Enforcement of true least-privilege equates to fewer privileged users and privileged sessions, which in addition to improving security, simplifies auditing and compliance initiatives
3. Invisible and frictionless experience for the end user, enabling productivity without disrupting workflows
4. The elimination of always-on privileged accounts and the attack vectors associated with them

GLOSSARY

Related Concepts & Terminology

Break-glass: In the context of computing, break-glass refers to checking out a system account password to bypass normal access controls procedures for a critical emergency, generally when other access methods have failed or are inaccessible. Break-glass provides the user immediate, but typically time-limited, access to an account that they may not normally be authorized to access.

Just-In-Time (JIT) Privileged Access Management: The goal of JIT privilege management is to assign the necessary privileges “on the fly” based on an approved task or mission, and subsequently remove them once the task is complete or once the window or context for authorized access has expired. JIT privilege management enables organizations to secure privileged accounts from continuous, always-on access by enforcing restrictions based on behavioral and contextual parameters.

Least Privilege: Least privilege refers to the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities. A least privilege security model entails enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role. Least privilege also applies to processes, applications, systems, and devices (such as IoT), in that each should have only those permissions required to perform an authorized activity.

Privilege: Privilege provides the authorization to override, or bypass, certain security restraints, and may include permissions to perform such actions as shutting down systems, loading device drivers, configuring networks or systems, provisioning and configuring accounts and cloud instances.

Privileged Access Management (PAM): Alternatively referred to as privileged account management, privileged identity management (PIM) or simply privilege management, PAM refers to solutions and strategies to manage and secure privileged accounts, and control privilege delegation and escalation activities for users, applications, services, processes, tasks, etc. PAM solutions enable organizations to remove admin rights from users (across both servers and desktops), and instead, elevate privileges for authorized applications or tasks as needed.

Privileged Account: A privileged account is considered to be any account that provides access and privileges beyond those of non-privileged accounts (e.g. standard accounts and guest user accounts). A privileged user is any user currently leveraging privileged access, such as through a privileged account. Because of their elevated capabilities and access, privileged users/privileged accounts pose considerably larger risks than non-privileged accounts/non-privileged users.

Privileged Session: A privileged session is a computing session that involves the execution of activities requiring privileges that are typically beyond those of a standard user. A privileged session could be initiated by a user, system, application, or service.

Privileged Session Management (PSM): Privileged session management (PSM) entails the monitoring and management of all sessions for users, systems, applications, and services that involve elevated access and permissions. PSM allows for advanced oversight and control that can be used to better protect the environment against insider threats or potential external attacks, while also maintaining critical forensic information that is increasingly required for regulatory and compliance mandates.

Standard User Accounts: Standard user accounts, sometimes called least-privileged user accounts (LUA) or non-privileged accounts, have a limited set of privileges. In a least-privilege environment, these are the type of accounts that most users should be operating in 90 – 100% of the time. A standard user is a non-privileged user in computing environments (Windows, Mac, Linux, Unix, etc.) with basic access rights. This type of account/user has limited ability to access resources and settings, as opposed to a privileged or superuser account (such as root or admin), which may have vast administrative rights and privileged access.

Superuser Accounts: Superuser accounts are highly privileged accounts primarily used for administration by specialized IT employees and provide virtually unrestrained power to execute commands and make system changes. Superuser accounts are typically known as “Root” in Unix/Linux and “Administrator” in Windows systems. Superuser account privileges can provide unrestricted access to files, directories, and resources with full read / write / execute privileges. Superuser accounts can also render systemic changes across a network, such as creating or installing files or software, modifying files and settings, and deleting users and data. Superusers may also provision and de-provision access and permissions for other users.

About BeyondTrust

BeyondTrust is the worldwide leader in Privileged Access Management, offering the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access. Our extensible platform empowers organizations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, and network device environments. BeyondTrust gives organizations the visibility and control they need to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 100, and a global partner network.

beyondtrust.com
V2019 07 ENG
