Just-in-Time Access and Conditional Access Policies
Implement just-in-time privilege elevation and conditional access policies that grant access only when context (device, location, risk score) warrants it.
Standing Privilege: The Problem
Standing privilege means a user holds always-on elevated access, 24/7, whether or not they need it. This is the traditional model for administrator accounts: the admin can reach production systems at any moment, including 3 AM on a Sunday when no legitimate work is happening. Standing privilege widens the attack surface considerably: compromised admin credentials (or a stolen session token) immediately give an attacker elevated access, with no approval step, time limit, or access request to trip an alert.
Just-in-Time Access Explained
Just-in-Time (JIT) access replaces standing privilege with temporary, on-demand elevation. When an administrator needs privileged access, they request it with a business justification and a scope (which role, on which resource). The request is approved, automatically by policy for low-risk roles or by a manager for sensitive ones, and the privilege is granted for a defined time window (e.g., 1 hour) that should be no longer than the task needs; it then expires automatically. During the window, all session activity is logged and monitored. After expiry, the administrator has no privileged access until they make a new request, so stolen credentials are only useful while a grant is active, and every use leaves an approval record and an audit trail.
# JIT access workflow summary
# 1. Admin: 'I need to patch prod-db-01 for CVE-2024-XXXX'
# Request: Role=DB-Admin, Duration=2h, Resource=prod-db-01
# 2. Manager approves (or auto-approved by policy)
# 3. PAM: grants DB-Admin role to admin's account for 2h
# 4. All session commands logged to SIEM
# 5. Timer expires: DB-Admin role auto-removed
# 6. Access attempt after expiry: DENIED
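The workflow above, as an added example (this is not code from the course or from any PAM product): a small Python broker that ties each JIT grant to one role on one resource with a hard expiry, refuses self-approval, auto-approves only low-risk roles, and gates every request on the conditional-access signals named in the lesson description (device compliance, location, risk score). Every decision and command is appended to an audit list standing in for the SIEM feed. The policy values, the role names, the timestamps, and the `JitBroker`, `Context`, `Grant` and `demo` names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy constants assumed for this example (not from the lesson).
AUTO_APPROVE_ROLES = {"Log-Reader"}          # low-risk roles approved by policy
MAX_DURATION = {"DB-Admin": timedelta(hours=4), "Log-Reader": timedelta(hours=8)}
ALLOWED_COUNTRIES = {"US", "DE"}             # geo allow-list for the source IP
MAX_RISK_SCORE = 40                          # IdP sign-in risk, 0 (clean) .. 100


@dataclass
class Context:
    """Signals the conditional-access policy evaluates at request time."""
    device_compliant: bool   # managed device passed its posture check
    country: str             # geolocation of the requesting IP
    risk_score: int          # identity provider's sign-in risk score


@dataclass
class Grant:
    user: str
    role: str
    resource: str            # elevation is scoped to one resource, not global
    justification: str
    expires_at: datetime
    approved_by: str


@dataclass
class JitBroker:
    """Hypothetical PAM broker: time-boxed, scoped, audited elevation."""
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, event, **fields):
        # Every decision and command lands here; production ships this to the SIEM.
        self.audit_log.append({"event": event, **fields})

    def conditional_access_ok(self, ctx: Context) -> bool:
        return (ctx.device_compliant and ctx.country in ALLOWED_COUNTRIES
                and ctx.risk_score <= MAX_RISK_SCORE)

    def request(self, user, role, resource, duration, justification, ctx,
                approver=None, now=None) -> Optional[Grant]:
        now = now or datetime.now(timezone.utc)
        if not justification.strip():
            self._log("denied", user=user, reason="missing justification")
            return None
        if not self.conditional_access_ok(ctx):
            self._log("denied", user=user, reason="conditional access policy")
            return None
        if role not in MAX_DURATION or duration > MAX_DURATION[role]:
            self._log("denied", user=user, reason="duration exceeds policy")
            return None
        if role in AUTO_APPROVE_ROLES:
            approved_by = "policy"
        elif approver and approver != user:      # a requester cannot approve themselves
            approved_by = approver
        else:
            self._log("pending", user=user, role=role, resource=resource)
            return None
        grant = Grant(user, role, resource, justification, now + duration, approved_by)
        self.grants.append(grant)
        self._log("granted", user=user, role=role, resource=resource,
                  approved_by=approved_by, expires_at=grant.expires_at.isoformat())
        return grant

    def has_access(self, user, role, resource, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        # Expired grants are purged on every check, so elevation lapses on its own.
        for g in [g for g in self.grants if g.expires_at <= now]:
            self._log("expired", user=g.user, role=g.role, resource=g.resource)
            self.grants.remove(g)
        return any(g.user == user and g.role == role and g.resource == resource
                   for g in self.grants)

    def run(self, user, role, resource, command, now=None) -> bool:
        allowed = self.has_access(user, role, resource, now)
        self._log("command", user=user, resource=resource, command=command, allowed=allowed)
        return allowed


def demo() -> dict:
    """Walk the lesson's workflow with constructed inputs; returns each outcome."""
    t0 = datetime(2024, 6, 2, 3, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = JitBroker()
    clean = Context(device_compliant=True, country="US", risk_score=10)
    grant = broker.request("alice", "DB-Admin", "prod-db-01", timedelta(hours=2),
                           "patch prod-db-01", clean, approver="bob", now=t0)
    return {
        "granted": grant is not None,
        "during_window": broker.run("alice", "DB-Admin", "prod-db-01", "apt-get upgrade",
                                    now=t0 + timedelta(minutes=30)),
        "other_resource": broker.run("alice", "DB-Admin", "prod-db-02", "psql",
                                     now=t0 + timedelta(minutes=31)),
        "after_expiry": broker.run("alice", "DB-Admin", "prod-db-01", "psql",
                                   now=t0 + timedelta(hours=2, minutes=1)),
        "self_approval": broker.request("alice", "DB-Admin", "prod-db-01", timedelta(hours=1),
                                        "again", clean, approver="alice", now=t0) is None,
        "unmanaged_device": broker.request("alice", "DB-Admin", "prod-db-01", timedelta(hours=1),
                                           "again", Context(False, "US", 10),
                                           approver="bob", now=t0) is None,
        "auto_approved": broker.request("carol", "Log-Reader", "prod-db-01", timedelta(hours=1),
                                        "triage", clean, now=t0).approved_by == "policy",
        "events": [e["event"] for e in broker.audit_log],
    }
```

Two design points worth noting. Expiry is enforced at every access check rather than by a background timer, so a grant can never outlive its window even if a scheduler stalls; in a real PAM deployment you would do both, revoking eagerly and re-checking on use. The `other_resource` case shows why the grant carries a resource: a DB-Admin window on prod-db-01 says nothing about prod-db-02, which keeps a single approval from turning into blanket admin rights.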