Reduce Risk Through a Just-in-Time Approach with Bravura Privilege

John White

October 13, 2022

Credentials are the keys you use to access everything from your email account to your organization’s most sensitive data. These keys are not all created equal. Sure, you always need to have access to your email. Does the same hold true for administrative control within your organization? 

Probably not.

Employing a just-in-time (JIT) approach makes privileges available only when they’re needed. By reducing standing privileges, you can lower your risk when it comes to your most sensitive access points. According to Verizon’s 2022 Data Breach Investigations Report, half of breaches stem from credential abuse.

New attacks that target user credentials come to light routinely, allowing hackers to gain access to resources and leak them or hold them for ransom. Microsoft, for instance, recently called out a Russian spy group that abuses OneDrive with phishing attacks. Microsoft isn’t alone. Phishing attempts on legitimate software-as-a-service (SaaS) platforms exploded from June 2021 to June 2022, increasing more than 1,100%, according to Palo Alto Networks.

Bravura Privilege is an award-winning privileged access management (PAM) solution that enables multiple types of just-in-time approaches, empowering you to reduce standing privileges and limit access to a finite period of time. This principle of least privilege is one of the core tenets of zero trust security, which is a priority for an astounding 97% of organizations.

Static, shared passwords are a threat to privileged accounts. Bravura Privilege regularly and frequently changes passwords to new, random values and stores those passwords in an encrypted, replicated vault. Users sign into Bravura Privilege when they need to log onto systems, which allows you to enforce strong authentication, robust authorization policies, and an audit trail. Passwords are never directly disclosed to the user and never embedded as plain text in scripts or applications. 

Bravura Privilege eliminates the need for managing privileged account passwords by automating the password change, storage, and disclosure processes. It leverages JIT approaches that can be applied to various use cases. 

Here are six ways JIT can be put to use to help reduce your organizational risk:

1. Personal privileged accounts

Bravura Privilege controls access and manages the password refresh process for personal administrative credentials. Accounts can be checked out as needed, and passwords are randomized regularly as well as at the point in time when access is granted to the account. Account owners may only request their own administrative accounts and, since the passwords are randomized, they must exclusively use Bravura Privilege to gain access to their accounts.

2. Shared accounts

Much like personal accounts, Bravura Privilege controls access and manages password refresh processes for accounts with more than one owner. The accounts are made available by request and access is granted based on a robust authorization model and concurrent access control policy. Bravura Privilege strongly authenticates access to the accounts and audits their usage and privileges, including session recording. 

3. Built-in, high-level administration accounts

Every organization has a handful of administrative accounts that can’t be deleted or disabled, but are granted excessive privileges (like SQL administrators, root accounts, domain admins, etc.). These accounts should be managed by Bravura Privilege with defined processes for use and monitored by a security information and event management (SIEM) tool, just like shared accounts.

4. Privilege elevation

Temporary group membership in Bravura Privilege grants privileged access for a controlled duration with automatic removal. Users can join a group rather than requesting a shared or personal privileged account. A user seeking temporary privilege elevation might be using an Active Directory account or a local login account on the managed system in question. Bravura Privilege automatically removes the group membership from the user’s account after the check-out period has expired.

5. Enabled/disabled administrative accounts

Bravura Privilege can enable and disable administrative privileges on shared accounts and provide JIT access. Dedicated accounts with privileged access should be eliminated when possible, in favor of non-privileged accounts with privilege elevation, JIT access, or shared accounts. For the privileged accounts that can’t be eliminated, enabling and disabling the account is a best practice.

6. Ephemeral privileged account provisioning 

Automatic creation and deletion of privileged accounts, for a specific task completed over a determined period of time, can be accomplished when Bravura Privilege is used in conjunction with Bravura Identity. When used together, the Bravura Security Fabric can implement converged solutions that transcend the traditional limitations of disparate identity access management (IAM) and PAM products to eliminate standing privilege.
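For the privilege elevation case in item 4, where group membership is removed automatically once the check-out period expires, a defender can verify the removal independently by reconciling actual group membership against the check-out ledger. The following is an added example, not Bravura Privilege code or its API; the record layout, group snapshot and account names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. The record layout and names are hypothetical,
# not Bravura Privilege's data model or API.
NOW = datetime(2022, 10, 13, 12, 0, tzinfo=timezone.utc)
CHECKOUTS = [
    {"user": "alice", "group": "Domain Admins",
     "granted": NOW - timedelta(minutes=30), "minutes": 60},
    {"user": "bob", "group": "Domain Admins",
     "granted": NOW - timedelta(hours=3), "minutes": 60},
    {"user": "bob", "group": "SQL Admins",
     "granted": NOW - timedelta(minutes=5), "minutes": 30},
]
# Snapshot of who is in each privileged group right now (constructed).
MEMBERS = {
    "Domain Admins": {"alice", "bob", "svc-backup"},
    "SQL Admins": {"bob"},
}

def reconcile(members, checkouts, now):
    """Flag privileged group memberships not backed by an active check-out."""
    latest_expiry = {}  # (user, group) -> latest expiry across all check-outs
    for c in checkouts:
        key = (c["user"], c["group"])
        expiry = c["granted"] + timedelta(minutes=c["minutes"])
        if key not in latest_expiry or expiry > latest_expiry[key]:
            latest_expiry[key] = expiry

    findings = []
    for group, users in sorted(members.items()):
        for user in sorted(users):
            expiry = latest_expiry.get((user, group))
            if expiry is None:
                # Never checked out: standing privilege.
                findings.append((group, user, "standing"))
            elif expiry <= now:
                # Check-out window closed but membership is still present.
                findings.append((group, user, "expired-not-removed"))
            # Otherwise the membership is covered by an active check-out.
    return findings

if __name__ == "__main__":
    for group, user, status in reconcile(MEMBERS, CHECKOUTS, NOW):
        print(f"{group}: {user} -> {status}")
```

Findings of either kind are candidates for a SIEM alert, since both represent privilege that exists outside an approved check-out window.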

According to EMA, 80% of organizations discovered a privileged access policy violation within the last year and more than half (54%) have granted privileged access to users who are not direct employees of the company. JIT access reduces the business risk of that standing privilege and can harden the security posture of your most-used assets: credentials.

To learn more about how Bravura Privilege leverages JIT access, book a meeting with us.