User Access Management

Do we need Just-In-Time (JIT) Access Control for Cloud?

Nishant Thorat
February 10, 2024
5 min read

he concept of computer Identity can be likened to an onion, ubiquitous and layered. If not handled properly, it can bring tears to the eyes. The outer layer - authentication is one of the most sought-after problems the software industry has long tried to solve. Initially, password-based authentication was used, but it was discovered that it was quite easy to guess someone's password and gain unauthorized access. We did not stop there, we studied usage patterns and started using them to reinforce the authentication systems. When enterprise users complained of keeping too many passwords for too many applications the Single-Sign-On (SSO) emerged.

The inner layer of computer Identity is authorization, which has also evolved over time. Initially, a simple access control list (ACL) was used, but with the advent of new complex systems, roles were introduced to dictate what any user can do. It was easy when started, with fewer users and fewer systems to manage roles. Even though the number of users increased in the pre-cloud era, it was still manageable because the number of systems was pretty under control.

Convenience and Security

Many people believe that convenience and security are inversely proportional. For instance, passwords and multi-factor authentication systems are effective methods of security. However, to optimize their effectiveness, passwords must be complex, rotated frequently, and multi-factor authentication must be properly configured. This is where convenience comes into play. Creating complex passwords and rotating them frequently can be tedious and frustrating, and many individuals avoid doing so because of the inconvenience. Instead, it's more convenient to use the same password for multiple logins and change it only once or twice a year. But this comes with a cost - security. Reusing the same password across multiple logins drastically reduces security, and if the password is compromised, then all the accounts it's associated with can be easily accessed.

Similarly, authorization presents its own challenges. People prefer 'Always On' access, and traditional access control systems have been static - once permission is granted, it remains in place indefinitely. Although this is convenient, it's not secure. In modern systems, there are hundreds of apps that work together seamlessly, and the network perimeter that was once well-defined has disappeared with the rise of Cloud and SaaS. With interconnected systems, lateral movements become easy for unwanted guests who manage to get in. This is not limited to only outsider attacks - insiders can also take advantage of the situation.

Authorization Pains

It has been observed that access to critical systems is required for only about 2% of the working time. However, in many cases, long-term access is granted for convenience. The process of manual access request, approval, and provision is quite a hassle. It is tedious to ask for access and wait for it to be granted and made available. It is even more difficult to manually review each access request and provide the users with the required access. As a result, oversized permissions, which are mostly one-size-fits-all, stay in place indefinitely. This would be a security issue even in pre-cloud times, but in today's era, the security issues that arise from it are amplified. Public cloud and SaaS apps are increasingly being used, and often these apps are interconnected. Allowing the wrong person to have the wrong access permission for an extended period of time is an invitation to a security disaster.

Security can be convenient

Remembering passwords can be difficult and inconvenient, but that is quickly becoming a thing of the past. New authentication schemes, such as magic links, behavior-based authentication systems, and biometric systems, are making authentication both enjoyable and convenient. And authorization can also be made convenient through an automated access or permission control process. It is possible to create systems that are both secure and user-friendly.

Access or Permissions Control

Controlling the digital perimeter through identity has become essential in today's world. As more cloud or SaaS applications are introduced, the perimeter expands, making "identity is the new perimeter" a cliché with some truth to it. However, the authorization process needs an overhaul in two aspects. The first is obvious. No one should ever have permissions more than required for the job at hand. This is the principle of least privileges. Given that the major cloud providers alone offer more than 40,000 permissions, it's a colossal task. Although roles can be configured to have the least privileges, there's always room for error. Building least privileges permissions and keeping them such require continuous efforts, and thus require automation to adjust the permissions as per changing needs.

In such cases, the Zero Trust principle is incredibly useful in reducing the attack surface. The "trust no one, verify always" mantra should be adopted. Critical system access should only be available for the required duration. This model follows the Just-In-Time (JIT) access approach, which allows access to be requested, granted, provisioned, used, and de-provisioned as needed.

Just-In-Time (JIT) Access management workflow
Just-In-Time Access Management Workflow

The old manual process makes it impossible to keep up with this approach, but an automated access management process with context information can help achieve Zero Trust systems. The JIT access limits the window of opportunity for any malicious actor. Furthermore, the automated process keeps an audit of all accesses to critical systems in one place, reducing manual efforts required for user access reviews. The burden on cloud or IT teams to process manual requests is also eliminated.

This automated system is convenient for requesting and granting access while still keeping the system secure. So, it's possible to make authorization both convenient and secure at the same time.

Nishant Thorat

Stay Informed

Get the latest updates, news, and exclusive offers delivered to your inbox.

By clicking Sign Up, you agree to our Terms and Conditions.
Thank you! Your submission has been received!
Oops! Something went wrong. Please try again.

Discover Our Featured Blogs

Stay up to date with our informative blog posts.


[Part 1] The Least Privilege Principle and IAM in AWS

The principle of least privilege (PoLP) is easier to understand until you put it into practice. In this series, we will discuss PoLP, how to set up accounts and guardrails, what tools to use, what process to follow, what technical and managerial challenges you may encounter, how to tackle them, and so on.
Nishant Thorat
April 16, 2024
5 min read
User Access Management

Streamlining AWS Access for Growing Startups

As your startup scales on AWS, managing access control becomes crucial. This blog post provides a roadmap for securing your cloud environment. You'll learn about the limitations of basic IAM users, the benefits of centralized identity management, and the capabilities of AWS IAM Identity Center with Just-In-Time access. By the end, you'll have a clear strategy to secure your AWS environment while maintaining agility.
Nishant Thorat
April 15, 2024
5 min read
AWS Cloud

Understanding Instance MetaData Service (IMDS)

Instance metadata service (IMDS) provides sensitive information. Understand IMDSv1 weakness and how IMDSv2 improves security. Identify IMDSv1 enabled instances across your cloud.
Nishant Thorat
February 11, 2024
5 min read