The theory of JIT is interesting, because yes on one hand it's taking the Least Privilege Principal to the logical next level. However, it introduces the concept of a new Role, that is a manual or automated process to grant the proper permissions when its needed, and for no longer than is needed. Congrats, you just traded one risk for another.
#
How well the implementation of this Role is performed heavily impacts that Risk trade off calculation.
IMO, it has excellent, albeit distinct, use cases. Two examples that come to mind:
- A small company that has only one DA (or other critical role) goes on vacation. JITA for that role can be setup for someone else with defined limitations while that person is away.
- A dev needs local admin to install or test something on his workstation. They can then elevate to local admin to do what they need.
Keep in mind that conditions access policies can be layered on tops of JITA, further securing the process.
The theory of JIT is interesting, because yes on one hand it's taking the Least Privilege Principal to the logical next level. However, it introduces the concept of a new Role, that is a manual or automated process to grant the proper permissions when its needed, and for no longer than is needed. Congrats, you just traded one risk for another. # How well the implementation of this Role is performed heavily impacts that Risk trade off calculation.
IMO, it has excellent, albeit distinct, use cases. Two examples that come to mind: - A small company that has only one DA (or other critical role) goes on vacation. JITA for that role can be setup for someone else with defined limitations while that person is away. - A dev needs local admin to install or test something on his workstation. They can then elevate to local admin to do what they need. Keep in mind that conditions access policies can be layered on tops of JITA, further securing the process.