
Removing Admin Rights, Reduce Risk with Just-in-Time (JIT) Privileged Access

AJAY KUMAR
Director, Solutions Engineering – APJ
BeyondTrust

© BeyondTrust 2019
Agenda
• Today’s Threat Landscape
• The Problem
• Just-In-Time Privileged Access Management (JIT PAM)
• Why every business needs JIT PAM
• Technology Demonstration

TODAY’S THREAT LANDSCAPE

The Attack Surface Continues to Expand

20 YEARS AGO: On-Premise
10 YEARS AGO: Cloud & Hybrid
TODAY: IoT & DevOps
NEAR FUTURE: Even More Priv. Accts

• SaaS Admins
• Cloud Admins
• Roaming workstations
• Application Admins
• BYOD
• Cloud Mgmt. Platforms (AWS, Azure)
• Privileged End Users
• Cameras, Sensors, Printers
• Virtualized Environments (VMWare, MSFT)
• Developers
• Shared Admin Accounts
• DevOps & SecDevOps Tools
• Machine Password & Keys
• Desktops (Windows, Mac)
• Dynamic Virtual Environment
• Virtualized Machines (Unix, Linux, Windows)
• Servers (Unix, Linux, Windows)
• Containers
• Industrial Control Systems
• Microservices
• SaaS Apps (Facebook, LinkedIn, Custom)
• Security Infrastructure
• Network Infrastructure
• Applications & Application Servers
• Databases & Database Servers
• Machine Credentials (AtoA)
• Hypervisors & Virtual Machine

[Diagram of attack vectors: Workstations; Infrastructure & Applications; Cloud Management & Operations; DevOps & Automation; Mobile Devices & Next Gen Tech]

Traditional Password Management encompasses two attack vectors.

But today’s attack vectors are very different from the past.

*Session Monitoring


The Current Weakest Links
• Ransomware
• Memory Scraping
• Flat Files
• Phishing attacks
• Credential stuffing
• Misconfigurations

The Impact
Unmanaged privileges and accounts leave the door open for hackers.

• … vulnerabilities are associated with excess admin rights [1]
• … of breaches start with stolen and/or weak passwords [2]
• … of breaches are the result of privilege account abuse or misuse [3]
• … of companies aren’t adequately tracking privileged access [4]

Source: 1. 2020 Microsoft Vulnerabilities Report, BeyondTrust | 2. 2018 Privileged Access Threat Report, BeyondTrust | 3. “The Forrester Wave™: Privileged Identity Management, Q3 2016” | 4. Forrester. “2019 Data Breach Investigations Report” Verizon

THE PROBLEM

Always-On Accounts -and- Persistent Privileged Access

Admin or Root Accounts
• always enabled
• always have the entitlements & privileges
• can always perform privileged tasks on an asset

Always-on (24x7) =
• always “fully-loaded”
• always ripe for abuse

The Attack Vector
• Compromise an Always-On Account (Identity)
• Gain Administrative or Root Privilege Access

Threat Actor Goal
• Exploit an Asset Based on a Compromised Account & Privileges

Possible Solution?

TODAY: Least Privilege (as commonly practiced)
Users, processes, applications, and systems have “just enough” rights and access to perform appropriate actions.

NEAR FUTURE: “True” Least Privilege
Users, processes, applications, and systems have “just enough” rights and access - and for no longer than necessary - to perform appropriate actions.

JUST IN TIME PRIVILEGED ACCESS MANAGEMENT
Never Always On, Always Just In Time

By 2024, 50% of organizations will have
implemented a just in time (JIT) privileged access
model, which eliminates standing privileges,
experiencing 80% fewer privileged breaches than
those that don’t.

- Gartner, Magic Quadrant for Privileged Access Management, August 2020

“Just-In-Time” (JIT) Concept
• Just-In-Time manufacturing strategy – designed to minimize costs by reducing the in-process inventory level.
• Just-In-Time (JIT) Privileged Access Management (PAM) - aligns real-time requests for usage of privileged accounts directly with entitlements, workflow, and appropriate access policies.
• JIT PAM - secures privileged accounts from continuous, always-on access by enforcing restrictions based on behavioral and contextual parameters.

JIT PAM in Action

TRIGGERS
• Workflow
• Context-Aware
• Entitlements
• Multi-Factor Authentication

METHODS
• Privileges
• Tokenization
• Account Creation & Deletion
• Group Membership
• Impersonation
• Disabled Administration Accounts

POLICIES
• Time & Date
• Incidence of Compromise
• Access Sensitive Information
• Termination
• Ticketing
• Install/Modify Software
• Lateral Movement
• Manipulation, Creation, Deletion of Accounts

PRIVILEGES REVOKED
• Session Monitoring
• Keystroke Logging
• Alerting

PRIVILEGES REMOVED
• Access Certification
• Reporting
• Auditing
• Regulatory Compliance

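
The JIT PAM flow on this slide, as an added example (not BeyondTrust code and not part of the original deck): an in-memory broker checks the four triggers, applies the group-membership method with an expiry, and revokes on timeout or compromise. The users, groups, ticket id, allowed hours and one-hour cap are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample policy; every name here is hypothetical.
ENTITLEMENTS = {"alice": {"db-admins"}, "bob": {"linux-sudo"}}
ALLOWED_HOURS = range(8, 18)     # context-aware trigger: time & date
MAX_TTL = timedelta(hours=1)     # a grant never outlives this

@dataclass
class Request:
    user: str
    group: str
    ticket: str                  # workflow trigger: approved ticket id, "" if none
    mfa_ok: bool                 # multi-factor trigger
    at: datetime
    ttl: timedelta

@dataclass
class Broker:
    grants: dict = field(default_factory=dict)   # (user, group) -> expiry
    audit: list = field(default_factory=list)    # (time, event, user, group)

    def request(self, r: Request) -> list:
        """Return [] and grant membership if every trigger passes, else the denial reasons."""
        reasons = []
        if r.group not in ENTITLEMENTS.get(r.user, set()):
            reasons.append("no entitlement")
        if not r.ticket:
            reasons.append("no approved ticket")
        if not r.mfa_ok:
            reasons.append("mfa missing")
        if r.at.hour not in ALLOWED_HOURS:
            reasons.append("outside allowed hours")
        if not reasons:
            self.grants[(r.user, r.group)] = r.at + min(r.ttl, MAX_TTL)
        self.audit.append((r.at, "grant" if not reasons else "deny", r.user, r.group))
        return reasons

    def is_member(self, user, group, now) -> bool:
        """Membership is checked against the expiry, so a missed sweep cannot extend access."""
        return now < self.grants.get((user, group), datetime.min)

    def revoke(self, now, compromised=frozenset()) -> list:
        """Remove expired grants, plus all grants of users flagged as compromised."""
        gone = [k for k, exp in self.grants.items() if exp <= now or k[0] in compromised]
        for k in gone:
            del self.grants[k]
            self.audit.append((now, "revoke", *k))
        return gone
```

Because `is_member` compares against the stored expiry, the account holds no standing privilege even if `revoke` is never scheduled; the sweep only keeps the grant table and audit trail tidy.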
Why every business needs JIT PAM

USE CASE #1: Controlling Privileged Remote Access
USE CASE #2: Implementing DevOps
USE CASE #3: End User Privileged Tasks

BeyondTrust JIT PAM: Solution Mapping

Columns: PRIVILEGE PASSWORD & SESSION MANAGEMENT | ENDPOINT PRIVILEGED MANAGEMENT | SECURE REMOTE ACCESS

TRIGGERS
• Entitlements
• Workflow
• Context Aware
• Multi-Factor

METHODS
• Account Creation & Deletion
• Group Membership
• Privilege
• Impersonation
• Disabled Administration Accounts
• Tokenization

https://bit.ly/32lToSW
THANK YOU

CONTACT US FOR FREE DEMO:


https://www.beyondtrust.com/privilege-management
