Enforcing the Principle of Least Privilege (Part 2): Balancing Security and Productivity using Just-in-Time

In the previous (first) part of this blog series, we discussed the risks associated with standing (permanent) admin rights and the productivity problem that arises when admin rights are removed. In this article, we explore how to solve the admin rights vs. productivity problem using the principle of least privilege and just-in-time admin rights.

Moving Beyond Standing Admin Rights

Standing admin rights, while convenient, are extremely risky because the permissions can be leveraged by internal and external threats to cause data theft, financial loss, and network-wide service outages.

Just-in-Time admin rights help organizations eliminate the risk of standing admin rights by enforcing the principle of least privilege. With the principle of least privilege and just-in-time admin rights, organizations can grant the right level of access at the right time.

Employees/users can continue their work seamlessly without having unnecessary privileges and permissions on their machines.

What are Just-in-Time Admin Rights?

Just-in-Time admin access is a core component of least privilege, where:

  • Users operate as standard users by default
  • Admin privileges are granted only when required
  • Access is automatically revoked after use

Temporarily granting privileges significantly reduces the risk of exposure while maintaining usability.

How Do Just-in-Time Admin Rights Work?

JIT admin rights replace static privileges with:

  • Policy-based privilege elevation for routine work
  • Approval workflow-based access for handling exceptions
  • Code-based privilege elevation for remote users

This ensures seamless user experience without persistent risk.
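
The flow described above, as an added example that is not from the original post or from any product: an in-memory model in which a policy match elevates immediately, anything else waits for an approver, and every grant is revoked once its time window ends. The `JitBroker` class, the application names, the time windows and the no-self-approval rule are assumptions for illustration; code-based elevation for remote users is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy (assumed names and windows): apps elevated without approval.
POLICY = {"vpn-client.exe": timedelta(minutes=15)}
APPROVED_WINDOW = timedelta(minutes=30)  # assumed lifetime of approver-granted access

@dataclass
class Grant:
    user: str
    app: str
    expires: datetime

@dataclass
class JitBroker:
    grants: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # request id -> (user, app)
    audit: list = field(default_factory=list)    # (time, event, user, app)
    next_id: int = 1

    def _grant(self, user, app, window, event, now):
        self.grants.append(Grant(user, app, now + window))
        self.audit.append((now, event, user, app))

    def request(self, user, app, now):
        """Policy match elevates at once; anything else waits for an approver."""
        if app in POLICY:
            self._grant(user, app, POLICY[app], "elevated-by-policy", now)
            return "elevated"
        req_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[req_id] = (user, app)
        self.audit.append((now, "approval-requested", user, app))
        return req_id

    def decide(self, req_id, approver, approve, now):
        user, app = self.pending[req_id]
        if approver == user:  # assumed rule: requesters cannot self-approve
            raise PermissionError("self-approval is not allowed")
        del self.pending[req_id]
        if approve:
            return self._grant(user, app, APPROVED_WINDOW, "approved", now)
        self.audit.append((now, "rejected", user, app))

    def is_elevated(self, user, app, now):
        """Revoke expired grants on every check so no access stands."""
        for g in [g for g in self.grants if g.expires <= now]:
            self.grants.remove(g)
            self.audit.append((now, "revoked-expired", g.user, g.app))
        return any(g.user == user and g.app == app for g in self.grants)
```

The `audit` list is what a tracking step would review: every elevation, approval, rejection and expiry lands there with its timestamp.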

Framework for Implementing Just-in-Time Admin Rights

1. Admin Account Discovery

You cannot implement security measures without visibility. The first step in implementing just-in-time admin rights is to identify user accounts with standing admin rights across endpoints.

Then, you must identify the applications that require elevated access or are frequently run with admin rights.

This helps define where JIT admin rights and privilege elevation are needed.

2. Risk vs Productivity Mapping

Blindly demoting all admin accounts to standard user accounts can have catastrophic consequences. You must identify unnecessary and minimally used administrator accounts that have no bearing on the organization’s critical functions. You can remove admin rights from these accounts without causing productivity setbacks.

When removing administrator rights from accounts, follow the rule of thumb below.

  • Secure high-risk accounts first
  • Preserve productivity for critical workflows and address them later

3. Automate Privilege Elevation

Use endpoint privilege management tools like Securden Endpoint Privilege Manager to automatically elevate approved applications for users based on policies and rules.

A solid Endpoint Privilege Manager will help you:

  • Automatically grant admin rights for approved applications
  • Track activities to provide insights that improve privilege elevation policies

This helps eliminate manual approvals for routine actions and makes them faster.

4. Enable Self-Service with Approval Workflows

Even with the most complete policy engine, no one can guarantee complete coverage of privilege elevation requirements. Exceptions are bound to occur. How well you are prepared to handle these exceptions is an important factor.

An Endpoint Privilege Manager will have a request-release workflow for handling needs that are not covered under a policy. This often works out of the box. However, you can tweak the configurations to improve the experience for yourself and the users:

  • Assign designated approvers for users and user groups.
  • Integrate your ITSM solution with the EPM and handle requests from your ticketing system.
  • For repeat requests, create a policy from the request approval page.

In Securden EPM:

You can use the member-manager hierarchy in your AD and Entra ID domain for auto-assigning approvers. You also have the option of doing this manually.

Securden integrates with ITSM solutions like Jira, GLPI, ManageEngine SDP, Zendesk, ServiceNow, Freshdesk, Freshservice, and Solarwinds. Leverage the integrations for managing the IT helpdesk from a single dashboard.

You have a one-click policy creation button in the request approval interface to automatically create a policy for repeat requests.

Summary of steps for handling exceptions:

  • Users request temporary privilege elevation for specific applications.
  • EPM administrators or designated approvers will receive the request
  • Approve/reject request and grant access just-in-time
  • Track privilege elevation activities

5. Pilot and Optimize

Replacing standing admin rights with just-in-time access is a major step towards a more secure work environment. To ensure adoption among users, start small and then scale up towards organization-wide enforcement.

Large enterprises using Securden have used this method successfully to enforce least privilege across multiple locations.

Always test JIT admin access with a controlled group. This helps you monitor request patterns, refine policies, and eliminate friction before you expand the coverage to other teams.

6. Scale Across the Organization

Once you have addressed all the issues with the pilot team and honed your policies and approval workflow setup, you are primed for expanding adoption to other teams. A phased approach will help you:

  • Reduce IT workload
  • Improve policy accuracy
  • Ensure a smooth transition

Moving from the convenience of standing admin rights to a more secure, least privilege-based approach is hard for users and administrators alike. Phased adoption helps iron out the wrinkles and ensures a smooth transition to just-in-time admin access.

Benefits of Just-in-Time Admin Rights

1. Reduced Attack Surface

Just-in-time admin rights eliminate the risks associated with standing admin rights. Ransomware and malware attacks will have less impact when just-in-time admin rights are in place. Even if your endpoints are infected or breached, the impact is well contained.

2. Improved Security Posture

Using just-in-time admin rights prevents lateral movement and privilege escalation attacks. When intruders breach an endpoint, they will not be able to move freely across endpoints and gain access to critical assets.

3. Lower Helpdesk Load

Automation of privilege elevation reduces the manual effort of the IT helpdesk. If admin rights are removed without JIT privilege elevation measures, users will start raising admin access tickets for minor requirements. JIT admin rights prevent this from happening.

4. Enhanced Productivity

Employees work with standard user accounts without waiting for IT helpdesk technicians to intervene every time they need to run an app with admin rights. Unnecessary downtime is avoided using self-service admin rights and policy-based privilege elevation.

5. Zero Trust Alignment

Granting standing admin rights to users means you are implicitly trusting the users. This goes directly against Zero Trust. Just-in-Time admin rights align well with modern Zero Trust security models, as the elevated privileges are granted only after verifying the identity and are immediately revoked once the time runs out.
