What is Just-in-Time Access
- Just-in-Time Access (JIT):
  JIT is an access control strategy used to manage and monitor user access to systems or resources. Its key feature is the immediate granting or revocation of access rights.
- Advantages of Just-in-Time Access:
  - Reduces unnecessary access privileges, lowering security risk.
  - Dynamically allocates permissions, enhancing security and compliance.
  - Reduces management costs by eliminating the need to pre-configure time-based permissions for each user.
  - Improves user experience by ensuring timely access to required resources.
- Just-in-Time Privileged Access Management (JIT PAM):
  - Reduces the time and scope during which users hold privileges, minimizing potential risk.
Just-in-Time Access: Compliance Benefits
- ISO/IEC 27001, 27002 Information Security Management System: Organizations can comply with the requirements of international information security management system standards by implementing robust authentication and authorization control mechanisms.
- GDPR (General Data Protection Regulation) - EU: Enterprises can ensure that permissions are provided only when necessary, reducing unnecessary access to personal data, thereby complying with GDPR requirements for the protection of personal data.
- PCI DSS (Payment Card Industry Data Security Standard): Enterprises can limit access to payment data and implement just-in-time permission provisioning to comply with the requirements of the Payment Card Industry Data Security Standard.
- HIPAA (Health Insurance Portability and Accountability Act): Enterprises can control access to medical records and personal health information to comply with the requirements of the U.S. Health Insurance Portability and Accountability Act.
Just-in-Time Access: Industry Applications for Compliance Standards
- Financial Services Industry: Restrict access to sensitive information and dynamically grant or revoke necessary access permissions to comply with financial industry data security standards such as PCI DSS.
- Healthcare Industry: Strictly control access to medical information to ensure that only authorized personnel can access it, in compliance with HIPAA requirements for the protection of medical information.
- E-commerce: Grant access permissions in real-time to reduce the risk of unauthorized access or misuse of personal data, aligning with GDPR requirements for personal data protection.
- Technology and Internet Companies: Implement strict control over sensitive information while enhancing information security to comply with the requirements of ISO/IEC information security management system standards.
Connection Approval Functionality of Mavis:
- Once the Connection Approval functionality of Mavis is enabled, it will block unrequested connections.
- Applicants must submit a request for each connection.
- The system will promptly alert the approver to conduct the review.
- Applicants can view their application records on the request form.
- Notifications and logs will be maintained throughout the process.
- Approvers can access the historical records of all project applications.
RBAC vs. Just-in-Time Connection Approval: Key Differences
- Before Enabling Connection Approval Feature:
  - RBAC (Role-Based Access Control):
    - Role-based access control assigns specific roles and permissions within projects to users.
    - Users are allocated access to resources such as devices, web applications, or database servers based on their roles and permissions.
    - Users can freely connect based on their roles and permissions without the need to request authorization in advance.
- After Enabling Connection Approval Feature:
  - RBAC + Just-In-Time Connection Approval (Optional Feature):
    - Users are required to request authorization before connecting.
    - Approvers must conduct approval within the review period.
    - Users can only connect after approvers authorize the connection.
    - Users must first be allocated to specific resources by project managers.
    - All connections require prior authorization. Unauthorized connections will be blocked.
FAQ
Q: How do I enable the Connection Approval feature?
A: Please ensure that you have purchased a License that includes the Connection Approval feature. If you need to change your system License, please contact system support staff.
Q: Does the Connection Approval feature block any unrequested connections after it's enabled? Does this include connections not requested by administrators?
A: Yes, the system will block any unrequested connections.
Q: Does each connection request need to be submitted by the applicant?
A: Yes, each connection request needs to be submitted. However, multiple protocols and resources can be selected simultaneously.
Q: Is there a limit on the time range for applicant requests?
A: Yes, the request time cannot be in the past, and the request time range must be less than 72 hours.
Q: How long does an application remain valid?
A: Applications expire within 8 hours. Applicants must recall their requests within this timeframe, while approvers must approve, reject, or revoke within this window.
Q: Can approvers modify applicant requests?
A: Approvers can modify the protocols, request time range, and requested resources, but not the reason for the request.
Q: Is there a batch operation feature available?
A: Yes, applicants can batch recall requests, while approvers can batch approve or reject them. However, revoke must be done individually.
Q: Will applicants receive notifications during the application process?
A: Yes, applicants will receive notifications when their requests expire, are approved, rejected, or revoked.
Q: When will an applicant's connection be terminated if they are in the process of connecting?
A: There are two scenarios: first, the system periodically checks the validity period of the request, and connections are automatically terminated upon expiration. Second, if an approver clicks the revoke button, the applicant's connection will be immediately terminated.
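To make the difference between plain RBAC and RBAC plus Connection Approval concrete, and to show how the FAQ rules above (request window not in the past and under 72 hours, applications expiring after 8 hours, connections ending on expiry or revoke) combine into a single access decision, here is a small policy model written in Python. It is an added example, not Mavis code: the class names `AccessPolicy`, `Request`, `Status` and the functions `window_error`, `sessions_to_terminate` and `demo` are invented for illustration, and the users, resources and timestamps are constructed sample data.

```python
"""Toy RBAC model with an optional Just-in-Time connection-approval layer.
Added example, not Mavis code: all names are invented to illustrate the page's rules
(window not in the past and under 72 h, pending requests expire after 8 h, access
ends when the window expires or an approver revokes). Times are integer seconds."""
from dataclasses import dataclass, field
from enum import Enum

MAX_WINDOW_SECONDS = 72 * 3600   # request time range must be less than 72 hours
PENDING_TTL_SECONDS = 8 * 3600   # an application expires 8 hours after submission

class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    REVOKED = "revoked"
    EXPIRED = "expired"

@dataclass
class Request:
    user: str
    resource: str
    start: int            # requested window start (epoch seconds)
    end: int              # requested window end (epoch seconds)
    submitted_at: int
    status: Status = Status.PENDING

def window_error(start: int, end: int, now: int):
    """Reason a requested time range is invalid, or None if it passes the FAQ rules."""
    if start < now:
        return "request time cannot be in the past"
    if end <= start or end - start >= MAX_WINDOW_SECONDS:
        return "request time range must be less than 72 hours"
    return None

@dataclass
class AccessPolicy:
    assignments: dict                 # RBAC layer: user -> resources allocated by a project manager
    approval_required: bool = False   # the optional Connection Approval feature
    requests: list = field(default_factory=list)

    def submit(self, user: str, resource: str, start: int, end: int, now: int) -> Request:
        # RBAC allocation is a precondition; the request is then range-checked
        if resource not in self.assignments.get(user, set()):
            raise PermissionError("user is not allocated to this resource")
        problem = window_error(start, end, now)
        if problem:
            raise ValueError(problem)
        req = Request(user, resource, start, end, submitted_at=now)
        self.requests.append(req)
        return req

    def expire_pending(self, now: int) -> None:
        # applications nobody acted on expire 8 hours after submission
        for r in self.requests:
            if r.status is Status.PENDING and now - r.submitted_at >= PENDING_TTL_SECONDS:
                r.status = Status.EXPIRED

    def decide(self, req: Request, approve: bool, now: int) -> Status:
        # approver action: only a still-pending request can be approved or rejected
        self.expire_pending(now)
        if req.status is not Status.PENDING:
            raise ValueError(f"request is {req.status.value}, not pending")
        req.status = Status.APPROVED if approve else Status.REJECTED
        return req.status

    def revoke(self, req: Request) -> None:
        if req.status is Status.APPROVED:   # revoke cuts an approved applicant's access at once
            req.status = Status.REVOKED

    def may_connect(self, user: str, resource: str, now: int) -> bool:
        """Access decision: RBAC alone, or RBAC plus an approved request covering `now`."""
        if resource not in self.assignments.get(user, set()):
            return False
        if not self.approval_required:
            return True                   # plain RBAC: users connect freely
        self.expire_pending(now)
        return any(r.user == user and r.resource == resource and r.status is Status.APPROVED
                   and r.start <= now < r.end for r in self.requests)

def sessions_to_terminate(policy: AccessPolicy, sessions, now: int) -> list:
    # periodic sweep: live (user, resource) sessions whose authorization no longer holds
    return [s for s in sessions if not policy.may_connect(s[0], s[1], now)]

def demo() -> dict:
    # walk one applicant through the lifecycle and collect each access decision
    now = 1_000_000
    policy = AccessPolicy(assignments={"alice": {"db-prod"}, "bob": {"web-01"}})
    out = {"rbac_only": policy.may_connect("alice", "db-prod", now)}
    policy.approval_required = True
    out["unrequested_blocked"] = policy.may_connect("alice", "db-prod", now)
    req = policy.submit("alice", "db-prod", start=now + 600, end=now + 4200, now=now)
    out["pending_blocked"] = policy.may_connect("alice", "db-prod", now + 700)
    policy.decide(req, approve=True, now=now + 60)
    out["in_window"] = policy.may_connect("alice", "db-prod", now + 700)
    out["after_window"] = policy.may_connect("alice", "db-prod", now + 5000)
    policy.revoke(req)
    out["after_revoke"] = policy.may_connect("alice", "db-prod", now + 700)
    stale = policy.submit("bob", "web-01", start=now + 36_000, end=now + 40_000, now=now)
    policy.expire_pending(now + PENDING_TTL_SECONDS)   # approver missed the 8-hour window
    out["stale_status"] = stale.status.value
    return out
```

Running `demo()` shows the two regimes side by side: with `approval_required` off, the RBAC allocation alone lets alice connect; once it is on, the same allocation only admits her while an approved request covers the current time, and both the expiry sweep and an approver's revoke immediately flip the decision back to blocked. The `sessions_to_terminate` helper is the periodic check the last FAQ answer describes, re-evaluating every live session against the same decision function.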