topic Re: CIEM JIT Features in Prisma Cloud Discussions

CIEM JIT Features

rajnishnsit2000 — Mon, 20 Nov 2023 05:07:47 GMT

Hi All,

Can I check where can I find out more details on the CIEM JIT functionality?

https://www.paloaltonetworks.com/prisma/cloud/cloud-infrastructure-entitlement-mgmt

"Just-in-Time (JIT) Access

Provides a Zero Trust approach to permission management by limiting access to resources based on specific time-limited permissions. Users and machine identities can be granted access only when they need it and for a limited time, reducing the overall attack surface and exposure of critical resources to potential threats.

Utilize zero standing privileges:Allows identities to request temporary access to resources on an as-needed basis, reducing the risk of having long-lasting unused permissions.
Automate or manually approve access: Enables both automatic and manual approval based on the organization configurations.
Active monitoring:Visibility into active sessions — with the ability to kill unwanted sessions in real time."

How it plans to provide Zero standing access for AWS IAM identity center and other cloud providers.

Thanks

Raj

Re: CIEM JIT Features

WLejulus — Mon, 20 Nov 2023 23:13:56 GMT

Hi Rajnishnsit2000,

Prisma Cloud CIEM is purpose-built to directly solve the challenges of managing permissions across AWS, Azure, and GCP. Prisma Cloud CIEM automatically calculates users' effective permissions across cloud service providers, detects overly permissive access, and suggests corrections to reach least privilege.

Specific to your question about zero standing access to AWS,
On a high level, Prisma Cloud's CIEM Module consists of 3 Pillars (Source, Granter, and Destination). The module integrates with identity provider (IdP) services like AWS IAM Identity Center and Okta to ingest single sign-on (SSO) data. It allows identities to request temporary access to resources on an as-needed basis, reducing the risk of having long-lasting unused permissions. With the JIT functionality, users and machine identities can be granted access only when they need it and for a limited time, reducing the overall attack surface and exposure of critical resources to potential threats. For example a user/machine may need to perform a job only at 9:30 am for 30mins. With JIT, you make sure that user/machine has a role that allow access only during that time and for that duration.

To learn more about Zero Standing Privileges (ZSP)? (And How They Work): https://www.strongdm.com/blog/zero-standing-privileges

References/Resources: You can find some great detailed resources about Prisma Cloud CIEM module here at the following links:

Let us know us if this helps with your inquiry, or if you have further questions.

Thank you,

Re: CIEM JIT Features

rajnishnsit2000 — Tue, 21 Nov 2023 02:49:01 GMT

Hi Wlejulus,

Thanks a lot for providing all the details.

Does Palo Alto CIEM covers all the 3 major cloud providers AWS, Azure & GCP?

And do you have some more config details around this specific zero standing privileges feature set?

Thanks

Raj

Re: CIEM JIT Features

WLejulus — Wed, 13 Dec 2023 22:11:14 GMT

Hi Raj,

Yes, AWS, Azure, and GCP are supported for CIEM.

Zero Standing Privileges is a concept of requiring users to obtain access as needed and when needed instead of granting continuous access rights. More config details can be found here:

Regards,

topic Re: CIEM JIT Features in Prisma Cloud Discussions

CIEM JIT Features

Utilize zero standing privileges:Allows identities to request temporary access to resources on an as-needed basis, reducing the risk of having long-lasting unused permissions.

Automate or manually approve access: Enables both automatic and manual approval based on the organization configurations.

Active monitoring:Visibility into active sessions — with the ability to kill unwanted sessions in real time."

Re: CIEM JIT Features

Re: CIEM JIT Features

Re: CIEM JIT Features