CIEM JIT Features

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

CIEM JIT Features

L0 Member

Hi All,

Can I check where can I find out more details on the CIEM JIT functionality?

https://www.paloaltonetworks.com/prisma/cloud/cloud-infrastructure-entitlement-mgmt

"Just-in-Time (JIT) Access

Provides a Zero Trust approach to permission management by limiting access to resources based on specific time-limited permissions. Users and machine identities can be granted access only when they need it and for a limited time, reducing the overall attack surface and exposure of critical resources to potential threats.

  • Utilize zero standing privileges:Allows identities to request temporary access to resources on an as-needed basis, reducing the risk of having long-lasting unused permissions.

  • Automate or manually approve access: Enables both automatic and manual approval based on the organization configurations.

  • Active monitoring:Visibility into active sessions — with the ability to kill unwanted sessions in real time."

 

How it plans to provide Zero standing access for AWS IAM identity center and other cloud providers.

Thanks

Raj

 

3 REPLIES 3

L1 Bithead

Hi Rajnishnsit2000,

 

Prisma Cloud CIEM is purpose-built to directly solve the challenges of managing permissions across AWS, Azure, and GCP. Prisma Cloud CIEM automatically calculates users' effective permissions across cloud service providers, detects overly permissive access, and suggests corrections to reach least privilege.

 

Specific to your question about zero standing access to AWS,
On a high level, Prisma Cloud's CIEM Module consists of 3 Pillars (Source, Granter, and Destination). The module integrates with identity provider (IdP) services like AWS IAM Identity Center and Okta to ingest single sign-on (SSO) data. It allows identities to request temporary access to resources on an as-needed basis, reducing the risk of having long-lasting unused permissions. With the JIT functionality, users and machine identities can be granted access only when they need it and for a limited time, reducing the overall attack surface and exposure of critical resources to potential threats. For example a user/machine may need to perform a job only at 9:30 am for 30mins. With JIT, you make sure that user/machine has a role that allow access only during that time and for that duration.

To learn more about Zero Standing Privileges (ZSP)? (And How They Work): https://www.strongdm.com/blog/zero-standing-privileges 

 

References/Resources:   You can find some great detailed resources about Prisma Cloud CIEM module here at the following links:

  1. https://live.paloaltonetworks.com/t5/prisma-cloud-articles/leveraging-prisma-cloud-to-enforce-least-... 
  2. https://live.paloaltonetworks.com/t5/prisma-cloud-videos/february-2023-ciem-the-simple-way-to-secure... 
  3. https://www.paloaltonetworks.com/prisma/cloud/cloud-infrastructure-entitlement-mgmt

Let us know us if this helps with your inquiry, or if you have further questions.

 

Thank you,

Hi Wlejulus,

Thanks a lot for providing all the details.

Does Palo Alto CIEM covers all the 3 major cloud providers AWS, Azure & GCP?

And do you have some more config details around this specific zero standing privileges feature set?

Thanks

Raj

 

Hi Raj,

Yes,  AWS, Azure, and GCP are supported for CIEM.  

Zero Standing Privileges is a concept of requiring users to obtain access as needed and when needed instead of granting continuous access rights.  More config details can be found here: 

Regards,

 

  • 727 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!