When I first saw “’Just in time…(JIT)” as a new preview announcement for Azure VMs, my mind was cast back to one of my first roles in IT, working for an automotive firm who supplied parts for car manufacturers. JIT was (or is!) a supply chain strategy whereby the parts or products arrive at a specific point only when required. Although I wasn’t directly involved, it used to fill me with dread as some of the penalties for holding up the supply chain were eye watering Anyway, I digress…
In relation to the Azure announcement, JIT is a security process currently in preview in Azure, whereby access is granted to a virtual machine only when required. It is simple in it’s architecture, in that it uses ACLs/NSGs to lock down access to specific inbound ports until a request by an authorised user is made. This drastically reduces the attack surface of your virtual and reduces any potential attacks through basic port scanning and brute force.
Licensing wise, JIT is part of the standard tier of Azure Security. Azure Security Center comes in two tiers:
- Free tier – this is enabled by default on your subscription and provides access to key security recommendations to help protect your infrastructure
- Standard Tier – extends the cloud and on-premises capabilities of Azure Security Center. Additional features are noted below:
- Hybrid Security
- Advanced Threat Detection
- JIT VM access
- Adaptive application controls
The following link provides pricing details: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing (Note: the standard tier is free for the first 60 days to allow you to evaluate the components!)
Over the next few weeks I’ll aim to create blog posts for each of these areas to provide a rounded picture of what the standard security tier can provide for your organisation.
The preview of JIT can be found within the Azure Security Center pane, on the home page as seen in the below screenshot. As it is a preview you need to activate it:
An overview of some of the alert types and an activation link can be found on the next page:
If you click through the following page you will receive information around pricing and have the ability to “on-board” into the standard tier:
Once you click through, you need to apply the plan to your resources, select upgrade and then save the applicable settings:
If you navigate back to Security Center homepage – you will now see all of the new features activated within your subscription:
Enabling JIT is very simple. Click within the JIT context in the screenshot above, and you’ll be presented with the JIT pane. From within here, click the “Recommended” option, and you should see any VMs you have in your subscription not currently enabled for JIT:
From here simply click on the VM on the left hand side, review the current state/severity and then click “Enable JIT on x VMs”… A pane will appear recommending key ports that should be locked down. It is important to note from here you can add any additional ports, and also specific key things like source IPs that will be allowed access upon request, and the duration for which access will be granted.
Following this your VM will now go into a “resolved state” and you will be able to head back to the main JIT screen, navigate to the “configured” tab, and hit request access…
The request access screen will allow you to permit access to specific ports from either “MyIP” (which will detect the current IP you are accessing from) or a specific IP range. You can also specific a time frame, up to the maximum limit configured in an earlier step.
Note: the ability to request access will depend upon your user role and any configured RBAC settings in the Resource Group or Virtual Machine.
In summary? I think JIT is a great feature and another measure of the investment Microsoft are making in security on the Azure platform. It is a feature I will be talking about with clients and in conjunction with the other features of Security Center I think it is an investment many organisations will look to make.